# HBOM Compliance and Governance Rules
# Category: hbom-compliance
# Evaluates hardware inventory completeness, redaction posture, and governance-ready evidence.
#
# Layout of every rule in this file (fields as they appear below):
#   id, name, description, severity, category, dry-run-support
#   standards       - optional map of framework -> control references; several rules omit it
#   condition       - expression (JSONata-like syntax) selecting `metadata.component` entries that
#                     violate the rule; a non-empty selection fires the rule
#   location        - expression yielding the object that identifies where the finding applies
#   message         - templated finding text; `{{ name }}` is the matched component's name
#   mitigation      - defender-facing remediation text
#   evidence        - expression yielding the data attached to the finding
#
# Conventions visible in the expressions (not defined in this file; confirm against the rule engine):
#   `$`  is the component currently under test (inside a nested `[...]` predicate it is the
#        element being filtered); `$$` appears to be the BOM root - the evidence blocks read the
#        same `cdx:hbom:analysis:*` / `cdx:hbom:evidence:*` fields through `bom` instead.
#   `$prop(obj, key)` reads a property value, `$hasProp(obj, key)` tests presence only,
#   `$propList(obj, key)` reads a list-valued property, `$safeStr`, `$firstNonEmpty`,
#   `$listContains`, `$startsWith`, `$lowercase`, `$number`, `$count`, `$not` are helpers
#   provided by the engine - their exact null/empty semantics are assumed, not shown here.

# HBC-001: fires on Linux hosts when NO board component carries any of the five provenance
# properties. A board that carries even one of them (e.g. only biosVersion) satisfies the rule;
# it checks presence, not value quality.
- id: HBC-001
  name: "HBOM inventory lacks firmware or board provenance"
  description: "Incomplete firmware or board provenance weakens auditability for hardware refresh, attestation, and patch-governance workflows."
  severity: medium
  category: hbom-compliance
  dry-run-support: full
  standards:
    nist-800-53:
      - "CM-8 System Component Inventory"
      - "SI-7 Software, Firmware, and Information Integrity"
    cis-controls-v8:
      - "1.1 Establish and Maintain Detailed Enterprise Asset Inventory"
  # Platform is compared as a string via $safeStr, so a missing platform property does not match.
  # Note the missing `type = 'device'` guard that most other rules carry; this one keys on platform.
  condition: |
    metadata.component[
      $safeStr($prop($, 'cdx:hbom:platform')) = 'linux'
      and $count(
        $$.components[
          $prop($, 'cdx:hbom:hardwareClass') = 'board'
          and (
            $hasProp($, 'cdx:hbom:boardVendor')
            or $hasProp($, 'cdx:hbom:boardName')
            or $hasProp($, 'cdx:hbom:biosVendor')
            or $hasProp($, 'cdx:hbom:biosVersion')
            or $hasProp($, 'cdx:hbom:firmwareDate')
          )
        ]
      ) = 0
    ]
  location: |
    { "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber) }
  message: "HBOM for '{{ name }}' lacks board or firmware provenance fields needed for governance review"
  mitigation: "Enable richer firmware/board collection on supported Linux hosts, validate SMBIOS access, and ensure the inventory captures board vendor, board name, BIOS vendor, BIOS version, and firmware date where available."
  # boardComponentCount reports how many board components exist at all (0 means the host has no
  # board entry, which also satisfies the condition above), so reviewers can tell the two cases apart.
  evidence: |
    {
      "platform": $prop($, 'cdx:hbom:platform'),
      "architecture": $prop($, 'cdx:hbom:architecture'),
      "collectorProfile": $prop(bom, 'cdx:hbom:collectorProfile'),
      "boardComponentCount": $count($$.components[$prop($, 'cdx:hbom:hardwareClass') = 'board'])
    }

# HBC-002: a device component must carry platform, architecture, and at least one of
# serialNumber / platformUuid / assetTag. The description also mentions "model", but the
# condition below does not check a model property.
# NOTE(review): whether a redacted identifier policy (see HBC-005) still leaves these identifier
# properties present - so that HBC-002 and HBC-005 do not fire against each other - is not
# visible in this file; confirm against the collector.
- id: HBC-002
  name: "Managed asset identity is incomplete"
  description: "HBOMs used for fleet governance should capture stable host identity fields such as model, platform, and serial or asset identifiers."
  severity: medium
  category: hbom-compliance
  dry-run-support: full
  standards:
    nist-800-53:
      - "CM-8 System Component Inventory"
    cis-controls-v8:
      - "1.1 Establish and Maintain Detailed Enterprise Asset Inventory"
    iso-27001:
      - "A.5.9 Inventory of information and other associated assets"
  condition: |
    metadata.component[
      type = 'device'
      and (
        $hasProp($, 'cdx:hbom:platform') = false
        or $hasProp($, 'cdx:hbom:architecture') = false
        or (
          $hasProp($, 'cdx:hbom:serialNumber') = false
          and $hasProp($, 'cdx:hbom:platformUuid') = false
          and $hasProp($, 'cdx:hbom:assetTag') = false
        )
      )
    ]
  location: |
    { "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber) }
  message: "HBOM metadata for '{{ name }}' is missing stable asset identity fields required for governance workflows"
  mitigation: "Capture platform, architecture, and at least one durable host identifier (serial, platform UUID, or asset tag) so the device can be reconciled with CMDB and lifecycle systems."
  # The evidence echoes the raw identifier values when present; findings for this rule therefore
  # carry the same identity data as the BOM itself and deserve the same handling.
  evidence: |
    {
      "platform": $prop($, 'cdx:hbom:platform'),
      "architecture": $prop($, 'cdx:hbom:architecture'),
      "serialNumber": $prop($, 'cdx:hbom:serialNumber'),
      "platformUuid": $prop($, 'cdx:hbom:platformUuid'),
      "assetTag": $prop($, 'cdx:hbom:assetTag')
    }

# HBC-003: fires when the BOM-level command evidence is absent, empty/zero, or lacks the
# command list. `$firstNonEmpty(..., '0')` maps a missing or empty count to 0 before the
# numeric compare, so the middle clause also covers a blank value.
- id: HBC-003
  name: "HBOM collector evidence is incomplete"
  description: "Governance review is weaker when the BOM omits the collector command evidence used to derive the hardware inventory."
  severity: medium
  category: hbom-compliance
  dry-run-support: full
  condition: |
    metadata.component[
      type = 'device'
      and (
        $hasProp($$, 'cdx:hbom:evidence:commandCount') = false
        or $number($firstNonEmpty($prop($$, 'cdx:hbom:evidence:commandCount'), '0')) = 0
        or $hasProp($$, 'cdx:hbom:evidence:command') = false
      )
    ]
  location: |
    { "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber) }
  message: "HBOM for '{{ name }}' is missing collector command evidence needed for reproducible review"
  mitigation: "Retain command-evidence metadata in the distributed BOM, or attach equivalent collection provenance so reviewers can understand how the hardware inventory was derived."
  evidence: |
    {
      "collectorProfile": $prop(bom, 'cdx:hbom:collectorProfile'),
      "commandCount": $prop(bom, 'cdx:hbom:evidence:commandCount'),
      "commandEvidence": $prop(bom, 'cdx:hbom:evidence:command')
    }

# HBC-004: only evaluated when at least one storage-volume component exists; fires when none of
# them carries an isEncrypted or fileVault property. This is a presence check - a volume whose
# isEncrypted value is false still counts as "posture evidence" and does not fire this rule.
- id: HBC-004
  name: "Storage inventory lacks encryption posture evidence"
  description: "Storage volumes without explicit encryption posture make it difficult to prove compliance with device and media protection requirements."
  severity: medium
  category: hbom-compliance
  dry-run-support: full
  standards:
    nist-800-53:
      - "SC-28 Protection of Information at Rest"
      - "CM-8 System Component Inventory"
  condition: |
    metadata.component[
      type = 'device'
      and $count($$.components[$prop($, 'cdx:hbom:hardwareClass') = 'storage-volume']) > 0
      and $count(
        $$.components[
          $prop($, 'cdx:hbom:hardwareClass') = 'storage-volume'
          and (
            $hasProp($, 'cdx:hbom:isEncrypted')
            or $hasProp($, 'cdx:hbom:fileVault')
          )
        ]
      ) = 0
    ]
  location: |
    { "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber) }
  message: "HBOM for '{{ name }}' includes storage volumes but no explicit encryption posture evidence"
  mitigation: "Enable volume-level enrichment on supported platforms or pair the HBOM with equivalent host controls evidence so encryption compliance can be verified."
  evidence: |
    {
      "storageVolumeCount": $count($$.components[$prop($, 'cdx:hbom:hardwareClass') = 'storage-volume']),
      "collectorProfile": $prop(bom, 'cdx:hbom:collectorProfile'),
      "platform": $prop($, 'cdx:hbom:platform')
    }

# HBC-005: fires only when an identifierPolicy property is present and its lower-cased value
# does not start with 'redacted'. A device with no identifierPolicy at all is NOT flagged here.
- id: HBC-005
  name: "HBOM uses non-redacted identifier policy"
  description: "HBOMs intended for broad distribution should avoid a non-redacted identifier policy unless raw identifiers are explicitly required by the receiving workflow."
  severity: medium
  category: hbom-compliance
  dry-run-support: full
  condition: |
    metadata.component[
      type = 'device'
      and $hasProp($, 'cdx:hbom:identifierPolicy')
      and $not($startsWith($lowercase($safeStr($prop($, 'cdx:hbom:identifierPolicy'))), 'redacted'))
    ]
  location: |
    { "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber) }
  message: "HBOM for '{{ name }}' uses identifier policy '{{ $prop($, 'cdx:hbom:identifierPolicy') }}' instead of a redacted posture"
  mitigation: "Default distributed HBOMs to redacted identifiers and keep raw hardware identity values confined to internal asset-governance workflows with a documented need-to-know."
  # Because this rule fires precisely when identifiers are NOT redacted, the serialNumber and
  # platformUuid values below are the raw ones; treat the finding output as sensitive as the BOM.
  evidence: |
    {
      "identifierPolicy": $prop($, 'cdx:hbom:identifierPolicy'),
      "serialNumber": $prop($, 'cdx:hbom:serialNumber'),
      "platformUuid": $prop($, 'cdx:hbom:platformUuid')
    }

# HBC-006: fires when the collector reported a positive missingCommandCount; a missing or empty
# count is coerced to 0 and does not fire. The list of affected commands is only in the evidence.
- id: HBC-006
  name: "HBOM collector is missing optional enrichment commands"
  description: "Missing native utilities reduce the hardware evidence available to governance, assurance, and troubleshooting workflows."
  severity: medium
  category: hbom-compliance
  dry-run-support: full
  condition: |
    metadata.component[
      type = 'device'
      and $number($firstNonEmpty($prop($$, 'cdx:hbom:analysis:missingCommandCount'), '0')) > 0
    ]
  location: |
    { "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber) }
  message: "HBOM for '{{ name }}' reported missing native enrichment commands"
  mitigation: "Install the reported utilities on the target host and rerun the HBOM collection so the inventory includes the richer structured hardware evidence those commands provide."
  evidence: |
    {
      "collectorProfile": $prop(bom, 'cdx:hbom:collectorProfile'),
      "missingCommandCount": $prop(bom, 'cdx:hbom:analysis:missingCommandCount'),
      "missingCommands": $propList(bom, 'cdx:hbom:analysis:missingCommands'),
      "diagnosticIssues": $propList(bom, 'cdx:hbom:analysis:diagnosticIssues')
    }

# HBC-007: same shape as HBC-006 but keyed on permissionDeniedCount. The condition does not read
# the requiresPrivileged flag; that value is surfaced only in the evidence for the reviewer.
- id: HBC-007
  name: "HBOM collector hit permission-denied enrichments"
  description: "Permission-sensitive enrichments that fail during collection often leave firmware, graphics, or SMBIOS evidence incomplete until the host is rerun with the documented privileged mode."
  severity: medium
  category: hbom-compliance
  dry-run-support: full
  standards:
    nist-800-53:
      - "CM-8 System Component Inventory"
      - "SI-7 Software, Firmware, and Information Integrity"
  condition: |
    metadata.component[
      type = 'device'
      and $number($firstNonEmpty($prop($$, 'cdx:hbom:analysis:permissionDeniedCount'), '0')) > 0
    ]
  location: |
    { "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber) }
  message: "HBOM for '{{ name }}' hit permission-denied enrichments that likely require a rerun with --privileged"
  mitigation: "Where policy allows, rerun HBOM collection with --privileged so cdx-hbom can use the documented non-interactive sudo path for permission-sensitive Linux enrichments."
  evidence: |
    {
      "collectorProfile": $prop(bom, 'cdx:hbom:collectorProfile'),
      "permissionDeniedCount": $prop(bom, 'cdx:hbom:analysis:permissionDeniedCount'),
      "permissionDeniedCommands": $propList(bom, 'cdx:hbom:analysis:permissionDeniedCommands'),
      "requiresPrivileged": $prop(bom, 'cdx:hbom:analysis:requiresPrivileged')
    }

# HBC-008: Linux-only; fires when the collector's missingCommandIds list names the fwupdmgr
# command id. The literal id 'fwupdmgr-devices-json' must match the id the collector emits
# (defined outside this file); a renamed id would silently stop this rule from firing.
- id: HBC-008
  name: "HBOM collector is missing firmware-management enrichment"
  description: "Without fwupd-derived metadata, governance teams lose update-protocol, firmware GUID, and device lifecycle context that is useful for firmware assurance and remediation planning."
  severity: medium
  category: hbom-compliance
  dry-run-support: full
  standards:
    nist-800-53:
      - "CM-8 System Component Inventory"
      - "SI-7 Software, Firmware, and Information Integrity"
  condition: |
    metadata.component[
      $safeStr($prop($, 'cdx:hbom:platform')) = 'linux'
      and $listContains($propList($$, 'cdx:hbom:analysis:missingCommandIds'), 'fwupdmgr-devices-json')
    ]
  location: |
    { "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber) }
  message: "HBOM for '{{ name }}' is missing firmware-management enrichment because fwupdmgr was unavailable"
  mitigation: "Install fwupd on the target host and rerun the collection so the BOM can capture protocol, flags, GUIDs, and related firmware-management properties where supported."
  evidence: |
    {
      "collectorProfile": $prop(bom, 'cdx:hbom:collectorProfile'),
      "missingCommandIds": $propList(bom, 'cdx:hbom:analysis:missingCommandIds'),
      "missingCommands": $propList(bom, 'cdx:hbom:analysis:missingCommands'),
      "installHintCount": $prop(bom, 'cdx:hbom:analysis:installHintCount')
    }

# HBC-009: Linux-only counterpart of HBC-008 for the permission-denied case, keyed on the
# literal collector id 'dmidecode-firmware-board' in permissionDeniedIds (same caveat on id
# drift as HBC-008). Overlaps with HBC-001 when the blocked enrichment leaves no board provenance.
- id: HBC-009
  name: "HBOM board and BIOS provenance was blocked by permissions"
  description: "When dmidecode-backed firmware and board enrichment is blocked, the HBOM may miss board-vendor, board-name, BIOS-version, and related governance evidence."
  severity: medium
  category: hbom-compliance
  dry-run-support: full
  standards:
    nist-800-53:
      - "CM-8 System Component Inventory"
      - "SI-7 Software, Firmware, and Information Integrity"
  condition: |
    metadata.component[
      $safeStr($prop($, 'cdx:hbom:platform')) = 'linux'
      and $listContains($propList($$, 'cdx:hbom:analysis:permissionDeniedIds'), 'dmidecode-firmware-board')
    ]
  location: |
    { "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber) }
  message: "HBOM for '{{ name }}' could not capture full board and BIOS provenance because dmidecode enrichment was blocked"
  mitigation: "Where policy allows, rerun with --privileged or equivalent access so the collector can gather firmware vendor, BIOS version, board vendor, and board name data."
  evidence: |
    {
      "collectorProfile": $prop(bom, 'cdx:hbom:collectorProfile'),
      "permissionDeniedIds": $propList(bom, 'cdx:hbom:analysis:permissionDeniedIds'),
      "permissionDeniedCommands": $propList(bom, 'cdx:hbom:analysis:permissionDeniedCommands'),
      "boardComponentCount": $count($$.components[$prop($, 'cdx:hbom:hardwareClass') = 'board'])
    }

# HBC-010: only evaluated when the BOM contains display-connector or display-adapter components;
# fires if either the edid-decode command was missing or the drm-info-json enrichment was
# permission-denied. Unlike HBC-008/009 there is no platform guard, although the mitigation text
# speaks of Linux displays.
- id: HBC-010
  name: "HBOM display and DRM evidence is incomplete"
  description: "Missing EDID decoding or blocked DRM enrichment reduces the fidelity of display, connector, and content-protection metadata used during workstation and kiosk governance reviews."
  severity: medium
  category: hbom-compliance
  dry-run-support: full
  condition: |
    metadata.component[
      $count(
        $$.components[
          $prop($, 'cdx:hbom:hardwareClass') = 'display-connector'
          or $prop($, 'cdx:hbom:hardwareClass') = 'display-adapter'
        ]
      ) > 0
      and (
        $listContains($propList($$, 'cdx:hbom:analysis:missingCommandIds'), 'edid-decode')
        or $listContains($propList($$, 'cdx:hbom:analysis:permissionDeniedIds'), 'drm-info-json')
      )
    ]
  location: |
    { "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber) }
  message: "HBOM for '{{ name }}' includes display hardware but the richer DRM or EDID evidence is incomplete"
  mitigation: "Install edid-decode where available and, if policy permits, rerun with --privileged so the collector can capture connector, mode, and content-protection metadata for Linux displays."
  evidence: |
    {
      "displayComponentCount": $count(
        $$.components[
          $prop($, 'cdx:hbom:hardwareClass') = 'display-connector'
          or $prop($, 'cdx:hbom:hardwareClass') = 'display-adapter'
        ]
      ),
      "missingCommandIds": $propList(bom, 'cdx:hbom:analysis:missingCommandIds'),
      "permissionDeniedIds": $propList(bom, 'cdx:hbom:analysis:permissionDeniedIds')
    }