{
"os_version": {
"query": "select * from os_version;",
"description": "Retrieves the current version of the running osquery in the target system and where the configuration was loaded from.",
"purlType": "swid",
"componentType": "operating-system"
},
"safari_extensions": {
"query": "select safari_extensions.* from users join safari_extensions using (uid);",
"description": "Safari browser extension details for all users. This table requires Full Disk Access (FDA) permission.",
"purlType": "swid",
"componentType": "application"
},
"chrome_extensions": {
"query": "select chrome_extensions.* from users join chrome_extensions using (uid);",
"description": "Retrieves the list of extensions for Chrome in the target system.",
"purlType": "chrome-extension",
"componentType": "application"
},
"firefox_addons": {
"query": "select firefox_addons.* from users join firefox_addons using (uid);",
"description": "Retrieves the list of addons for Firefox in the target system.",
"purlType": "swid",
"componentType": "application"
},
"vscode_extensions": {
"query": "select vscode_extensions.* from users join vscode_extensions using (uid);",
"description": "Lists all VS Code extensions for all users.",
"purlType": "vscode-extension",
"componentType": "application"
},
"apps": {
"query": "select * from apps;",
"description": "macOS applications installed in known search paths (e.g., /Applications).",
"purlType": "swid",
"componentType": "application"
},
"gatekeeper": {
"query": "SELECT 'gatekeeper' as name, COALESCE(NULLIF(version, ''), opaque_version) as version, opaque_version as description, assessments_enabled, dev_id_enabled FROM gatekeeper;",
"description": "macOS Gatekeeper policy status, including assessment enforcement and identified-developer allowance.",
"purlType": "swid",
"componentType": "data"
},
"system_extensions": {
"query": "select * from system_extensions;",
"description": "macOS (>= 10.15) system extension table.",
"purlType": "swid",
"componentType": "application"
},
"certificates": {
"query": "SELECT * FROM certificates WHERE path != 'Other People';",
"description": "Lists all certificates in the trust store, excluding those under the 'Other People' path.",
"purlType": "swid",
"componentType": "data"
},
"users_snapshot": {
"query": "SELECT username as name, uuid as version, description, directory, shell, uid, gid, is_hidden FROM users;",
"description": "Local account inventory including hidden-user attributes on macOS.",
"purlType": "swid",
"componentType": "data"
},
"logged_in_users_snapshot": {
"query": "SELECT user as name, '' as version, type as description, pid, host, tty, time FROM logged_in_users;",
"description": "Interactive and remote user sessions currently active on the host.",
"purlType": "swid",
"componentType": "data"
},
"shell_history_snapshot": {
"query": "SELECT users.username as name, '' as version, shell_history.command as description, shell_history.time, shell_history.history_file, shell_history.uid FROM users JOIN shell_history USING (uid);",
"description": "User shell command history, including the command text, timestamp and history file path, for investigation support.",
"purlType": "swid",
"componentType": "data"
},
"homebrew_packages": {
"query": "SELECT * FROM homebrew_packages;",
"description": "Homebrew formula and cask inventory including auto-update behavior.",
"purlType": "swid",
"componentType": "application"
},
"npm_packages": {
"query": "SELECT * FROM npm_packages;",
"description": "Node packages installed on the system, including recursively discovered modern package manager layouts.",
"purlType": "npm"
},
"launchd_services": {
"query": "SELECT name, label, path, program, run_at_load, keep_alive, disabled, username, groupname, stdout_path, stderr_path, start_interval, program_arguments, watch_paths, queue_directories, start_on_mount, working_directory, process_type FROM launchd;",
"description": "LaunchAgents and LaunchDaemons configuration used for macOS persistence.",
"purlType": "swid",
"componentType": "application"
},
"launchd_overrides": {
"query": "SELECT label as name, key as version, value as description, uid, path FROM launchd_overrides;",
"description": "Per-user launchd override state that can alter startup behavior.",
"purlType": "swid",
"componentType": "data"
},
"alf": {
"query": "SELECT 'alf' as name, global_state as version, version as description, allow_signed_enabled, firewall_unload, logging_enabled, logging_option, stealth_enabled FROM alf;",
"description": "Application Layer Firewall (ALF) configuration and enforcement posture.",
"purlType": "swid",
"componentType": "data"
},
"alf_exceptions": {
"query": "SELECT path as name, state as version FROM alf_exceptions;",
"description": "Firewall allow/block exception list for specific executables or bundle identifiers.",
"purlType": "swid",
"componentType": "data"
},
"xprotect_entries": {
"query": "SELECT * FROM xprotect_entries;",
"description": "Built-in XProtect malware signature entries on macOS.",
"purlType": "swid",
"componentType": "data"
},
"xprotect_meta": {
"query": "SELECT identifier as name, min_version as version, type as description, developer_id FROM xprotect_meta;",
"description": "XProtect browser extension/plugin policy metadata.",
"purlType": "swid",
"componentType": "data"
},
"package_bom": {
"query": "SELECT * FROM package_bom WHERE path IN (SELECT REPLACE(package_receipts.path, '.plist', '.bom') FROM package_receipts JOIN file ON file.path = REPLACE(package_receipts.path, '.plist', '.bom') WHERE package_receipts.path LIKE '%.plist' AND file.size <= 52428800);",
"description": "macOS package bill of materials (BOM) file list, limited to BOM files that have a matching package receipt and are at most 52428800 bytes (50 MiB).",
"purlType": "swid",
"componentType": "application"
},
"package_install_history": {
"query": "SELECT * FROM package_install_history;",
"description": "macOS package install history.",
"purlType": "swid",
"componentType": "application"
},
"package_receipts": {
"query": "SELECT * FROM package_receipts;",
"description": "macOS package receipt details.",
"purlType": "swid",
"componentType": "application"
},
"running_apps": {
"query": "SELECT * FROM running_apps;",
"description": "macOS applications currently running on the host system.",
"purlType": "swid",
"componentType": "data"
},
"sandboxes": {
"query": "SELECT * FROM sandboxes;",
"description": "macOS application sandbox container details.",
"purlType": "swid",
"componentType": "data"
},
"startup_items": {
"query": "SELECT * FROM startup_items;",
"description": "Lists all startup items.",
"purlType": "swid",
"componentType": "data"
},
"listening_ports": {
"query": "SELECT DISTINCT process.name, listening.port, listening.protocol, listening.family, listening.address, process.pid, process.path, process.cmdline, process.cwd, process.uid, process.on_disk, process.parent, process.start_time FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid;",
"description": "Lists processes that have at least one listening port, together with the port and process details.",
"purlType": "swid",
"componentType": "application"
},
"interface_addresses": {
"query": "SELECT * FROM interface_addresses;",
"description": "Lists all network interface addresses.",
"purlType": "swid",
"componentType": "data"
},
"docker_container_ports": {
"query": "SELECT * FROM docker_container_ports;",
"description": "Lists all Docker container ports.",
"purlType": "swid",
"componentType": "data"
},
"docker_containers": {
"query": "SELECT * FROM docker_containers;",
"description": "Lists all Docker containers.",
"purlType": "swid",
"componentType": "data"
},
"docker_networks": {
"query": "SELECT * FROM docker_networks;",
"description": "Lists all Docker networks.",
"purlType": "swid",
"componentType": "data"
},
"docker_volumes": {
"query": "SELECT * FROM docker_volumes;",
"description": "Lists all Docker volumes.",
"purlType": "swid",
"componentType": "data"
}
}