@cyclonedx/cdxgen

Creates CycloneDX Software Bill of Materials (SBOM) from source or container image

# cdxgen bom-audit rules, category "ai-agent".
#
# Each entry below is one rule that fires on AI agent instruction / skill files
# (and the MCP servers they reference) that cdxgen has inventoried as BOM
# components. Common fields:
#   severity / category / dry-run-support  - reporting metadata.
#   attack                                 - MITRE ATT&CK tactic / technique ids (where mapped).
#   standards                              - OWASP LLM Top 10 (2023 and 2025 ids are both
#                                            listed), NIST AI RMF functions, NIST SSDF practice.
#   condition                              - JSONata expression selecting the components the
#                                            rule fires on. `$` is the candidate component and
#                                            `$$` the BOM root (see the `$$.metadata.lifecycles`
#                                            use in AGT-007). `$prop(c, name)` reads a CycloneDX
#                                            component property by name; `$nullSafeProp` is the
#                                            variant compared against '' below, presumably
#                                            yielding '' when the property is absent - confirm
#                                            against the audit helper implementation.
#   location / evidence                    - JSONata producing the reported location and the
#                                            supporting property values.
#   message                                - '{{ name }}' is substituted with the component name.
#
# NOTE(review): every rule is a heuristic over properties that cdxgen's agent-file
# scanner attached to the component. A rule that does NOT fire is not evidence that
# the file is safe; it only means the scanner did not set the corresponding property.

# AGT-001: invisible / hidden Unicode (e.g. bidi overrides, zero-width characters)
# inside an agent instruction file. Evidence reports the code points, the line numbers
# and whether the characters sit inside comments.
# NOTE(review): `inComments` should not be read as "lower risk" on its own - an
# instruction file is consumed by the model as plain text, so a "comment" is still
# prompt content. Confirm how downstream triage treats that flag.
- id: AGT-001
  name: "AI agent instruction file contains hidden Unicode characters"
  description: "Hidden Unicode in AI agent instructions or skill files can conceal misleading prompts, hidden tool behavior, or review-evasion content."
  severity: medium
  category: ai-agent
  dry-run-support: full
  standards:
    owasp-ai-top-10:
      - "LLM05: Supply Chain Vulnerabilities"
      - "LLM03:2025 Supply Chain"
    nist-ai-rmf:
      - "Govern"
      - "Manage"
    nist-ssdf:
      - "Review and protect build and automation instructions"
  # Only components inventoried from an agent file, and only those the scanner
  # flagged as containing hidden Unicode.
  condition: |
    formulation.components[
      $prop($, 'cdx:agent:inventorySource') = 'agent-file' and
      $prop($, 'cdx:file:hasHiddenUnicode') = 'true'
    ]
  location: |
    {
      "bomRef": $."bom-ref",
      "file": $prop($, 'SrcFile')
    }
  message: "AI agent file '{{ name }}' contains hidden Unicode characters"
  mitigation: "Review the file with hidden-character rendering enabled, remove suspicious bidirectional or zero-width characters, and verify instruction blocks before merge."
  evidence: |
    {
      "codePoints": $prop($, 'cdx:file:hiddenUnicodeCodePoints'),
      "lineNumbers": $prop($, 'cdx:file:hiddenUnicodeLineNumbers'),
      "inComments": $prop($, 'cdx:file:hiddenUnicodeInComments')
    }

# AGT-002: the agent file references a publicly reachable MCP endpoint and the
# scanner found no bearer / token / OAuth hint anywhere in the instruction text.
# ATT&CK: TA0001 Initial Access via T1190 Exploit Public-Facing Application.
# NOTE(review): the auth-hint check is textual. A present hint does not prove the
# endpoint is actually authenticated, and a weak or wrong hint suppresses this rule;
# the endpoint still warrants the review described in `mitigation` either way.
- id: AGT-002
  name: "AI agent instructions reference a public MCP endpoint without auth hints"
  description: "Public MCP endpoints referenced from agent or skill files deserve review when the instruction surface does not indicate any bearer, token, or OAuth controls."
  severity: high
  category: ai-agent
  dry-run-support: full
  attack:
    tactics: [TA0001]
    techniques: [T1190]
  standards:
    owasp-ai-top-10:
      - "LLM07: Insecure Plugin Design"
      - "LLM08: Excessive Agency"
      - "LLM06:2025 Excessive Agency"
    nist-ai-rmf:
      - "Map"
      - "Manage"
    nist-ssdf:
      - "Review externally reachable AI and automation interfaces"
  # `authHints` is read null-safely so an absent property counts as "no hints".
  condition: |
    formulation.components[
      $prop($, 'cdx:agent:inventorySource') = 'agent-file' and
      $prop($, 'cdx:agent:hasPublicMcpEndpoint') = 'true' and
      $nullSafeProp($, 'cdx:agent:authHints') = ''
    ]
  location: |
    {
      "bomRef": $."bom-ref",
      "file": $prop($, 'SrcFile')
    }
  message: "AI agent file '{{ name }}' references a public MCP endpoint without any auth hints"
  mitigation: "Treat public MCP endpoints as untrusted until authentication, authorization, and endpoint provenance are documented explicitly."
  evidence: |
    {
      "hiddenMcpUrls": $prop($, 'cdx:agent:hiddenMcpUrls'),
      "hiddenMcpHosts": $prop($, 'cdx:agent:hiddenMcpHosts'),
      "providerNames": $prop($, 'cdx:agent:providerNames')
    }

# AGT-003: the agent file talks about MCP servers / packages / endpoints, but the
# BOM declares no MCP package component at all and no MCP service derived from
# source-code analysis - i.e. a runtime trust dependency that reviewers would not
# see from the package inventory alone.
# NOTE(review): the suppression is BOM-wide, not per reference. The two `$count`
# terms look only at whether *any* MCP package / source-derived MCP service exists,
# they are not correlated with this file's `mcpPackageRefs`; a single declared MCP
# package therefore silences this rule for every agent file, including ones that
# reference a different, undeclared server. Only top-level `$$.components` is
# consulted (nested components are not walked) - confirm that is intended.
- id: AGT-003
  name: "AI agent instructions reference MCP surfaces not declared elsewhere in the BOM"
  description: "Agent files that mention MCP servers, packages, or endpoints without corresponding MCP package inventory or source-derived MCP services can hide runtime trust dependencies from reviewers."
  severity: medium
  category: ai-agent
  dry-run-support: full
  standards:
    owasp-ai-top-10:
      - "LLM05: Supply Chain Vulnerabilities"
      - "LLM08: Excessive Agency"
      - "LLM03:2025 Supply Chain"
      - "LLM06:2025 Excessive Agency"
    nist-ai-rmf:
      - "Map"
      - "Govern"
    nist-ssdf:
      - "Maintain complete third-party and runtime dependency inventory"
  # `$auditServices($$)` is an audit helper returning the BOM's services - its exact
  # coverage (top-level only vs. nested) is not visible from this file.
  condition: |
    formulation.components[
      $prop($, 'cdx:agent:inventorySource') = 'agent-file' and
      $prop($, 'cdx:agent:hasMcpReferences') = 'true' and
      $count($$.components[$prop($, 'cdx:mcp:package') = 'true']) = 0 and
      $count($auditServices($$)[$nullSafeProp($, 'cdx:mcp:inventorySource') = 'source-code-analysis']) = 0
    ]
  location: |
    {
      "bomRef": $."bom-ref",
      "file": $prop($, 'SrcFile')
    }
  message: "AI agent file '{{ name }}' references MCP surfaces that are not otherwise declared in the BOM"
  mitigation: "Inventory the referenced MCP packages, endpoints, and trust boundaries explicitly so reviewers can validate provenance and access controls."
  evidence: |
    {
      "mcpPackageRefs": $prop($, 'cdx:agent:mcpPackageRefs'),
      "hiddenMcpUrls": $prop($, 'cdx:agent:hiddenMcpUrls'),
      "hiddenComponentKinds": $prop($, 'cdx:agent:hiddenComponentKinds')
    }

# AGT-004: the agent file references a localhost tunnel or reverse proxy in front
# of an MCP server, which turns a development-only listener into a remotely
# reachable control surface.
# ATT&CK: TA0001 Initial Access / T1190, plus TA0011 Command and Control /
# T1071 Application Layer Protocol for the tunnelled channel itself.
- id: AGT-004
  name: "AI agent instructions reference tunneled or reverse-proxied MCP exposure"
  description: "Localhost tunneling and reverse-proxy references in agent files can turn development-only MCP servers into remotely reachable control surfaces."
  severity: high
  category: ai-agent
  dry-run-support: full
  attack:
    tactics: [TA0001, TA0011]
    techniques: [T1190, T1071]
  standards:
    owasp-ai-top-10:
      - "LLM07: Insecure Plugin Design"
      - "LLM08: Excessive Agency"
      - "LLM06:2025 Excessive Agency"
    nist-ai-rmf:
      - "Map"
      - "Manage"
    nist-ssdf:
      - "Review externally reachable development interfaces"
  condition: |
    formulation.components[
      $prop($, 'cdx:agent:inventorySource') = 'agent-file' and
      $prop($, 'cdx:agent:hasTunnelReference') = 'true'
    ]
  location: |
    {
      "bomRef": $."bom-ref",
      "file": $prop($, 'SrcFile')
    }
  message: "AI agent file '{{ name }}' references a tunneled or reverse-proxied MCP endpoint"
  mitigation: "Avoid exposing localhost MCP servers through ad-hoc tunnels; require reviewed ingress, authentication, and environment-specific controls."
  evidence: |
    {
      "hiddenMcpUrls": $prop($, 'cdx:agent:hiddenMcpUrls'),
      "hiddenMcpHosts": $prop($, 'cdx:agent:hiddenMcpHosts')
    }

# AGT-005: the agent file pulls in an MCP package or wrapper that the scanner does
# not classify as an official SDK. What counts as "official" is decided by the
# scanner that sets `cdx:agent:hasNonOfficialMcpReference`, not by this rule.
- id: AGT-005
  name: "AI agent instructions reference non-official MCP packages or wrappers"
  description: "Non-official MCP wrappers referenced directly from agent instructions deserve extra review before they are trusted in developer tooling or automation flows."
  severity: medium
  category: ai-agent
  dry-run-support: full
  standards:
    owasp-ai-top-10:
      - "LLM05: Supply Chain Vulnerabilities"
      - "LLM07: Insecure Plugin Design"
      - "LLM03:2025 Supply Chain"
    nist-ai-rmf:
      - "Govern"
      - "Map"
    nist-ssdf:
      - "Verify provenance of third-party AI integrations"
  condition: |
    formulation.components[
      $prop($, 'cdx:agent:inventorySource') = 'agent-file' and
      $prop($, 'cdx:agent:hasNonOfficialMcpReference') = 'true'
    ]
  location: |
    {
      "bomRef": $."bom-ref",
      "file": $prop($, 'SrcFile')
    }
  message: "AI agent file '{{ name }}' references non-official MCP packages or wrappers"
  mitigation: "Prefer official MCP SDKs where possible and document provenance, version pinning, and trust assumptions for any wrapper packages."
  evidence: |
    {
      "mcpPackageRefs": $prop($, 'cdx:agent:mcpPackageRefs'),
      "hiddenComponentKinds": $prop($, 'cdx:agent:hiddenComponentKinds')
    }

# AGT-006: the agent file matches an inline credential pattern (bearer token, API
# key, ...). Critical because such files are shared and executed by tooling.
# ATT&CK: TA0006 Credential Access / T1552 Unsecured Credentials.
# NOTE(review): treat a hit in a committed or distributed file as an exposure that
# has already happened - rotate the credential, do not only delete the line (the
# description already frames this as a rotation risk).
- id: AGT-006
  name: "AI agent instructions contain inline credential patterns"
  description: "Agent or skill files that embed bearer tokens, API keys, or similar secrets create immediate review and credential-rotation risk."
  severity: critical
  category: ai-agent
  dry-run-support: full
  attack:
    tactics: [TA0006]
    techniques: [T1552]
  standards:
    owasp-ai-top-10:
      - "LLM05: Supply Chain Vulnerabilities"
      - "LLM07: Insecure Plugin Design"
      - "LLM03:2025 Supply Chain"
    nist-ai-rmf:
      - "Govern"
      - "Manage"
    nist-ssdf:
      - "Protect secrets used by AI automation and developer tooling"
  condition: |
    formulation.components[
      $prop($, 'cdx:agent:inventorySource') = 'agent-file' and
      $prop($, 'cdx:agent:credentialExposure') = 'true'
    ]
  location: |
    {
      "bomRef": $."bom-ref",
      "file": $prop($, 'SrcFile')
    }
  message: "AI agent file '{{ name }}' contains inline credential patterns"
  mitigation: "Remove embedded credentials from agent instructions and move them into reviewed secret-management flows before the file is shared or executed."
  # Only the indicator names are reported, not the matched secret itself.
  evidence: |
    {
      "credentialRiskIndicators": $prop($, 'cdx:agent:credentialRiskIndicators'),
      "hiddenMcpUrls": $prop($, 'cdx:agent:hiddenMcpUrls'),
      "providerNames": $prop($, 'cdx:agent:providerNames')
    }

# AGT-007: an AI instruction / skill file ended up in a build or post-build SBOM,
# i.e. it is being shipped with the artifact rather than only recorded as
# formulation. Unlike the rules above this one selects from the top-level
# `components` (not `formulation.components`), also accepts files inventoried from
# 'community-config', matches on a fixed set of file kinds, and requires the BOM
# to declare a 'build' or 'post-build' lifecycle phase.
- id: AGT-007
  name: "AI agent or skill file is included in a build or post-build SBOM"
  description: "Shipped AI instruction and skill files deserve explicit review because they can alter developer tooling, release-time automation, and downstream runtime behavior."
  severity: medium
  category: ai-agent
  dry-run-support: full
  standards:
    owasp-ai-top-10:
      - "LLM05: Supply Chain Vulnerabilities"
      - "LLM08: Excessive Agency"
      - "LLM03:2025 Supply Chain"
      - "LLM06:2025 Excessive Agency"
    nist-ai-rmf:
      - "Govern"
      - "Map"
    nist-ssdf:
      - "Review build and release instructions before distribution"
  condition: |
    components[
      (
        $prop($, 'cdx:agent:inventorySource') = 'agent-file' or
        $prop($, 'cdx:agent:inventorySource') = 'community-config'
      ) and
      (
        $prop($, 'cdx:file:kind') = 'skill-file' or
        $prop($, 'cdx:file:kind') = 'agent-instructions' or
        $prop($, 'cdx:file:kind') = 'copilot-instructions' or
        $prop($, 'cdx:file:kind') = 'copilot-setup-workflow' or
        $prop($, 'cdx:file:kind') = 'ai-agent-file'
      ) and
      $count($$.metadata.lifecycles[phase = 'build' or phase = 'post-build']) > 0
    ]
  location: |
    {
      "bomRef": $."bom-ref",
      "file": $prop($, 'SrcFile')
    }
  message: "AI instruction or skill file '{{ name }}' is included in a build/post-build SBOM"
  # The mitigation names cdxgen CLI flags: keep the audit attached to the shipped
  # BOM, restrict sharing via TLP, or exclude the ai-skill component type entirely.
  mitigation: "If the file must ship, keep the BOM review-friendly with '--bom-audit --bom-audit-categories ai-agent' and consider '--tlp-classification AMBER'. If you want a package-only BOM, rerun with '--exclude-type ai-skill'."
  evidence: |
    {
      "inventorySource": $prop($, 'cdx:agent:inventorySource'),
      "fileKind": $prop($, 'cdx:file:kind'),
      "providerNames": $prop($, 'cdx:agent:providerNames')
    }