
@cyclonedx/cdxgen


Creates CycloneDX Software Bill of Materials (SBOM) from source or container image

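# HBOM Security Rules
# Category: hbom-security
# Evaluates host hardware inventory for encryption, removable-media, wireless, and disclosure risks.
#
# Conventions shared by every rule in this file:
#   - `condition`, `location` and `evidence` are JSONata expressions evaluated against the BOM.
#   - $prop / $safeStr / $hasProp / $firstNonEmpty are helper functions supplied by the rule
#     engine, not defined here. $safeStr is compared against '' in HBS-002, so it is expected to
#     turn a missing property into an empty string rather than an error.
#   - Boolean-valued HBOM properties are compared as the strings 'true' / 'false'.
#   - Every rule that looks for the "redacted" identifier marker lowercases the value first so a
#     collector that emits "Redacted"/"REDACTED" is not misreported as a raw identifier.

# HBS-001 fires only on an explicit 'false'. A storage component that carries neither
# isEncrypted nor fileVault is NOT reported; absence of the property is not treated as
# "unencrypted", so a collector that cannot read encryption state produces no finding here.
- id: HBS-001
  name: "Storage component is explicitly unencrypted"
  description: "System or attached storage reported as unencrypted increases exposure for lost, stolen, or offline-access devices."
  severity: high
  category: hbom-security
  dry-run-support: full
  standards:
    nist-800-53:
      - "SC-28 Protection of Information at Rest"
    cis-controls-v8:
      - "3.11 Encrypt Sensitive Data at Rest"
    iso-27001:
      - "A.8.24 Use of cryptography"
  condition: |
    components[
      (
        $prop($, 'cdx:hbom:hardwareClass') = 'storage'
        or $prop($, 'cdx:hbom:hardwareClass') = 'storage-volume'
      )
      and (
        $safeStr($prop($, 'cdx:hbom:isEncrypted')) = 'false'
        or $safeStr($prop($, 'cdx:hbom:fileVault')) = 'false'
      )
    ]
  location: |
    { "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber) }
  message: "Storage component '{{ name }}' is reported as unencrypted"
  mitigation: "Enable full-disk or volume encryption, verify escrow/recovery procedures, and confirm the device is enrolled in the intended encryption baseline."
  evidence: |
    {
      "hardwareClass": $prop($, 'cdx:hbom:hardwareClass'),
      "isEncrypted": $prop($, 'cdx:hbom:isEncrypted'),
      "fileVault": $prop($, 'cdx:hbom:fileVault'),
      "volumeUuid": $prop($, 'cdx:hbom:volumeUuid'),
      "deviceSerial": $prop($, 'cdx:hbom:deviceSerial')
    }

# HBS-002 only considers adapters that are currently connected. A connected adapter with no
# securityMode at all is reported as "missing" security (the '' comparison). The weak-mode
# check is a substring match on the lowercased value; only open/WEP/none are listed, so a
# WPA(1)/TKIP-only mode would not be flagged even though the mitigation targets WPA2/WPA3 —
# extend the list if the collector reports such modes for this host profile.
- id: HBS-002
  name: "Connected wireless adapter uses weak or missing link security"
  description: "Wireless adapters connected without strong link security indicate elevated interception and unauthorized access risk."
  severity: high
  category: hbom-security
  dry-run-support: full
  standards:
    nist-800-53:
      - "AC-18 Wireless Access"
      - "SC-13 Cryptographic Protection"
  condition: |
    components[
      $prop($, 'cdx:hbom:hardwareClass') = 'wireless-adapter'
      and $safeStr($prop($, 'cdx:hbom:connected')) = 'true'
      and (
        $safeStr($prop($, 'cdx:hbom:securityMode')) = ''
        or $contains($lowercase($safeStr($prop($, 'cdx:hbom:securityMode'))), 'open')
        or $contains($lowercase($safeStr($prop($, 'cdx:hbom:securityMode'))), 'wep')
        or $contains($lowercase($safeStr($prop($, 'cdx:hbom:securityMode'))), 'none')
      )
    ]
  location: |
    { "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber) }
  message: "Wireless adapter '{{ name }}' is connected with weak or missing security mode '{{ $firstNonEmpty($prop($, 'cdx:hbom:securityMode'), 'unknown') }}'"
  mitigation: "Move the device to WPA2/WPA3-class protections, review SSID policy, and confirm that open or legacy wireless modes are not permitted for the host profile."
  evidence: |
    {
      "securityMode": $prop($, 'cdx:hbom:securityMode'),
      "channel": $prop($, 'cdx:hbom:channel'),
      "phyMode": $prop($, 'cdx:hbom:phyMode'),
      "countryCode": $prop($, 'cdx:hbom:countryCode'),
      "firmwareVersion": $prop($, 'cdx:hbom:firmwareVersion')
    }

# HBS-003 requires an explicit isRemovable = 'true' and then an explicit 'false' on either
# isEncrypted or isLocked. Note the second clause: an encrypted volume that is currently
# unlocked (isLocked = 'false') still fires, because an unlocked volume is readable by the
# host. As with HBS-001, removable media with no encryption/lock properties is not reported.
- id: HBS-003
  name: "Removable storage is attached without encryption or lock evidence"
  description: "Attached removable storage that is explicitly unlocked or unencrypted increases data-exfiltration and malware-ingress risk."
  severity: high
  category: hbom-security
  dry-run-support: full
  standards:
    nist-800-53:
      - "MP-7 Media Use"
      - "SC-28 Protection of Information at Rest"
    cis-controls-v8:
      - "3.9 Encrypt Data on Removable Media"
  condition: |
    components[
      (
        $prop($, 'cdx:hbom:hardwareClass') = 'storage'
        or $prop($, 'cdx:hbom:hardwareClass') = 'storage-volume'
      )
      and $safeStr($prop($, 'cdx:hbom:isRemovable')) = 'true'
      and (
        $safeStr($prop($, 'cdx:hbom:isEncrypted')) = 'false'
        or $safeStr($prop($, 'cdx:hbom:isLocked')) = 'false'
      )
    ]
  location: |
    { "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber) }
  message: "Removable storage '{{ name }}' is attached without encryption or lock assurance"
  mitigation: "Remove unapproved removable media, require encrypted removable devices, and verify the host's removable-media control policy."
  evidence: |
    {
      "isRemovable": $prop($, 'cdx:hbom:isRemovable'),
      "isEncrypted": $prop($, 'cdx:hbom:isEncrypted'),
      "isLocked": $prop($, 'cdx:hbom:isLocked'),
      "connectionType": $prop($, 'cdx:hbom:connectionType'),
      "transport": $prop($, 'cdx:hbom:transport')
    }

# HBS-004 checks both the host entry (metadata.component: serialNumber, platformUuid) and every
# component (serialNumber, macAddress, deviceSerial) and reports any identifier that is present
# but does not start with the "redacted" marker. The marker comparison is case-insensitive, the
# same as HBS-006, so the two disclosure rules agree on what counts as redacted.
# NOTE(review): the evidence block copies the raw identifier values into the finding itself, so a
# findings report carries exactly the values this rule warns about. If findings are distributed
# more widely than the HBOM, consider reporting presence flags or identifierPolicy only.
- id: HBS-004
  name: "HBOM exposes raw hardware identifiers"
  description: "Raw serial numbers, MAC addresses, or platform UUIDs in the BOM can leak asset intelligence beyond the intended audience."
  severity: medium
  category: hbom-security
  dry-run-support: full
  condition: |
    $append(
      metadata.component[
        (
          $hasProp($, 'cdx:hbom:serialNumber')
          and $startsWith($lowercase($safeStr($prop($, 'cdx:hbom:serialNumber'))), 'redacted') = false
        )
        or (
          $hasProp($, 'cdx:hbom:platformUuid')
          and $startsWith($lowercase($safeStr($prop($, 'cdx:hbom:platformUuid'))), 'redacted') = false
        )
      ],
      components[
        (
          $hasProp($, 'cdx:hbom:serialNumber')
          and $startsWith($lowercase($safeStr($prop($, 'cdx:hbom:serialNumber'))), 'redacted') = false
        )
        or (
          $hasProp($, 'cdx:hbom:macAddress')
          and $startsWith($lowercase($safeStr($prop($, 'cdx:hbom:macAddress'))), 'redacted') = false
        )
        or (
          $hasProp($, 'cdx:hbom:deviceSerial')
          and $startsWith($lowercase($safeStr($prop($, 'cdx:hbom:deviceSerial'))), 'redacted') = false
        )
      ]
    )
  location: |
    { "bomRef": $firstNonEmpty($."bom-ref", metadata.component."bom-ref", bom.serialNumber) }
  message: "HBOM entry '{{ name }}' exposes raw hardware identifiers that should be reviewed before distribution"
  mitigation: "Use redacted identifier mode for externally shared HBOMs and restrict raw identifiers to tightly controlled internal asset workflows."
  evidence: |
    {
      "identifierPolicy": $firstNonEmpty($prop($, 'cdx:hbom:identifierPolicy'), $prop(metadata.component, 'cdx:hbom:identifierPolicy')),
      "serialNumber": $prop($, 'cdx:hbom:serialNumber'),
      "macAddress": $prop($, 'cdx:hbom:macAddress'),
      "deviceSerial": $prop($, 'cdx:hbom:deviceSerial'),
      "platformUuid": $prop(metadata.component, 'cdx:hbom:platformUuid')
    }

# HBS-005 is gated on at least one of securityLevel / iommuProtection / policy being present so
# hosts with no external expansion bus produce no finding. Of the gated properties only
# securityLevel and iommuProtection are evaluated; `policy` (and `authorized`, `bootAclCount`)
# are surfaced as evidence for the analyst but do not by themselves trigger the rule.
# A securityLevel containing "user" is treated as permissive alongside "none" and "legacy".
- id: HBS-005
  name: "External expansion bus reports permissive security posture"
  description: "A Thunderbolt or USB4 path with permissive security level or disabled IOMMU protection increases the risk of DMA-style or rogue-device attack paths."
  severity: high
  category: hbom-security
  dry-run-support: full
  standards:
    nist-800-53:
      - "CM-8 System Component Inventory"
      - "SC-7 Boundary Protection"
      - "SI-16 Memory Protection"
  condition: |
    components[
      (
        $hasProp($, 'cdx:hbom:securityLevel')
        or $hasProp($, 'cdx:hbom:iommuProtection')
        or $hasProp($, 'cdx:hbom:policy')
      )
      and (
        $contains($lowercase($safeStr($prop($, 'cdx:hbom:securityLevel'))), 'none')
        or $contains($lowercase($safeStr($prop($, 'cdx:hbom:securityLevel'))), 'legacy')
        or $contains($lowercase($safeStr($prop($, 'cdx:hbom:securityLevel'))), 'user')
        or $safeStr($prop($, 'cdx:hbom:iommuProtection')) = 'false'
      )
    ]
  location: |
    { "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber) }
  message: "External expansion component '{{ name }}' reports a permissive security posture or missing IOMMU protection"
  mitigation: "Require a stronger Thunderbolt/USB4 security level, verify IOMMU protection is enabled, and review auto-authorization policy before trusting hot-plug external devices."
  evidence: |
    {
      "securityLevel": $prop($, 'cdx:hbom:securityLevel'),
      "iommuProtection": $prop($, 'cdx:hbom:iommuProtection'),
      "policy": $prop($, 'cdx:hbom:policy'),
      "authorized": $prop($, 'cdx:hbom:authorized'),
      "bootAclCount": $prop($, 'cdx:hbom:bootAclCount')
    }

# HBS-006 is the cellular counterpart of HBS-004: a component is in scope if it is classed as a
# modem or carries any of the three identifier properties, and it is reported when one of those
# identifiers is present and does not start with the (case-insensitive) "redacted" marker.
# NOTE(review): as with HBS-004, the evidence block echoes the raw IMEI / equipment identifier /
# subscriber numbers into the finding; treat the findings output with the same care as the HBOM.
- id: HBS-006
  name: "HBOM exposes raw cellular or subscriber identifiers"
  description: "Raw modem equipment identifiers, IMEIs, or subscriber numbers in the BOM can leak privacy-sensitive fleet and subscriber intelligence."
  severity: medium
  category: hbom-security
  dry-run-support: full
  condition: |
    components[
      (
        $prop($, 'cdx:hbom:hardwareClass') = 'modem'
        or $hasProp($, 'cdx:hbom:equipmentIdentifier')
        or $hasProp($, 'cdx:hbom:imei')
        or $hasProp($, 'cdx:hbom:ownNumbers')
      )
      and (
        (
          $hasProp($, 'cdx:hbom:equipmentIdentifier')
          and $startsWith($lowercase($safeStr($prop($, 'cdx:hbom:equipmentIdentifier'))), 'redacted') = false
        )
        or (
          $hasProp($, 'cdx:hbom:imei')
          and $startsWith($lowercase($safeStr($prop($, 'cdx:hbom:imei'))), 'redacted') = false
        )
        or (
          $hasProp($, 'cdx:hbom:ownNumbers')
          and $startsWith($lowercase($safeStr($prop($, 'cdx:hbom:ownNumbers'))), 'redacted') = false
        )
      )
    ]
  location: |
    { "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber) }
  message: "Cellular component '{{ name }}' exposes raw modem or subscriber identifiers that should be reviewed before distribution"
  mitigation: "Keep modem identifiers redacted in shared HBOMs and restrict raw IMEI, equipment, or subscriber number exposure to tightly controlled internal device-management workflows."
  evidence: |
    {
      "equipmentIdentifier": $prop($, 'cdx:hbom:equipmentIdentifier'),
      "imei": $prop($, 'cdx:hbom:imei'),
      "ownNumbers": $prop($, 'cdx:hbom:ownNumbers'),
      "identifierPolicy": $firstNonEmpty($prop($, 'cdx:hbom:identifierPolicy'), $prop(metadata.component, 'cdx:hbom:identifierPolicy'))
    }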