Adds --ignore-file functionality (#126)

.github/workflows/go-quality.yml

@@ -11,12 +11,12 @@ jobs:
         name: Setup Go
         uses: actions/setup-go@v3
         with:
-          go-version: '1.19'
+          go-version: '1.20'
       - 
         name: Install Dependencies
         run: |
           go version
-          go install golang.org/x/lint/golint@latest
+          go install honnef.co/go/tools/cmd/staticcheck@latest
           go install github.com/fzipp/gocyclo/cmd/gocyclo@latest
       - 
         name: Test
@@ -35,8 +35,8 @@ jobs:
         name: Vet
         run: go vet -v
       - 
-        name: Lint
-        run: golint ./...
+        name: staticcheck
+        run: staticcheck -f stylish -checks all  ./...
       - 
         name: gocyclo
         run: gocyclo .

.hookz.yaml

@@ -3,7 +3,7 @@
     - source: github.com/anchore/syft/cmd/syft@latest
     - source: github.com/devops-kung-fu/hinge@latest
     - source: github.com/kisielk/errcheck@latest      
-    - source: golang.org/x/lint/golint@latest
+    - source: honnef.co/go/tools/cmd/staticcheck@latest
     - source: github.com/fzipp/gocyclo/cmd/gocyclo@latest
   hooks:
     - type: pre-commit
@@ -20,9 +20,9 @@
         - name: "gofmt: Run gofmt to format the code"
           exec: gofmt
           args: ["-s", "-w", "**/*.go"]
-        - name: "golint: Lint all go files"
-          exec: golint
-          args: ["./..."] #to error out, add the arg "-set_exit_status"
+        - name: "staticcheck: Lint all go files"
+          exec: staticcheck
+          args: ["-f", "stylish", "-checks", "all", "./..."] #to error out, add the arg "-set_exit_status"
         - name: "errcheck: Ensure that errors are checked"
           exec: errcheck
           args: ["-ignoretests", "./..."]

.vscode/launch.json

@@ -13,87 +13,95 @@
             "request": "launch",
             "mode": "auto",
             "program": "${workspaceFolder}/main.go",
-            "args": ["--debug=true", "scan", "./sbom/test"]
+            "args": ["--debug=true", "scan", "./_TESTDATA_/sbom"]
         },
         {
             "name": "Debug Expression License (OSV)",
             "type": "go",
             "request": "launch",
             "mode": "auto",
             "program": "${workspaceFolder}/main.go",
-            "args": ["--debug=true", "scan", "./sbom/test/expression-license.json"]
+            "args": ["--debug=true", "scan", "./_TESTDATA_/sbom/expression-license.json"]
         },
         {
             "name": "Debug Folder (ossindex)",
             "type": "go",
             "request": "launch",
             "mode": "auto",
             "program": "${workspaceFolder}/main.go",
-            "args": ["--provider=ossindex", "--debug=true", "scan", "./sbom"]
+            "args": ["--provider=ossindex", "--debug=true", "scan", "./_TESTDATA_/sbom"]
         },
         {
             "name": "Debug File (OSS Index - juiceshop)",
             "type": "go",
             "request": "launch",
             "mode": "auto",
             "program": "${workspaceFolder}/main.go",
-            "args": ["--debug=true", "--provider=ossindex", "scan", "./sbom/test/juiceshop.cyclonedx.json"]
+            "args": ["--debug=true", "--provider=ossindex", "scan", "./_TESTDATA_/sbom/juiceshop.cyclonedx.json"]
         },
         {
             "name": "Debug File (Snyk - juiceshop)",
             "type": "go",
             "request": "launch",
             "mode": "auto",
             "program": "${workspaceFolder}/main.go",
-            "args": ["--provider=snyk", "--debug=true", "scan", "./sbom/test/juiceshop.cyclonedx.json"]
+            "args": ["--provider=snyk", "--debug=true", "scan", "./_TESTDATA_/sbom/juiceshop.cyclonedx.json"]
         },
         {
             "name": "Debug File (OSV - juiceshop)",
             "type": "go",
             "request": "launch",
             "mode": "auto",
             "program": "${workspaceFolder}/main.go",
-            "args": ["--provider=osv", "--debug=true", "scan", "./sbom/test/juiceshop.cyclonedx.json"]
+            "args": ["--provider=osv", "--debug=true", "scan", "./_TESTDATA_/sbom/juiceshop.cyclonedx.json"]
         },
         {
             "name": "Debug File (OSV - ubuntu-latest.cyclonedx.json)",
             "type": "go",
             "request": "launch",
             "mode": "auto",
             "program": "${workspaceFolder}/main.go",
-            "args": ["--provider=osv", "--debug=true", "scan", "./sbom/test/ubuntu-latest.cyclonedx.json"]
+            "args": ["--provider=osv", "--debug=true", "scan", "./_TESTDATA_/sbom/ubuntu-latest.cyclonedx.json"]
         },
         {
             "name": "Debug File, Output HTML (ossindex - juiceshop)",
             "type": "go",
             "request": "launch",
             "mode": "auto",
             "program": "${workspaceFolder}/main.go",
-            "args": ["--provider=ossindex", "--debug=true", "--output=html", "scan", "./sbom/test/juiceshop.cyclonedx.json"]
+            "args": ["--provider=ossindex", "--debug=true", "--output=html", "scan", "./_TESTDATA_/sbom/juiceshop.cyclonedx.json"]
         },
         {
             "name": "Debug File, Output HTML (osv - juiceshop)",
             "type": "go",
             "request": "launch",
             "mode": "auto",
             "program": "${workspaceFolder}/main.go",
-            "args": ["--debug=true", "--output=html", "scan", "./sbom/test/juiceshop.cyclonedx.json"]
+            "args": ["--debug=true", "--output=html", "scan", "./_TESTDATA_/sbom/juiceshop.cyclonedx.json"]
         },
         {
             "name": "Debug File (ossindex - railsgoat)",
             "type": "go",
             "request": "launch",
             "mode": "auto",
             "program": "${workspaceFolder}/main.go",
-            "args": ["--provider=ossindex", "--debug=true", "scan", "./sbom/test/railsgoat.cyclonedx.json"]
+            "args": ["--provider=ossindex", "--debug=true", "scan", "./_TESTDATA_/sbom/railsgoat.cyclonedx.json"]
         },
         {
             "name": "Debug File, Output JSON (ossindex - railsgoat)",
             "type": "go",
             "request": "launch",
             "mode": "auto",
             "program": "${workspaceFolder}/main.go",
-            "args": ["--provider=ossindex", "--debug=true", "--output=json", "scan", "./sbom/test/railsgoat.cyclonedx.json"]
+            "args": ["--provider=ossindex", "--debug=true", "--output=json", "scan", "./_TESTDATA_/sbom/railsgoat.cyclonedx.json"]
+        },
+        {
+            "name": "Debug File, Ignore, Output JSON (osv - railsgoat)",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceFolder}/main.go",
+            "args": ["--provider=osv", "--debug=true", "--output=json", "--ignore-file=./_TESTDATA_/ignore/bomber.ignore", "scan", "./_TESTDATA_/sbom/railsgoat.cyclonedx.json"]
         },
     ]
 }

.vscode/settings.json

@@ -8,6 +8,7 @@
         "coverprofile",
         "cpes",
         "CRAN",
+        "cves",
         "cyclomatic",
         "cyclonedx",
         "Distro",
@@ -46,6 +47,7 @@
         "Tabbedf",
         "unindexed",
         "vuln",
-        "vulns"
+        "vulns",
+        "Warningf"
     ]
 }

README.md

@@ -148,6 +148,23 @@ Example command:
 bomber scan bad-bom.json --output=json > filename.json
 ```
 
+## Ignoring Vulnerabilities
+
+If needed, you can use the ```--ignore-file``` flag to load a list of CVEs to ignore in the vulnerability output. This list needs to be in a specific format where each CVE to ignore is entered on a separate line similar to the following:
+
+```
+CVE-2022-31163
+CVE-2022-23520
+```
+
+There is an example ```bomber.ignore``` file [here](./_TESTDATA_/ignore/bomber.ignore)
+
+To use the ```bomber.ignore``` file, use the syntax as follows:
+
+``` bash
+bomber --ignore-file=bomber.ignore scan bom.json
+```
+
 ## Data Enrichment
 
 ```bomber``` has the ability to enrich vulnerability data it obtains from the [Providers](#providers). The first "enricher" we have implemented for is for [EPSS](https://www.first.org/epss/)
@@ -200,6 +217,12 @@ If you would like to contribute to the development of ```bomber``` please refer
 
 The current CycloneDX SBOM for ```bomber``` is available [here](./sbom/bomber.cyclonedx.json).
 
+## Sponsors
+
+Thank you to the sponsors and supporters of ```bomber```
+
+![](img/sponsors/zero-logo.png)
+
 ## Credits
 
 A big thank-you to our friends at [ZERO](https://zero.health) for the ```bomber``` logo.

_TESTDATA_/ignore/bomber.ignore

@@ -0,0 +1,2 @@
+CVE-2022-31163
+CVE-2022-23520

cmd/scan.go

@@ -16,6 +16,7 @@ import (
 
 	"github.com/devops-kung-fu/bomber/lib"
 	"github.com/devops-kung-fu/bomber/lib/enrichment"
+	"github.com/devops-kung-fu/bomber/lib/filters"
 	"github.com/devops-kung-fu/bomber/models"
 	"github.com/devops-kung-fu/bomber/providers"
 	"github.com/devops-kung-fu/bomber/renderers"
@@ -27,6 +28,7 @@ var (
 	credentials     = models.Credentials{}
 	renderer        models.Renderer
 	provider        models.Provider
+	ignoreFile      string
 
 	// summary, detailed bool
 	scanCmd = &cobra.Command{
@@ -78,10 +80,22 @@ var (
 				})
 
 				response, err = provider.Scan(purls, &credentials)
+				if err != nil {
+					log.Print(err)
+				}
+				ignoredCVE, err := lib.LoadIgnore(Afs, ignoreFile)
+				if err != nil {
+					util.PrintWarningf("Ignore flag set, but there was an error: %s", err)
+				}
 
 				for i, p := range response {
 					enrichedVulnerabilities, _ := enrichment.Enrich(p.Vulnerabilities)
 					response[i].Vulnerabilities = enrichedVulnerabilities
+
+					if len(ignoredCVE) > 0 {
+						filteredVulnerabilities := filters.Ignore(p.Vulnerabilities, ignoredCVE)
+						response[i].Vulnerabilities = filteredVulnerabilities
+					}
 				}
 
 				util.DoIf(output != "json", func() {
@@ -100,7 +114,7 @@ var (
 					}
 				}
 				results := models.NewResults(response, severitySummary, scanned, licenses, version, providerName)
-				err := renderer.Render(results)
+				err = renderer.Render(results)
 				if err != nil {
 					log.Println(err)
 				}
@@ -118,4 +132,5 @@ func init() {
 	scanCmd.PersistentFlags().StringVar(&credentials.Username, "username", "", "The user name for the provider being used.")
 	scanCmd.PersistentFlags().StringVar(&credentials.Token, "token", "", "The API token for the provider being used.")
 	scanCmd.PersistentFlags().StringVar(&providerName, "provider", "osv", "The vulnerability provider (ossindex, osv).")
+	scanCmd.PersistentFlags().StringVar(&ignoreFile, "ignore-file", "", "An optional file containing CVEs to ignore when rendering output.")
 }

formats/cyclonedx/cyclonedx.go

@@ -1,3 +1,4 @@
+// Package cyclonedx provides additional functionality to interact with CycloneDX formatted SBOMs
 package cyclonedx
 
 import (

formats/spdx/spdx.go

@@ -1,3 +1,4 @@
+// Package spdx provides functionality and structs to work with SPDX formatted SBOMs
 package spdx
 
 // BOM represents a SPDX Software Bill of Materials

formats/syft/syft.go

@@ -1,3 +1,4 @@
+// Package syft provides functionality and structs to work with syft formatted SBOMs
 package syft
 
 // BOM represents a Syft Software Bill of Materials

go.mod

@@ -1,30 +1,30 @@
 module github.com/devops-kung-fu/bomber
 
-go 1.19
+go 1.20
 
 require (
 	github.com/CycloneDX/cyclonedx-go v0.7.0
-	github.com/briandowns/spinner v1.20.0
+	github.com/briandowns/spinner v1.21.0
 	github.com/devops-kung-fu/common v0.2.5
 	github.com/gookit/color v1.5.2
-	github.com/jarcoal/httpmock v1.2.0
+	github.com/jarcoal/httpmock v1.3.0
 	github.com/jedib0t/go-pretty/v6 v6.4.4
 	github.com/kirinlabs/HttpRequest v1.1.1
-	github.com/microcosm-cc/bluemonday v1.0.21
+	github.com/microcosm-cc/bluemonday v1.0.22
 	github.com/package-url/packageurl-go v0.1.0
 	github.com/remeh/sizedwaitgroup v1.0.0
 	github.com/spf13/afero v1.9.3
 	github.com/spf13/cobra v1.6.1
 	github.com/stretchr/testify v1.8.1
-	k8s.io/utils v0.0.0-20221128185143-99ec85e7a448
+	k8s.io/utils v0.0.0-20230209194617-a36077c30491
 )
 
-require golang.org/x/term v0.4.0 // indirect
+require golang.org/x/term v0.5.0 // indirect
 
 require (
 	github.com/aymerick/douceur v0.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/fatih/color v1.13.0 // indirect
+	github.com/fatih/color v1.14.1 // indirect
 	github.com/gomarkdown/markdown v0.0.0-20221013030248-663e2500819c
 	github.com/gorilla/css v1.0.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -37,9 +37,9 @@ require (
 	github.com/rivo/uniseg v0.4.3 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
-	golang.org/x/net v0.5.0 // indirect
-	golang.org/x/sys v0.4.0 // indirect
-	golang.org/x/text v0.6.0 // indirect
+	golang.org/x/net v0.6.0 // indirect
+	golang.org/x/sys v0.5.0 // indirect
+	golang.org/x/text v0.7.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )