@cyclonedx/cdxgen 12.3.2 → 12.4.0

package/data/rules/ci-permissions.yaml

@@ -7,8 +7,9 @@
   description: "GitHub Actions referenced by tag/branch in workflows with write permissions pose supply chain risk"
   severity: high
   category: ci-permission
+  dry-run-support: full
   attack:
-    tactics: [TA0001, TA0004]
+    tactics: [TA0001]
     techniques: [T1195.001]
   condition: |
     $auditComponents($)[
@@ -37,6 +38,7 @@
   description: "Workflows or jobs granting id-token:write to third-party actions may enable token exfiltration"
   severity: high
   category: ci-permission
+  dry-run-support: full
   attack:
     tactics: [TA0006]
     techniques: [T1528]
@@ -68,8 +70,9 @@
   description: "GitHub Actions pinned to tags (vs SHA) can change behavior unexpectedly if tag is moved"
   severity: medium
   category: ci-permission
+  dry-run-support: full
   attack:
-    tactics: [TA0001, TA0005]
+    tactics: [TA0001]
     techniques: [T1195.001]
   condition: |
     $auditComponents($)[
@@ -89,6 +92,7 @@
   description: "pull_request_target can execute code in the context of the base branch, risking secret exposure"
   severity: medium
   category: ci-permission
+  dry-run-support: full
   attack:
     tactics: [TA0001, TA0004]
   condition: |
@@ -112,8 +116,9 @@
   description: "actions/checkout with persist-credentials=true (default) exposes GITHUB_TOKEN to subsequent steps"
   severity: medium
   category: ci-permission
+  dry-run-support: full
   attack:
-    tactics: [TA0004, TA0006]
+    tactics: [TA0006]
     techniques: [T1552]
   condition: |
     $auditComponents($)[
@@ -142,8 +147,9 @@
   description: "GitHub Actions cache can be poisoned when used in workflows triggered by untrusted input (e.g., pull_request from forks)"
   severity: high
   category: ci-permission
+  dry-run-support: full
   attack:
-    tactics: [TA0001, TA0005]
+    tactics: [TA0001]
     techniques: [T1195.001]
   condition: |
     $auditComponents($)[
@@ -180,8 +186,9 @@
   description: "Direct interpolation of github.event.* or inputs.* into run: blocks enables command injection"
   severity: critical
   category: ci-permission
+  dry-run-support: full
   attack:
-    tactics: [TA0002, TA0004]
+    tactics: [TA0002]
     techniques: [T1059]
   condition: |
     $auditComponents($)[
@@ -205,6 +212,7 @@
   description: "Triggers like pull_request_target, issue_comment, or workflow_run combined with write permissions enable privilege escalation"
   severity: high
   category: ci-permission
+  dry-run-support: full
   attack:
     tactics: [TA0001, TA0004]
   condition: |
@@ -234,6 +242,7 @@
   description: "Hidden Unicode in workflow files can disguise malicious logic, comments, or diffs and should be reviewed before merge"
   severity: medium
   category: ci-permission
+  dry-run-support: full
   attack:
     tactics: [TA0005]
     techniques: [T1027]
@@ -260,8 +269,9 @@
   description: "npm and PyPI publishing should prefer trusted publishing or OIDC-backed flows instead of long-lived token secrets or explicit --token arguments"
   severity: medium
   category: ci-permission
+  dry-run-support: full
   attack:
-    tactics: [TA0006, TA0010]
+    tactics: [TA0006]
     techniques: [T1528]
   condition: |
     $auditComponents($)[
@@ -287,8 +297,9 @@
   description: "Reusable workflows invoked from external repositories with secrets: inherit expand the trust boundary and can expose repository credentials"
   severity: high
   category: ci-permission
+  dry-run-support: full
   attack:
-    tactics: [TA0006, TA0008]
+    tactics: [TA0006]
     techniques: [T1528, T1552]
   condition: |
     $auditComponents($)[
@@ -315,8 +326,9 @@
   description: "Reusable workflows referenced by tag or branch can change behavior without review and should be pinned to immutable SHAs"
   severity: medium
   category: ci-permission
+  dry-run-support: full
   attack:
-    tactics: [TA0001, TA0005]
+    tactics: [TA0001]
     techniques: [T1195.001]
   condition: |
     $auditComponents($)[
@@ -342,6 +354,7 @@
   description: "High-risk triggers executing on self-hosted runners can expose internal network access, credentials, and long-lived runner state"
   severity: high
   category: ci-permission
+  dry-run-support: full
   attack:
     tactics: [TA0004, TA0008]
   condition: |
@@ -373,8 +386,9 @@
   description: "Writing to GITHUB_ENV, GITHUB_PATH, or GITHUB_OUTPUT in privileged workflows can persist attacker-controlled state across later steps and jobs"
   severity: high
   category: ci-permission
+  dry-run-support: full
   attack:
-    tactics: [TA0003, TA0004, TA0005]
+    tactics: [TA0002]
     techniques: [T1059]
   condition: |
     $auditComponents($)[
@@ -406,8 +420,9 @@
   description: "Run steps that invoke outbound network tools while transmitting secrets, github.token, or OIDC request context are strong exfiltration indicators"
   severity: high
   category: ci-permission
+  dry-run-support: full
   attack:
-    tactics: [TA0006, TA0010]
+    tactics: [TA0010]
     techniques: [T1048]
   condition: |
     $auditComponents($)[
@@ -436,8 +451,9 @@
   description: "workflow_call producers that request caller-provided secrets while also holding write or OIDC permissions expand the blast radius across repositories and workflows"
   severity: high
   category: ci-permission
+  dry-run-support: full
   attack:
-    tactics: [TA0006, TA0008]
+    tactics: [TA0006]
     techniques: [T1528, T1552]
   condition: |
     $auditWorkflows($)[
@@ -468,6 +484,7 @@
   description: "workflow_call producers that both accept caller-controlled inputs and emit outputs from privileged execution contexts can propagate unsafe values into downstream trusted jobs"
   severity: medium
   category: ci-permission
+  dry-run-support: full
   attack:
     tactics: [TA0003, TA0004]
   condition: |
@@ -500,8 +517,9 @@
   description: "Dispatching workflow_dispatch or repository_dispatch from fork-reachable or privileged jobs can create a lateral-movement path into downstream workflows with broader credentials"
   severity: high
   category: ci-permission
+  dry-run-support: full
   attack:
-    tactics: [TA0004, TA0008]
+    tactics: [TA0006]
     techniques: [T1528]
   condition: |
     $auditComponents($)[
@@ -543,8 +561,9 @@
   description: "Dispatch chains that inspect pull_request head-repository or fork context before invoking downstream workflows are strong signals of fork-to-privileged lateral movement"
   severity: critical
   category: ci-permission
+  dry-run-support: full
   attack:
-    tactics: [TA0004, TA0008]
+    tactics: [TA0006]
     techniques: [T1528, T1552]
   condition: |
     $auditComponents($)[
@@ -581,8 +600,9 @@
   description: "Checking out github.event.pull_request.head.* repository or ref inside pull_request_target executes untrusted fork code with base-repository privileges"
   severity: critical
   category: ci-permission
+  dry-run-support: full
   attack:
-    tactics: [TA0001, TA0004]
+    tactics: [TA0001, TA0006]
     techniques: [T1195.001, T1552]
   condition: |
     $auditComponents($)[
@@ -616,8 +636,9 @@
   description: "High-risk GitHub Actions workflows that omit explicit permissions blocks while still performing sensitive operations may rely on repository-default token scopes. This is a review heuristic, not proof of write access."
   severity: medium
   category: ci-permission
+  dry-run-support: full
   attack:
-    tactics: [TA0004, TA0006]
+    tactics: [TA0006]
     techniques: [T1528, T1552]
   condition: |
     $auditComponents($)[
@@ -642,5 +663,140 @@
       "sensitiveOperations": $prop($, 'cdx:github:step:sensitiveOperations'),
       "sensitiveContextRefs": $prop($, 'cdx:github:step:sensitiveContextRefs'),
       "dispatchKinds": $prop($, 'cdx:github:step:dispatchKinds')
+     }
+
+- id: CI-022
+  name: "npm setup action disables build cache despite resolved package distributions"
+  description: "Explicitly disabling setup-node caching reduces tamper resistance and reviewability when npm dependencies are resolved from remote package distributions"
+  severity: medium
+  category: ci-permission
+  dry-run-support: full
+  attack:
+    tactics: [TA0001]
+    techniques: [T1195.001]
+  condition: |
+    $auditComponents($)[
+      $prop($, 'cdx:github:action:disablesBuildCache') = 'true'
+      and $prop($, 'cdx:github:action:buildCacheEcosystem') = 'npm'
+      and $count($$.components[
+        $startsWith(purl, 'pkg:npm/')
+        and (
+          $contains($lowercase($nullSafeProp($, 'cdx:npm:manifestSourceType')), 'git')
+          or $contains($lowercase($nullSafeProp($, 'cdx:npm:manifestSourceType')), 'url')
+        )
+        and $count(externalReferences[
+          type = 'distribution'
+          and (
+            $startsWith($lowercase(url), 'git+')
+            or $startsWith($lowercase(url), 'http://')
+            or $startsWith($lowercase(url), 'https://')
+          )
+        ]) > 0
+      ]) > 0
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl,
+      "file": $prop($, 'cdx:github:workflow:file')
+    }
+  message: "GitHub Action '{{ $prop($, 'cdx:github:action:uses') }}' explicitly disables npm build caching while resolved npm package distributions are present in the BOM"
+  mitigation: "Keep setup-node caching enabled unless you have a reviewed exception; disabling cache can weaken integrity checks and provenance review for resolved npm artifacts"
+  evidence: |
+    {
+      "cacheDisableInput": $prop($, 'cdx:github:action:buildCacheDisableInput'),
+      "cacheDisableValue": $prop($, 'cdx:github:action:buildCacheDisableValue'),
+      "matchingPackages": $$.components[
+        $startsWith(purl, 'pkg:npm/')
+        and (
+          $contains($lowercase($nullSafeProp($, 'cdx:npm:manifestSourceType')), 'git')
+          or $contains($lowercase($nullSafeProp($, 'cdx:npm:manifestSourceType')), 'url')
+        )
+        and $count(externalReferences[
+          type = 'distribution'
+          and (
+            $startsWith($lowercase(url), 'git+')
+            or $startsWith($lowercase(url), 'http://')
+            or $startsWith($lowercase(url), 'https://')
+          )
+        ]) > 0
+      ].purl
+    }
+
+- id: CI-023
+  name: "Python setup action disables build cache despite resolved package distributions"
+  description: "Explicitly disabling setup-python caching reduces tamper resistance and reviewability when PyPI dependencies are resolved from remote archives or VCS sources"
+  severity: medium
+  category: ci-permission
+  dry-run-support: full
+  attack:
+    tactics: [TA0001]
+    techniques: [T1195.001]
+  condition: |
+    $auditComponents($)[
+      $prop($, 'cdx:github:action:disablesBuildCache') = 'true'
+      and $prop($, 'cdx:github:action:buildCacheEcosystem') = 'pypi'
+      and $count($$.components[
+        $startsWith(purl, 'pkg:pypi/')
+        and (
+          $contains($lowercase($nullSafeProp($, 'cdx:pypi:manifestSourceType')), 'git')
+          or $contains($lowercase($nullSafeProp($, 'cdx:pypi:manifestSourceType')), 'url')
+        )
+      ]) > 0
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl,
+      "file": $prop($, 'cdx:github:workflow:file')
+    }
+  message: "GitHub Action '{{ $prop($, 'cdx:github:action:uses') }}' explicitly disables Python build caching while resolved PyPI package distributions are present in the BOM"
+  mitigation: "Keep setup-python caching enabled when lockfiles resolve remote archives or VCS sources unless you have a reviewed exception"
+  evidence: |
+    {
+      "cacheDisableInput": $prop($, 'cdx:github:action:buildCacheDisableInput'),
+      "cacheDisableValue": $prop($, 'cdx:github:action:buildCacheDisableValue'),
+      "matchingPackages": $$.components[
+        $startsWith(purl, 'pkg:pypi/')
+        and (
+          $contains($lowercase($nullSafeProp($, 'cdx:pypi:manifestSourceType')), 'git')
+          or $contains($lowercase($nullSafeProp($, 'cdx:pypi:manifestSourceType')), 'url')
+        )
+      ].purl
     }
 
+- id: CI-024
+  name: "Cargo setup action disables build cache despite manifest-declared git dependencies"
+  description: "Explicitly disabling Cargo setup caching reduces tamper resistance and reviewability when Cargo manifests rely on git dependencies"
+  severity: medium
+  category: ci-permission
+  dry-run-support: full
+  attack:
+    tactics: [TA0001]
+    techniques: [T1195.001]
+  condition: |
+    $auditComponents($)[
+      $prop($, 'cdx:github:action:disablesBuildCache') = 'true'
+      and $prop($, 'cdx:github:action:buildCacheEcosystem') = 'cargo'
+      and $count($$.components[
+        $startsWith(purl, 'pkg:cargo/')
+        and $hasProp($, 'cdx:cargo:git')
+      ]) > 0
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl,
+      "file": $prop($, 'cdx:github:workflow:file')
+    }
+  message: "GitHub Action '{{ $prop($, 'cdx:github:action:uses') }}' explicitly disables Cargo build caching while manifest-declared Cargo git dependencies are present in the BOM"
+  mitigation: "Keep Cargo setup caching enabled when manifests rely on git dependencies unless you have a reviewed exception"
+  evidence: |
+    {
+      "cacheDisableInput": $prop($, 'cdx:github:action:buildCacheDisableInput'),
+      "cacheDisableValue": $prop($, 'cdx:github:action:buildCacheDisableValue'),
+      "matchingPackages": $$.components[
+        $startsWith(purl, 'pkg:cargo/')
+        and $hasProp($, 'cdx:cargo:git')
+      ].purl
+    }

package/data/rules/container-risk.yaml

@@ -3,6 +3,7 @@
   description: "Known GTFOBins execution helpers become materially riskier when the image keeps the binary setuid or setgid."
   severity: critical
   category: container-risk
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:gtfobins:matched') = 'true'
@@ -26,7 +27,7 @@
   message: "Executable '{{ name }}' at '{{ $prop($, 'SrcFile') }}' combines GTFOBins execution features with setuid/setgid permissions"
   mitigation: "Remove the setuid/setgid bit, replace the image with a slimmer base, and keep container privilege boundaries strict (no host mounts, no privileged mode, no extra capabilities)."
   attack:
-    tactics: [TA0004, TA0008]
+    tactics: [TA0004]
     techniques: [T1548, T1611]
   evidence: |
     {
@@ -43,6 +44,7 @@
   description: "Container runtime or namespace-management helpers that are already classified as GTFOBins can accelerate container breakout when runtime isolation is weakened."
   severity: critical
   category: container-risk
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:gtfobins:matched') = 'true'
@@ -62,7 +64,7 @@
   message: "Container-escape helper '{{ name }}' is present at '{{ $prop($, 'SrcFile') }}' with elevated execution semantics"
   mitigation: "Remove container runtime and namespace-management tooling from application images, avoid CAP_SYS_ADMIN-like capability grants, and block access to the Docker/containerd sockets."
   attack:
-    tactics: [TA0004, TA0008]
+    tactics: [TA0004]
     techniques: [T1611]
   evidence: |
     {
@@ -77,6 +79,7 @@
   description: "GTFOBins entries that can load attacker-controlled shared libraries or directly escalate privileges are strong hardening failures in container images."
   severity: high
   category: container-risk
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:gtfobins:matched') = 'true'
@@ -101,7 +104,7 @@
   message: "Binary '{{ name }}' exposes GTFOBins privilege-escalation or library-load behavior in a privileged execution context"
   mitigation: "Remove the helper from the image where possible, strip privileged bits/capabilities, and keep writable mounts away from privileged processes."
   attack:
-    tactics: [TA0003, TA0004]
+    tactics: [TA0002, TA0004, TA0005]
     techniques: [T1574, T1548]
   evidence: |
     {
@@ -116,6 +119,7 @@
   description: "A GTFOBins helper that can read local files or upload data becomes especially dangerous when it also runs with setuid/setgid or other elevated contexts."
   severity: high
   category: container-risk
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:gtfobins:matched') = 'true'
@@ -140,7 +144,7 @@
   message: "Binary '{{ name }}' can read or exfiltrate local data from a privileged execution path"
   mitigation: "Drop privileged bits, keep secrets off the image filesystem, and remove unnecessary upload/file-read helpers from runtime images."
   attack:
-    tactics: [TA0006, TA0010]
+    tactics: [TA0009, TA0010]
     techniques: [T1005, T1041]
   evidence: |
     {
@@ -155,6 +159,7 @@
   description: "Remote-execution-capable GTFOBins helpers under mutable or non-standard image paths often indicate an avoidable attack toolkit or image tampering."
   severity: medium
   category: container-risk
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:gtfobins:matched') = 'true'
@@ -191,7 +196,7 @@
   message: "GTFOBins remote-execution helper '{{ name }}' is present in mutable image path '{{ $prop($, 'SrcFile') }}'"
   mitigation: "Keep runtime images immutable and minimal, move administrative tooling to separate debug images, and investigate how the helper entered the image."
   attack:
-    tactics: [TA0001, TA0008]
+    tactics: [TA0008, TA0011]
     techniques: [T1105, T1570]
   evidence: |
     {
@@ -206,6 +211,7 @@
   description: "Dedicated container or Kubernetes intrusion toolkits such as Peirates, CDK, or DEEPCE should not ship inside production runtime images."
   severity: high
   category: container-risk
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:container:matched') = 'true'
@@ -220,7 +226,7 @@
   message: "Dedicated offensive toolkit '{{ name }}' is present at '{{ $prop($, 'SrcFile') }}'"
   mitigation: "Remove offensive testing binaries from runtime images, rebuild from a minimal trusted base, and keep container debugging or red-team tooling in separate break-glass images."
   attack:
-    tactics: [TA0003, TA0004, TA0006, TA0007, TA0008]
+    tactics: [TA0002, TA0004, TA0006, TA0007]
     techniques: [T1552.007, T1609, T1611, T1613]
   evidence: |
     {
@@ -237,6 +243,7 @@
   description: "Helpers that rely on syscalls blocked by Docker's default seccomp profile become materially riskier when operators use `seccomp=unconfined` or permissive custom profiles."
   severity: medium
   category: container-risk
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:container:matched') = 'true'
@@ -256,7 +263,7 @@
   message: "Seccomp-sensitive escape helper '{{ name }}' is present at '{{ $prop($, 'SrcFile') }}' and depends on syscalls blocked by the Docker default seccomp profile"
   mitigation: "Keep Docker or OCI runtimes on the default seccomp profile, never use `seccomp=unconfined` for app workloads, and review custom profiles so they do not allow namespace or host-escape syscalls without a clear need."
   attack:
-    tactics: [TA0004, TA0008]
+    tactics: [TA0004]
     techniques: [T1611]
   evidence: |
     {

package/data/rules/dependency-sources.yaml

@@ -2,21 +2,24 @@
 # Category: dependency-source
 # Evaluates package manager data for non-registry, local, or mutable sources
 - id: PKG-001
-  name: "Install script from non-registry source"
-  description: "npm packages with install scripts from git/file/local sources increase supply chain attack surface"
+  name: "Install script from direct manifest source"
+  description: "npm packages with install scripts declared from git, URL, or local path sources in the manifest increase supply chain attack surface"
   severity: high
   category: dependency-source
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:npm:hasInstallScript') = 'true'
-      and $prop($, 'cdx:npm:isRegistryDependency') = 'false'
+      and $hasProp($, 'cdx:npm:manifestSourceType')
     ]
   location: |
     { "bomRef": $."bom-ref", "purl": purl }
-  message: "npm package '{{ name }}@{{ version }}' executes install script from non-registry source"
-  mitigation: "Avoid git/file dependencies with lifecycle hooks; use registry dependencies or vendor explicitly"
+  message: "npm package '{{ name }}@{{ version }}' executes install script from manifest-declared source type(s): {{ $prop($, 'cdx:npm:manifestSourceType') }}"
+  mitigation: "Avoid git, URL, or local-path dependencies with lifecycle hooks; use registry-published dependencies or vendor explicitly"
   evidence: |
     {
+      "manifestSourceType": $prop($, 'cdx:npm:manifestSourceType'),
+      "manifestSource": $prop($, 'cdx:npm:manifestSource'),
       "riskyScripts": $prop($, 'cdx:npm:risky_scripts'),
       "resolvedPath": $prop($, 'cdx:npm:resolvedPath'),
       "isLink": $prop($, 'cdx:npm:isLink')
@@ -26,6 +29,7 @@
   description: "Go modules with local_dir replacements are non-hermetic and may not be reproducible"
   severity: high
   category: dependency-source
+  dry-run-support: full
   condition: |
     components[
       $hasProp($, 'cdx:go:local_dir')
@@ -44,6 +48,7 @@
   description: "Swift packages with localCheckoutPath indicate developer-only dependencies not suitable for release"
   severity: high
   category: dependency-source
+  dry-run-support: full
   condition: |
     components[
       $hasProp($, 'cdx:swift:localCheckoutPath')
@@ -62,6 +67,7 @@
   description: "Nix dependencies without revision or nar_hash cannot be verified for content integrity"
   severity: high
   category: dependency-source
+  dry-run-support: full
   condition: |
     components[
       $startsWith(purl, 'pkg:nix/')
@@ -86,6 +92,7 @@
   description: "Ruby gems sourced from git branches (without revision pin) can change unexpectedly"
   severity: medium
   category: dependency-source
+  dry-run-support: full
   condition: |
     components[
       $hasProp($, 'cdx:gem:remoteBranch')
@@ -106,6 +113,7 @@
   description: "PyPI packages from unapproved registries may introduce unvetted code"
   severity: low
   category: dependency-source
+  dry-run-support: full
   condition: |
     components[
       $hasProp($, 'cdx:pypi:registry')
@@ -126,6 +134,7 @@
   description: "Cargo git dependencies without revision or tag pinning can change unexpectedly and reduce build reproducibility"
   severity: high
   category: dependency-source
+  dry-run-support: full
   condition: |
     components[
       $hasProp($, 'cdx:cargo:git')
@@ -148,6 +157,7 @@
   description: "Cargo path dependencies are local source references that reduce release reproducibility and may bypass registry review controls"
   severity: high
   category: dependency-source
+  dry-run-support: full
   condition: |
     components[
       $hasProp($, 'cdx:cargo:path')
@@ -162,3 +172,64 @@
       "dependencyKind": $prop($, 'cdx:cargo:dependencyKind'),
       "target": $prop($, 'cdx:cargo:target')
     }
+- id: PKG-009
+  name: "Collider package resolved from insecure HTTP origin"
+  description: "Collider lock entries that resolve from HTTP origins can be observed or modified in transit before wrap-hash verification occurs"
+  severity: medium
+  category: dependency-source
+  dry-run-support: full
+  condition: |
+    components[
+      $prop($, 'cdx:collider:originScheme') = 'http'
+    ]
+  location: |
+    { "bomRef": $."bom-ref", "purl": purl }
+  message: "Collider package '{{ name }}@{{ version }}' resolves from insecure origin '{{ $prop($, 'cdx:collider:origin') }}'"
+  mitigation: "Prefer HTTPS, trusted file:// repositories, or an authenticated internal mirror for Collider package origins"
+  evidence: |
+    {
+      "origin": $prop($, 'cdx:collider:origin'),
+      "originHost": $prop($, 'cdx:collider:originHost'),
+      "dependencyKind": $prop($, 'cdx:collider:dependencyKind')
+    }
+- id: PKG-010
+  name: "Collider origin required sanitization before BOM emission"
+  description: "Collider lock origin URLs should not carry credentials, query strings, or fragments because those values may embed secrets or unstable signed URLs"
+  severity: low
+  category: dependency-source
+  dry-run-support: full
+  condition: |
+    components[
+      $prop($, 'cdx:collider:originSanitized') = 'true'
+    ]
+  location: |
+    { "bomRef": $."bom-ref", "purl": purl }
+  message: "Collider package '{{ name }}@{{ version }}' had sensitive origin fields stripped before BOM emission"
+  mitigation: "Avoid embedding credentials or signed query parameters in Collider repository origin URLs; prefer stable repository base URLs"
+  evidence: |
+    {
+      "origin": $prop($, 'cdx:collider:origin'),
+      "originHost": $prop($, 'cdx:collider:originHost'),
+      "dependencyKind": $prop($, 'cdx:collider:dependencyKind')
+    }
+- id: PKG-011
+  name: "Python dependency uses direct manifest source"
+  description: "Python dependencies declared via git, direct URL, or local path in requirements or pyproject files bypass normal registry version mediation"
+  severity: high
+  category: dependency-source
+  dry-run-support: full
+  condition: |
+    components[
+      $hasProp($, 'cdx:pypi:manifestSourceType')
+    ]
+  location: |
+    { "bomRef": $."bom-ref", "purl": purl }
+  message: "Python package '{{ name }}@{{ version }}' is declared from manifest {{ $prop($, 'cdx:pypi:manifestSourceType') }} source '{{ $prop($, 'cdx:pypi:manifestSource') }}'"
+  mitigation: "Prefer registry-published releases for production builds, or pin and review direct git/URL/path sources explicitly"
+  evidence: |
+    {
+      "manifestSourceType": $prop($, 'cdx:pypi:manifestSourceType'),
+      "manifestSource": $prop($, 'cdx:pypi:manifestSource'),
+      "registry": $prop($, 'cdx:pypi:registry'),
+      "resolvedFrom": $prop($, 'cdx:pypi:resolved_from')
+    }