v0.4.0

bomber now supports enrichment of vulnerability data! Our first enrichment adds EPSS scores into the vulnerability output. What's an EPSS score? It tells us the probability that a vulnerability will be exploited. For in depth information, check out the fascinating documentation at https://www.first.org/epss/

Changelog

• 4747311 feat: EPSS support (#89)

v0.3.5

This update contains a few bug fixes and updated documentation, and improves the output of all renderers to output that list of files (and hashes) that bomber has processed during scanning.

v0.3.4

bomber has some new functionality hiding underneath the covers. If you are a Snyk customer, you can now use bomber to scan your SBOMs! Our friends at Snyk also contributed a cool feature that allows you to pipe SBOMs to bomber via STDIN.

We still have some documentation to add for the Snyk provider, but that will be coming soon!

Changelog

• 459a9c3 fix: Complexity fix for STDIN changes (#75)
• 1f7f249 feat: read SBOMs from stdin (#73)
• 7e1a723 feat: Renders and sanitizes Markdown vuln descriptions to HTML (#72)
• f280640 feat: add Snyk provider (#69)
• bd5178f fix: licenseDeclared is not slice (#63)
• 697f08b Delete test.json (#65)

v0.3.3

Changelog

• d58403d feat: License support (#58)

v0.3.2

bomber now can process XML based CycloneDX files!

Changelog

• 19aa8ec feat: Adds xml format support for CycloneDX (#53)

v0.3.1

Bomber will now detect if a newer version exists, and let you know with a nice little message when it loads up.

Changelog

• 8be7152 feat: Version check (#51)

v0.3.0

bomber now supports HTML output when using the --output=html flag!

Changelog

• d9898cd feat: HTML output support (#48)
• 93dd74f feat: Renderers (#47)
• b32963e feat: Removed removeDuplicates in favor of DKFM common (#44)
• 1e127f8 feat: Provider factory and http request cleanup (#43)

v0.2.1

bomber now outputs to JSON as well as to pretty tables! Just add --output=json when running bomber.

This build also fixes some issues where CVE identifiers were not showing, includes other performance and stability fixes, and now sports a pretty OpenSSF Best Practices badge on the README.md. We ensured that we are following the best practices as defined by OpenSSF and will regularly audit the repository.

Changelog

• 3cfed2b fix: Fixes strange merge problems (#39)
• 1a4cf97 fix: README.md (#38)
• 31f5e4f feat: Adds json formatted ouput (#33)
• 275a85e fix: Fixes severity to use Moderate instead of Medium (#31)

v0.2.0

Packed with a ton of new features!

bomber now uses OSV as it's default vulnerability provider so you don't need to create an account anywhere and deal with passwords or tokens. You'll also see better output containing CVEs (osv provider), and CWEs (osv and ossindex providers).

A big thank you to the community for feature requests and finding some bugs.

Changelog

• 92636f9 feat: Adds ecosystem pre-scan info, severity summary (#30)
• 697ad6d fix: Fixes updated README.md (#28)
• 537b4e9 fix: Fixes release typo from hookz to bomber (#27)
• 3c9f44d feat: Enhanced Output and Multiple vulnerability providers (#26)

v0.1.1

Changelog

• bd67455 feat: Stabilization and vulnerability display (#17)
• a4c228e fix: Warns on missing credentials, fixes output when no valid SBOMs are found (#13)
• c6b6cdd fix: Fixes bomber's sbom badge links (#4)
• d512cb9 fix: Update README.md (#3)