██████╗ ██████╗ ███╗ ███╗██████╗ ███████╗██████╗
██╔══██╗██╔═══██╗████╗ ████║██╔══██╗██╔════╝██╔══██╗
██████╔╝██║ ██║██╔████╔██║██████╔╝█████╗ ██████╔╝
██╔══██╗██║ ██║██║╚██╔╝██║██╔══██╗██╔══╝ ██╔══██╗
██████╔╝╚██████╔╝██║ ╚═╝ ██║██████╔╝███████╗██║ ██║
╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚═════╝ ╚══════╝╚═╝ ╚═╝

SBOM generator and vulnerability matcher that scans Go, Node.js, and Python projects, produces SPDX 2.3 and CycloneDX 1.5 documents, and cross-references packages against OSV and NVD vulnerability databases.
This is a quick overview — security theory, architecture, and full walkthroughs are in the learn modules.
What It Does
- Multi-ecosystem dependency scanning (Go go.mod/go.sum, Node.js package.json/pnpm-lock.yaml, Python pyproject.toml/uv.lock)
- Dependency graph construction with cycle detection and depth tracking
- SBOM generation in SPDX 2.3 and CycloneDX 1.5 JSON formats
- Vulnerability matching via OSV batch API (primary) and NVD REST API (optional)
- SQLite-backed response cache with configurable TTL
- Policy engine for CI/CD gates with severity thresholds and dependency depth limits
- Monorepo support with recursive ecosystem detection
Quick Start
```sh
go install github.com/CarterPerez-dev/bomber/cmd/bomber@latest
```
Or use the install script:
```sh
curl -fsSL https://raw.githubusercontent.com/CarterPerez-dev/Cybersecurity-Projects/main/PROJECTS/intermediate/sbom-generator-vulnerability-matcher/install.sh | bash
```
> [!TIP]
> This project uses `just` as a command runner. Type `just` to see all available commands.
> Install: `curl -sSf https://just.systems/install.sh | bash -s -- --to ~/.local/bin`
Usage
```sh
bomber scan ./my-project                          # scan dependencies
bomber generate ./my-project --format spdx        # SPDX 2.3 SBOM
bomber generate ./my-project --format cyclonedx   # CycloneDX 1.5 SBOM
bomber vuln ./my-project                          # vulnerability scan
bomber check ./my-project --policy policy.yaml    # CI/CD policy gate
```
Policy File
```yaml
max_severity: medium
max_depth: 5
```
bomber check exits with code 1 when violations are found — drop it into any CI pipeline.
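How such a gate evaluates matched vulnerabilities against the two policy keys, as an added Go example that is not bomber's own code: the `Policy` and `Finding` types, the severity ordering, the rule that a finding violates the gate when its severity is above `max_severity` or its depth is above `max_depth`, and the fail-closed handling of unknown severity strings are all assumptions about the semantics, not taken from the project.

```go
package main

import (
	"fmt"
	"strings"
)

type Policy struct { // parsed form of the two-key policy.yaml above (assumed shape, not bomber's own type)
	MaxSeverity string // max_severity: highest severity still tolerated
	MaxDepth    int    // max_depth: deepest transitive level still tolerated
}
type Finding struct { // one vulnerability matched to a graph node; Depth 1 = direct dependency
	Package, Version, VulnID, Severity string
	Depth                              int
}

var severityRank = map[string]int{"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

func rank(s string) int {
	if r, ok := severityRank[strings.ToLower(s)]; ok {
		return r
	}
	return len(severityRank) // unknown or misspelt severity ranks above critical: fail closed
}

// Evaluate returns one violation per exceeded limit plus the CI exit code: 0 clean, 1 gate failed.
func Evaluate(p Policy, findings []Finding) ([]string, int) {
	var out []string
	for _, f := range findings {
		if rank(f.Severity) > rank(p.MaxSeverity) {
			out = append(out, fmt.Sprintf("%s@%s %s: severity %s exceeds max_severity %s", f.Package, f.Version, f.VulnID, f.Severity, p.MaxSeverity))
		}
		if f.Depth > p.MaxDepth {
			out = append(out, fmt.Sprintf("%s@%s: depth %d exceeds max_depth %d", f.Package, f.Version, f.Depth, p.MaxDepth))
		}
	}
	if len(out) > 0 {
		return out, 1
	}
	return out, 0
}

func main() { // constructed sample findings, not real scan output
	v, code := Evaluate(Policy{MaxSeverity: "medium", MaxDepth: 5}, []Finding{
		{"example.com/lib/a", "1.2.0", "OSV-EXAMPLE-0001", "low", 1},
		{"example.com/lib/b", "0.9.1", "OSV-EXAMPLE-0002", "HIGH", 2},
		{"example.com/lib/c", "3.0.0", "OSV-EXAMPLE-0003", "medium", 7},
	})
	fmt.Println(strings.Join(v, "\n"), "\nexit code:", code)
}
```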
Supported Ecosystems
| Ecosystem | Manifest | Lockfile |
|-----------|----------|----------|
| Go | go.mod | go.sum |
| Node.js | package.json | pnpm-lock.yaml |
| Python | pyproject.toml | uv.lock |
Architecture
```text
bomber scan ./project/
┌─────────────────────────────────────────────────┐
│                   CLI (cobra)                   │
│         scan • generate • vuln • check          │
└──────────────────────┬──────────────────────────┘
                       │
         ┌─────────────▼─────────────┐
         │      Scanner Engine       │
         │    walks dir, detects     │
         │  ecosystems, dispatches   │
         └─────────────┬─────────────┘
                       │
        ┌──────────────┼──────────────┐
        ▼              ▼              ▼
   ┌─────────┐    ┌─────────┐    ┌─────────┐
   │Go Parser│    │Node     │    │Python   │
   │go.mod   │    │pnpm-lock│    │uv.lock  │
   │go.sum   │    │pkg.json │    │pyproject│
   └────┬────┘    └────┬────┘    └────┬────┘
        │              │              │
        └──────────────┼──────────────┘
                       ▼
          ┌─────────────────────────┐
          │    Dependency Graph     │
          │   direct + transitive   │
          │     cycle detection     │
          └────────────┬────────────┘
                       │
             ┌─────────┼─────────┐
             ▼                   ▼
      ┌──────────────┐    ┌──────────────┐
      │   SPDX 2.3   │    │  CycloneDX   │
      │  Generator   │    │ 1.5 Generator│
      └──────┬───────┘    └──────┬───────┘
             │                   │
             └─────────┬─────────┘
                       ▼
             ┌─────────────────────┐
             │    Vulnerability    │
             │       Matcher       │
             │  OSV API (primary)  │
             │ NVD API (optional)  │
             └─────────┬───────────┘
                       ▼
             ┌─────────────────────┐
             │    Policy Engine    │
             │    --check mode     │
             │  exit code 0 or 1   │
             └─────────────────────┘
```
Stack
Language: Go 1.25
Dependencies: cobra (CLI), fatih/color (terminal), go-toml/v2 (TOML), yaml.v3 (YAML), modernc.org/sqlite (cache), google/uuid (CycloneDX), testify (tests)
Learn
This project includes step-by-step learning materials covering security theory, architecture, and implementation.
License
AGPL 3.0