{ "os_version": { "query": "select * from os_version;", "description": "Retrieves the current version of the running osquery in the target system and where the configuration was loaded from.", "purlType": "swid", "componentType": "operating-system" }, "kernel_info": { "query": "select * from kernel_info;", "name": "os-image", "description": "Retrieves information from the current kernel in the target system.", "purlType": "swid", "componentType": "operating-system" }, "chrome_extensions": { "query": "select chrome_extensions.* from users join chrome_extensions using (uid);", "description": "Retrieves the list of extensions for Chrome in the target system.", "purlType": "chrome-extension", "componentType": "application" }, "firefox_addons": { "query": "select firefox_addons.* from users join firefox_addons using (uid);", "description": "Retrieves the list of addons for Firefox in the target system.", "purlType": "swid", "componentType": "application" }, "vscode_extensions": { "query": "select vscode_extensions.* from users join vscode_extensions using (uid);", "description": "Lists all vscode extensions.", "purlType": "vscode-extension", "componentType": "application" }, "deb_packages": { "query": "select * from deb_packages;", "description": "Retrieves all the installed DEB packages in the target Linux system.", "purlType": "deb" }, "apt_sources": { "query": "select * from apt_sources;", "description": "Retrieves all the APT sources to install packages from in the target Linux system.", "purlType": "generic", "componentType": "data" }, "apt_ppa_sources": { "query": "SELECT COALESCE(name, base_uri, source) as name, release as version, maintainer as publisher, source as description, source, base_uri, release, components, architectures FROM apt_sources WHERE base_uri LIKE '%ppa.launchpadcontent.net%' OR base_uri LIKE '%ppa.launchpad.net%';", "description": "APT Personal Package Archive (PPA) sources configured on the target Linux system.", "purlType": "generic", 
"componentType": "data" }, "yum_sources": { "query": "select * from yum_sources;", "description": "Display yum package manager sources.", "purlType": "generic", "componentType": "data" }, "trusted_gpg_keys": { "query": "SELECT COALESCE(file.filename, file.path) as name, hash.sha256 as version, file.path as description, file.path, file.directory, file.filename, file.uid, file.gid, file.mode, file.size, file.mtime, hash.sha1, hash.sha256, CASE WHEN file.path LIKE '/etc/apt/%' OR file.path LIKE '/usr/share/keyrings/%' THEN 'apt' WHEN file.path LIKE '/etc/pki/rpm-gpg/%' OR file.path LIKE '/usr/share/distribution-gpg-keys/%' THEN 'rpm' WHEN file.path LIKE '/etc/apk/keys/%' THEN 'apk' ELSE 'generic' END AS trust_domain FROM file JOIN hash USING (path) WHERE (file.path = '/etc/apt/trusted.gpg' OR file.path LIKE '/etc/apt/trusted.gpg.d/%' OR file.path LIKE '/usr/share/keyrings/%' OR file.path LIKE '/etc/pki/rpm-gpg/%' OR file.path LIKE '/usr/share/distribution-gpg-keys/%' OR file.path LIKE '/etc/apk/keys/%') AND file.type = 'regular';", "description": "Trusted repository keyring material for APT, RPM/DNF, and APK package trust validation.", "purlType": "generic", "componentType": "cryptographic-asset" }, "portage_packages": { "query": "select * from portage_packages;", "description": "Retrieves all the installed packages on the target Linux system.", "purlType": "ebuild" }, "rpm_packages": { "query": "select * from rpm_packages;", "description": "Retrieves all the installed RPM packages in the target Linux system.", "purlType": "rpm" }, "python_packages": { "query": "select * from python_packages;", "description": "Python packages installed on system.", "purlType": "pypi" }, "npm_packages": { "query": "SELECT * FROM npm_packages;", "description": "Node packages installed on the system, including recursively discovered modern package manager layouts.", "purlType": "npm" }, "system_info_snapshot": { "query": "SELECT * FROM system_info;", "description": "System info snapshot 
query.", "purlType": "swid", "componentType": "data" }, "users_snapshot": { "query": "SELECT username as name, uuid as version, description, directory, shell, uid, gid FROM users;", "description": "Local user inventory for account and shell posture analysis.", "purlType": "swid", "componentType": "data" }, "logged_in_users_snapshot": { "query": "SELECT user as name, '' as version, type as description, pid, tty, host, time FROM logged_in_users;", "description": "Interactive and remote user sessions currently active on the host.", "purlType": "swid", "componentType": "data" }, "shell_history_snapshot": { "query": "SELECT users.username as name, '' as version, shell_history.command as description, shell_history.time, shell_history.history_file, shell_history.uid FROM users JOIN shell_history USING (uid);", "description": "User shell command history metadata for investigation support.", "purlType": "swid", "componentType": "data" }, "authorized_keys_snapshot": { "query": "SELECT users.username as name, authorized_keys.algorithm as version, authorized_keys.comment as description, authorized_keys.key_file, authorized_keys.options, authorized_keys.uid FROM users JOIN authorized_keys USING (uid);", "description": "Authorized SSH key metadata per account without exporting key material.", "purlType": "swid", "componentType": "data" }, "sudoers_snapshot": { "query": "SELECT header as name, source as path, rule_details as description FROM sudoers;", "description": "Sudo policy entries for least-privilege and privileged access review.", "purlType": "swid", "componentType": "data" }, "etc_hosts": { "query": "SELECT * FROM etc_hosts;", "description": "List the contents of the Windows hosts file.", "purlType": "swid", "componentType": "data" }, "crontab_snapshot": { "query": "SELECT * FROM crontab;", "description": "Retrieves all the jobs scheduled in crontab in the target system.", "purlType": "swid", "componentType": "data" }, "sysctl_hardening": { "query": "SELECT name, 
current_value as version, name as sysctl_key, current_value FROM sysctl WHERE name IN ('kernel.randomize_va_space', 'kernel.kptr_restrict', 'net.ipv4.conf.all.accept_redirects', 'net.ipv4.conf.default.accept_redirects', 'net.ipv4.conf.all.send_redirects', 'net.ipv4.conf.default.send_redirects');", "description": "Linux sysctl posture entries aligned with common hardening baselines.", "purlType": "swid", "componentType": "data" }, "kernel_modules": { "query": "SELECT * FROM kernel_modules;", "description": "Linux kernel modules both loaded and within the load search path.", "purlType": "swid", "componentType": "data" }, "secureboot_certificates": { "query": "SELECT COALESCE(common_name, subject, sha1) as name, COALESCE(subject_key_id, sha1) as version, issuer as publisher, subject as description, common_name, subject, issuer, serial, sha1, revoked, path, is_ca, self_signed, key_usage, authority_key_id, subject_key_id, signing_algorithm, key_algorithm, key_strength, not_valid_before, not_valid_after FROM secureboot_certificates;", "description": "UEFI Secure Boot certificate inventory, including trusted and revoked entries, for firmware trust posture reviews.", "purlType": "swid", "componentType": "data" }, "mount_hardening": { "query": "SELECT path as name, flags as version, device as description, path, device, type, flags FROM mounts WHERE path IN ('/tmp', '/var/tmp', '/dev/shm', '/home');", "description": "Linux mount points commonly reviewed for noexec, nodev, and nosuid hardening.", "purlType": "swid", "componentType": "data" }, "systemd_units": { "query": "SELECT id as name, active_state as version, description, load_state, sub_state, unit_file_state, user, fragment_path, source_path FROM systemd_units;", "description": "Systemd unit state and execution source inventory.", "purlType": "swid", "componentType": "application" }, "etc_services": { "query": "SELECT * FROM etc_services;", "description": "Service-to-port mappings configured in /etc/services.", 
"purlType": "swid", "componentType": "data" }, "behavioral_reverse_shell": { "query": "SELECT DISTINCT(processes.pid), processes.parent, processes.name, processes.path, processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid, processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port, (SELECT cmdline FROM processes AS parent_cmdline WHERE pid=processes.parent) AS parent_cmdline FROM processes JOIN process_open_sockets USING (pid) LEFT OUTER JOIN process_open_files ON processes.pid = process_open_files.pid WHERE (name='sh' OR name='bash') AND remote_address NOT IN ('0.0.0.0', '::', '') AND remote_address NOT LIKE '10.%' AND remote_address NOT LIKE '192.168.%';", "description": "Find shell processes that have open sockets.", "purlType": "swid", "componentType": "data" }, "process_events": { "query": "SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, uid FROM process_events WHERE path NOT IN ('/bin/sed', '/usr/bin/tr', '/bin/gawk', '/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/usr/bin/jq', '/bin/cut', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline NOT LIKE '%secret%';", "description": "Process events collected from the audit framework.", "purlType": "swid", "componentType": "data" }, "sudo_executions": { "query": "SELECT COALESCE((SELECT proc.name FROM processes AS proc WHERE proc.pid = process_events.pid), process_events.path) AS name, process_events.path, process_events.cmdline, process_events.cwd, process_events.auid, process_events.uid, process_events.euid, process_events.gid, process_events.egid, process_events.parent, process_events.pid, process_events.time, process_events.ctime, COALESCE((SELECT username FROM users WHERE uid = process_events.auid), '') AS login_user, COALESCE((SELECT username FROM users WHERE uid = process_events.uid), '') AS real_user, COALESCE((SELECT username FROM users WHERE uid = process_events.euid), '') AS 
effective_user, COALESCE((SELECT parent.name FROM processes AS parent WHERE parent.pid = process_events.parent), '') AS parent_name, COALESCE((SELECT parent.path FROM processes AS parent WHERE parent.pid = process_events.parent), '') AS parent_path, COALESCE((SELECT parent.cmdline FROM processes AS parent WHERE parent.pid = process_events.parent), '') AS parent_cmdline, COALESCE((SELECT unit.id FROM systemd_units AS unit WHERE unit.fragment_path = process_events.path OR unit.source_path = process_events.path LIMIT 1), '') AS service_unit, CASE WHEN process_events.path LIKE '/usr/bin/%' OR process_events.path LIKE '/usr/sbin/%' OR process_events.path LIKE '/bin/%' OR process_events.path LIKE '/sbin/%' THEN 'system-package-path' WHEN process_events.path LIKE '/opt/%' THEN 'optional-system-path' WHEN process_events.path LIKE '/snap/%' THEN 'snap-path' WHEN process_events.path LIKE '/home/%' OR process_events.path LIKE '/tmp/%' OR process_events.path LIKE '/var/tmp/%' OR process_events.path LIKE '/dev/shm/%' OR process_events.path LIKE '/run/user/%' THEN 'user-writable-path' ELSE 'unclassified-path' END AS package_source_hint FROM process_events WHERE (process_events.path IN ('/usr/bin/sudo', '/usr/bin/pkexec', '/usr/bin/doas', '/bin/su', '/usr/bin/su') OR process_events.cmdline LIKE 'sudo %' OR process_events.cmdline LIKE 'pkexec %' OR process_events.cmdline LIKE '% pkexec %' OR process_events.cmdline LIKE 'doas %' OR process_events.cmdline LIKE '% doas %' OR process_events.cmdline LIKE 'su %') AND process_events.cmdline NOT LIKE '%_key%' AND process_events.cmdline NOT LIKE '%secret%';", "description": "Privileged execution events involving sudo, pkexec, doas, or su.", "purlType": "swid", "componentType": "application" }, "privilege_transitions": { "query": "SELECT COALESCE((SELECT proc.name FROM processes AS proc WHERE proc.pid = process_events.pid), process_events.path) AS name, process_events.path, process_events.cmdline, process_events.cwd, process_events.auid, 
process_events.uid, process_events.euid, process_events.gid, process_events.egid, process_events.parent, process_events.pid, process_events.time, process_events.ctime, COALESCE((SELECT username FROM users WHERE uid = process_events.auid), '') AS login_user, COALESCE((SELECT username FROM users WHERE uid = process_events.uid), '') AS real_user, COALESCE((SELECT username FROM users WHERE uid = process_events.euid), '') AS effective_user, COALESCE((SELECT parent.name FROM processes AS parent WHERE parent.pid = process_events.parent), '') AS parent_name, COALESCE((SELECT parent.path FROM processes AS parent WHERE parent.pid = process_events.parent), '') AS parent_path, COALESCE((SELECT parent.cmdline FROM processes AS parent WHERE parent.pid = process_events.parent), '') AS parent_cmdline, COALESCE((SELECT unit.id FROM systemd_units AS unit WHERE unit.fragment_path = process_events.path OR unit.source_path = process_events.path LIMIT 1), '') AS service_unit, CASE WHEN process_events.path LIKE '/usr/bin/%' OR process_events.path LIKE '/usr/sbin/%' OR process_events.path LIKE '/bin/%' OR process_events.path LIKE '/sbin/%' THEN 'system-package-path' WHEN process_events.path LIKE '/opt/%' THEN 'optional-system-path' WHEN process_events.path LIKE '/snap/%' THEN 'snap-path' WHEN process_events.path LIKE '/home/%' OR process_events.path LIKE '/tmp/%' OR process_events.path LIKE '/var/tmp/%' OR process_events.path LIKE '/dev/shm/%' OR process_events.path LIKE '/run/user/%' THEN 'user-writable-path' ELSE 'unclassified-path' END AS package_source_hint FROM process_events WHERE (process_events.uid != process_events.euid OR process_events.gid != process_events.egid) AND process_events.path NOT IN ('/bin/sed', '/usr/bin/tr', '/bin/gawk', '/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/usr/bin/jq', '/bin/cut', '/bin/uname', '/bin/basename') AND process_events.cmdline NOT LIKE '%_key%' AND process_events.cmdline NOT LIKE '%secret%';", "description": "Process 
executions where real and effective privileges differ.", "purlType": "swid", "componentType": "application" }, "elevated_processes": { "query": "SELECT DISTINCT process.name, process.path, process.cmdline, process.cwd, process.root, process.uid, process.gid, process.pid, process.parent, process.start_time, process.on_disk, COALESCE(users.username, '') AS account, COALESCE((SELECT parent.name FROM processes AS parent WHERE parent.pid = process.parent), '') AS parent_name, COALESCE((SELECT parent.path FROM processes AS parent WHERE parent.pid = process.parent), '') AS parent_path, COALESCE((SELECT parent.cmdline FROM processes AS parent WHERE parent.pid = process.parent), '') AS parent_cmdline, COALESCE((SELECT unit.id FROM systemd_units AS unit WHERE unit.fragment_path = process.path OR unit.source_path = process.path LIMIT 1), '') AS service_unit, CASE WHEN process.path LIKE '/usr/bin/%' OR process.path LIKE '/usr/sbin/%' OR process.path LIKE '/bin/%' OR process.path LIKE '/sbin/%' THEN 'system-package-path' WHEN process.path LIKE '/opt/%' THEN 'optional-system-path' WHEN process.path LIKE '/snap/%' THEN 'snap-path' WHEN process.path LIKE '/home/%' OR process.path LIKE '/tmp/%' OR process.path LIKE '/var/tmp/%' OR process.path LIKE '/dev/shm/%' OR process.path LIKE '/run/user/%' THEN 'user-writable-path' ELSE 'unclassified-path' END AS package_source_hint FROM processes AS process LEFT JOIN users ON process.uid = users.uid WHERE process.uid = 0 OR process.uid BETWEEN 1 AND 999;", "description": "Processes running as root or service-style system accounts with lineage hints.", "purlType": "swid", "componentType": "application" }, "ld_preload": { "query": "SELECT process_envs.pid, process_envs.key, process_envs.value, processes.name, processes.path, processes.cmdline, processes.cwd FROM process_envs join processes USING (pid) WHERE key = 'LD_PRELOAD';", "description": "Any processes that run with an LD_PRELOAD environment variable.", "purlType": "swid", 
"componentType": "data" }, "certificates": { "query": "SELECT * FROM certificates WHERE path != 'Other People';", "description": "List all certificates in the trust store.", "purlType": "swid", "componentType": "data" }, "processes": { "query": "SELECT * FROM processes;", "description": "List all processes.", "purlType": "swid", "componentType": "data" }, "process_open_sockets": { "query": "SELECT * FROM process_open_sockets WHERE remote_address NOT IN ('0.0.0.0', '::', '');", "description": "Network sockets opened by processes with non-empty remote endpoints.", "purlType": "swid", "componentType": "data" }, "startup_items": { "query": "SELECT * FROM startup_items;", "description": "List all startup items.", "purlType": "swid", "componentType": "data" }, "listening_ports": { "query": "SELECT DISTINCT process.name, listening.port, listening.protocol, listening.family, listening.address, process.pid, process.path, process.cmdline, process.cwd, process.uid, process.on_disk, process.parent, process.start_time FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid;", "description": "List all processes and their listening ports.", "purlType": "swid", "componentType": "application" }, "privileged_listening_ports": { "query": "SELECT DISTINCT process.name, listening.port, listening.protocol, listening.family, listening.address, process.pid, process.path, process.cmdline, process.cwd, process.uid, process.gid, process.on_disk, process.parent, process.start_time, COALESCE(users.username, '') AS account, COALESCE((SELECT parent.name FROM processes AS parent WHERE parent.pid = process.parent), '') AS parent_name, COALESCE((SELECT parent.path FROM processes AS parent WHERE parent.pid = process.parent), '') AS parent_path, COALESCE((SELECT parent.cmdline FROM processes AS parent WHERE parent.pid = process.parent), '') AS parent_cmdline, COALESCE((SELECT unit.id FROM systemd_units AS unit WHERE unit.fragment_path = process.path OR 
unit.source_path = process.path LIMIT 1), '') AS service_unit, CASE WHEN process.path LIKE '/usr/bin/%' OR process.path LIKE '/usr/sbin/%' OR process.path LIKE '/bin/%' OR process.path LIKE '/sbin/%' THEN 'system-package-path' WHEN process.path LIKE '/opt/%' THEN 'optional-system-path' WHEN process.path LIKE '/snap/%' THEN 'snap-path' WHEN process.path LIKE '/home/%' OR process.path LIKE '/tmp/%' OR process.path LIKE '/var/tmp/%' OR process.path LIKE '/dev/shm/%' OR process.path LIKE '/run/user/%' THEN 'user-writable-path' ELSE 'unclassified-path' END AS package_source_hint FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid LEFT JOIN users ON process.uid = users.uid WHERE process.uid = 0 OR process.uid BETWEEN 1 AND 999;", "description": "Listening ports owned by root or service-style processes with lineage and path hints.", "purlType": "swid", "componentType": "application" }, "interface_addresses": { "query": "SELECT * FROM interface_addresses;", "description": "List all interface addresses.", "purlType": "swid", "componentType": "data" }, "docker_container_ports": { "query": "SELECT * FROM docker_container_ports;", "description": "List all Docker container ports.", "purlType": "swid", "componentType": "data" }, "docker_containers": { "query": "SELECT * FROM docker_containers;", "description": "List all Docker containers.", "purlType": "swid", "componentType": "data" }, "docker_networks": { "query": "SELECT * FROM docker_networks;", "description": "List all Docker networks.", "purlType": "swid", "componentType": "data" }, "docker_volumes": { "query": "SELECT * FROM docker_volumes;", "description": "List all Docker volumes.", "purlType": "swid", "componentType": "data" } }