## https://sploitus.com/exploit?id=96729B1E-E24F-5CE9-BF28-5238F6E1059E
# ๐ SBOM Verifier for Go
[](https://www.python.org/)
[](LICENSE)
> ๐ก๏ธ A tool to verify Go vulnerabilities from SBOM reports using symbol analysis
## ๐ Overview
**SBOM Verifier for Go** is an vulnerability verification tool PoC that goes beyond traditional SBOM scanning. It analyzes Go binaries at the symbol level to confirm whether reported vulnerabilities are actually present in the compiled binary, reducing false positives and providing more accurate security assessments.
### โจ Key Features
- ๐ฌ **Symbol-Level Analysis** - Examines binary symbols to verify actual vulnerability presence
- ๐ **SBOM Generation** - Automatically generates Software Bill of Materials using Syft
- ๐ **Vulnerability Scanning** - Scans for vulnerabilities using Grype
- โ **Smart Verification** - Cross-references vulnerable functions with binary symbols
- ๐ **Clear Reporting** - Provides detailed tables showing confirmed vs. potential vulnerabilities
- ๐ฏ **Reduced False Positives** - Identifies which vulnerabilities are truly exploitable in your binary
## ๐ Quick Start
### Prerequisites
Before using SBOM Verifier, ensure you have the following tools installed:
- ๐ Python 3.13 or higher
- ๐ง [Syft](https://github.com/anchore/syft) - SBOM generation tool
- ๐ [Grype](https://github.com/anchore/grype) - Vulnerability scanner
- ๐ ๏ธ Go toolchain (`go tool` command)
### ๐ฆ Installation
1. **Clone the repository:**
```bash
git clone https://github.com/damaoooo/SBOMVerifierGoPoC.git
cd SBOMVerifierGo
```
2. **Install Python dependencies:**
```bash
pip install -r requirements.txt
```
3. **Verify external tools are installed:**
```bash
syft version
grype version
go version
```
## ๐ป Usage
### Basic Command
```bash
python -m src.main verify
```
### Command Options
```bash
python -m src.main verify [OPTIONS] BINARY_PATH GO_MOD_PATH
```
#### Arguments:
- `BINARY_PATH` - Path to the Go binary to analyze (required)
- `GO_MOD_PATH` - Path to the Go module's `go.mod` file (required)
#### Options:
- `-s, --sbom-output PATH` - Path to save the generated SBOM file (default: `./report/syft_report.json`)
- `-r, --report-output PATH` - Path to save the vulnerability report (default: `./report/grype_report.json`)
- `-v, --verbose` - Enable verbose output for debugging
- `--help` - Show help message
### ๐ Examples
#### Example 1: Basic Verification
```bash
python -m src.main verify ./sample_go_program/sample_app ./sample_go_program/go.mod
```
#### Example 2: Verbose Mode
```bash
python -m src.main verify \
./sample_go_program/sample_app \
./sample_go_program/go.mod \
--verbose
```
### ๐ Sample Output
```
+------------------+----------------------------+-----------------+---------------------+
| CVE ID | Package Name | Package Version | Confirmed in Binary |
+------------------+----------------------------+-----------------+---------------------+
| CVE-2023-xxxxx | github.com/package/name | v1.2.3 | Yes |
| CVE-2023-yyyyy | github.com/another/package | v2.0.1 | No |
+------------------+----------------------------+-----------------+---------------------+
Total 2 unique vulnerabilities found in the SBOM report.
[+] Verification complete. 1 vulnerable functions found in the binary.
```
## ๐ How It Works
The verification process consists of four main steps:
1. **๐จ SBOM Generation**
- Uses Syft to generate a comprehensive Software Bill of Materials from your Go module
2. **๐ Vulnerability Scanning**
- Runs Grype against the SBOM to identify potential vulnerabilities
3. **๐งฌ Symbol Extraction**
- Extracts all symbols from the compiled Go binary using `go tool nm`
4. **โ Cross-Reference Verification**
- Compares vulnerable functions from the CVE database with actual binary symbols
- Confirms which vulnerabilities are truly present in the executable
## ๐ Project Structure
```
SBOMVerifierGo/
โโโ src/
โ โโโ __init__.py # Package initialization
โ โโโ main.py # CLI entry point
โ โโโ binary_parser.py # Binary symbol extraction
โ โโโ go_database.py # Go vulnerability database
โ โโโ sbom_manager.py # SBOM generation and scanning
โ โโโ verifier.py # Vulnerability verification logic
โโโ sample_go_program/ # Sample Go application for testing
โโโ report/ # Generated reports directory
โโโ requirements.txt # Python dependencies
โโโ go_vuln.db # Local vulnerability database
โโโ README.md # This file
```
## ๐ License
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
## ๐ Acknowledgments
- [Syft](https://github.com/anchore/syft) - SBOM generation
- [Grype](https://github.com/anchore/grype) - Vulnerability scanning
- [Go Vulnerability Database](https://vuln.go.dev/) - CVE data source
## ๐ Contact
If you have any questions or suggestions, please open an issue on GitHub.