SBOM generator and vulnerability matcher that scans Go, Node.js, and Python projects, produces SPDX 2.3 and CycloneDX 1.5 documents, and cross-references packages against OSV and NVD vulnerability databases.
This is a quick overview: security theory, architecture, and full walkthroughs are in the learn modules.
- Multi-ecosystem dependency scanning (Go go.mod/go.sum, Node.js package.json/pnpm-lock.yaml, Python pyproject.toml/uv.lock)
- Dependency graph construction with cycle detection and depth tracking
- SBOM generation in SPDX 2.3 and CycloneDX 1.5 JSON formats
- Vulnerability matching via OSV batch API (primary) and NVD REST API (optional)
- SQLite-backed response cache with configurable TTL
- Policy engine for CI/CD gates with severity thresholds and dependency depth limits
- Monorepo support with recursive ecosystem detection
```bash
go install github.com/CarterPerez-dev/bomber/cmd/bomber@latest
```

Or use the install script:

```bash
curl -fsSL https://raw.githubusercontent.com/CarterPerez-dev/Cybersecurity-Projects/main/PROJECTS/intermediate/sbom-generator-vulnerability-matcher/install.sh | bash
```

Tip: This project uses `just` as a command runner. Type `just` to see all available commands.

Install it with:

```bash
curl -sSf https://just.systems/install.sh | bash -s -- --to ~/.local/bin
```
```bash
bomber scan ./my-project                          # scan dependencies
bomber generate ./my-project --format spdx        # SPDX 2.3 SBOM
bomber generate ./my-project --format cyclonedx   # CycloneDX 1.5 SBOM
bomber vuln ./my-project                          # vulnerability scan
bomber check ./my-project --policy policy.yaml    # CI/CD policy gate
```

Example `policy.yaml`:

```yaml
max_severity: medium
max_depth: 5
```

`bomber check` exits with code 1 when violations are found; drop it into any CI pipeline.
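How the depth tracking and the policy gate fit together, as an added Go example that is not bomber's own code: it assumes `max_severity` names the highest severity still tolerated and `max_depth` the deepest transitive level still tolerated, and the graph, the `Finding` shape and the `VULN-EXAMPLE-*` IDs are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"sort"
)

// Assumed severity ordering: "max_severity: medium" is read as "medium is the
// highest severity still tolerated" (bomber's exact rule may differ).
var severityRank = map[string]int{"low": 1, "medium": 2, "high": 3, "critical": 4}

// Policy mirrors the two keys in the policy.yaml example above;
// Finding is one matcher hit (constructed shape, not bomber's own type).
type Policy struct{ MaxSeverity string; MaxDepth int }
type Finding struct{ Package, ID, Severity string }

// depths walks the graph breadth-first from root; direct dependencies are depth 1.
// The seen-check records each package at its shortest path and stops a cycle from looping.
func depths(graph map[string][]string, root string) map[string]int {
	d := map[string]int{root: 0}
	for queue := []string{root}; len(queue) > 0; queue = queue[1:] {
		for _, child := range graph[queue[0]] {
			if _, seen := d[child]; !seen {
				d[child] = d[queue[0]] + 1
				queue = append(queue, child)
			}
		}
	}
	return d
}

// Evaluate returns every violation, sorted; an empty result maps to exit code 0.
func Evaluate(p Policy, graph map[string][]string, root string, findings []Finding) []string {
	var v []string
	for pkg, depth := range depths(graph, root) {
		if depth > p.MaxDepth {
			v = append(v, fmt.Sprintf("%s at depth %d exceeds max_depth %d", pkg, depth, p.MaxDepth))
		}
	}
	for _, f := range findings {
		if severityRank[f.Severity] > severityRank[p.MaxSeverity] {
			v = append(v, fmt.Sprintf("%s: %s is %s, above max_severity %s", f.Package, f.ID, f.Severity, p.MaxSeverity))
		}
	}
	sort.Strings(v)
	return v
}

func main() {
	// Constructed graph: root -> a -> b -> c -> d -> e -> f, plus the cycle c -> a.
	graph := map[string][]string{"root": {"a"}, "a": {"b"}, "b": {"c"}, "c": {"d", "a"}, "d": {"e"}, "e": {"f"}}
	findings := []Finding{{"a", "VULN-EXAMPLE-1", "high"}, {"b", "VULN-EXAMPLE-2", "medium"}}
	fmt.Println(Evaluate(Policy{MaxSeverity: "medium", MaxDepth: 5}, graph, "root", findings))
}
```

With the page's `max_severity: medium` / `max_depth: 5` policy, the run reports two violations (the high finding on `a` and package `f` at depth 6) while the cycle through `c -> a` terminates cleanly.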
| Ecosystem | Manifest | Lockfile |
|---|---|---|
| Go | go.mod | go.sum |
| Node.js | package.json | pnpm-lock.yaml |
| Python | pyproject.toml | uv.lock |

```bash
bomber scan ./project/
```
```text
+------------------------------------------------+
|                  CLI (cobra)                   |
|      scan • generate • vuln • check            |
+-----------------------+------------------------+
                        |
          +-------------v--------------+
          |       Scanner Engine       |
          |    walks dir, detects      |
          |   ecosystems, dispatches   |
          +-------------+--------------+
                        |
        +---------------+---------------+
        v               v               v
  +-----------+   +-----------+   +-----------+
  | Go Parser |   | Node      |   | Python    |
  | go.mod    |   | pnpm-lock |   | uv.lock   |
  | go.sum    |   | pkg.json  |   | pyproject |
  +-----+-----+   +-----+-----+   +-----+-----+
        |               |               |
        +---------------+---------------+
                        v
          +---------------------------+
          |     Dependency Graph      |
          |    direct + transitive    |
          |     cycle detection       |
          +-------------+-------------+
                        |
              +---------+---------+
              v                   v
      +--------------+    +--------------+
      |   SPDX 2.3   |    |  CycloneDX   |
      |  Generator   |    | 1.5 Generator|
      +-------+------+    +-------+------+
              |                   |
              +---------+---------+
                        v
            +-----------------------+
            |     Vulnerability     |
            |        Matcher        |
            |   OSV API (primary)   |
            |   NVD API (optional)  |
            +-----------+-----------+
                        |
                        v
            +-----------------------+
            |     Policy Engine     |
            |      --check mode     |
            |   exit code 0 or 1    |
            +-----------------------+
```
Language: Go 1.25
Dependencies: cobra (CLI), fatih/color (terminal), go-toml/v2 (TOML), yaml.v3 (YAML), modernc.org/sqlite (cache), google/uuid (CycloneDX), testify (tests)
This project includes step-by-step learning materials covering security theory, architecture, and implementation.
| Module | Topic |
|---|---|
| 00 - Overview | Prerequisites and quick start |
| 01 - Concepts | SBOMs, supply chain security, and vulnerability databases |
| 02 - Architecture | System design and data flow |
| 03 - Implementation | Code walkthrough |
| 04 - Challenges | Extension ideas and exercises |
AGPL 3.0