UNPKG

@cyclonedx/cdxgen

Version:

Creates CycloneDX Software Bill of Materials (SBOM) from source or container image

github.com/cdxgen/cdxgen

cdxgen/cdxgen

278 lines (271 loc) 11.5 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
- id: CTR-001 name: "Container image ships setuid/setgid GTFOBins execution primitive" description: "Known GTFOBins execution helpers become materially riskier when the image keeps the binary setuid or setgid." severity: critical category: container-risk dry-run-support: full condition: | components[ $prop($, 'cdx:gtfobins:matched') = 'true' and ( $listContains($prop($, 'cdx:gtfobins:functions'), 'shell') or $listContains($prop($, 'cdx:gtfobins:functions'), 'command') or $listContains($prop($, 'cdx:gtfobins:functions'), 'reverse-shell') or $listContains($prop($, 'cdx:gtfobins:functions'), 'bind-shell') ) and ( $prop($, 'internal:has_setuid') = 'true' or $prop($, 'internal:has_setgid') = 'true' ) ] location: | { "bomRef": $."bom-ref", "purl": purl, "file": $prop($, 'SrcFile') } message: "Executable '{{ name }}' at '{{ $prop($, 'SrcFile') }}' combines GTFOBins execution features with setuid/setgid permissions" mitigation: "Remove the setuid/setgid bit, replace the image with a slimmer base, and keep container privilege boundaries strict (no host mounts, no privileged mode, no extra capabilities)." attack: tactics: [TA0004] techniques: [T1548, T1611] evidence: | { "canonicalName": $prop($, 'cdx:gtfobins:name'), "functions": $prop($, 'cdx:gtfobins:functions'), "contexts": $prop($, 'cdx:gtfobins:contexts'), "riskTags": $prop($, 'cdx:gtfobins:riskTags'), "srcFile": $prop($, 'SrcFile'), "reference": $prop($, 'cdx:gtfobins:reference') } - id: CTR-002 name: "Container image includes privileged container-escape helper" description: "Container runtime or namespace-management helpers that are already classified as GTFOBins can accelerate container breakout when runtime isolation is weakened." severity: critical category: container-risk dry-run-support: full condition: | components[ $prop($, 'cdx:gtfobins:matched') = 'true' and $listContains($prop($, 'cdx:gtfobins:riskTags'), 'container-escape') and ( $prop($, 'internal:has_setuid') = 'true' or $prop($, 'internal:has_setgid') = 'true' or $listContains($prop($, 'cdx:gtfobins:privilegedContexts'), 'capabilities') ) ] location: | { "bomRef": $."bom-ref", "purl": purl, "file": $prop($, 'SrcFile') } message: "Container-escape helper '{{ name }}' is present at '{{ $prop($, 'SrcFile') }}' with elevated execution semantics" mitigation: "Remove container runtime and namespace-management tooling from application images, avoid CAP_SYS_ADMIN-like capability grants, and block access to the Docker/containerd sockets." attack: tactics: [TA0004] techniques: [T1611] evidence: | { "canonicalName": $prop($, 'cdx:gtfobins:name'), "privilegedContexts": $prop($, 'cdx:gtfobins:privilegedContexts'), "riskTags": $prop($, 'cdx:gtfobins:riskTags'), "srcFile": $prop($, 'SrcFile') } - id: CTR-003 name: "Container image includes privileged GTFOBins library-load or escalation primitive" description: "GTFOBins entries that can load attacker-controlled shared libraries or directly escalate privileges are strong hardening failures in container images." severity: high category: container-risk dry-run-support: full condition: | components[ $prop($, 'cdx:gtfobins:matched') = 'true' and ( $listContains($prop($, 'cdx:gtfobins:functions'), 'library-load') or $listContains($prop($, 'cdx:gtfobins:functions'), 'privilege-escalation') ) and ( $prop($, 'internal:has_setuid') = 'true' or $prop($, 'internal:has_setgid') = 'true' or $listContains($prop($, 'cdx:gtfobins:privilegedContexts'), 'sudo') or $listContains($prop($, 'cdx:gtfobins:privilegedContexts'), 'suid') or $listContains($prop($, 'cdx:gtfobins:privilegedContexts'), 'capabilities') ) ] location: | { "bomRef": $."bom-ref", "purl": purl, "file": $prop($, 'SrcFile') } message: "Binary '{{ name }}' exposes GTFOBins privilege-escalation or library-load behavior in a privileged execution context" mitigation: "Remove the helper from the image where possible, strip privileged bits/capabilities, and keep writable mounts away from privileged processes." attack: tactics: [TA0002, TA0004, TA0005] techniques: [T1574, T1548] evidence: | { "canonicalName": $prop($, 'cdx:gtfobins:name'), "functions": $prop($, 'cdx:gtfobins:functions'), "privilegedContexts": $prop($, 'cdx:gtfobins:privilegedContexts'), "srcFile": $prop($, 'SrcFile') } - id: CTR-004 name: "Container image retains privileged GTFOBins exfiltration primitive" description: "A GTFOBins helper that can read local files or upload data becomes especially dangerous when it also runs with setuid/setgid or other elevated contexts." severity: high category: container-risk dry-run-support: full condition: | components[ $prop($, 'cdx:gtfobins:matched') = 'true' and ( $listContains($prop($, 'cdx:gtfobins:riskTags'), 'data-exfiltration') or $listContains($prop($, 'cdx:gtfobins:functions'), 'upload') ) and ( $prop($, 'internal:has_setuid') = 'true' or $prop($, 'internal:has_setgid') = 'true' or $listContains($prop($, 'cdx:gtfobins:privilegedContexts'), 'sudo') or $listContains($prop($, 'cdx:gtfobins:privilegedContexts'), 'suid') or $listContains($prop($, 'cdx:gtfobins:privilegedContexts'), 'capabilities') ) ] location: | { "bomRef": $."bom-ref", "purl": purl, "file": $prop($, 'SrcFile') } message: "Binary '{{ name }}' can read or exfiltrate local data from a privileged execution path" mitigation: "Drop privileged bits, keep secrets off the image filesystem, and remove unnecessary upload/file-read helpers from runtime images." attack: tactics: [TA0009, TA0010] techniques: [T1005, T1041] evidence: | { "canonicalName": $prop($, 'cdx:gtfobins:name'), "functions": $prop($, 'cdx:gtfobins:functions'), "privilegedContexts": $prop($, 'cdx:gtfobins:privilegedContexts'), "srcFile": $prop($, 'SrcFile') } - id: CTR-005 name: "Container image includes mutable-path GTFOBins remote-execution helper" description: "Remote-execution-capable GTFOBins helpers under mutable or non-standard image paths often indicate an avoidable attack toolkit or image tampering." severity: medium category: container-risk dry-run-support: full condition: | components[ $prop($, 'cdx:gtfobins:matched') = 'true' and ( $listContains($prop($, 'cdx:gtfobins:functions'), 'reverse-shell') or $listContains($prop($, 'cdx:gtfobins:functions'), 'bind-shell') or ( ( $listContains($prop($, 'cdx:gtfobins:functions'), 'shell') or $listContains($prop($, 'cdx:gtfobins:functions'), 'command') ) and ( $listContains($prop($, 'cdx:gtfobins:functions'), 'upload') or $listContains($prop($, 'cdx:gtfobins:functions'), 'download') ) ) ) and ( $startsWith($prop($, 'SrcFile'), '/usr/local/') or $startsWith($prop($, 'SrcFile'), '/opt/') or $startsWith($prop($, 'SrcFile'), '/app/') or $startsWith($prop($, 'SrcFile'), '/tmp/') or $startsWith($prop($, 'SrcFile'), '/var/tmp/') or $startsWith($prop($, 'SrcFile'), '/root/') or $startsWith($prop($, 'SrcFile'), '/home/') ) ] location: | { "bomRef": $."bom-ref", "purl": purl, "file": $prop($, 'SrcFile') } message: "GTFOBins remote-execution helper '{{ name }}' is present in mutable image path '{{ $prop($, 'SrcFile') }}'" mitigation: "Keep runtime images immutable and minimal, move administrative tooling to separate debug images, and investigate how the helper entered the image." attack: tactics: [TA0008, TA0011] techniques: [T1105, T1570] evidence: | { "canonicalName": $prop($, 'cdx:gtfobins:name'), "functions": $prop($, 'cdx:gtfobins:functions'), "riskTags": $prop($, 'cdx:gtfobins:riskTags'), "srcFile": $prop($, 'SrcFile') } - id: CTR-006 name: "Container image ships dedicated offensive container toolkit" description: "Dedicated container or Kubernetes intrusion toolkits such as Peirates, CDK, or DEEPCE should not ship inside production runtime images." severity: high category: container-risk dry-run-support: full condition: | components[ $prop($, 'cdx:container:matched') = 'true' and $listContains($prop($, 'cdx:container:riskTags'), 'offensive-toolkit') ] location: | { "bomRef": $."bom-ref", "purl": purl, "file": $prop($, 'SrcFile') } message: "Dedicated offensive toolkit '{{ name }}' is present at '{{ $prop($, 'SrcFile') }}'" mitigation: "Remove offensive testing binaries from runtime images, rebuild from a minimal trusted base, and keep container debugging or red-team tooling in separate break-glass images." attack: tactics: [TA0002, TA0004, TA0006, TA0007] techniques: [T1552.007, T1609, T1611, T1613] evidence: | { "canonicalName": $prop($, 'cdx:container:name'), "offenseTools": $prop($, 'cdx:container:offenseTools'), "riskTags": $prop($, 'cdx:container:riskTags'), "attackTechniques": $prop($, 'cdx:container:attackTechniques'), "knowledgeSources": $prop($, 'cdx:container:knowledgeSources'), "srcFile": $prop($, 'SrcFile') } - id: CTR-007 name: "Container image includes seccomp-sensitive namespace escape helper" description: "Helpers that rely on syscalls blocked by Docker's default seccomp profile become materially riskier when operators use `seccomp=unconfined` or permissive custom profiles." severity: medium category: container-risk dry-run-support: full condition: | components[ $prop($, 'cdx:container:matched') = 'true' and $prop($, 'cdx:container:seccompProfile') = 'docker-default' and $prop($, 'cdx:container:seccompBlockedSyscalls') != '' and ( $listContains($prop($, 'cdx:container:riskTags'), 'container-escape') or $listContains($prop($, 'cdx:container:riskTags'), 'namespace-escape') ) ] location: | { "bomRef": $."bom-ref", "purl": purl, "file": $prop($, 'SrcFile') } message: "Seccomp-sensitive escape helper '{{ name }}' is present at '{{ $prop($, 'SrcFile') }}' and depends on syscalls blocked by the Docker default seccomp profile" mitigation: "Keep Docker or OCI runtimes on the default seccomp profile, never use `seccomp=unconfined` for app workloads, and review custom profiles so they do not allow namespace or host-escape syscalls without a clear need." attack: tactics: [TA0004] techniques: [T1611] evidence: | { "canonicalName": $prop($, 'cdx:container:name'), "offenseTools": $prop($, 'cdx:container:offenseTools'), "riskTags": $prop($, 'cdx:container:riskTags'), "seccompProfile": $prop($, 'cdx:container:seccompProfile'), "seccompBlockedSyscalls": $prop($, 'cdx:container:seccompBlockedSyscalls'), "knowledgeSources": $prop($, 'cdx:container:knowledgeSources'), "srcFile": $prop($, 'SrcFile') }