@cyclonedx/cdxgen 12.2.0 → 12.3.0

package/lib/helpers/exportUtils.poku.js

@@ -0,0 +1,60 @@
+import { assert, describe, it } from "poku";
+
+import {
+  createOutputPlan,
+  deriveCycloneDxOutputPath,
+  deriveSpdxOutputPath,
+  normalizeOutputFormats,
+} from "./exportUtils.js";
+
+describe("exportUtils", () => {
+  it("normalizes comma-separated export formats", () => {
+    assert.deepStrictEqual(normalizeOutputFormats("cyclonedx,spdx-json"), [
+      "cyclonedx",
+      "spdx",
+    ]);
+  });
+
+  it("normalizes repeated format flags", () => {
+    assert.deepStrictEqual(normalizeOutputFormats(["cyclonedx", "spdx"]), [
+      "cyclonedx",
+      "spdx",
+    ]);
+  });
+
+  it("derives SPDX and CycloneDX sibling paths", () => {
+    assert.strictEqual(
+      deriveSpdxOutputPath("/tmp/bom.cdx.json"),
+      "/tmp/bom.spdx.json",
+    );
+    assert.strictEqual(
+      deriveCycloneDxOutputPath("/tmp/bom.spdx.json"),
+      "/tmp/bom.cdx.json",
+    );
+  });
+
+  it("chooses SPDX automatically for .spdx.json outputs", () => {
+    const plan = createOutputPlan({ output: "/tmp/app.spdx.json" });
+    assert.strictEqual(plan.formats.has("spdx"), true);
+    assert.strictEqual(plan.formats.has("cyclonedx"), false);
+    assert.strictEqual(plan.outputs.spdx, "/tmp/app.spdx.json");
+  });
+
+  it("creates sibling outputs for dual exports", () => {
+    const plan = createOutputPlan({
+      format: "cyclonedx,spdx",
+      output: "/tmp/app.cdx.json",
+    });
+    assert.strictEqual(plan.outputs.cyclonedx, "/tmp/app.cdx.json");
+    assert.strictEqual(plan.outputs.spdx, "/tmp/app.spdx.json");
+  });
+
+  it("creates sibling outputs for repeated format flags", () => {
+    const plan = createOutputPlan({
+      format: ["cyclonedx", "spdx"],
+      output: "/tmp/app.cdx.json",
+    });
+    assert.strictEqual(plan.outputs.cyclonedx, "/tmp/app.cdx.json");
+    assert.strictEqual(plan.outputs.spdx, "/tmp/app.spdx.json");
+  });
+});

package/lib/helpers/formulationParsers.js

@@ -1,3 +1,5 @@
+import { readFileSync } from "node:fs";
+import { basename } from "node:path";
 import process from "node:process";
 
 import { v4 as uuidv4 } from "uuid";
@@ -16,8 +18,67 @@ import {
   gitTreeHashes,
   listFiles,
 } from "./envcontext.js";
+import { scanTextForHiddenUnicode } from "./unicodeScan.js";
 import { getAllFiles } from "./utils.js";
 
+const README_PATTERNS = [
+  "**/README*.{adoc,asciidoc,markdown,md,mdx,rst,txt}",
+  "**/readme*.{adoc,asciidoc,markdown,md,mdx,rst,txt}",
+];
+
+function buildReadmeSecurityComponents(discoveryPath, options) {
+  const matchedFiles = [];
+  for (const pattern of README_PATTERNS) {
+    const found = getAllFiles(discoveryPath, pattern, options);
+    if (found?.length) {
+      matchedFiles.push(...found);
+    }
+  }
+  const components = [];
+  for (const filePath of [...new Set(matchedFiles)]) {
+    let raw;
+    try {
+      raw = readFileSync(filePath, { encoding: "utf-8" });
+    } catch {
+      continue;
+    }
+    const scan = scanTextForHiddenUnicode(raw, { syntax: "markdown" });
+    if (!scan.hasHiddenUnicode) {
+      continue;
+    }
+    const properties = [
+      { name: "SrcFile", value: filePath },
+      { name: "cdx:file:kind", value: "readme" },
+      { name: "cdx:file:hasHiddenUnicode", value: "true" },
+      {
+        name: "cdx:file:hiddenUnicodeCodePoints",
+        value: scan.codePoints.join(","),
+      },
+      {
+        name: "cdx:file:hiddenUnicodeLineNumbers",
+        value: scan.lineNumbers.join(","),
+      },
+    ];
+    if (scan.inComments) {
+      properties.push({
+        name: "cdx:file:hiddenUnicodeInComments",
+        value: "true",
+      });
+      properties.push({
+        name: "cdx:file:hiddenUnicodeCommentCodePoints",
+        value: scan.commentCodePoints.join(","),
+      });
+    }
+    components.push({
+      "bom-ref": `file:${filePath}`,
+      name: basename(filePath),
+      properties,
+      type: "file",
+    });
+  }
+  return components;
+}
+
 /**
  * The parser registry. Pre-populated with the five built-in CI system parsers.
  *
@@ -291,6 +352,14 @@ export function addFormulationSection(filePath, options, context = {}) {
     components = components.concat(ciComponents);
   }
 
+  const readmeSecurityComponents = buildReadmeSecurityComponents(
+    discoveryPath,
+    options,
+  );
+  if (readmeSecurityComponents.length) {
+    components = components.concat(readmeSecurityComponents);
+  }
+
   // ── Environment variables ─────────────────────────────────────────────────
   let environmentVars = gitBranch?.length
     ? [{ name: "GIT_BRANCH", value: gitBranch }]

package/lib/helpers/formulationParsers.poku.js

@@ -0,0 +1,44 @@
+import { mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import os from "node:os";
+import path from "node:path";
+
+import { assert, describe, it } from "poku";
+
+import { addFormulationSection } from "./formulationParsers.js";
+
+function getProp(obj, name) {
+  return obj?.properties?.find((property) => property.name === name)?.value;
+}
+
+describe("addFormulationSection()", () => {
+  it("adds README file components when hidden Unicode is detected", () => {
+    const tmpDir = mkdtempSync(path.join(os.tmpdir(), "cdxgen-formulation-"));
+    writeFileSync(
+      path.join(tmpDir, "README.md"),
+      "# Demo\n<!-- hidden \u200B comment -->\nContent",
+    );
+
+    try {
+      const result = addFormulationSection(tmpDir, { specVersion: 1.7 });
+      const formulation = result.formulation[0];
+      const readmeComponent = formulation.components.find(
+        (component) => getProp(component, "cdx:file:kind") === "readme",
+      );
+      assert.ok(readmeComponent, "expected README formulation component");
+      assert.strictEqual(
+        getProp(readmeComponent, "cdx:file:hasHiddenUnicode"),
+        "true",
+      );
+      assert.strictEqual(
+        getProp(readmeComponent, "cdx:file:hiddenUnicodeInComments"),
+        "true",
+      );
+      assert.match(
+        getProp(readmeComponent, "cdx:file:hiddenUnicodeCodePoints"),
+        /U\+200B/,
+      );
+    } finally {
+      rmSync(tmpDir, { force: true, recursive: true });
+    }
+  });
+});

package/lib/helpers/gtfobins.js

@@ -0,0 +1,189 @@
+import { readFileSync } from "node:fs";
+import { basename, join } from "node:path";
+
+import { dirNameStr, safeExistsSync } from "./utils.js";
+
+const GTFOBINS_INDEX_FILE = join(dirNameStr, "data", "gtfobins-index.json");
+const GTFOBINS_REFERENCE_PREFIX = "https://gtfobins.github.io/gtfobins/";
+const PRIVILEGED_CONTEXTS = ["sudo", "suid", "capabilities"];
+const CONTAINER_ESCAPE_HELPERS = new Set([
+  "chroot",
+  "ctr",
+  "docker",
+  "kubectl",
+  "mount",
+  "nsenter",
+  "tar",
+  "unshare",
+]);
+const DIRECT_ALIASES = new Map([["nodejs", "node"]]);
+const VERSIONED_ALIASES = [
+  { pattern: /^python(?:\d+(?:\.\d+)*)?$/i, target: "python" },
+  { pattern: /^perl(?:\d+(?:\.\d+)*)?$/i, target: "perl" },
+  { pattern: /^ruby(?:\d+(?:\.\d+)*)?$/i, target: "ruby" },
+  { pattern: /^php(?:\d+(?:\.\d+)*)?$/i, target: "php" },
+  { pattern: /^lua(?:\d+(?:\.\d+)*)?$/i, target: "lua" },
+  { pattern: /^node(?:\d+(?:\.\d+)*)?$/i, target: "node" },
+];
+
+const GTFOBINS_INDEX = loadGtfoBinsIndex();
+
+function loadGtfoBinsIndex() {
+  if (!safeExistsSync(GTFOBINS_INDEX_FILE)) {
+    return { entries: {}, source: GTFOBINS_REFERENCE_PREFIX, sourceRef: "" };
+  }
+  try {
+    return JSON.parse(readFileSync(GTFOBINS_INDEX_FILE, "utf8"));
+  } catch {
+    return { entries: {}, source: GTFOBINS_REFERENCE_PREFIX, sourceRef: "" };
+  }
+}
+
+function resolveCandidateName(candidate) {
+  if (!candidate || typeof candidate !== "string") {
+    return undefined;
+  }
+  const trimmed = basename(candidate.trim());
+  if (!trimmed) {
+    return undefined;
+  }
+  const normalized = trimmed.toLowerCase();
+  if (GTFOBINS_INDEX.entries?.[trimmed]) {
+    return { canonicalName: trimmed, matchSource: "basename" };
+  }
+  if (GTFOBINS_INDEX.entries?.[normalized]) {
+    return { canonicalName: normalized, matchSource: "basename" };
+  }
+  const directAlias = DIRECT_ALIASES.get(normalized);
+  if (directAlias && GTFOBINS_INDEX.entries?.[directAlias]) {
+    return { canonicalName: directAlias, matchSource: "alias" };
+  }
+  for (const aliasRule of VERSIONED_ALIASES) {
+    if (
+      aliasRule.pattern.test(normalized) &&
+      GTFOBINS_INDEX.entries?.[aliasRule.target]
+    ) {
+      return { canonicalName: aliasRule.target, matchSource: "alias" };
+    }
+  }
+  return undefined;
+}
+
+function deriveRiskTags(entry, canonicalName) {
+  const functions = new Set(entry?.functions || []);
+  const contexts = new Set(entry?.contexts || []);
+  const riskTags = new Set();
+  const hasExecPrimitive =
+    functions.has("shell") ||
+    functions.has("command") ||
+    functions.has("reverse-shell") ||
+    functions.has("bind-shell");
+  const hasNetworkPrimitive =
+    functions.has("upload") ||
+    functions.has("download") ||
+    functions.has("reverse-shell") ||
+    functions.has("bind-shell");
+  if (functions.has("privilege-escalation")) {
+    riskTags.add("privilege-escalation");
+  }
+  if (
+    contexts.has("sudo") ||
+    contexts.has("suid") ||
+    contexts.has("capabilities")
+  ) {
+    riskTags.add("privilege-escalation");
+  }
+  if (hasExecPrimitive && hasNetworkPrimitive) {
+    riskTags.add("lateral-movement");
+  }
+  if (functions.has("upload") || functions.has("file-read")) {
+    riskTags.add("data-exfiltration");
+  }
+  if (functions.has("file-write") || functions.has("library-load")) {
+    riskTags.add("persistence");
+  }
+  if (
+    CONTAINER_ESCAPE_HELPERS.has(canonicalName) &&
+    (hasExecPrimitive ||
+      functions.has("privilege-escalation") ||
+      functions.has("library-load"))
+  ) {
+    riskTags.add("container-escape");
+  }
+  return Array.from(riskTags).sort();
+}
+
+export function getGtfoBinsMetadata(name, linkedName) {
+  const directMatch = resolveCandidateName(name);
+  if (directMatch) {
+    const entry = GTFOBINS_INDEX.entries[directMatch.canonicalName];
+    return {
+      canonicalName: directMatch.canonicalName,
+      contexts: entry.contexts,
+      functions: entry.functions,
+      matchSource: directMatch.matchSource,
+      mitreTechniques: entry.mitreTechniques,
+      privilegedContexts: entry.contexts.filter((context) =>
+        PRIVILEGED_CONTEXTS.includes(context),
+      ),
+      reference: `${GTFOBINS_REFERENCE_PREFIX}${encodeURIComponent(directMatch.canonicalName)}/`,
+      riskTags: deriveRiskTags(entry, directMatch.canonicalName),
+      source: GTFOBINS_INDEX.source,
+      sourceRef: GTFOBINS_INDEX.sourceRef,
+    };
+  }
+  const linkedMatch = resolveCandidateName(linkedName);
+  if (!linkedMatch) {
+    return undefined;
+  }
+  const entry = GTFOBINS_INDEX.entries[linkedMatch.canonicalName];
+  return {
+    canonicalName: linkedMatch.canonicalName,
+    contexts: entry.contexts,
+    functions: entry.functions,
+    matchSource: "symlink",
+    mitreTechniques: entry.mitreTechniques,
+    privilegedContexts: entry.contexts.filter((context) =>
+      PRIVILEGED_CONTEXTS.includes(context),
+    ),
+    reference: `${GTFOBINS_REFERENCE_PREFIX}${encodeURIComponent(linkedMatch.canonicalName)}/`,
+    riskTags: deriveRiskTags(entry, linkedMatch.canonicalName),
+    source: GTFOBINS_INDEX.source,
+    sourceRef: GTFOBINS_INDEX.sourceRef,
+  };
+}
+
+export function createGtfoBinsProperties(name, linkedName) {
+  const metadata = getGtfoBinsMetadata(name, linkedName);
+  if (!metadata) {
+    return [];
+  }
+  const properties = [
+    { name: "cdx:gtfobins:matched", value: "true" },
+    { name: "cdx:gtfobins:name", value: metadata.canonicalName },
+    { name: "cdx:gtfobins:matchSource", value: metadata.matchSource },
+    { name: "cdx:gtfobins:functions", value: metadata.functions.join(",") },
+    { name: "cdx:gtfobins:contexts", value: metadata.contexts.join(",") },
+    { name: "cdx:gtfobins:reference", value: metadata.reference },
+    { name: "cdx:gtfobins:sourceRef", value: metadata.sourceRef || "" },
+  ];
+  if (metadata.mitreTechniques.length) {
+    properties.push({
+      name: "cdx:gtfobins:mitreTechniques",
+      value: metadata.mitreTechniques.join(","),
+    });
+  }
+  if (metadata.privilegedContexts.length) {
+    properties.push({
+      name: "cdx:gtfobins:privilegedContexts",
+      value: metadata.privilegedContexts.join(","),
+    });
+  }
+  if (metadata.riskTags.length) {
+    properties.push({
+      name: "cdx:gtfobins:riskTags",
+      value: metadata.riskTags.join(","),
+    });
+  }
+  return properties;
+}

package/lib/helpers/gtfobins.poku.js

@@ -0,0 +1,49 @@
+import { strict as assert } from "node:assert";
+
+import { describe, it } from "poku";
+
+import { createGtfoBinsProperties, getGtfoBinsMetadata } from "./gtfobins.js";
+
+describe("gtfobins helpers", () => {
+  it("returns metadata for exact GTFOBins matches", () => {
+    const metadata = getGtfoBinsMetadata("bash");
+    assert.ok(metadata);
+    assert.strictEqual(metadata.canonicalName, "bash");
+    assert.ok(metadata.functions.includes("shell"));
+    assert.ok(metadata.contexts.includes("suid"));
+    assert.ok(metadata.riskTags.includes("privilege-escalation"));
+    assert.ok(metadata.riskTags.includes("lateral-movement"));
+  });
+
+  it("resolves versioned aliases conservatively", () => {
+    const metadata = getGtfoBinsMetadata("python3.12");
+    assert.ok(metadata);
+    assert.strictEqual(metadata.canonicalName, "python");
+    assert.strictEqual(metadata.matchSource, "alias");
+    assert.ok(metadata.functions.includes("shell"));
+  });
+
+  it("resolves symlink targets when the basename is not indexed", () => {
+    const metadata = getGtfoBinsMetadata("sh", "busybox");
+    assert.ok(metadata);
+    assert.strictEqual(metadata.canonicalName, "busybox");
+    assert.strictEqual(metadata.matchSource, "symlink");
+    assert.ok(metadata.riskTags.includes("lateral-movement"));
+  });
+
+  it("emits stable CycloneDX properties for matched binaries", () => {
+    const properties = createGtfoBinsProperties("docker");
+    const propertyMap = Object.fromEntries(
+      properties.map((property) => [property.name, property.value]),
+    );
+    assert.strictEqual(propertyMap["cdx:gtfobins:matched"], "true");
+    assert.strictEqual(propertyMap["cdx:gtfobins:name"], "docker");
+    assert.ok(propertyMap["cdx:gtfobins:functions"].includes("shell"));
+    assert.ok(
+      propertyMap["cdx:gtfobins:riskTags"].includes("container-escape"),
+    );
+    assert.ok(
+      propertyMap["cdx:gtfobins:reference"].endsWith("/gtfobins/docker/"),
+    );
+  });
+});

package/lib/helpers/lolbas.js

@@ -0,0 +1,267 @@
+import { readFileSync } from "node:fs";
+import path, { basename } from "node:path";
+import { fileURLToPath } from "node:url";
+
+const LOLBAS_INDEX_FILE = fileURLToPath(
+  new URL("../../data/lolbas-index.json", import.meta.url),
+);
+const LOLBAS_REFERENCE_PREFIX =
+  "https://lolbas-project.github.io/lolbas/Binaries/";
+const DIRECT_ALIASES = new Map([
+  ["bitsadmin", "bitsadmin.exe"],
+  ["certutil", "certutil.exe"],
+  ["cmd", "cmd.exe"],
+  ["cmdkey", "cmdkey.exe"],
+  ["cmstp", "cmstp.exe"],
+  ["cscript", "cscript.exe"],
+  ["ftp", "ftp.exe"],
+  ["installutil", "installutil.exe"],
+  ["msbuild", "msbuild.exe"],
+  ["mshta", "mshta.exe"],
+  ["msiexec", "msiexec.exe"],
+  ["odbcconf", "odbcconf.exe"],
+  ["powershell", "powershell.exe"],
+  ["pwsh", "pwsh.exe"],
+  ["regsvr32", "regsvr32.exe"],
+  ["rundll32", "rundll32.exe"],
+  ["wmic", "wmic.exe"],
+  ["wscript", "wscript.exe"],
+]);
+const MATCH_FIELDS = [
+  "action",
+  "arguments",
+  "cmdline",
+  "command",
+  "command_line",
+  "command_line_template",
+  "description",
+  "display_name",
+  "executable",
+  "name",
+  "path",
+  "program",
+  "source",
+];
+const STANDALONE_COMMAND_PATTERN =
+  /\b(bitsadmin|certutil|cmd|cmdkey|cmstp|cscript|ftp|installutil|msbuild|mshta|msiexec|odbcconf|powershell|pwsh|regsvr32|rundll32|wmic|wscript)\b/gi;
+const WINDOWS_EXECUTABLE_PATTERN =
+  /(?:[a-z]:\\[^\s"'`,;|]+|\\\\[^\s"'`,;|]+|[a-z0-9._-]+)\.(?:exe|cmd|bat|dll|hta|js|jse|ps1|vbs|vbe|wsf|wsh)\b/gi;
+
+const LOLBAS_INDEX = loadLolbasIndex();
+
+function loadLolbasIndex() {
+  try {
+    return JSON.parse(readFileSync(LOLBAS_INDEX_FILE, "utf8"));
+  } catch {
+    return { entries: {}, source: "", sourceRef: "" };
+  }
+}
+
+function normalizeCandidate(candidate) {
+  if (!candidate || typeof candidate !== "string") {
+    return undefined;
+  }
+  const trimmed = candidate
+    .trim()
+    .replace(/^["']|["']$/g, "")
+    .replace(/\\/g, "/");
+  if (!trimmed) {
+    return undefined;
+  }
+  return basename(trimmed).toLowerCase();
+}
+
+function uniqueSortedStrings(values) {
+  return Array.from(
+    new Set(
+      values.filter(
+        (value) => typeof value === "string" && value.trim().length,
+      ),
+    ),
+  ).sort();
+}
+
+function resolveLolbasCandidate(candidate) {
+  const normalized = normalizeCandidate(candidate);
+  if (!normalized) {
+    return undefined;
+  }
+  if (LOLBAS_INDEX.entries?.[normalized]) {
+    return normalized;
+  }
+  const alias = DIRECT_ALIASES.get(normalized);
+  if (alias && LOLBAS_INDEX.entries?.[alias]) {
+    return alias;
+  }
+  return undefined;
+}
+
+function deriveRiskTags(entry) {
+  const riskTags = new Set(entry?.riskTags || []);
+  const functions = new Set(entry?.functions || []);
+  const contexts = new Set(entry?.contexts || []);
+  if (
+    functions.has("proxy-execution") ||
+    functions.has("library-load") ||
+    functions.has("script-execution")
+  ) {
+    riskTags.add("proxy-execution");
+  }
+  if (
+    functions.has("download") ||
+    functions.has("upload") ||
+    functions.has("credential-access")
+  ) {
+    riskTags.add("high-signal");
+  }
+  if (contexts.has("uac-bypass")) {
+    riskTags.add("uac-bypass");
+  }
+  if (functions.has("download") || functions.has("upload")) {
+    riskTags.add("network-transfer");
+  }
+  return Array.from(riskTags).sort();
+}
+
+function collectValueCandidates(value) {
+  if (!value || typeof value !== "string") {
+    return [];
+  }
+  const candidates = new Set();
+  for (const match of value.matchAll(WINDOWS_EXECUTABLE_PATTERN)) {
+    candidates.add(match[0]);
+  }
+  for (const match of value.matchAll(STANDALONE_COMMAND_PATTERN)) {
+    candidates.add(match[1]);
+  }
+  return Array.from(candidates);
+}
+
+/**
+ * Resolve LOLBAS metadata for a binary or script name.
+ *
+ * @param {string} candidate Binary or script path/name
+ * @returns {object|undefined} Matched LOLBAS metadata
+ */
+export function getLolbasMetadata(candidate) {
+  const canonicalName = resolveLolbasCandidate(candidate);
+  if (!canonicalName) {
+    return undefined;
+  }
+  const entry = LOLBAS_INDEX.entries[canonicalName];
+  return {
+    attackTactics: uniqueSortedStrings(entry.attackTactics || []),
+    attackTechniques: uniqueSortedStrings(entry.attackTechniques || []),
+    canonicalName,
+    contexts: uniqueSortedStrings(entry.contexts || []),
+    functions: uniqueSortedStrings(entry.functions || []),
+    reference:
+      entry.reference ||
+      `${LOLBAS_REFERENCE_PREFIX}${encodeURIComponent(path.parse(canonicalName).name)}/`,
+    riskTags: deriveRiskTags(entry),
+    source: LOLBAS_INDEX.source,
+    sourceRef: LOLBAS_INDEX.sourceRef,
+  };
+}
+
+/**
+ * Resolve LOLBAS properties for an osquery row.
+ *
+ * @param {string} queryCategory Osquery query category
+ * @param {object} row Osquery row
+ * @returns {Array<object>} CycloneDX custom properties
+ */
+export function createLolbasProperties(queryCategory, row) {
+  const matches = new Map();
+  for (const field of MATCH_FIELDS) {
+    const fieldValue = row?.[field];
+    if (!fieldValue) {
+      continue;
+    }
+    for (const candidate of collectValueCandidates(String(fieldValue))) {
+      const metadata = getLolbasMetadata(candidate);
+      if (!metadata) {
+        continue;
+      }
+      const existing = matches.get(metadata.canonicalName) || {
+        fields: new Set(),
+        metadata,
+      };
+      existing.fields.add(field);
+      matches.set(metadata.canonicalName, existing);
+    }
+  }
+  if (!matches.size) {
+    return [];
+  }
+  const attackTactics = uniqueSortedStrings(
+    Array.from(matches.values()).flatMap(
+      (match) => match.metadata.attackTactics,
+    ),
+  );
+  const attackTechniques = uniqueSortedStrings(
+    Array.from(matches.values()).flatMap(
+      (match) => match.metadata.attackTechniques,
+    ),
+  );
+  const contexts = uniqueSortedStrings(
+    Array.from(matches.values()).flatMap((match) => match.metadata.contexts),
+  );
+  const functions = uniqueSortedStrings(
+    Array.from(matches.values()).flatMap((match) => match.metadata.functions),
+  );
+  const references = uniqueSortedStrings(
+    Array.from(matches.values()).map((match) => match.metadata.reference),
+  );
+  const riskTags = uniqueSortedStrings(
+    Array.from(matches.values()).flatMap((match) => match.metadata.riskTags),
+  );
+  const matchFields = uniqueSortedStrings(
+    Array.from(matches.values()).flatMap((match) => Array.from(match.fields)),
+  );
+  const names = uniqueSortedStrings(Array.from(matches.keys()));
+  const properties = [
+    { name: "cdx:lolbas:matched", value: "true" },
+    { name: "cdx:lolbas:names", value: names.join(",") },
+    { name: "cdx:lolbas:matchFields", value: matchFields.join(",") },
+    { name: "cdx:lolbas:queryCategory", value: queryCategory },
+    { name: "cdx:lolbas:sourceRef", value: LOLBAS_INDEX.sourceRef || "" },
+  ];
+  if (functions.length) {
+    properties.push({
+      name: "cdx:lolbas:functions",
+      value: functions.join(","),
+    });
+  }
+  if (contexts.length) {
+    properties.push({
+      name: "cdx:lolbas:contexts",
+      value: contexts.join(","),
+    });
+  }
+  if (riskTags.length) {
+    properties.push({
+      name: "cdx:lolbas:riskTags",
+      value: riskTags.join(","),
+    });
+  }
+  if (attackTactics.length) {
+    properties.push({
+      name: "cdx:lolbas:attackTactics",
+      value: attackTactics.join(","),
+    });
+  }
+  if (attackTechniques.length) {
+    properties.push({
+      name: "cdx:lolbas:attackTechniques",
+      value: attackTechniques.join(","),
+    });
+  }
+  if (references.length) {
+    properties.push({
+      name: "cdx:lolbas:references",
+      value: references.join(","),
+    });
+  }
+  return properties;
+}