Share
## https://sploitus.com/exploit?id=96729B1E-E24F-5CE9-BF28-5238F6E1059E
# ๐Ÿ” SBOM Verifier for Go

[![Python](https://img.shields.io/badge/Python-3.13+-blue.svg)](https://www.python.org/)
[![License](https://img.shields.io/badge/license-MIT-green.svg)](LICENSE)

> ๐Ÿ›ก๏ธ A tool to verify Go vulnerabilities from SBOM reports using symbol analysis

## ๐Ÿ“– Overview

**SBOM Verifier for Go** is an vulnerability verification tool PoC that goes beyond traditional SBOM scanning. It analyzes Go binaries at the symbol level to confirm whether reported vulnerabilities are actually present in the compiled binary, reducing false positives and providing more accurate security assessments.

### โœจ Key Features

- ๐Ÿ”ฌ **Symbol-Level Analysis** - Examines binary symbols to verify actual vulnerability presence
- ๐Ÿ“Š **SBOM Generation** - Automatically generates Software Bill of Materials using Syft
- ๐Ÿ”’ **Vulnerability Scanning** - Scans for vulnerabilities using Grype
- โœ… **Smart Verification** - Cross-references vulnerable functions with binary symbols
- ๐Ÿ“ˆ **Clear Reporting** - Provides detailed tables showing confirmed vs. potential vulnerabilities
- ๐ŸŽฏ **Reduced False Positives** - Identifies which vulnerabilities are truly exploitable in your binary

## ๐Ÿš€ Quick Start

### Prerequisites

Before using SBOM Verifier, ensure you have the following tools installed:

- ๐Ÿ Python 3.13 or higher
- ๐Ÿ”ง [Syft](https://github.com/anchore/syft) - SBOM generation tool
- ๐Ÿ” [Grype](https://github.com/anchore/grype) - Vulnerability scanner
- ๐Ÿ› ๏ธ Go toolchain (`go tool` command)

### ๐Ÿ“ฆ Installation

1. **Clone the repository:**
```bash
git clone https://github.com/damaoooo/SBOMVerifierGoPoC.git
cd SBOMVerifierGo
```

2. **Install Python dependencies:**
```bash
pip install -r requirements.txt
```

3. **Verify external tools are installed:**
```bash
syft version
grype version
go version
```

## ๐Ÿ’ป Usage

### Basic Command

```bash
python -m src.main verify  
```

### Command Options

```bash
python -m src.main verify [OPTIONS] BINARY_PATH GO_MOD_PATH
```

#### Arguments:
- `BINARY_PATH` - Path to the Go binary to analyze (required)
- `GO_MOD_PATH` - Path to the Go module's `go.mod` file (required)

#### Options:
- `-s, --sbom-output PATH` - Path to save the generated SBOM file (default: `./report/syft_report.json`)
- `-r, --report-output PATH` - Path to save the vulnerability report (default: `./report/grype_report.json`)
- `-v, --verbose` - Enable verbose output for debugging
- `--help` - Show help message

### ๐Ÿ“ Examples

#### Example 1: Basic Verification

```bash
python -m src.main verify ./sample_go_program/sample_app ./sample_go_program/go.mod
```


#### Example 2: Verbose Mode

```bash
python -m src.main verify \
  ./sample_go_program/sample_app \
  ./sample_go_program/go.mod \
  --verbose
```

### ๐Ÿ“Š Sample Output

```
+------------------+----------------------------+-----------------+---------------------+
|      CVE ID      |       Package Name         | Package Version | Confirmed in Binary |
+------------------+----------------------------+-----------------+---------------------+
| CVE-2023-xxxxx   | github.com/package/name    | v1.2.3          |         Yes         |
| CVE-2023-yyyyy   | github.com/another/package | v2.0.1          |         No          |
+------------------+----------------------------+-----------------+---------------------+
Total 2 unique vulnerabilities found in the SBOM report.
[+] Verification complete. 1 vulnerable functions found in the binary.
```

## ๐Ÿ”„ How It Works

The verification process consists of four main steps:

1. **๐Ÿ”จ SBOM Generation**
   - Uses Syft to generate a comprehensive Software Bill of Materials from your Go module

2. **๐Ÿ” Vulnerability Scanning**
   - Runs Grype against the SBOM to identify potential vulnerabilities

3. **๐Ÿงฌ Symbol Extraction**
   - Extracts all symbols from the compiled Go binary using `go tool nm`

4. **โœ… Cross-Reference Verification**
   - Compares vulnerable functions from the CVE database with actual binary symbols
   - Confirms which vulnerabilities are truly present in the executable

## ๐Ÿ“ Project Structure

```
SBOMVerifierGo/
โ”œโ”€โ”€ src/
โ”‚   โ”œโ”€โ”€ __init__.py          # Package initialization
โ”‚   โ”œโ”€โ”€ main.py              # CLI entry point
โ”‚   โ”œโ”€โ”€ binary_parser.py     # Binary symbol extraction
โ”‚   โ”œโ”€โ”€ go_database.py       # Go vulnerability database
โ”‚   โ”œโ”€โ”€ sbom_manager.py      # SBOM generation and scanning
โ”‚   โ””โ”€โ”€ verifier.py          # Vulnerability verification logic
โ”œโ”€โ”€ sample_go_program/       # Sample Go application for testing
โ”œโ”€โ”€ report/                  # Generated reports directory
โ”œโ”€โ”€ requirements.txt         # Python dependencies
โ”œโ”€โ”€ go_vuln.db              # Local vulnerability database
โ””โ”€โ”€ README.md               # This file
```

## ๐Ÿ“„ License

This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

## ๐Ÿ™ Acknowledgments

- [Syft](https://github.com/anchore/syft) - SBOM generation
- [Grype](https://github.com/anchore/grype) - Vulnerability scanning
- [Go Vulnerability Database](https://vuln.go.dev/) - CVE data source

## ๐Ÿ“ž Contact

If you have any questions or suggestions, please open an issue on GitHub.