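# CBOM Security and Compliance Rules
# Category: cbom-security, cbom-compliance
# Evaluates cryptographic assets (algorithms, protocols, certificates, related-crypto-material) for weaknesses.
#
# Conventions shared by every rule in this file:
#   - `condition` is a JSONata expression over the BOM that selects the components
#     violating the rule (all rules filter `components[...]`).
#   - `location` and `evidence` are JSONata objects evaluated per matched component.
#   - `message` is a template rendered per matched component ({{ ... }} placeholders).
#   - $contains, $lowercase, $number and $not are JSONata built-ins. $safeStr,
#     $firstNonEmpty and $hasProp are not; they are presumably supplied by the rule
#     engine ($safeStr looks like it coerces a missing value to a string so that the
#     $contains/$lowercase calls never receive undefined) — confirm against the engine.

# Weak hash / cipher families. The family is lower-cased and substring-matched, so
# 'des' also covers '3des'/'desede', and 'sha-1'/'sha1' cover both spellings.
# NOTE(review): only `algorithmProperties.algorithmFamily` is inspected; a CBOM that
# carries the algorithm name solely in the component `name` will not match — verify
# which schema versions populate algorithmFamily.
- id: CBS-001
  name: "Weak/Deprecated Cryptographic Algorithm"
  description: "Usage of weak or deprecated cryptographic algorithms such as MD4, MD5, SHA-1, RC2, RC4, DES, 3DES, or Blowfish exposes data to decryption or collision attacks."
  severity: high
  category: cbom-security
  dry-run-support: full
  standards:
    nist-800-53:
      - "SC-13 Cryptographic Protection"
    iso-27001:
      - "A.8.24 Use of cryptography"
  # The normalised family is bound once to $fam so each weak-family check reads the
  # same value; the list of substrings is the single place to extend.
  condition: |
    components[
      cryptoProperties.assetType = 'algorithm' and (
        $fam := $lowercase($safeStr(cryptoProperties.algorithmProperties.algorithmFamily));
        $contains($fam, 'md5') or
        $contains($fam, 'sha-1') or
        $contains($fam, 'sha1') or
        $contains($fam, 'rc4') or
        $contains($fam, 'des') or
        $contains($fam, 'blowfish') or
        $contains($fam, 'md4') or
        $contains($fam, 'rc2')
      )
    ]
  location: |
    {
      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
    }
  message: "Weak/Deprecated cryptographic algorithm family '{{ cryptoProperties.algorithmProperties.algorithmFamily }}' detected in component '{{ name }}'"
  mitigation: "Migrate to secure alternatives like SHA-256, SHA-3, or AES-GCM."
  evidence: |
    {
      "algorithmFamily": cryptoProperties.algorithmProperties.algorithmFamily,
      "primitive": cryptoProperties.algorithmProperties.primitive
    }

# Unauthenticated block-cipher modes. ECB is always reported; CBC is reported unless
# the component is recorded as authenticated encryption (primitive 'ae').
# $not(primitive = 'ae') is used instead of `primitive != 'ae'` on purpose: JSONata
# returns false for both = and != when one operand is missing, so a CBC entry with no
# `primitive` recorded would otherwise never be flagged. With $not, a missing primitive
# counts as "not AEAD" and the entry is reported.
- id: CBS-002
  name: "Insecure Cipher Mode of Operation"
  description: "Electronic Codebook (ECB) mode lacks cryptographic diffusion and exposes patterns in ciphertext, while Cipher Block Chaining (CBC) without authenticated encryption (AEAD) is vulnerable to padding oracle attacks."
  severity: high
  category: cbom-security
  dry-run-support: full
  standards:
    nist-800-53:
      - "SC-13 Cryptographic Protection"
  condition: |
    components[
      cryptoProperties.assetType = 'algorithm' and (
        cryptoProperties.algorithmProperties.mode = 'ecb' or
        (
          cryptoProperties.algorithmProperties.mode = 'cbc' and
          $not(cryptoProperties.algorithmProperties.primitive = 'ae')
        )
      )
    ]
  location: |
    {
      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
    }
  message: "Insecure cipher mode '{{ cryptoProperties.algorithmProperties.mode }}' detected for component '{{ name }}'"
  mitigation: "Use authenticated encryption modes such as GCM or CCM."
  evidence: |
    {
      "algorithmFamily": cryptoProperties.algorithmProperties.algorithmFamily,
      "mode": cryptoProperties.algorithmProperties.mode,
      "primitive": cryptoProperties.algorithmProperties.primitive
    }

# Thresholds: classical security level below 128 bits for algorithms, private keys
# below 2048 bits for related-crypto-material. The `> 0` guards skip entries where
# the value is absent or unparsable ($number of a missing value does not yield a
# positive number).
# NOTE(review): the private-key clause knows nothing about the key's algorithm, so an
# EC or EdDSA private key (e.g. a 256-bit P-256 key) is reported as weak although it
# is not. Correlate such findings with the material's algorithm reference before
# acting on them; a fix would need that cross-component lookup.
- id: CBS-003
  name: "Insufficient Classical Security Level or Key Size"
  description: "Symmetric algorithms with security levels under 128 bits, or asymmetric algorithms (like RSA) with keys under 2048 bits, are vulnerable to brute-force attacks."
  severity: high
  category: cbom-security
  dry-run-support: full
  standards:
    nist-800-53:
      - "SC-13 Cryptographic Protection"
  condition: |
    components[
      (
        cryptoProperties.assetType = 'algorithm' and
        $number(cryptoProperties.algorithmProperties.classicalSecurityLevel) > 0 and
        $number(cryptoProperties.algorithmProperties.classicalSecurityLevel) < 128
      ) or (
        cryptoProperties.assetType = 'related-crypto-material' and
        cryptoProperties.relatedCryptoMaterialProperties.type = 'private-key' and
        $number(cryptoProperties.relatedCryptoMaterialProperties.size) > 0 and
        $number(cryptoProperties.relatedCryptoMaterialProperties.size) < 2048
      )
    ]
  location: |
    {
      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
    }
  message: "Cryptographic strength is insufficient: {{ $firstNonEmpty(cryptoProperties.algorithmProperties.classicalSecurityLevel, cryptoProperties.relatedCryptoMaterialProperties.size) }} bits"
  mitigation: "Upgrade key lengths to at least 128 bits for symmetric keys and 2048 bits (preferably 3072 or 4096 bits) for asymmetric/RSA keys."
  evidence: |
    {
      "assetType": cryptoProperties.assetType,
      "classicalSecurityLevel": cryptoProperties.algorithmProperties.classicalSecurityLevel,
      "keySize": cryptoProperties.relatedCryptoMaterialProperties.size
    }

# Legacy TLS/SSL versions. Only components whose protocol type is 'tls' or 'dtls' are
# considered. The version is lower-cased and substring-matched: '1.0'/'1.1' catch
# TLS 1.0 and 1.1, 'ssl'/'2.0'/'3.0' catch SSL 2.0 and 3.0 in any spelling. Being a
# substring match, a version string containing any of these fragments is reported.
- id: CBS-004
  name: "Outdated/Insecure Protocol Version"
  description: "Outdated protocols such as SSL v2, SSL v3, TLS 1.0, or TLS 1.1 contain severe vulnerabilities and should be disabled in favor of TLS 1.2 or TLS 1.3."
  severity: critical
  category: cbom-security
  dry-run-support: full
  standards:
    nist-800-53:
      - "SC-8 Transmission Confidentiality and Integrity"
  condition: |
    components[
      cryptoProperties.assetType = 'protocol' and (
        cryptoProperties.protocolProperties.type = 'tls' or
        cryptoProperties.protocolProperties.type = 'dtls'
      ) and (
        $ver := $lowercase($safeStr(cryptoProperties.protocolProperties.version));
        $contains($ver, '1.0') or
        $contains($ver, '1.1') or
        $contains($ver, 'ssl') or
        $contains($ver, '2.0') or
        $contains($ver, '3.0')
      )
    ]
  location: |
    {
      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
    }
  message: "Insecure protocol version '{{ cryptoProperties.protocolProperties.version }}' detected for component '{{ name }}'"
  mitigation: "Require TLS 1.2 or TLS 1.3 as the minimum protocol version."
  evidence: |
    {
      "protocol": cryptoProperties.protocolProperties.type,
      "version": cryptoProperties.protocolProperties.version
    }

# Expired certificates. Relies entirely on the `cdx:cert:isExpired` component property
# (value 'true') being set by whatever produced the BOM.
# NOTE(review): despite the rule name, nothing here compares `notValidAfter` with the
# current time, so certificates that are merely close to expiry are not reported and a
# BOM without the property yields no findings at all; notValidAfter is only surfaced
# as evidence.
- id: CBC-001
  name: "Expired or Expiring Certificate"
  description: "Certificates that have expired or are close to their expiration date will cause service disruptions or trust validation failures."
  severity: high
  category: cbom-compliance
  dry-run-support: full
  condition: |
    components[
      cryptoProperties.assetType = 'certificate' and
      $hasProp($, 'cdx:cert:isExpired', 'true')
    ]
  location: |
    {
      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
    }
  message: "Certificate for Subject '{{ cryptoProperties.certificateProperties.subjectName }}' has expired or is invalid"
  mitigation: "Renew the certificate and update the deployment trust stores."
  evidence: |
    {
      "subject": cryptoProperties.certificateProperties.subjectName,
      "issuer": cryptoProperties.certificateProperties.issuerName,
      "notValidAfter": cryptoProperties.certificateProperties.notValidAfter
    }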