Hoppr-Cop

Hoppr Cop is a cli and python library that generates high quality vulnerability information from a cyclone-dx Software Bill of Materials (SBOM) by aggregating data from multiple vulnerability databases. This project is offered as part of the hoppr ecosystem, however it is fully functional as a standalone cli or python library.

Project Status

Initial Release

The important functionality of identifying vulnerabilties by purl is handeld by the vulnerability database tools themselves.
These are in wide use and are the best currently available sources for open vulnerabilty inteligence.

Features

• Integrates data from four leading opensource vulnerability databases
  • gemnasium community
  • grype
  • trivy
  • oss-index
• Combines information from these sources in a way that reduces duplicates and ensures complete information for each vulnerability.
• Generates reports in multiple formats
  • cyclone-dx vex either embedded in the existing bom or as a standalone file.
  • html - detailed vulnerability information that can be viewed in disconnected networks.
  • Gitlab Dependency Scanning - Which enables Vulnerability Reports, Dependency List, and Security Dashboard

Why

SBOMs provide an ideal way to inventory all the dependencies in a project. A project's vulnerabilities should be monitored on a regular basis. hoppr-cop provides an easy mechanism to keep your vulnerability information up to date without regenerating an SBOM. The vex and html reports provide an ideal way to communicate vulnerability status to users, even in disconnected networks.

Why Use Multiple Scanners

• Provides broad coverage of the upstream vulnerability data sources. You can see the full details of the data-sources here. Gitlab and Sonotype provide their own vulnerability reporting that you won't get elsewhere.
• Provides much better coverage of a variety of package manager types. Each bom scanner has package managers that it excels at scanning, and some that it does a poor job of. Additionally, each product supports a different set of package ecosystems.
• Seeing that multiple datasources agree on a finding, improves confidence that the finding is not a false positive.
• Combining information from multiple sources leads to more complete and accurate information for each vulnerability identified, leading to quicker resolutions.

Demo