npm - @cyclonedx/cdxgen - Versions diffs - 12.2.0 → 12.3.0 - Mend

@cyclonedx/cdxgen 12.2.0 → 12.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (181) hide show

package/README.md +242 -90
package/bin/audit.js +191 -0
package/bin/cdxgen.js +532 -168
package/bin/convert.js +99 -0
package/bin/evinse.js +23 -0
package/bin/repl.js +339 -8
package/bin/sign.js +8 -0
package/bin/validate.js +8 -0
package/bin/verify.js +8 -0
package/data/container-knowledge-index.json +125 -0
package/data/gtfobins-index.json +6296 -0
package/data/lolbas-index.json +150 -0
package/data/queries-darwin.json +63 -3
package/data/queries-win.json +45 -3
package/data/queries.json +74 -2
package/data/rules/chrome-extensions.yaml +240 -0
package/data/rules/ci-permissions.yaml +478 -18
package/data/rules/container-risk.yaml +270 -0
package/data/rules/obom-runtime.yaml +891 -0
package/data/rules/package-integrity.yaml +49 -0
package/data/spdx-export.schema.json +6794 -0
package/data/spdx-model-v3.0.1.jsonld +15999 -0
package/lib/audit/index.js +1924 -0
package/lib/audit/index.poku.js +1488 -0
package/lib/audit/progress.js +137 -0
package/lib/audit/progress.poku.js +188 -0
package/lib/audit/reporters.js +618 -0
package/lib/audit/scoring.js +310 -0
package/lib/audit/scoring.poku.js +341 -0
package/lib/audit/targets.js +260 -0
package/lib/audit/targets.poku.js +331 -0
package/lib/cli/index.js +276 -68
package/lib/cli/index.poku.js +368 -0
package/lib/helpers/analyzer.js +1052 -5
package/lib/helpers/analyzer.poku.js +301 -0
package/lib/helpers/annotationFormatter.js +49 -0
package/lib/helpers/annotationFormatter.poku.js +44 -0
package/lib/helpers/bomUtils.js +36 -0
package/lib/helpers/bomUtils.poku.js +51 -0
package/lib/helpers/caxa.js +2 -2
package/lib/helpers/chromextutils.js +1153 -0
package/lib/helpers/chromextutils.poku.js +493 -0
package/lib/helpers/ciParsers/githubActions.js +1632 -45
package/lib/helpers/ciParsers/githubActions.poku.js +853 -1
package/lib/helpers/containerRisk.js +186 -0
package/lib/helpers/containerRisk.poku.js +52 -0
package/lib/helpers/depsUtils.js +16 -0
package/lib/helpers/depsUtils.poku.js +58 -1
package/lib/helpers/display.js +245 -61
package/lib/helpers/display.poku.js +162 -2
package/lib/helpers/exportUtils.js +123 -0
package/lib/helpers/exportUtils.poku.js +60 -0
package/lib/helpers/formulationParsers.js +69 -0
package/lib/helpers/formulationParsers.poku.js +44 -0
package/lib/helpers/gtfobins.js +189 -0
package/lib/helpers/gtfobins.poku.js +49 -0
package/lib/helpers/lolbas.js +267 -0
package/lib/helpers/lolbas.poku.js +39 -0
package/lib/helpers/osqueryTransform.js +84 -0
package/lib/helpers/osqueryTransform.poku.js +49 -0
package/lib/helpers/provenanceUtils.js +193 -0
package/lib/helpers/provenanceUtils.poku.js +145 -0
package/lib/helpers/pylockutils.js +281 -0
package/lib/helpers/pylockutils.poku.js +48 -0
package/lib/helpers/registryProvenance.js +793 -0
package/lib/helpers/registryProvenance.poku.js +452 -0
package/lib/helpers/remote/dependency-track.js +84 -0
package/lib/helpers/remote/dependency-track.poku.js +119 -0
package/lib/helpers/source.js +1267 -0
package/lib/helpers/source.poku.js +771 -0
package/lib/helpers/spdxUtils.js +97 -0
package/lib/helpers/spdxUtils.poku.js +70 -0
package/lib/helpers/table.js +384 -0
package/lib/helpers/table.poku.js +186 -0
package/lib/helpers/unicodeScan.js +147 -0
package/lib/helpers/unicodeScan.poku.js +45 -0
package/lib/helpers/utils.js +882 -136
package/lib/helpers/utils.poku.js +995 -91
package/lib/managers/binary.js +29 -5
package/lib/managers/docker.js +179 -52
package/lib/managers/docker.poku.js +327 -28
package/lib/managers/oci.js +107 -23
package/lib/managers/oci.poku.js +132 -0
package/lib/server/openapi.yaml +50 -0
package/lib/server/server.js +228 -331
package/lib/server/server.poku.js +220 -5
package/lib/stages/postgen/annotator.js +7 -0
package/lib/stages/postgen/annotator.poku.js +40 -0
package/lib/stages/postgen/auditBom.js +20 -5
package/lib/stages/postgen/auditBom.poku.js +1729 -67
package/lib/stages/postgen/postgen.js +40 -0
package/lib/stages/postgen/postgen.poku.js +47 -0
package/lib/stages/postgen/ruleEngine.js +80 -2
package/lib/stages/postgen/spdxConverter.js +796 -0
package/lib/stages/postgen/spdxConverter.poku.js +341 -0
package/lib/validator/bomValidator.js +232 -0
package/lib/validator/bomValidator.poku.js +70 -0
package/lib/validator/complianceRules.js +70 -7
package/lib/validator/complianceRules.poku.js +30 -0
package/lib/validator/reporters/annotations.js +2 -2
package/lib/validator/reporters/console.js +13 -2
package/lib/validator/reporters.poku.js +13 -0
package/package.json +10 -8
package/types/bin/audit.d.ts +3 -0
package/types/bin/audit.d.ts.map +1 -0
package/types/bin/convert.d.ts +3 -0
package/types/bin/convert.d.ts.map +1 -0
package/types/bin/repl.d.ts.map +1 -1
package/types/lib/audit/index.d.ts +115 -0
package/types/lib/audit/index.d.ts.map +1 -0
package/types/lib/audit/progress.d.ts +27 -0
package/types/lib/audit/progress.d.ts.map +1 -0
package/types/lib/audit/reporters.d.ts +35 -0
package/types/lib/audit/reporters.d.ts.map +1 -0
package/types/lib/audit/scoring.d.ts +35 -0
package/types/lib/audit/scoring.d.ts.map +1 -0
package/types/lib/audit/targets.d.ts +63 -0
package/types/lib/audit/targets.d.ts.map +1 -0
package/types/lib/cli/index.d.ts +8 -0
package/types/lib/cli/index.d.ts.map +1 -1
package/types/lib/helpers/analyzer.d.ts +13 -0
package/types/lib/helpers/analyzer.d.ts.map +1 -1
package/types/lib/helpers/annotationFormatter.d.ts +23 -0
package/types/lib/helpers/annotationFormatter.d.ts.map +1 -0
package/types/lib/helpers/bomUtils.d.ts +5 -0
package/types/lib/helpers/bomUtils.d.ts.map +1 -0
package/types/lib/helpers/chromextutils.d.ts +97 -0
package/types/lib/helpers/chromextutils.d.ts.map +1 -0
package/types/lib/helpers/ciParsers/githubActions.d.ts +3 -8
package/types/lib/helpers/ciParsers/githubActions.d.ts.map +1 -1
package/types/lib/helpers/containerRisk.d.ts +17 -0
package/types/lib/helpers/containerRisk.d.ts.map +1 -0
package/types/lib/helpers/depsUtils.d.ts.map +1 -1
package/types/lib/helpers/display.d.ts +4 -1
package/types/lib/helpers/display.d.ts.map +1 -1
package/types/lib/helpers/exportUtils.d.ts +40 -0
package/types/lib/helpers/exportUtils.d.ts.map +1 -0
package/types/lib/helpers/formulationParsers.d.ts.map +1 -1
package/types/lib/helpers/gtfobins.d.ts +17 -0
package/types/lib/helpers/gtfobins.d.ts.map +1 -0
package/types/lib/helpers/lolbas.d.ts +16 -0
package/types/lib/helpers/lolbas.d.ts.map +1 -0
package/types/lib/helpers/osqueryTransform.d.ts +7 -0
package/types/lib/helpers/osqueryTransform.d.ts.map +1 -0
package/types/lib/helpers/provenanceUtils.d.ts +90 -0
package/types/lib/helpers/provenanceUtils.d.ts.map +1 -0
package/types/lib/helpers/pylockutils.d.ts +51 -0
package/types/lib/helpers/pylockutils.d.ts.map +1 -0
package/types/lib/helpers/registryProvenance.d.ts +17 -0
package/types/lib/helpers/registryProvenance.d.ts.map +1 -0
package/types/lib/helpers/remote/dependency-track.d.ts +16 -0
package/types/lib/helpers/remote/dependency-track.d.ts.map +1 -0
package/types/lib/helpers/source.d.ts +141 -0
package/types/lib/helpers/source.d.ts.map +1 -0
package/types/lib/helpers/spdxUtils.d.ts +2 -0
package/types/lib/helpers/spdxUtils.d.ts.map +1 -0
package/types/lib/helpers/table.d.ts +6 -0
package/types/lib/helpers/table.d.ts.map +1 -0
package/types/lib/helpers/unicodeScan.d.ts +46 -0
package/types/lib/helpers/unicodeScan.d.ts.map +1 -0
package/types/lib/helpers/utils.d.ts +30 -11
package/types/lib/helpers/utils.d.ts.map +1 -1
package/types/lib/managers/binary.d.ts.map +1 -1
package/types/lib/managers/docker.d.ts.map +1 -1
package/types/lib/managers/oci.d.ts.map +1 -1
package/types/lib/server/server.d.ts +0 -35
package/types/lib/server/server.d.ts.map +1 -1
package/types/lib/stages/postgen/annotator.d.ts.map +1 -1
package/types/lib/stages/postgen/auditBom.d.ts.map +1 -1
package/types/lib/stages/postgen/postgen.d.ts.map +1 -1
package/types/lib/stages/postgen/ruleEngine.d.ts.map +1 -1
package/types/lib/stages/postgen/spdxConverter.d.ts +11 -0
package/types/lib/stages/postgen/spdxConverter.d.ts.map +1 -0
package/types/lib/validator/bomValidator.d.ts +1 -0
package/types/lib/validator/bomValidator.d.ts.map +1 -1
package/types/lib/validator/complianceRules.d.ts.map +1 -1
package/types/lib/validator/reporters/console.d.ts.map +1 -1
package/types/bin/dependencies.d.ts +0 -3
package/types/bin/dependencies.d.ts.map +0 -1
package/types/bin/licenses.d.ts +0 -3
package/types/bin/licenses.d.ts.map +0 -1

package/data/rules/container-risk.yaml ADDED Viewed

@@ -0,0 +1,270 @@
+- id: CTR-001
+  name: "Container image ships setuid/setgid GTFOBins execution primitive"
+  description: "Known GTFOBins execution helpers become materially riskier when the image keeps the binary setuid or setgid."
+  severity: critical
+  category: container-risk
+  condition: |
+    components[
+      $prop($, 'cdx:gtfobins:matched') = 'true'
+      and (
+        $listContains($prop($, 'cdx:gtfobins:functions'), 'shell')
+        or $listContains($prop($, 'cdx:gtfobins:functions'), 'command')
+        or $listContains($prop($, 'cdx:gtfobins:functions'), 'reverse-shell')
+        or $listContains($prop($, 'cdx:gtfobins:functions'), 'bind-shell')
+      )
+      and (
+        $prop($, 'internal:has_setuid') = 'true'
+        or $prop($, 'internal:has_setgid') = 'true'
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl,
+      "file": $prop($, 'SrcFile')
+    }
+  message: "Executable '{{ name }}' at '{{ $prop($, 'SrcFile') }}' combines GTFOBins execution features with setuid/setgid permissions"
+  mitigation: "Remove the setuid/setgid bit, replace the image with a slimmer base, and keep container privilege boundaries strict (no host mounts, no privileged mode, no extra capabilities)."
+  attack:
+    tactics: [TA0004, TA0008]
+    techniques: [T1548, T1611]
+  evidence: |
+    {
+      "canonicalName": $prop($, 'cdx:gtfobins:name'),
+      "functions": $prop($, 'cdx:gtfobins:functions'),
+      "contexts": $prop($, 'cdx:gtfobins:contexts'),
+      "riskTags": $prop($, 'cdx:gtfobins:riskTags'),
+      "srcFile": $prop($, 'SrcFile'),
+      "reference": $prop($, 'cdx:gtfobins:reference')
+    }
+- id: CTR-002
+  name: "Container image includes privileged container-escape helper"
+  description: "Container runtime or namespace-management helpers that are already classified as GTFOBins can accelerate container breakout when runtime isolation is weakened."
+  severity: critical
+  category: container-risk
+  condition: |
+    components[
+      $prop($, 'cdx:gtfobins:matched') = 'true'
+      and $listContains($prop($, 'cdx:gtfobins:riskTags'), 'container-escape')
+      and (
+        $prop($, 'internal:has_setuid') = 'true'
+        or $prop($, 'internal:has_setgid') = 'true'
+        or $listContains($prop($, 'cdx:gtfobins:privilegedContexts'), 'capabilities')
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl,
+      "file": $prop($, 'SrcFile')
+    }
+  message: "Container-escape helper '{{ name }}' is present at '{{ $prop($, 'SrcFile') }}' with elevated execution semantics"
+  mitigation: "Remove container runtime and namespace-management tooling from application images, avoid CAP_SYS_ADMIN-like capability grants, and block access to the Docker/containerd sockets."
+  attack:
+    tactics: [TA0004, TA0008]
+    techniques: [T1611]
+  evidence: |
+    {
+      "canonicalName": $prop($, 'cdx:gtfobins:name'),
+      "privilegedContexts": $prop($, 'cdx:gtfobins:privilegedContexts'),
+      "riskTags": $prop($, 'cdx:gtfobins:riskTags'),
+      "srcFile": $prop($, 'SrcFile')
+    }
+- id: CTR-003
+  name: "Container image includes privileged GTFOBins library-load or escalation primitive"
+  description: "GTFOBins entries that can load attacker-controlled shared libraries or directly escalate privileges are strong hardening failures in container images."
+  severity: high
+  category: container-risk
+  condition: |
+    components[
+      $prop($, 'cdx:gtfobins:matched') = 'true'
+      and (
+        $listContains($prop($, 'cdx:gtfobins:functions'), 'library-load')
+        or $listContains($prop($, 'cdx:gtfobins:functions'), 'privilege-escalation')
+      )
+      and (
+        $prop($, 'internal:has_setuid') = 'true'
+        or $prop($, 'internal:has_setgid') = 'true'
+        or $listContains($prop($, 'cdx:gtfobins:privilegedContexts'), 'sudo')
+        or $listContains($prop($, 'cdx:gtfobins:privilegedContexts'), 'suid')
+        or $listContains($prop($, 'cdx:gtfobins:privilegedContexts'), 'capabilities')
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl,
+      "file": $prop($, 'SrcFile')
+    }
+  message: "Binary '{{ name }}' exposes GTFOBins privilege-escalation or library-load behavior in a privileged execution context"
+  mitigation: "Remove the helper from the image where possible, strip privileged bits/capabilities, and keep writable mounts away from privileged processes."
+  attack:
+    tactics: [TA0003, TA0004]
+    techniques: [T1574, T1548]
+  evidence: |
+    {
+      "canonicalName": $prop($, 'cdx:gtfobins:name'),
+      "functions": $prop($, 'cdx:gtfobins:functions'),
+      "privilegedContexts": $prop($, 'cdx:gtfobins:privilegedContexts'),
+      "srcFile": $prop($, 'SrcFile')
+    }
+- id: CTR-004
+  name: "Container image retains privileged GTFOBins exfiltration primitive"
+  description: "A GTFOBins helper that can read local files or upload data becomes especially dangerous when it also runs with setuid/setgid or other elevated contexts."
+  severity: high
+  category: container-risk
+  condition: |
+    components[
+      $prop($, 'cdx:gtfobins:matched') = 'true'
+      and (
+        $listContains($prop($, 'cdx:gtfobins:riskTags'), 'data-exfiltration')
+        or $listContains($prop($, 'cdx:gtfobins:functions'), 'upload')
+      )
+      and (
+        $prop($, 'internal:has_setuid') = 'true'
+        or $prop($, 'internal:has_setgid') = 'true'
+        or $listContains($prop($, 'cdx:gtfobins:privilegedContexts'), 'sudo')
+        or $listContains($prop($, 'cdx:gtfobins:privilegedContexts'), 'suid')
+        or $listContains($prop($, 'cdx:gtfobins:privilegedContexts'), 'capabilities')
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl,
+      "file": $prop($, 'SrcFile')
+    }
+  message: "Binary '{{ name }}' can read or exfiltrate local data from a privileged execution path"
+  mitigation: "Drop privileged bits, keep secrets off the image filesystem, and remove unnecessary upload/file-read helpers from runtime images."
+  attack:
+    tactics: [TA0006, TA0010]
+    techniques: [T1005, T1041]
+  evidence: |
+    {
+      "canonicalName": $prop($, 'cdx:gtfobins:name'),
+      "functions": $prop($, 'cdx:gtfobins:functions'),
+      "privilegedContexts": $prop($, 'cdx:gtfobins:privilegedContexts'),
+      "srcFile": $prop($, 'SrcFile')
+    }
+- id: CTR-005
+  name: "Container image includes mutable-path GTFOBins remote-execution helper"
+  description: "Remote-execution-capable GTFOBins helpers under mutable or non-standard image paths often indicate an avoidable attack toolkit or image tampering."
+  severity: medium
+  category: container-risk
+  condition: |
+    components[
+      $prop($, 'cdx:gtfobins:matched') = 'true'
+      and (
+        $listContains($prop($, 'cdx:gtfobins:functions'), 'reverse-shell')
+        or $listContains($prop($, 'cdx:gtfobins:functions'), 'bind-shell')
+        or (
+          (
+            $listContains($prop($, 'cdx:gtfobins:functions'), 'shell')
+            or $listContains($prop($, 'cdx:gtfobins:functions'), 'command')
+          )
+          and (
+            $listContains($prop($, 'cdx:gtfobins:functions'), 'upload')
+            or $listContains($prop($, 'cdx:gtfobins:functions'), 'download')
+          )
+        )
+      )
+      and (
+        $startsWith($prop($, 'SrcFile'), '/usr/local/')
+        or $startsWith($prop($, 'SrcFile'), '/opt/')
+        or $startsWith($prop($, 'SrcFile'), '/app/')
+        or $startsWith($prop($, 'SrcFile'), '/tmp/')
+        or $startsWith($prop($, 'SrcFile'), '/var/tmp/')
+        or $startsWith($prop($, 'SrcFile'), '/root/')
+        or $startsWith($prop($, 'SrcFile'), '/home/')
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl,
+      "file": $prop($, 'SrcFile')
+    }
+  message: "GTFOBins remote-execution helper '{{ name }}' is present in mutable image path '{{ $prop($, 'SrcFile') }}'"
+  mitigation: "Keep runtime images immutable and minimal, move administrative tooling to separate debug images, and investigate how the helper entered the image."
+  attack:
+    tactics: [TA0001, TA0008]
+    techniques: [T1105, T1570]
+  evidence: |
+    {
+      "canonicalName": $prop($, 'cdx:gtfobins:name'),
+      "functions": $prop($, 'cdx:gtfobins:functions'),
+      "riskTags": $prop($, 'cdx:gtfobins:riskTags'),
+      "srcFile": $prop($, 'SrcFile')
+    }
+- id: CTR-006
+  name: "Container image ships dedicated offensive container toolkit"
+  description: "Dedicated container or Kubernetes intrusion toolkits such as Peirates, CDK, or DEEPCE should not ship inside production runtime images."
+  severity: high
+  category: container-risk
+  condition: |
+    components[
+      $prop($, 'cdx:container:matched') = 'true'
+      and $listContains($prop($, 'cdx:container:riskTags'), 'offensive-toolkit')
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl,
+      "file": $prop($, 'SrcFile')
+    }
+  message: "Dedicated offensive toolkit '{{ name }}' is present at '{{ $prop($, 'SrcFile') }}'"
+  mitigation: "Remove offensive testing binaries from runtime images, rebuild from a minimal trusted base, and keep container debugging or red-team tooling in separate break-glass images."
+  attack:
+    tactics: [TA0003, TA0004, TA0006, TA0007, TA0008]
+    techniques: [T1552.007, T1609, T1611, T1613]
+  evidence: |
+    {
+      "canonicalName": $prop($, 'cdx:container:name'),
+      "offenseTools": $prop($, 'cdx:container:offenseTools'),
+      "riskTags": $prop($, 'cdx:container:riskTags'),
+      "attackTechniques": $prop($, 'cdx:container:attackTechniques'),
+      "knowledgeSources": $prop($, 'cdx:container:knowledgeSources'),
+      "srcFile": $prop($, 'SrcFile')
+    }
+- id: CTR-007
+  name: "Container image includes seccomp-sensitive namespace escape helper"
+  description: "Helpers that rely on syscalls blocked by Docker's default seccomp profile become materially riskier when operators use `seccomp=unconfined` or permissive custom profiles."
+  severity: medium
+  category: container-risk
+  condition: |
+    components[
+      $prop($, 'cdx:container:matched') = 'true'
+      and $prop($, 'cdx:container:seccompProfile') = 'docker-default'
+      and $prop($, 'cdx:container:seccompBlockedSyscalls') != ''
+      and (
+        $listContains($prop($, 'cdx:container:riskTags'), 'container-escape')
+        or $listContains($prop($, 'cdx:container:riskTags'), 'namespace-escape')
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl,
+      "file": $prop($, 'SrcFile')
+    }
+  message: "Seccomp-sensitive escape helper '{{ name }}' is present at '{{ $prop($, 'SrcFile') }}' and depends on syscalls blocked by the Docker default seccomp profile"
+  mitigation: "Keep Docker or OCI runtimes on the default seccomp profile, never use `seccomp=unconfined` for app workloads, and review custom profiles so they do not allow namespace or host-escape syscalls without a clear need."
+  attack:
+    tactics: [TA0004, TA0008]
+    techniques: [T1611]
+  evidence: |
+    {
+      "canonicalName": $prop($, 'cdx:container:name'),
+      "offenseTools": $prop($, 'cdx:container:offenseTools'),
+      "riskTags": $prop($, 'cdx:container:riskTags'),
+      "seccompProfile": $prop($, 'cdx:container:seccompProfile'),
+      "seccompBlockedSyscalls": $prop($, 'cdx:container:seccompBlockedSyscalls'),
+      "knowledgeSources": $prop($, 'cdx:container:knowledgeSources'),
+      "srcFile": $prop($, 'SrcFile')
+    }