This is a command line interface tool based on @anchore's grype. It scans an SBOM file and reports the vulnerabilities found in the image. It has benefits over grype: it is less resource intensive and has a simple, easy-to-use interface.
$ git clone
$ cd vuln-scanner
$ go build -o vuln-scanner
$ ./vuln-scanner -h
Usage:
./vuln-scanner -f <bom> [-d <distro:version>] [-o <output>] [-s <severity>] [-j]
Flags in square brackets are optional
Examples:
JSON output: ./vuln-scanner -f bom.json -d alpine:3.12.0 -s high -o output.txt -j
TXT file: ./vuln-scanner -f bom.json -d alpine:3.12.0 -o output.txt
STD output: ./vuln-scanner -f bom.json
Flags:
-f <bom> - path to SBOM
-d <distro:version> - distro and version (optional, default: centos:07)
-o <output> - output filename (optional)
-s <severity> - minimum severity (optional, default: high)
-c - columnize standard output (optional)
-of - only fixed (optional)
-j - output to json (optional, requires -o)
-p - don't show flag parameters (optional)
-h - help
$ ./vuln-scanner -f bom.json -d alpine:3.12.0 -c -p
pkg=pkg:rpm/[email protected] vuln=CVE-2022-29154 severity=High
pkg=pkg:rpm/[email protected] vuln=CVE-2021-4083 severity=High
pkg=pkg:rpm/[email protected] vuln=CVE-2022-1271 severity=High
pkg=pkg:rpm/[email protected] vuln=CVE-2020-15999 severity=High
...
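As an added example (not part of this README or the vuln-scanner project), the following Go program parses the columnized `-c -p` output shown above and gates a CI step on a minimum severity. The package names and versions in the sample are placeholders, the purl splitting and the severity ranking are assumptions about the output, and the CVE ids are the ones shown above.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one line of vuln-scanner's columnized (-c -p) output, split into its parts.
type Finding struct{ Purl, Name, Version, Vuln, Severity string }
// severityRank orders grype's severity labels; a label not listed here ranks 0 (below all).
var severityRank = map[string]int{"negligible": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}

// ParseFinding parses one "pkg=<purl> vuln=<id> severity=<level>" line, the order the tool prints.
func ParseFinding(line string) (Finding, error) {
	var f Finding
	if _, err := fmt.Sscanf(line, "pkg=%s vuln=%s severity=%s", &f.Purl, &f.Vuln, &f.Severity); err != nil {
		return f, fmt.Errorf("cannot parse %q: %w", line, err)
	}
	// assumed purl shape: pkg:<type>/[<namespace>/]<name>@<version>[?qualifiers]; namespace stays in Name
	rest := f.Purl[strings.Index(f.Purl, "/")+1:]
	if q := strings.Index(rest, "?"); q >= 0 {
		rest = rest[:q] // drop qualifiers such as ?arch=x86_64
	}
	f.Name = rest
	if at := strings.LastIndex(rest, "@"); at >= 0 {
		f.Name, f.Version = rest[:at], rest[at+1:]
	}
	return f, nil
}

// Gate returns the findings at or above minSeverity; a CI step fails when the result is non-empty.
func Gate(output, minSeverity string) ([]Finding, error) {
	threshold, ok := severityRank[strings.ToLower(minSeverity)]
	if !ok {
		return nil, fmt.Errorf("unknown severity %q", minSeverity)
	}
	var hits []Finding
	for _, line := range strings.Split(strings.TrimSpace(output), "\n") {
		f, err := ParseFinding(line)
		if err != nil {
			return nil, err
		}
		if severityRank[strings.ToLower(f.Severity)] >= threshold {
			hits = append(hits, f)
		}
	}
	return hits, nil
}
// SampleOutput is constructed for this example; package names and versions are placeholders.
const SampleOutput = `pkg=pkg:rpm/example-a@1.0.0-1.el8?arch=x86_64 vuln=CVE-2022-29154 severity=High
pkg=pkg:rpm/example-b@2.3.4 vuln=CVE-2021-4083 severity=Medium
pkg=pkg:rpm/centos/example-c@0.9 vuln=CVE-2022-1271 severity=Critical`
```

A severity label the map does not know ranks 0 and is therefore excluded from the gate, so extend `severityRank` if the scanner ever prints a label outside grype's set.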