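# Host Topology Rules
# Category: host-topology
# Evaluates strict, evidence-backed insights derived from merged HBOM + OBOM inventories.
#
# Evaluation model, as far as the rules below show it (the engine itself is not in this file):
#   - `condition` is a JSONata predicate over the BOM document; `components[...]` and
#     `metadata.component[...]` select the nodes a rule fires on, and `$$` inside it is the
#     document root.
#   - In `location`, `message` and `evidence`, `$` is the matched node and `bom` is the
#     document root (used for `bom.serialNumber` and `bom.components`).
#   - `$prop`, `$hasProp`, `$firstNonEmpty` and `$safeStr` are helpers supplied by the rule
#     runtime, not defined here.
#   - Every numeric comparison goes through `$number($firstNonEmpty(..., '0'))` so that an
#     absent property counts as 0. NOTE(review): a property that is present but non-numeric
#     reaches `$number()` unguarded -- confirm the collectors only emit numbers here.

- id: HMX-001
  name: "Active wired interface with live runtime addresses is operating degraded"
  description: "A wired interface that is actually carrying runtime addresses but is negotiated at low bandwidth or half duplex represents a higher-confidence performance issue than hardware inventory alone."
  severity: medium
  category: host-topology
  dry-run-support: partial
  # Fires for a 'network-interface' hardware component that (a) has at least one linked
  # runtime address and (b) is either half duplex or reports a negotiated speed in the
  # open interval (0, 1000) Mbps. An interface without a speedMbps property is only reported
  # for half duplex; a speed of 0 is treated as "not negotiated" rather than degraded.
  # NOTE(review): nothing here excludes a wireless NIC inventoried as 'network-interface'
  # (HMX-002 explicitly accepts that shape), so a sub-gigabit Wi-Fi link would be reported
  # as a "wired" degradation -- confirm hardwareClass semantics with the HBOM collector.
  condition: |
    components[
      $prop($, 'cdx:hbom:hardwareClass') = 'network-interface'
      and $number($firstNonEmpty($prop($, 'cdx:hostview:interface_addresses:count'), '0')) > 0
      and (
        $lowercase($safeStr($prop($, 'cdx:hbom:duplex'))) = 'half'
        or (
          $hasProp($, 'cdx:hbom:speedMbps')
          and $number($prop($, 'cdx:hbom:speedMbps')) > 0
          and $number($prop($, 'cdx:hbom:speedMbps')) < 1000
        )
      )
    ]
  location: |
    { "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber) }
  message: "Interface '{{ name }}' has live runtime address evidence but negotiated degraded duplex or bandwidth characteristics"
  mitigation: "Inspect cabling, switch policy, NIC firmware/driver, and negotiated link settings before treating the issue as application-only latency."
  evidence: |
    {
      "runtimeAddressCount": $prop($, 'cdx:hostview:interface_addresses:count'),
      "driver": $prop($, 'cdx:hbom:driver'),
      "speedMbps": $prop($, 'cdx:hbom:speedMbps'),
      "duplex": $prop($, 'cdx:hbom:duplex'),
      "operState": $prop($, 'cdx:hbom:operState')
    }

- id: HMX-002
  name: "Wireless interface with live runtime address uses weak or missing link security"
  description: "Weak wireless security on an interface that also has runtime address evidence is a stronger exposure signal than hardware inventory alone."
  severity: high
  category: host-topology
  dry-run-support: partial
  # Candidate set: any 'wireless-adapter', plus a 'network-interface' that carries a
  # securityMode property (treated as wireless by that evidence). The interface must have at
  # least one linked runtime address.
  # Weak-mode test: securityMode is empty/absent, or its lowercase value *contains* 'open',
  # 'wep' or 'none'. This is a substring denylist -- any other value passes, including WPA
  # (TKIP) or WPA2 configured with weak ciphers, and a label that merely contains 'open'
  # (e.g. an OWE / "Enhanced Open" mode, if the collector names it that way) would match.
  # NOTE(review): if collectors emit normalized mode names, an allowlist of accepted
  # WPA2/WPA3 modes would be the safer test; confirm the value vocabulary first.
  condition: |
    components[
      (
        $prop($, 'cdx:hbom:hardwareClass') = 'wireless-adapter'
        or (
          $prop($, 'cdx:hbom:hardwareClass') = 'network-interface'
          and $hasProp($, 'cdx:hbom:securityMode')
        )
      )
      and $number($firstNonEmpty($prop($, 'cdx:hostview:interface_addresses:count'), '0')) > 0
      and (
        $safeStr($prop($, 'cdx:hbom:securityMode')) = ''
        or $contains($lowercase($safeStr($prop($, 'cdx:hbom:securityMode'))), 'open')
        or $contains($lowercase($safeStr($prop($, 'cdx:hbom:securityMode'))), 'wep')
        or $contains($lowercase($safeStr($prop($, 'cdx:hbom:securityMode'))), 'none')
      )
    ]
  location: |
    { "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber) }
  message: "Wireless interface '{{ name }}' has live runtime address evidence while using weak or missing security mode '{{ $firstNonEmpty($prop($, 'cdx:hbom:securityMode'), 'unknown') }}'"
  mitigation: "Move the interface to WPA2/WPA3-class protections, review SSID policy, and verify that actively routed wireless links meet enterprise security baselines."
  evidence: |
    {
      "runtimeAddressCount": $prop($, 'cdx:hostview:interface_addresses:count'),
      "securityMode": $prop($, 'cdx:hbom:securityMode'),
      "channel": $prop($, 'cdx:hbom:channel'),
      "phyMode": $prop($, 'cdx:hbom:phyMode')
    }

- id: HMX-003
  name: "Merged host inventory lacks strict hardware/runtime topology links"
  description: "When a merged HBOM+OBOM view contains no strict cross-domain topology links, reviewers should treat combined host conclusions cautiously and inspect collection coverage."
  severity: medium
  category: host-topology
  dry-run-support: partial
  # Evaluated on metadata.component (the host itself), not on the component list: a 'device'
  # produced in 'hbom-obom-merged' mode whose topologyLinkCount is 0 (or absent). This is a
  # coverage signal for the other HMX rules, which all depend on those links existing.
  condition: |
    metadata.component[
      type = 'device'
      and $prop($, 'cdx:hostview:mode') = 'hbom-obom-merged'
      and $number($firstNonEmpty($prop($, 'cdx:hostview:topologyLinkCount'), '0')) = 0
    ]
  location: |
    { "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber) }
  message: "Merged host inventory for '{{ name }}' contains no strict HBOM-to-OBOM topology links"
  mitigation: "Review collector coverage, ensure runtime categories such as interface_addresses or kernel_modules are available, and prefer exact identifier-bearing probes over heuristic joins."
  evidence: |
    {
      "hostViewMode": $prop($, 'cdx:hostview:mode'),
      "hardwareComponentCount": $prop($, 'cdx:hostview:hardwareComponentCount'),
      "runtimeComponentCount": $prop($, 'cdx:hostview:runtimeComponentCount'),
      "topologyLinkCount": $prop($, 'cdx:hostview:topologyLinkCount')
    }

- id: HMX-004
  name: "Mounted storage with explicit runtime evidence is reporting degraded health"
  description: "Storage health issues become higher-confidence operational findings when the hardware component is also linked to an active runtime mount or logical drive using exact identifiers."
  severity: high
  category: host-topology
  dry-run-support: partial
  # Candidate set: hardware components of class 'storage', 'storage-device' or
  # 'storage-volume' that are linked to at least one mount_hardening or runtime-storage
  # runtime record. Degraded means: smartStatus contains 'fail', health contains 'degrad',
  # or wearPercentageUsed >= 90. The two string tests are substring matches on the
  # lowercased value; an absent wear value counts as 0 and never trips the threshold.
  condition: |
    components[
      (
        $prop($, 'cdx:hbom:hardwareClass') = 'storage'
        or $prop($, 'cdx:hbom:hardwareClass') = 'storage-device'
        or $prop($, 'cdx:hbom:hardwareClass') = 'storage-volume'
      )
      and (
        $number($firstNonEmpty($prop($, 'cdx:hostview:mount_hardening:count'), '0')) > 0
        or $number($firstNonEmpty($prop($, 'cdx:hostview:runtime-storage:count'), '0')) > 0
      )
      and (
        $contains($lowercase($safeStr($prop($, 'cdx:hbom:smartStatus'))), 'fail')
        or $contains($lowercase($safeStr($prop($, 'cdx:hbom:health'))), 'degrad')
        or $number($firstNonEmpty($prop($, 'cdx:hbom:wearPercentageUsed'), '0')) >= 90
      )
    ]
  location: |
    { "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber) }
  message: "Storage component '{{ name }}' is explicitly linked to a runtime mount or drive while reporting degraded health telemetry"
  mitigation: "Prioritize remediation for the backing device because the linked runtime mount evidence shows the degraded storage is actively in use."
  evidence: |
    {
      "mountCount": $prop($, 'cdx:hostview:mount_hardening:count'),
      "runtimeStorageCount": $prop($, 'cdx:hostview:runtime-storage:count'),
      "smartStatus": $prop($, 'cdx:hbom:smartStatus'),
      "health": $prop($, 'cdx:hbom:health'),
      "wearPercentageUsed": $prop($, 'cdx:hbom:wearPercentageUsed')
    }

- id: HMX-005
  name: "Explicit HBOM secure-boot trust anchor matches a revoked runtime Secure Boot certificate"
  description: "When HBOM metadata carries an explicit Secure Boot certificate identifier that strictly links to runtime secureboot_certificates data, revoked trust anchors indicate a higher-confidence firmware trust issue."
  severity: high
  category: host-topology
  dry-run-support: partial
  # Matches runtime components in the osquery 'secureboot_certificates' category whose
  # 'revoked' property is > 0, but only when the host (metadata.component) carries at least
  # one HBOM secure-boot link (cdx:hostview:secureboot_certificates:count > 0).
  # NOTE(review): that gate is host-wide, not per certificate -- once any trust-anchor link
  # exists, every revoked entry fires; the rule does not verify that the linked anchor *is*
  # this certificate, so "matches" in the name overstates the strictness.
  # NOTE(review): 'revoked' is read as an unnamespaced property. If it mirrors membership in
  # the dbx (forbidden-signature) database, revoked entries are the expected content of dbx;
  # confirm the collector's semantics before treating every hit as a trust issue.
  condition: |
    components[
      $prop($, 'cdx:osquery:category') = 'secureboot_certificates'
      and $number($firstNonEmpty($prop($, 'revoked'), '0')) > 0
      and $number($firstNonEmpty($prop($$.metadata.component, 'cdx:hostview:secureboot_certificates:count'), '0')) > 0
    ]
  location: |
    { "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber) }
  message: "Secure Boot certificate '{{ name }}' is revoked and the host also has an explicit HBOM trust-anchor link for this Secure Boot surface"
  mitigation: "Review firmware trust policy, remove revoked Secure Boot entries from active trust sets, and verify that the expected db/dbx anchors on the host still match the approved platform state."
  # The link count lives on metadata.component -- that is where the condition reads it -- so
  # the evidence reads it from the document root via `bom` rather than from `$`, the matched
  # certificate component, which does not carry the hostview count. The matched component's
  # own 'revoked' value is included so the finding is self-describing.
  evidence: |
    {
      "revoked": $prop($, 'revoked'),
      "linkedSecureBootCertificateCount": $prop(bom.metadata.component, 'cdx:hostview:secureboot_certificates:count'),
      "revokedCertificateCount": $count(bom.components[
        $prop($, 'cdx:osquery:category') = 'secureboot_certificates'
        and $number($firstNonEmpty($prop($, 'revoked'), '0')) > 0
      ])
    }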