# Go Evinse and Golem Rules
# Categories: golem-security, golem-performance, golem-compliance
# Evaluates actionable cdx:golem:* properties emitted by evinse -l go when golem is available.
#
# How to read these rules:
# - `condition` is a JSONata predicate over the enriched BOM. Per-component rules filter
#   `components[...]`; project-level rules filter `metadata.component[...]`.
# - `$prop($, '<name>')` reads the named cdx:golem:* property of the current node. The values
#   behave as strings: booleans are compared against the literal 'true', and counts are read via
#   `$number($firstNonEmpty(<count>, '0'))`, which presumably treats a missing or empty count as 0
#   (confirm against the $firstNonEmpty helper definition).
# - `severity` is the fixed severity of the finding the rule emits. Where Golem attaches its own
#   severity to the underlying signal (securitySignalSeverity, cryptoFindingSeverity) it is only
#   surfaced in `message`/`evidence`; it never raises the rule severity. Triage by that value too.
# - `location` and `evidence` are JSONata objects rendered into the finding; `message` and
#   `mitigation` are templates where `{{ ... }}` is evaluated per matched node.
# - `dry-run-support: full` is set on every rule. NOTE(review): assumed to mean the rule is safe to
#   evaluate in a dry run with no side effects — confirm against the rule-engine documentation.
- id: GOLEM-SEC-001
  name: "Runtime Go dependency has a high-severity semantic security signal"
  description: "Golem mapped a high or critical security-sensitive Go API signal to a component that appears in runtime usage evidence"
  # The rule severity stays medium even when Golem reported 'critical'; the Golem severity is
  # carried in the message/evidence for prioritisation.
  severity: medium
  category: golem-security
  dry-run-support: full
  # Scope: only 'high'/'critical' signals on components with runtime usage. A component with no
  # usageScopes property at all is treated as runtime (fail-closed), so unscoped components are not
  # silently dropped; a component whose usageScopes list lacks 'runtime' is skipped.
  # Severity values are compared case-sensitively as literal strings.
  condition: |
    components[
      (
        $prop($, 'cdx:golem:securitySignalSeverity') = 'high'
        or $prop($, 'cdx:golem:securitySignalSeverity') = 'critical'
      )
      and (
        $prop($, 'cdx:golem:usageScopes') = null
        or $listContains($prop($, 'cdx:golem:usageScopes'), 'runtime')
      )
    ]
  location: |
    {
      "bomRef": $."bom-ref",
      "purl": purl
    }
  message: "Runtime Go component '{{ name }}' has Golem security signal '{{ $prop($, 'cdx:golem:securitySignalCategory') }}' with severity '{{ $prop($, 'cdx:golem:securitySignalSeverity') }}'"
  mitigation: "Inspect the component's occurrence and call-stack evidence. Confirm whether the API use is reachable in production code, whether configuration is safe, and whether a safer library or API should replace it"
  # evidenceKinds tells the reviewer what kind of occurrence evidence backs the signal; the
  # occurrence/call-stack details themselves must be read from the BOM component.
  evidence: |
    {
      "category": $prop($, 'cdx:golem:securitySignalCategory'),
      "severity": $prop($, 'cdx:golem:securitySignalSeverity'),
      "usageScopes": $prop($, 'cdx:golem:usageScopes'),
      "evidenceKinds": $prop($, 'cdx:golem:occurrenceEvidenceKinds')
    }
- id: GOLEM-SEC-002
  name: "Go crypto material flows into a crypto sink"
  description: "Golem data-flow found a crypto-related source-to-sink path, such as user input, environment, or parameter data reaching a cryptographic operation"
  severity: low
  category: golem-security
  dry-run-support: full
  # Fires on either encoding of the signal: the boolean flag or a positive flow count. Unlike
  # GOLEM-SEC-001 this is not scoped by usageScopes, so flows found in non-runtime code fire too.
  # A clean result here is only meaningful if GOLEM-PERF-003 did not also fire for the project.
  condition: |
    components[
      $prop($, 'cdx:golem:cryptoDataFlow') = 'true'
      or $number($firstNonEmpty($prop($, 'cdx:golem:cryptoDataFlowCount'), '0')) > 0
    ]
  location: |
    {
      "bomRef": $."bom-ref",
      "purl": purl
    }
  message: "Go component '{{ name }}' has crypto data-flow evidence: {{ $prop($, 'cdx:golem:cryptoDataFlowCategories') }}"
  mitigation: "Review the source and sink locations, taint kinds, and call-stack frames. Verify key provenance, entropy, sanitization, secret handling, and whether the algorithm or protocol use is appropriate for production"
  # The source/sink locations and call-stack frames named in the mitigation are not part of this
  # evidence object; the reviewer has to pull them from the enriched BOM component.
  evidence: |
    {
      "categories": $prop($, 'cdx:golem:cryptoDataFlowCategories'),
      "ruleId": $prop($, 'cdx:golem:cryptoDataFlowRuleId'),
      "taintKinds": $prop($, 'cdx:golem:cryptoDataFlowTaintKinds'),
      "count": $prop($, 'cdx:golem:cryptoDataFlowCount')
    }
- id: GOLEM-SEC-003
  name: "Go component has a cryptographic finding"
  description: "Golem reported a crypto-specific finding, such as weak algorithm use, insecure TLS configuration, or suspicious crypto material handling"
  # Fixed low severity regardless of cryptoFindingSeverity; a 'high' crypto finding (e.g. a
  # disabled TLS verification, per the description) still surfaces as low here. Use the severity
  # in the message/evidence when prioritising.
  severity: low
  category: golem-security
  dry-run-support: full
  # Any non-null cryptoFinding value matches, including an empty string if one is ever emitted.
  condition: |
    components[
      $prop($, 'cdx:golem:cryptoFinding') != null
    ]
  location: |
    {
      "bomRef": $."bom-ref",
      "purl": purl
    }
  message: "Go component '{{ name }}' has crypto finding '{{ $prop($, 'cdx:golem:cryptoFinding') }}' with severity '{{ $prop($, 'cdx:golem:cryptoFindingSeverity') }}'"
  mitigation: "Inspect the crypto asset, operation, and occurrence evidence. Replace weak algorithms, remove insecure TLS settings, and ensure keys, nonces, salts, and certificates are generated and stored through approved mechanisms"
  evidence: |
    {
      "finding": $prop($, 'cdx:golem:cryptoFinding'),
      "severity": $prop($, 'cdx:golem:cryptoFindingSeverity'),
      "algorithm": $prop($, 'cdx:golem:cryptoAlgorithm'),
      "operationType": $prop($, 'cdx:golem:cryptoOperationType')
    }
- id: GOLEM-SEC-004
  name: "Go module uses a local replacement in analyzed source"
  description: "Golem observed a local Go module replacement, which can make builds non-hermetic and bypass normal module provenance review"
  severity: low
  category: golem-security
  dry-run-support: full
  # Supply-chain caveat: a local replacement resolves the module from the build host's filesystem,
  # so what was built is whatever was on disk at the time. go.sum does not record checksums for
  # local replace targets, so `go mod verify` gives no assurance for this component.
  condition: |
    components[
      $prop($, 'cdx:golem:localReplacement') = 'true'
    ]
  location: |
    {
      "bomRef": $."bom-ref",
      "purl": purl
    }
  message: "Go component '{{ name }}' is affected by a local replacement in the analyzed module graph"
  mitigation: "Use a published immutable module version for release builds, or vendor the exact source with explicit provenance, review approval, and reproducibility evidence"
  # replacementModule is the replacing path, modulePath the replaced module; vendored tells the
  # reviewer whether the replaced source also lives in the vendor tree (see GOLEM-COMP-002).
  evidence: |
    {
      "replacementModule": $prop($, 'cdx:golem:replacementModule'),
      "modulePath": $prop($, 'cdx:golem:modulePath'),
      "vendored": $prop($, 'cdx:golem:vendored')
    }
- id: GOLEM-PERF-001
  name: "Go project crosses a native code boundary"
  description: "Golem observed cgo, assembly, native object, or related native sidecar evidence that can change build reproducibility, review scope, and platform risk"
  severity: low
  # Filed under golem-performance, but the concerns listed in the description (reproducibility,
  # review scope, platform risk) are supply-chain/security ones: cgo and assembly sit outside Go's
  # memory-safety guarantees and outside go.sum-based module verification.
  category: golem-performance
  dry-run-support: full
  # Project-level rule: evaluated once against metadata.component, not per dependency.
  condition: |
    metadata.component[
      $number($firstNonEmpty($prop($, 'cdx:golem:nativeArtifactCount'), '0')) > 0
    ]
  # metadata.component is not guaranteed to carry a purl, so the location reports the name.
  location: |
    {
      "bomRef": $."bom-ref",
      "component": name
    }
  message: "Go project '{{ name }}' includes native artifacts: {{ $prop($, 'cdx:golem:nativeArtifactKinds') }}"
  mitigation: "Review cgo, assembly, and native object provenance. Verify supported architectures, compiler/linker flags, reproducible build steps, and whether native code needs separate security review or signing"
  evidence: |
    {
      "nativeArtifactCount": $prop($, 'cdx:golem:nativeArtifactCount'),
      "nativeArtifactKinds": $prop($, 'cdx:golem:nativeArtifactKinds')
    }
- id: GOLEM-PERF-002
  name: "Go project relies on generated or embedded build inputs"
  description: "Golem observed go:generate, go:embed, or generated-file evidence that should be reviewed for reproducibility and release completeness"
  severity: low
  category: golem-performance
  dry-run-support: full
  # Project-level rule. Any of the three counts being positive is enough to fire. go:generate
  # directives run arbitrary commands at generate time, so the generator toolchain is part of the
  # supply chain; go:embed pulls files into the binary, which is why the mitigation asks for
  # secret and license scanning of embedded assets.
  condition: |
    metadata.component[
      $number($firstNonEmpty($prop($, 'cdx:golem:goGenerateCount'), '0')) > 0
      or $number($firstNonEmpty($prop($, 'cdx:golem:goEmbedCount'), '0')) > 0
      or $number($firstNonEmpty($prop($, 'cdx:golem:generatedFileCount'), '0')) > 0
    ]
  location: |
    {
      "bomRef": $."bom-ref",
      "component": name
    }
  # The message renders the raw property values; a missing count renders as empty/null rather
  # than as 0, since only the condition applies the $firstNonEmpty default.
  message: "Go project '{{ name }}' has generated or embedded build inputs: generate={{ $prop($, 'cdx:golem:goGenerateCount') }}, embed={{ $prop($, 'cdx:golem:goEmbedCount') }}, generatedFiles={{ $prop($, 'cdx:golem:generatedFileCount') }}"
  mitigation: "Confirm generated files are reproducible and reviewed, go:generate commands are not required at release time unless explicitly controlled, and embedded assets are covered by license and secret-scanning review"
  evidence: |
    {
      "goGenerateCount": $prop($, 'cdx:golem:goGenerateCount'),
      "goEmbedCount": $prop($, 'cdx:golem:goEmbedCount'),
      "generatedFileCount": $prop($, 'cdx:golem:generatedFileCount'),
      "generatorKinds": $prop($, 'cdx:golem:generatorKinds')
    }
- id: GOLEM-PERF-003
  name: "Go data-flow evidence was truncated or sanitized"
  description: "Golem reported data-flow truncation or sanitization, which means some source-to-sink evidence may be incomplete in the enriched BOM"
  severity: low
  category: golem-performance
  dry-run-support: full
  # Coverage-loss signal: when this fires, the absence of GOLEM-SEC-002 / GOLEM-SEC-003 findings
  # must not be read as absence of issues. Note the middle clause tests property presence
  # (`!= null`), not a count, so any emitted dataFlowTruncationReasons value fires the rule.
  condition: |
    metadata.component[
      $prop($, 'cdx:golem:dataFlowTruncated') = 'true'
      or $prop($, 'cdx:golem:dataFlowTruncationReasons') != null
      or $number($firstNonEmpty($prop($, 'cdx:golem:dataFlowSanitizedSliceCount'), '0')) > 0
    ]
  location: |
    {
      "bomRef": $."bom-ref",
      "component": name
    }
  message: "Go data-flow evidence for '{{ name }}' was truncated or sanitized"
  mitigation: "For high-assurance review, rerun with narrower --golem-patterns, a focused --golem-dataflow mode such as crypto, larger slice/trace limits, or more memory. Treat a clean result as coverage-limited until truncation is resolved"
  # dataFlowSliceCount next to dataFlowSanitizedSliceCount lets the reviewer judge how much of the
  # analysis was affected.
  evidence: |
    {
      "dataFlowTruncated": $prop($, 'cdx:golem:dataFlowTruncated'),
      "dataFlowTruncationReasons": $prop($, 'cdx:golem:dataFlowTruncationReasons'),
      "dataFlowSanitizedSliceCount": $prop($, 'cdx:golem:dataFlowSanitizedSliceCount'),
      "dataFlowSliceCount": $prop($, 'cdx:golem:dataFlowSliceCount')
    }
- id: GOLEM-COMP-001
  name: "Go module appears private or workspace-local"
  description: "Private or workspace-local Go module candidates require internal provenance, access-control, and retention review because public registry metadata may be unavailable"
  severity: low
  category: golem-compliance
  dry-run-support: full
  # "Candidate" is Golem's heuristic; confirm before acting on it. Security caveats beyond the
  # mitigation text: an SBOM shared externally discloses the private module path, and a private
  # path that is also resolvable on the public proxy is a dependency-confusion exposure —
  # NOTE(review): verify GOPRIVATE/GONOSUMDB coverage for the module path in evidence.
  condition: |
    components[
      $prop($, 'cdx:golem:privateModuleCandidate') = 'true'
    ]
  location: |
    {
      "bomRef": $."bom-ref",
      "purl": purl
    }
  message: "Go component '{{ name }}' appears to be a private module candidate"
  mitigation: "Confirm the module is covered by internal source retention, license review, vulnerability intake, and release provenance controls. Ensure private module names are not shared externally unless approved"
  evidence: |
    {
      "modulePath": $prop($, 'cdx:golem:modulePath'),
      "goVersion": $prop($, 'cdx:golem:goVersion'),
      "usageScopes": $prop($, 'cdx:golem:usageScopes')
    }
- id: GOLEM-COMP-002
  name: "Vendored Go module lacks license-file evidence"
  description: "Vendored Go modules should preserve license files or equivalent license evidence for redistribution and audit readiness"
  severity: medium
  category: golem-compliance
  dry-run-support: full
  # Conservative: a vendored component with no licenseFileCount property at all counts as 0 and
  # fires. Expect noise if the analysis did not compute license-file counts for the vendor tree;
  # the mitigation's "re-run Go Evinse" step covers that case.
  condition: |
    components[
      $prop($, 'cdx:golem:vendored') = 'true'
      and $number($firstNonEmpty($prop($, 'cdx:golem:licenseFileCount'), '0')) = 0
    ]
  location: |
    {
      "bomRef": $."bom-ref",
      "purl": purl
    }
  message: "Vendored Go component '{{ name }}' does not carry Golem license-file evidence"
  mitigation: "Keep upstream license files with vendored modules or document the equivalent license source in the release evidence bundle. Re-run Go Evinse after correcting the vendor tree"
  evidence: |
    {
      "vendored": $prop($, 'cdx:golem:vendored'),
      "licenseFileCount": $prop($, 'cdx:golem:licenseFileCount'),
      "licenseFiles": $prop($, 'cdx:golem:licenseFiles')
    }
- id: GOLEM-COMP-003
  name: "Go module graph uses exclude directives"
  description: "Go exclude directives alter dependency resolution and can hide why a version was intentionally blocked or replaced"
  severity: low
  category: golem-compliance
  dry-run-support: full
  # Project-level rule on the go.mod exclude count. Excludes are a legitimate way to pin away from
  # a vulnerable version, but without a recorded reason they are indistinguishable from an
  # accidental downgrade block — hence the documentation-oriented mitigation.
  condition: |
    metadata.component[
      $number($firstNonEmpty($prop($, 'cdx:golem:goModExcludeCount'), '0')) > 0
    ]
  location: |
    {
      "bomRef": $."bom-ref",
      "component": name
    }
  message: "Go project '{{ name }}' uses {{ $prop($, 'cdx:golem:goModExcludeCount') }} go.mod exclude directive(s)"
  mitigation: "Document why each excluded module version is blocked, verify the selected replacement version is safe and supported, and ensure release builds use the reviewed go.mod/go.sum pair"
  # excludeModule is emitted as a single property; NOTE(review): with several exclude directives
  # it is unclear from this file whether it holds a list or only one module — confirm in evinse.
  evidence: |
    {
      "goModExcludeCount": $prop($, 'cdx:golem:goModExcludeCount'),
      "excludeModule": $prop($, 'cdx:golem:excludeModule')
    }