@cyclonedx/cdxgen 12.3.0 → 12.3.2

package/data/rules/mcp-servers.yaml

@@ -0,0 +1,304 @@
+- id: MCP-001
+  name: "Unauthenticated MCP tool server endpoint"
+  description: "HTTP-based MCP servers that expose tools without authentication let unauthenticated clients invoke model-controlled actions directly."
+  severity: critical
+  category: mcp-server
+  attack:
+    tactics: [TA0001, TA0004]
+    techniques: [T1190, T1059]
+  standards:
+    owasp-ai-top-10:
+      - "LLM07: Insecure Plugin Design"
+      - "LLM08: Excessive Agency"
+    nist-ai-rmf:
+      - "Map"
+      - "Manage"
+    nist-ssdf:
+      - "Protect externally reachable AI control surfaces"
+  condition: |
+    $auditServices($)[
+      $contains($nullSafeProp($, 'cdx:mcp:transport'), 'streamable-http')
+      and authenticated != true
+      and (
+        $prop($, 'cdx:mcp:capabilities:tools') = 'true'
+        or $prop($, 'cdx:mcp:toolCount') != '0'
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "file": $prop($, 'SrcFile'),
+      "purl": endpoints[0]
+    }
+  message: "MCP server '{{ name }}' exposes tool endpoints without authentication"
+  mitigation: "Require bearer-token or equivalent authentication before exposing HTTP MCP tool endpoints."
+  evidence: |
+    {
+      "transport": $prop($, 'cdx:mcp:transport'),
+      "toolCount": $prop($, 'cdx:mcp:toolCount'),
+      "endpoints": endpoints,
+      "sdkImports": $prop($, 'cdx:mcp:sdkImports')
+    }
+- id: MCP-002
+  name: "Unauthenticated MCP HTTP server"
+  description: "Streamable HTTP MCP servers should authenticate incoming requests before serving prompts, resources, or tools."
+  severity: high
+  category: mcp-server
+  attack:
+    tactics: [TA0001]
+    techniques: [T1190]
+  standards:
+    owasp-ai-top-10:
+      - "LLM07: Insecure Plugin Design"
+    nist-ai-rmf:
+      - "Map"
+      - "Manage"
+    nist-ssdf:
+      - "Authenticate and authorize AI-facing service endpoints"
+  condition: |
+    $auditServices($)[
+      $contains($nullSafeProp($, 'cdx:mcp:transport'), 'streamable-http')
+      and authenticated != true
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "file": $prop($, 'SrcFile'),
+      "purl": endpoints[0]
+    }
+  message: "MCP HTTP endpoint '{{ endpoints[0] }}' is reachable without authentication"
+  mitigation: "Protect MCP HTTP endpoints with authentication and validate Origin/host binding for local deployments."
+  evidence: |
+    {
+      "officialSdk": $prop($, 'cdx:mcp:officialSdk'),
+      "transport": $prop($, 'cdx:mcp:transport'),
+      "promptCount": $prop($, 'cdx:mcp:promptCount'),
+      "resourceCount": $prop($, 'cdx:mcp:resourceCount'),
+      "toolCount": $prop($, 'cdx:mcp:toolCount')
+    }
+- id: MCP-003
+  name: "Network-exposed non-official MCP server"
+  description: "MCP servers built on non-official SDKs or wrappers deserve extra review before being exposed over HTTP, especially when they register tools."
+  severity: medium
+  category: mcp-server
+  attack:
+    tactics: [TA0001, TA0005]
+    techniques: [T1195.001]
+  standards:
+    owasp-ai-top-10:
+      - "LLM05: Supply Chain Vulnerabilities"
+      - "LLM07: Insecure Plugin Design"
+    nist-ai-rmf:
+      - "Govern"
+      - "Map"
+    nist-ssdf:
+      - "Verify provenance of AI and automation integrations"
+  condition: |
+    $auditServices($)[
+      $contains($nullSafeProp($, 'cdx:mcp:transport'), 'streamable-http')
+      and $prop($, 'cdx:mcp:officialSdk') = 'false'
+      and (
+        $prop($, 'cdx:mcp:capabilities:tools') = 'true'
+        or $prop($, 'cdx:mcp:toolCount') != '0'
+        or $count(endpoints) > 0
+      )
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "file": $prop($, 'SrcFile'),
+      "purl": endpoints[0]
+    }
+  message: "MCP server '{{ name }}' is network-accessible but relies on a non-official SDK or wrapper"
+  mitigation: "Review the SDK provenance, pin exact versions, and harden authentication/authorization before exposing the server."
+  evidence: |
+    {
+      "sdkImports": $prop($, 'cdx:mcp:sdkImports'),
+      "toolCount": $prop($, 'cdx:mcp:toolCount'),
+      "providerNames": $prop($, 'cdx:mcp:providerNames'),
+      "modelNames": $prop($, 'cdx:mcp:modelNames')
+    }
+
+- id: MCP-004
+  name: "Configured MCP endpoint lacks auth posture"
+  description: "MCP services discovered only from client configuration files still need explicit authentication or OAuth posture when they resolve to network-accessible HTTP endpoints."
+  severity: high
+  category: mcp-server
+  attack:
+    tactics: [TA0001]
+    techniques: [T1190]
+  standards:
+    owasp-ai-top-10:
+      - "LLM07: Insecure Plugin Design"
+      - "LLM08: Excessive Agency"
+    nist-ai-rmf:
+      - "Map"
+      - "Manage"
+    nist-ssdf:
+      - "Review and harden configured external AI control surfaces"
+  condition: |
+    $auditServices($)[
+      $prop($, 'cdx:mcp:inventorySource') = 'config-file'
+      and $contains($nullSafeProp($, 'cdx:mcp:transport'), 'http')
+      and authenticated != true
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "file": $prop($, 'SrcFile'),
+      "purl": endpoints[0]
+    }
+  message: "Configured MCP endpoint '{{ endpoints[0] }}' lacks any discovered auth posture"
+  mitigation: "Document bearer or OAuth requirements for configured MCP endpoints before allowing clients to auto-connect."
+  evidence: |
+    {
+      "configFormat": $prop($, 'cdx:mcp:configFormat'),
+      "configKey": $prop($, 'cdx:mcp:configKey'),
+      "authPosture": $prop($, 'cdx:mcp:authPosture'),
+      "trustProfile": $prop($, 'cdx:mcp:trustProfile')
+    }
+
+- id: MCP-005
+  name: "MCP configuration exposes inline credentials"
+  description: "MCP configs that embed tokens, API keys, or other secrets directly in args, env values, or headers create immediate credential-handling and supply-chain review risk."
+  severity: critical
+  category: mcp-server
+  attack:
+    tactics: [TA0006]
+    techniques: [T1552]
+  standards:
+    owasp-ai-top-10:
+      - "LLM05: Supply Chain Vulnerabilities"
+      - "LLM07: Insecure Plugin Design"
+    nist-ai-rmf:
+      - "Govern"
+      - "Manage"
+    nist-ssdf:
+      - "Protect secrets used by automation and AI integrations"
+  condition: |
+    $auditServices($)[
+      $prop($, 'cdx:mcp:inventorySource') = 'config-file'
+      and $prop($, 'cdx:mcp:credentialExposure') = 'true'
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "file": $prop($, 'SrcFile')
+    }
+  message: "MCP config entry '{{ name }}' exposes inline credentials"
+  mitigation: "Move secrets out of config files and command args into secret stores or environment references that can be managed separately."
+  evidence: |
+    {
+      "configFormat": $prop($, 'cdx:mcp:configFormat'),
+      "configKey": $prop($, 'cdx:mcp:configKey'),
+      "credentialExposureFieldCount": $prop($, 'cdx:mcp:credentialExposureFieldCount'),
+      "credentialIndicatorCount": $prop($, 'cdx:mcp:credentialIndicatorCount'),
+      "credentialReferenceCount": $prop($, 'cdx:mcp:credentialReferenceCount')
+    }
+
+- id: MCP-006
+  name: "MCP configuration suggests confused-deputy risk"
+  description: "Dynamic client registration combined with a static configured client ID can create confused-deputy style authorization risk in MCP deployments."
+  severity: high
+  category: mcp-server
+  attack:
+    tactics: [TA0004]
+    techniques: [T1528]
+  standards:
+    owasp-ai-top-10:
+      - "LLM07: Insecure Plugin Design"
+      - "LLM08: Excessive Agency"
+    nist-ai-rmf:
+      - "Govern"
+      - "Map"
+    nist-ssdf:
+      - "Review AI authorization delegation and client registration flows"
+  condition: |
+    $auditServices($)[
+      $prop($, 'cdx:mcp:inventorySource') = 'config-file'
+      and $prop($, 'cdx:mcp:security:confusedDeputyRisk') = 'high'
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "file": $prop($, 'SrcFile')
+    }
+  message: "MCP config entry '{{ name }}' combines dynamic client registration with a static client identity"
+  mitigation: "Avoid mixing DCR with shared static client identities; isolate delegated clients and validate downstream authorization assumptions."
+  evidence: |
+    {
+      "configFormat": $prop($, 'cdx:mcp:configFormat'),
+      "configKey": $prop($, 'cdx:mcp:configKey'),
+      "supportsDCR": $prop($, 'cdx:mcp:auth:supportsDCR'),
+      "authPosture": $prop($, 'cdx:mcp:authPosture')
+    }
+
+- id: MCP-007
+  name: "MCP configuration forwards bearer or access tokens"
+  description: "Token-forwarding and passthrough settings in MCP configs deserve review because they can propagate delegated credentials across trust boundaries."
+  severity: high
+  category: mcp-server
+  attack:
+    tactics: [TA0006]
+    techniques: [T1528]
+  standards:
+    owasp-ai-top-10:
+      - "LLM07: Insecure Plugin Design"
+      - "LLM08: Excessive Agency"
+    nist-ai-rmf:
+      - "Govern"
+      - "Manage"
+    nist-ssdf:
+      - "Review delegated token forwarding and trust-boundary crossings"
+  condition: |
+    $auditServices($)[
+      $prop($, 'cdx:mcp:inventorySource') = 'config-file'
+      and $prop($, 'cdx:mcp:security:tokenPassthroughRisk') = 'high'
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "file": $prop($, 'SrcFile')
+    }
+  message: "MCP config entry '{{ name }}' forwards or passes through bearer-like credentials"
+  mitigation: "Prefer server-side credential exchange or scoped token minting instead of forwarding end-user tokens through MCP configs."
+  evidence: |
+    {
+      "configFormat": $prop($, 'cdx:mcp:configFormat'),
+      "configKey": $prop($, 'cdx:mcp:configKey'),
+      "trustProfile": $prop($, 'cdx:mcp:trustProfile'),
+      "authPosture": $prop($, 'cdx:mcp:authPosture')
+    }
+
+- id: MCP-008
+  name: "MCP configuration file is included in a build or post-build SBOM"
+  description: "Committed MCP client configuration files can carry trust, auth, and distribution sensitivity even when they are not actively used during the current scan."
+  severity: medium
+  category: mcp-server
+  standards:
+    owasp-ai-top-10:
+      - "LLM07: Insecure Plugin Design"
+      - "LLM08: Excessive Agency"
+    nist-ai-rmf:
+      - "Govern"
+      - "Map"
+    nist-ssdf:
+      - "Review configured AI control surfaces before release"
+  condition: |
+    components[
+      $prop($, 'cdx:file:kind') = 'mcp-config'
+      and $count($$.metadata.lifecycles[phase = 'build' or phase = 'post-build']) > 0
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "file": $prop($, 'SrcFile')
+    }
+  message: "MCP config file '{{ name }}' is included in a build/post-build SBOM"
+  mitigation: "Review the config with '--bom-audit --bom-audit-categories mcp-server', consider '--tlp-classification AMBER' before sharing the BOM broadly, or rerun with '--exclude-type mcp' if config artifacts should be omitted."
+  evidence: |
+    {
+      "configFormat": $prop($, 'cdx:mcp:configFormat'),
+      "configuredServiceCount": $prop($, 'cdx:mcp:configuredServiceCount'),
+      "configuredServiceNames": $prop($, 'cdx:mcp:configuredServiceNames')
+    }

package/data/rules/package-integrity.yaml

@@ -182,3 +182,126 @@
       "indicatorMap": $prop($, 'cdx:npm:lifecycleIndicatorMap')
     }
 
+- id: INT-010
+  name: "Yanked Cargo crate in dependency tree"
+  description: "Crates yanked from crates.io are often removed because of security, correctness, or ecosystem breakage issues"
+  severity: high
+  category: package-integrity
+  condition: |
+    components[
+      $prop($, 'cdx:cargo:yanked') = 'true'
+    ]
+  location: |
+    { "bomRef": $."bom-ref", "purl": purl }
+  message: "Cargo crate '{{ name }}@{{ version }}' has been yanked from crates.io"
+  mitigation: "Update to a non-yanked release and review any recent publisher or release-cadence changes before upgrading"
+  evidence: |
+    {
+      "publisher": $prop($, 'cdx:cargo:publisher'),
+      "priorPublisher": $prop($, 'cdx:cargo:priorPublisher'),
+      "publishTime": $prop($, 'cdx:cargo:publishTime'),
+      "releaseGapDays": $prop($, 'cdx:cargo:releaseGapDays')
+    }
+
+- id: INT-011
+  name: "Rust project uses native Cargo build surface"
+  description: "Cargo build scripts and native build helpers expand execution surface during build and deserve additional review before release"
+  severity: medium
+  category: package-integrity
+  condition: |
+    formulation.components[
+      $prop($, 'cdx:rust:buildTool') = 'cargo'
+      and $prop($, 'cdx:cargo:hasNativeBuild') = 'true'
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "file": $prop($, 'SrcFile')
+    }
+  message: "Rust project '{{ name }}' uses Cargo build.rs or native build helpers"
+  mitigation: "Review `build.rs`, native build dependencies, and release workflows to ensure the build remains hermetic and expected"
+  evidence: |
+    {
+      "buildScript": $prop($, 'cdx:cargo:buildScript'),
+      "nativeBuildIndicators": $prop($, 'cdx:cargo:nativeBuildIndicators'),
+      "releaseProfiles": $prop($, 'cdx:cargo:releaseProfiles')
+    }
+
+- id: INT-012
+  name: "Rust native build uses mutable Cargo setup action"
+  description: "Native Cargo build surfaces deserve additional scrutiny when the workflow relies on mutable Cargo toolchain setup actions instead of immutable SHA-pinned references"
+  severity: medium
+  category: package-integrity
+  condition: |
+    formulation.components[
+      $prop($, 'cdx:rust:buildTool') = 'cargo'
+      and $prop($, 'cdx:cargo:hasNativeBuild') = 'true'
+      and $count($$.components[
+        $prop($, 'cdx:github:action:ecosystem') = 'cargo'
+        and $contains($prop($, 'cdx:github:action:role'), 'toolchain')
+        and $prop($, 'cdx:github:action:versionPinningType') != 'sha'
+      ]) > 0
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "file": $prop($, 'SrcFile')
+    }
+  message: "Rust project '{{ name }}' combines native Cargo build surfaces with mutable Cargo toolchain setup actions"
+  mitigation: "Prefer SHA-pinned Cargo toolchain setup actions for release workflows, especially when build.rs or native helpers run during CI"
+  evidence: |
+    {
+      "buildScript": $prop($, 'cdx:cargo:buildScript'),
+      "buildScriptCapabilities": $prop($, 'cdx:cargo:buildScriptCapabilities'),
+      "toolchainActions": $$.components[
+        $prop($, 'cdx:github:action:ecosystem') = 'cargo'
+        and $contains($prop($, 'cdx:github:action:role'), 'toolchain')
+        and $prop($, 'cdx:github:action:versionPinningType') != 'sha'
+      ].$prop($, 'cdx:github:action:uses')
+    }
+
+- id: INT-013
+  name: "Rust native build is exercised by Cargo workflow steps"
+  description: "Cargo workflows that execute build/test/package/publish steps against native build surfaces increase the impact of build-script or native-helper changes"
+  severity: medium
+  category: package-integrity
+  condition: |
+    formulation.components[
+      $prop($, 'cdx:rust:buildTool') = 'cargo'
+      and $prop($, 'cdx:cargo:hasNativeBuild') = 'true'
+      and (
+        $contains($prop($, 'cdx:cargo:buildScriptCapabilities'), 'process-execution')
+        or $contains($prop($, 'cdx:cargo:buildScriptCapabilities'), 'network-access')
+        or $contains($prop($, 'cdx:cargo:nativeBuildIndicators'), '-sys')
+      )
+      and $count($$.components[
+        $prop($, 'cdx:github:step:usesCargo') = 'true'
+        and (
+          $contains($prop($, 'cdx:github:step:cargoSubcommands'), 'build')
+          or $contains($prop($, 'cdx:github:step:cargoSubcommands'), 'test')
+          or $contains($prop($, 'cdx:github:step:cargoSubcommands'), 'package')
+          or $contains($prop($, 'cdx:github:step:cargoSubcommands'), 'publish')
+        )
+      ]) > 0
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "file": $prop($, 'SrcFile')
+    }
+  message: "Rust project '{{ name }}' runs Cargo build/test/package workflow steps against a native build surface"
+  mitigation: "Review build.rs, native helper crates, and workflow command scope before merging or publishing releases that exercise native build logic"
+  evidence: |
+    {
+      "buildScriptCapabilities": $prop($, 'cdx:cargo:buildScriptCapabilities'),
+      "nativeBuildIndicators": $prop($, 'cdx:cargo:nativeBuildIndicators'),
+      "cargoCommands": $$.components[
+        $prop($, 'cdx:github:step:usesCargo') = 'true'
+        and (
+          $contains($prop($, 'cdx:github:step:cargoSubcommands'), 'build')
+          or $contains($prop($, 'cdx:github:step:cargoSubcommands'), 'test')
+          or $contains($prop($, 'cdx:github:step:cargoSubcommands'), 'package')
+          or $contains($prop($, 'cdx:github:step:cargoSubcommands'), 'publish')
+        )
+      ].$prop($, 'cdx:github:step:command')
+    }