npm - @cyclonedx/cdxgen - Versions diffs - 12.3.3 → 12.4.0 - Mend

@cyclonedx/cdxgen 12.3.3 → 12.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (157) hide show

package/README.md +64 -22
package/bin/audit.js +21 -7
package/bin/cdxgen.js +238 -116
package/bin/convert.js +28 -13
package/bin/hbom.js +490 -0
package/bin/repl.js +580 -29
package/bin/validate.js +34 -4
package/bin/verify.js +40 -5
package/data/README.md +298 -25
package/data/component-tags.json +6 -0
package/data/crypto-oid.json +16 -0
package/data/predictive-audit-allowlist.json +11 -0
package/data/queries-darwin.json +12 -1
package/data/queries-win.json +7 -1
package/data/queries.json +39 -2
package/data/rules/ai-agent-governance.yaml +16 -0
package/data/rules/asar-archives.yaml +150 -0
package/data/rules/chrome-extensions.yaml +8 -0
package/data/rules/ci-permissions.yaml +42 -18
package/data/rules/container-risk.yaml +14 -7
package/data/rules/dependency-sources.yaml +11 -0
package/data/rules/hbom-compliance.yaml +325 -0
package/data/rules/hbom-performance.yaml +307 -0
package/data/rules/hbom-security.yaml +248 -0
package/data/rules/host-topology.yaml +165 -0
package/data/rules/mcp-servers.yaml +18 -3
package/data/rules/obom-runtime.yaml +907 -22
package/data/rules/package-integrity.yaml +14 -0
package/data/rules/rootfs-hardening.yaml +179 -0
package/data/rules/vscode-extensions.yaml +9 -0
package/lib/audit/index.js +209 -8
package/lib/audit/index.poku.js +332 -0
package/lib/audit/reporters.js +222 -0
package/lib/audit/targets.js +146 -1
package/lib/audit/targets.poku.js +186 -0
package/lib/cli/asar.poku.js +328 -0
package/lib/cli/index.js +506 -88
package/lib/cli/index.poku.js +1352 -212
package/lib/evinser/evinser.js +14 -9
package/lib/helpers/analyzer.js +1406 -29
package/lib/helpers/analyzer.poku.js +342 -0
package/lib/helpers/analyzerScope.js +712 -0
package/lib/helpers/asarutils.js +1556 -0
package/lib/helpers/asarutils.poku.js +443 -0
package/lib/helpers/auditCategories.js +12 -0
package/lib/helpers/auditCategories.poku.js +32 -0
package/lib/helpers/cbomutils.js +271 -1
package/lib/helpers/cbomutils.poku.js +248 -5
package/lib/helpers/display.js +291 -1
package/lib/helpers/display.poku.js +149 -0
package/lib/helpers/evidenceUtils.js +58 -0
package/lib/helpers/evidenceUtils.poku.js +54 -0
package/lib/helpers/exportUtils.js +9 -0
package/lib/helpers/gtfobins.js +142 -8
package/lib/helpers/gtfobins.poku.js +24 -1
package/lib/helpers/hbom.js +710 -0
package/lib/helpers/hbom.poku.js +496 -0
package/lib/helpers/hbomAnalysis.js +268 -0
package/lib/helpers/hbomAnalysis.poku.js +249 -0
package/lib/helpers/hbomLoader.js +35 -0
package/lib/helpers/hostTopology.js +803 -0
package/lib/helpers/hostTopology.poku.js +363 -0
package/lib/helpers/inventoryStats.js +69 -0
package/lib/helpers/inventoryStats.poku.js +86 -0
package/lib/helpers/lolbas.js +19 -1
package/lib/helpers/lolbas.poku.js +23 -0
package/lib/helpers/osqueryTransform.js +47 -0
package/lib/helpers/osqueryTransform.poku.js +47 -0
package/lib/helpers/plugins.js +349 -0
package/lib/helpers/plugins.poku.js +57 -0
package/lib/helpers/protobom.js +156 -45
package/lib/helpers/protobom.poku.js +140 -5
package/lib/helpers/remote/dependency-track.js +36 -3
package/lib/helpers/remote/dependency-track.poku.js +44 -0
package/lib/helpers/source.js +24 -0
package/lib/helpers/source.poku.js +32 -0
package/lib/helpers/utils.js +1438 -93
package/lib/helpers/utils.poku.js +846 -4
package/lib/managers/binary.e2e.poku.js +367 -0
package/lib/managers/binary.js +2293 -353
package/lib/managers/binary.poku.js +1699 -1
package/lib/managers/docker.js +201 -79
package/lib/managers/docker.poku.js +337 -12
package/lib/server/server.js +2 -27
package/lib/stages/postgen/annotator.js +38 -0
package/lib/stages/postgen/annotator.poku.js +107 -1
package/lib/stages/postgen/auditBom.js +121 -18
package/lib/stages/postgen/auditBom.poku.js +1366 -31
package/lib/stages/postgen/hostTopologyAudit.poku.js +186 -0
package/lib/stages/postgen/postgen.js +192 -1
package/lib/stages/postgen/postgen.poku.js +321 -0
package/lib/stages/postgen/ruleEngine.js +116 -0
package/lib/stages/pregen/envAudit.js +14 -3
package/package.json +23 -21
package/types/bin/hbom.d.ts +3 -0
package/types/bin/hbom.d.ts.map +1 -0
package/types/bin/repl.d.ts.map +1 -1
package/types/lib/audit/index.d.ts +44 -0
package/types/lib/audit/index.d.ts.map +1 -1
package/types/lib/audit/reporters.d.ts +16 -0
package/types/lib/audit/reporters.d.ts.map +1 -1
package/types/lib/audit/targets.d.ts.map +1 -1
package/types/lib/cli/index.d.ts +16 -0
package/types/lib/cli/index.d.ts.map +1 -1
package/types/lib/evinser/evinser.d.ts +4 -0
package/types/lib/evinser/evinser.d.ts.map +1 -1
package/types/lib/helpers/analyzer.d.ts +33 -0
package/types/lib/helpers/analyzer.d.ts.map +1 -1
package/types/lib/helpers/analyzerScope.d.ts +11 -0
package/types/lib/helpers/analyzerScope.d.ts.map +1 -0
package/types/lib/helpers/asarutils.d.ts +34 -0
package/types/lib/helpers/asarutils.d.ts.map +1 -0
package/types/lib/helpers/auditCategories.d.ts +5 -0
package/types/lib/helpers/auditCategories.d.ts.map +1 -1
package/types/lib/helpers/cbomutils.d.ts +3 -2
package/types/lib/helpers/cbomutils.d.ts.map +1 -1
package/types/lib/helpers/display.d.ts.map +1 -1
package/types/lib/helpers/evidenceUtils.d.ts +8 -0
package/types/lib/helpers/evidenceUtils.d.ts.map +1 -0
package/types/lib/helpers/exportUtils.d.ts.map +1 -1
package/types/lib/helpers/gtfobins.d.ts +8 -0
package/types/lib/helpers/gtfobins.d.ts.map +1 -1
package/types/lib/helpers/hbom.d.ts +49 -0
package/types/lib/helpers/hbom.d.ts.map +1 -0
package/types/lib/helpers/hbomAnalysis.d.ts +62 -0
package/types/lib/helpers/hbomAnalysis.d.ts.map +1 -0
package/types/lib/helpers/hbomLoader.d.ts +7 -0
package/types/lib/helpers/hbomLoader.d.ts.map +1 -0
package/types/lib/helpers/hostTopology.d.ts +12 -0
package/types/lib/helpers/hostTopology.d.ts.map +1 -0
package/types/lib/helpers/inventoryStats.d.ts +11 -0
package/types/lib/helpers/inventoryStats.d.ts.map +1 -0
package/types/lib/helpers/lolbas.d.ts.map +1 -1
package/types/lib/helpers/osqueryTransform.d.ts +3 -0
package/types/lib/helpers/osqueryTransform.d.ts.map +1 -1
package/types/lib/helpers/plugins.d.ts +58 -0
package/types/lib/helpers/plugins.d.ts.map +1 -0
package/types/lib/helpers/protobom.d.ts +3 -4
package/types/lib/helpers/protobom.d.ts.map +1 -1
package/types/lib/helpers/remote/dependency-track.d.ts +10 -3
package/types/lib/helpers/remote/dependency-track.d.ts.map +1 -1
package/types/lib/helpers/source.d.ts.map +1 -1
package/types/lib/helpers/utils.d.ts +45 -8
package/types/lib/helpers/utils.d.ts.map +1 -1
package/types/lib/managers/binary.d.ts +5 -0
package/types/lib/managers/binary.d.ts.map +1 -1
package/types/lib/managers/docker.d.ts.map +1 -1
package/types/lib/server/server.d.ts +2 -1
package/types/lib/server/server.d.ts.map +1 -1
package/types/lib/stages/postgen/annotator.d.ts.map +1 -1
package/types/lib/stages/postgen/auditBom.d.ts +26 -1
package/types/lib/stages/postgen/auditBom.d.ts.map +1 -1
package/types/lib/stages/postgen/postgen.d.ts +2 -1
package/types/lib/stages/postgen/postgen.d.ts.map +1 -1
package/types/lib/stages/postgen/ruleEngine.d.ts.map +1 -1
package/types/lib/stages/pregen/envAudit.d.ts.map +1 -1
package/data/spdx-model-v3.0.1.jsonld +0 -15999

package/lib/stages/postgen/auditBom.poku.js CHANGED Viewed

@@ -5,9 +5,12 @@ import { PackageURL } from "packageurl-js";
 import { assert, describe, it } from "poku";
 import { githubActionsParser } from "../../helpers/ciParsers/githubActions.js";
+import { createLolbasProperties } from "../../helpers/lolbas.js";
 import {
   auditBom,
   formatAnnotations,
+  formatDryRunSupportSummary,
+  getBomAuditDryRunSupportSummary,
   hasCriticalFindings,
 } from "./auditBom.js";
 import { evaluateRule, evaluateRules, loadRules } from "./ruleEngine.js";
@@ -95,6 +98,51 @@ function makeChromeExtensionComponent(name, version, properties) {
   };
 }
+function makeHbomComponent(name, hardwareClass, properties = [], extra = {}) {
+  return {
+    type: "device",
+    name,
+    version: extra.version,
+    "bom-ref": extra.bomRef || `urn:uuid:${hardwareClass}:${name}`,
+    properties: [["cdx:hbom:hardwareClass", hardwareClass], ...properties].map(
+      ([k, v]) => ({ name: k, value: v }),
+    ),
+    ...extra,
+  };
+}
+function makeHbomBom(
+  components = [],
+  metadataProperties = [],
+  bomProperties = [],
+) {
+  return {
+    bomFormat: "CycloneDX",
+    specVersion: "1.7",
+    serialNumber: "urn:uuid:test-hbom",
+    metadata: {
+      tools: {
+        components: [
+          {
+            type: "application",
+            name: "cdxgen",
+            version: "12.4.0",
+            "bom-ref": "pkg:npm/%40cyclonedx/cdxgen@12.4.0",
+          },
+        ],
+      },
+      component: {
+        name: "test-host",
+        type: "device",
+        "bom-ref": "urn:uuid:test-host",
+        properties: metadataProperties.map(([k, v]) => ({ name: k, value: v })),
+      },
+    },
+    components,
+    properties: bomProperties.map(([k, v]) => ({ name: k, value: v })),
+  };
+}
 function makeBomFromWorkflowFixture(filename) {
   const workflowFile = join(WORKFLOWS_DIR, filename);
   const result = githubActionsParser.parse([workflowFile], {
@@ -115,6 +163,10 @@ describe("loadRules", () => {
         ["critical", "high", "medium", "low"].includes(rule.severity),
         `Rule ${rule.id} severity must be valid`,
       );
+      assert.ok(
+        ["no", "partial", "full"].includes(rule.dryRunSupport),
+        `Rule ${rule.id} dry-run support must be valid`,
+      );
     }
   });
@@ -146,6 +198,50 @@ describe("loadRules", () => {
     assert.ok(mcpRules.length > 0, "Should have MCP server rules");
     const agentRules = rules.filter((r) => r.category === "ai-agent");
     assert.ok(agentRules.length > 0, "Should have AI agent rules");
+    const asarRules = rules.filter((r) => r.category === "asar-archive");
+    assert.ok(asarRules.length > 0, "Should have ASAR archive rules");
+    const hbomSecurityRules = rules.filter(
+      (r) => r.category === "hbom-security",
+    );
+    assert.ok(hbomSecurityRules.length > 0, "Should have HBOM security rules");
+    const hbomPerformanceRules = rules.filter(
+      (r) => r.category === "hbom-performance",
+    );
+    assert.ok(
+      hbomPerformanceRules.length > 0,
+      "Should have HBOM performance rules",
+    );
+    const hbomComplianceRules = rules.filter(
+      (r) => r.category === "hbom-compliance",
+    );
+    assert.ok(
+      hbomComplianceRules.length > 0,
+      "Should have HBOM compliance rules",
+    );
+    const hostTopologyRules = rules.filter(
+      (r) => r.category === "host-topology",
+    );
+    assert.ok(hostTopologyRules.length > 0, "Should have host-topology rules");
+  });
+  it("should assign explicit dry-run support metadata to built-in rules", async () => {
+    const rules = await loadRules(RULES_DIR);
+    assert.strictEqual(
+      rules.find((rule) => rule.id === "CI-001")?.dryRunSupport,
+      "full",
+    );
+    assert.strictEqual(
+      rules.find((rule) => rule.id === "INT-003")?.dryRunSupport,
+      "no",
+    );
+    assert.strictEqual(
+      rules.find((rule) => rule.id === "INT-005")?.dryRunSupport,
+      "partial",
+    );
+    assert.strictEqual(
+      rules.find((rule) => rule.id === "HBS-001")?.dryRunSupport,
+      "full",
+    );
   });
 });
@@ -307,6 +403,369 @@ describe("evaluateRule", () => {
     assert.strictEqual(findings[0].severity, "high");
   });
+  it("should detect HBOM security findings from synthetic device inventory", async () => {
+    const bom = makeHbomBom(
+      [
+        makeHbomComponent("Main SSD", "storage", [
+          ["cdx:hbom:isEncrypted", "false"],
+          ["cdx:hbom:deviceSerial", "ABC123456789"],
+        ]),
+        makeHbomComponent("wifi0", "wireless-adapter", [
+          ["cdx:hbom:connected", "true"],
+          ["cdx:hbom:securityMode", "open"],
+        ]),
+        makeHbomComponent("USB Stick", "storage-volume", [
+          ["cdx:hbom:isRemovable", "true"],
+          ["cdx:hbom:isLocked", "false"],
+        ]),
+        makeHbomComponent("USB4 Dock", "bus", [
+          ["cdx:hbom:securityLevel", "none"],
+          ["cdx:hbom:iommuProtection", "false"],
+          ["cdx:hbom:policy", "auto"],
+        ]),
+        makeHbomComponent("LTE Modem", "modem", [
+          ["cdx:hbom:imei", "490154203237518"],
+          ["cdx:hbom:ownNumbers", "+15551234567"],
+        ]),
+      ],
+      [
+        ["cdx:hbom:platform", "linux"],
+        ["cdx:hbom:architecture", "amd64"],
+        ["cdx:hbom:identifierPolicy", "full"],
+        ["cdx:hbom:serialNumber", "HOST-SERIAL-001"],
+      ],
+      [["cdx:hbom:collectorProfile", "linux-amd64"]],
+    );
+    const findings = await auditBom(bom, {
+      bomAuditCategories: "hbom-security",
+    });
+    const ruleIds = new Set(findings.map((finding) => finding.ruleId));
+    assert.ok(ruleIds.has("HBS-001"));
+    assert.ok(ruleIds.has("HBS-002"));
+    assert.ok(ruleIds.has("HBS-003"));
+    assert.ok(ruleIds.has("HBS-004"));
+    assert.ok(ruleIds.has("HBS-005"));
+    assert.ok(ruleIds.has("HBS-006"));
+  });
+  it("should detect HBOM performance findings from synthetic device inventory", async () => {
+    const bom = makeHbomBom([
+      makeHbomComponent("rootfs", "storage-volume", [
+        ["cdx:hbom:capacityBytes", "1000"],
+        ["cdx:hbom:freeBytes", "100"],
+      ]),
+      makeHbomComponent("nvme0", "storage", [
+        ["cdx:hbom:wearPercentageUsed", "91"],
+        ["cdx:hbom:smartStatus", "Failing"],
+      ]),
+      makeHbomComponent("CPU Thermal Zone", "thermal-zone", [
+        ["cdx:hbom:temperatureCelsius", "92"],
+      ]),
+      makeHbomComponent("Battery", "power", [
+        ["cdx:hbom:maximumCapacity", "71%"],
+        ["cdx:hbom:cycleCount", "1204"],
+        ["cdx:hbom:designCapacityPercent", "62"],
+      ]),
+      makeHbomComponent("eth0", "network-interface", [
+        ["cdx:hbom:operState", "up"],
+        ["cdx:hbom:duplex", "half"],
+        ["cdx:hbom:speedMbps", "100"],
+      ]),
+      makeHbomComponent("DIMM Bank", "memory", [
+        ["cdx:hbom:sizeBytes", "1000"],
+        ["cdx:hbom:memoryOnlineSize", "800"],
+      ]),
+      makeHbomComponent("USB Camera", "usb-device", [
+        ["cdx:hbom:currentRequired", "900"],
+        ["cdx:hbom:currentAvailable", "500"],
+      ]),
+      makeHbomComponent("LTE Modem", "modem", [
+        ["cdx:hbom:signalQuality", "18"],
+        ["cdx:hbom:operatorName", "ExampleTel"],
+      ]),
+    ]);
+    const findings = await auditBom(bom, {
+      bomAuditCategories: "hbom-performance",
+    });
+    const ruleIds = new Set(findings.map((finding) => finding.ruleId));
+    assert.ok(ruleIds.has("HBP-001"));
+    assert.ok(ruleIds.has("HBP-002"));
+    assert.ok(ruleIds.has("HBP-003"));
+    assert.ok(ruleIds.has("HBP-004"));
+    assert.ok(ruleIds.has("HBP-005"));
+    assert.ok(ruleIds.has("HBP-006"));
+    assert.ok(ruleIds.has("HBP-007"));
+    assert.ok(ruleIds.has("HBP-008"));
+    assert.ok(ruleIds.has("HBP-009"));
+  });
+  it("should detect HBOM compliance findings from synthetic device inventory", async () => {
+    const bom = makeHbomBom(
+      [
+        makeHbomComponent("rootfs", "storage-volume", [
+          ["cdx:hbom:capacityBytes", "1000"],
+        ]),
+        makeHbomComponent("HDMI-A-1", "display-connector", [
+          ["cdx:hbom:displayConnectorType", "HDMI-A"],
+        ]),
+      ],
+      [
+        ["cdx:hbom:platform", "linux"],
+        ["cdx:hbom:identifierPolicy", "full"],
+      ],
+      [
+        ["cdx:hbom:collectorProfile", "linux-amd64"],
+        ["cdx:hbom:analysis:missingCommandCount", "2"],
+        ["cdx:hbom:analysis:missingCommands", "lspci,lsusb"],
+        [
+          "cdx:hbom:analysis:missingCommandIds",
+          "fwupdmgr-devices-json,edid-decode",
+        ],
+        ["cdx:hbom:analysis:installHintCount", "2"],
+        ["cdx:hbom:analysis:permissionDeniedCount", "1"],
+        ["cdx:hbom:analysis:permissionDeniedCommands", "drm_info"],
+        [
+          "cdx:hbom:analysis:permissionDeniedIds",
+          "dmidecode-firmware-board,drm-info-json",
+        ],
+        ["cdx:hbom:analysis:privilegeHintCount", "1"],
+        ["cdx:hbom:analysis:requiresPrivileged", "true"],
+      ],
+    );
+    const findings = await auditBom(bom, {
+      bomAuditCategories: "hbom-compliance",
+    });
+    const ruleIds = new Set(findings.map((finding) => finding.ruleId));
+    assert.ok(ruleIds.has("HBC-001"));
+    assert.ok(ruleIds.has("HBC-002"));
+    assert.ok(ruleIds.has("HBC-003"));
+    assert.ok(ruleIds.has("HBC-004"));
+    assert.ok(ruleIds.has("HBC-005"));
+    assert.ok(ruleIds.has("HBC-006"));
+    assert.ok(ruleIds.has("HBC-007"));
+    assert.ok(ruleIds.has("HBC-008"));
+    assert.ok(ruleIds.has("HBC-009"));
+    assert.ok(ruleIds.has("HBC-010"));
+  });
+  it("should not flag redacted-by-default HBOM identifier policy as a compliance finding", async () => {
+    const bom = makeHbomBom(
+      [],
+      [
+        ["cdx:hbom:platform", "darwin"],
+        ["cdx:hbom:architecture", "arm64"],
+        ["cdx:hbom:identifierPolicy", "redacted-by-default"],
+        ["cdx:hbom:serialNumber", "redacted:serialNumber"],
+      ],
+      [
+        ["cdx:hbom:collectorProfile", "darwin-arm64"],
+        ["cdx:hbom:evidence:commandCount", "1"],
+        ["cdx:hbom:evidence:command", "system_profiler"],
+      ],
+    );
+    const findings = await auditBom(bom, {
+      bomAuditCategories: "hbom-compliance",
+    });
+    assert.ok(
+      !findings.some((finding) => finding.ruleId === "HBC-005"),
+      "redacted-by-default should not trigger HBC-005",
+    );
+  });
+  it("should not flag HBOM collector evidence as incomplete when BOM command evidence is present", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "HBC-003");
+    const bom = makeHbomBom(
+      [],
+      [
+        ["cdx:hbom:platform", "darwin"],
+        ["cdx:hbom:architecture", "arm64"],
+        ["cdx:hbom:identifierPolicy", "redacted-by-default"],
+      ],
+      [
+        ["cdx:hbom:collectorProfile", "darwin-arm64"],
+        ["cdx:hbom:evidence:commandCount", "2"],
+        [
+          "cdx:hbom:evidence:command",
+          "system-profiler-json|platform|/usr/sbin/system_profiler SPHardwareDataType -json",
+        ],
+        [
+          "cdx:hbom:evidence:command",
+          "battery-status|power|/usr/bin/pmset -g batt",
+        ],
+      ],
+    );
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 0);
+  });
+  it("should detect HBOM command diagnostics for missing utilities and permission-denied enrichments", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const missingCommandsRule = rules.find((r) => r.id === "HBC-006");
+    const permissionDeniedRule = rules.find((r) => r.id === "HBC-007");
+    const firmwareRule = rules.find((r) => r.id === "HBC-008");
+    const boardRule = rules.find((r) => r.id === "HBC-009");
+    const displayRule = rules.find((r) => r.id === "HBC-010");
+    const bom = makeHbomBom(
+      [
+        makeHbomComponent("eDP-1", "display-connector", [
+          ["cdx:hbom:displayConnectorType", "eDP"],
+        ]),
+      ],
+      [
+        ["cdx:hbom:platform", "linux"],
+        ["cdx:hbom:architecture", "amd64"],
+      ],
+      [
+        ["cdx:hbom:collectorProfile", "linux-amd64-v1"],
+        ["cdx:hbom:analysis:missingCommandCount", "1"],
+        ["cdx:hbom:analysis:missingCommands", "lsusb"],
+        [
+          "cdx:hbom:analysis:missingCommandIds",
+          "fwupdmgr-devices-json,edid-decode",
+        ],
+        ["cdx:hbom:analysis:permissionDeniedCount", "1"],
+        ["cdx:hbom:analysis:permissionDeniedCommands", "drm_info"],
+        [
+          "cdx:hbom:analysis:permissionDeniedIds",
+          "dmidecode-firmware-board,drm-info-json",
+        ],
+        ["cdx:hbom:analysis:requiresPrivileged", "true"],
+      ],
+    );
+    const missingCommandsFindings = await evaluateRule(
+      missingCommandsRule,
+      bom,
+    );
+    const permissionDeniedFindings = await evaluateRule(
+      permissionDeniedRule,
+      bom,
+    );
+    const firmwareFindings = await evaluateRule(firmwareRule, bom);
+    const boardFindings = await evaluateRule(boardRule, bom);
+    const displayFindings = await evaluateRule(displayRule, bom);
+    assert.strictEqual(missingCommandsFindings.length, 1);
+    assert.strictEqual(missingCommandsFindings[0].ruleId, "HBC-006");
+    assert.strictEqual(permissionDeniedFindings.length, 1);
+    assert.strictEqual(permissionDeniedFindings[0].ruleId, "HBC-007");
+    assert.strictEqual(firmwareFindings.length, 1);
+    assert.strictEqual(firmwareFindings[0].ruleId, "HBC-008");
+    assert.strictEqual(boardFindings.length, 1);
+    assert.strictEqual(boardFindings[0].ruleId, "HBC-009");
+    assert.strictEqual(displayFindings.length, 1);
+    assert.strictEqual(displayFindings[0].ruleId, "HBC-010");
+  });
+  it("should not flag redacted HBOM identifiers for the raw-identifier exposure rule", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "HBS-004");
+    const bom = makeHbomBom(
+      [
+        makeHbomComponent("wifi0", "network-interface", [
+          ["cdx:hbom:macAddress", "redacted:macAddress"],
+        ]),
+      ],
+      [
+        ["cdx:hbom:platform", "darwin"],
+        ["cdx:hbom:architecture", "arm64"],
+        ["cdx:hbom:identifierPolicy", "redacted-by-default"],
+        ["cdx:hbom:serialNumber", "redacted:serialNumber"],
+        ["cdx:hbom:platformUuid", "redacted:platformUuid"],
+      ],
+      [["cdx:hbom:collectorProfile", "darwin-arm64"]],
+    );
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 0);
+  });
+  it("should not flag redacted modem identifiers for the cellular exposure rule", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "HBS-006");
+    const bom = makeHbomBom(
+      [
+        makeHbomComponent("LTE Modem", "modem", [
+          ["cdx:hbom:imei", "redacted:imei"],
+          ["cdx:hbom:ownNumbers", "redacted:ownNumbers"],
+        ]),
+      ],
+      [["cdx:hbom:identifierPolicy", "redacted-by-default"]],
+    );
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 0);
+  });
+  it("should not flag healthy storage telemetry for the degraded-storage HBOM rule", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "HBP-002");
+    const bom = makeHbomBom([
+      makeHbomComponent("nvme0", "storage", [
+        ["cdx:hbom:wearPercentageUsed", "12"],
+        ["cdx:hbom:smartStatus", "ok"],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 0);
+  });
+  it("should safely handle human-readable online memory size values for the HBOM memory rule", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "HBP-006");
+    const bom = makeHbomBom([
+      makeHbomComponent("System Memory", "memory", [
+        ["cdx:hbom:sizeBytes", "32899006464"],
+        ["cdx:hbom:memoryOnlineSize", "32 GB"],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 0);
+  });
+  it("should expand the hbom alias to all HBOM audit categories", async () => {
+    const bom = makeHbomBom(
+      [
+        makeHbomComponent("Main SSD", "storage", [
+          ["cdx:hbom:isEncrypted", "false"],
+          ["cdx:hbom:wearPercentageUsed", "90"],
+        ]),
+      ],
+      [
+        ["cdx:hbom:platform", "linux"],
+        ["cdx:hbom:identifierPolicy", "full"],
+      ],
+      [["cdx:hbom:collectorProfile", "linux-amd64"]],
+    );
+    const findings = await auditBom(bom, {
+      bomAuditCategories: "hbom",
+    });
+    const categories = new Set(findings.map((finding) => finding.category));
+    assert.ok(categories.has("hbom-security"));
+    assert.ok(categories.has("hbom-performance"));
+    assert.ok(categories.has("hbom-compliance"));
+  });
   it("should detect Collider packages missing valid wrap hashes (INT-014)", async () => {
     const rules = await loadRules(RULES_DIR);
     const rule = rules.find((r) => r.id === "INT-014");
@@ -393,6 +852,46 @@ describe("evaluateRule", () => {
     assert.strictEqual(findings[0].severity, "critical");
   });
+  it("should detect revoked Secure Boot certificates (OBOM-LNX-012)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "OBOM-LNX-012");
+    assert.ok(rule, "OBOM-LNX-012 rule should exist");
+    const bom = makeBom([
+      makeComponent("dbx-entry", "key-id-1", [
+        ["cdx:osquery:category", "secureboot_certificates"],
+        ["revoked", "1"],
+        ["subject", "CN=Legacy Bootloader"],
+        ["issuer", "CN=Platform DBX"],
+        ["serial", "42"],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should detect revoked Secure Boot cert");
+    assert.strictEqual(findings[0].severity, "high");
+  });
+  it("should detect expiring Secure Boot certificates (OBOM-LNX-013)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "OBOM-LNX-013");
+    assert.ok(rule, "OBOM-LNX-013 rule should exist");
+    const bom = makeBom([
+      makeComponent("db-entry", "key-id-2", [
+        ["cdx:osquery:category", "secureboot_certificates"],
+        ["not_valid_after", `${Math.floor(Date.now() / 1000) + 86400}`],
+        ["not_valid_before", `${Math.floor(Date.now() / 1000) - 86400}`],
+        ["subject", "CN=Current Platform Key"],
+        ["issuer", "CN=Firmware CA"],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should detect expiring Secure Boot cert");
+    assert.strictEqual(findings[0].severity, "medium");
+  });
   it("should detect a network-exposed non-official MCP server (MCP-003)", async () => {
     const rules = await loadRules(RULES_DIR);
     const rule = rules.find((r) => r.id === "MCP-003");
@@ -1089,44 +1588,161 @@ describe("evaluateRule", () => {
     assert.strictEqual(findings[0].severity, "high");
   });
-  it("should return empty findings when no components match", async () => {
+  it("should detect eval-like archived JavaScript (ASAR-001)", async () => {
     const rules = await loadRules(RULES_DIR);
-    const rule = rules.find((r) => r.id === "CI-001");
-    const bom = makeBom([]);
+    const rule = rules.find((r) => r.id === "ASAR-001");
+    assert.ok(rule, "ASAR-001 rule should exist");
+    const bom = makeBom([
+      {
+        type: "file",
+        name: "main.js",
+        "bom-ref": "file:/tmp/app.asar#/main.js",
+        properties: [
+          { name: "cdx:file:kind", value: "asar-entry" },
+          { name: "SrcFile", value: "/tmp/app.asar" },
+          { name: "cdx:asar:path", value: "main.js" },
+          { name: "cdx:asar:js:hasEval", value: "true" },
+        ],
+      },
+    ]);
     const findings = await evaluateRule(rule, bom);
-    assert.strictEqual(findings.length, 0, "No components means no findings");
+    assert.ok(findings.length > 0, "Should detect ASAR eval signal");
+    assert.strictEqual(findings[0].ruleId, "ASAR-001");
   });
-  it("should detect unprotected BitLocker drive (OBOM-WIN-001)", async () => {
+  it("should detect archived JavaScript with network plus local access (ASAR-002)", async () => {
     const rules = await loadRules(RULES_DIR);
-    const rule = rules.find((r) => r.id === "OBOM-WIN-001");
-    assert.ok(rule, "OBOM-WIN-001 rule should exist");
+    const rule = rules.find((r) => r.id === "ASAR-002");
+    assert.ok(rule, "ASAR-002 rule should exist");
     const bom = makeBom([
-      makeComponent("disk-c", "C:", [
-        ["cdx:osquery:category", "windows_bitlocker_info"],
-        ["protection_status", "0"],
-        ["encryption_method", "XTS-AES 128"],
-      ]),
+      {
+        type: "file",
+        name: "main.js",
+        "bom-ref": "file:/tmp/app.asar#/main.js",
+        properties: [
+          { name: "cdx:file:kind", value: "asar-entry" },
+          { name: "SrcFile", value: "/tmp/app.asar" },
+          { name: "cdx:asar:path", value: "main.js" },
+          { name: "cdx:asar:js:capability:network", value: "true" },
+          { name: "cdx:asar:js:capability:fileAccess", value: "true" },
+          { name: "cdx:asar:js:networkIndicators", value: "fetch(dynamic)" },
+        ],
+      },
     ]);
     const findings = await evaluateRule(rule, bom);
-    assert.ok(
-      findings.length > 0,
-      "Should detect disabled BitLocker protection",
-    );
-    assert.strictEqual(findings[0].severity, "high");
+    assert.ok(findings.length > 0, "Should detect ASAR capability overlap");
+    assert.strictEqual(findings[0].ruleId, "ASAR-002");
   });
-  it("should detect suspicious Linux systemd unit path (OBOM-LNX-001)", async () => {
+  it("should detect ASAR integrity mismatches (ASAR-003)", async () => {
     const rules = await loadRules(RULES_DIR);
-    const rule = rules.find((r) => r.id === "OBOM-LNX-001");
-    assert.ok(rule, "OBOM-LNX-001 rule should exist");
+    const rule = rules.find((r) => r.id === "ASAR-003");
+    assert.ok(rule, "ASAR-003 rule should exist");
     const bom = makeBom([
       {
-        type: "data",
+        type: "file",
+        name: "settings.json",
+        "bom-ref": "file:/tmp/app.asar#/settings.json",
+        properties: [
+          { name: "cdx:file:kind", value: "asar-entry" },
+          { name: "SrcFile", value: "/tmp/app.asar" },
+          { name: "cdx:asar:path", value: "settings.json" },
+          { name: "cdx:asar:declaredIntegrityHash", value: "00" },
+          { name: "cdx:asar:integrityVerified", value: "false" },
+        ],
+      },
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should detect ASAR integrity mismatch");
+    assert.strictEqual(findings[0].ruleId, "ASAR-003");
+  });
+  it("should detect embedded install scripts from ASAR-derived npm components (ASAR-004)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "ASAR-004");
+    assert.ok(rule, "ASAR-004 rule should exist");
+    const bom = makeBom([
+      makeComponent("sketchy-addon", "0.1.0", [
+        ["SrcFile", "/tmp/app.asar#/package-lock.json"],
+        ["cdx:npm:hasInstallScript", "true"],
+        ["cdx:npm:risky_scripts", "preinstall"],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(
+      findings.length > 0,
+      "Should detect embedded ASAR install scripts",
+    );
+    assert.strictEqual(findings[0].ruleId, "ASAR-004");
+  });
+  it("should detect failed Electron ASAR signing verification (ASAR-005)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "ASAR-005");
+    assert.ok(rule, "ASAR-005 rule should exist");
+    const bom = makeBom([
+      {
+        type: "application",
+        name: "signed-app.asar",
+        "bom-ref": "file:/tmp/Signed.app/Contents/Resources/app.asar",
+        properties: [
+          { name: "cdx:file:kind", value: "asar-archive" },
+          {
+            name: "SrcFile",
+            value: "/tmp/Signed.app/Contents/Resources/app.asar",
+          },
+          { name: "cdx:asar:hasSigningMetadata", value: "true" },
+          { name: "cdx:asar:signingAlgorithm", value: "SHA256" },
+          { name: "cdx:asar:signingDeclaredHash", value: "deadbeef" },
+          { name: "cdx:asar:signingSource", value: "Info.plist" },
+          { name: "cdx:asar:signingScope", value: "header-only" },
+          { name: "cdx:asar:signingVerified", value: "false" },
+        ],
+      },
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should detect failed ASAR signing");
+    assert.strictEqual(findings[0].ruleId, "ASAR-005");
+  });
+  it("should return empty findings when no components match", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "CI-001");
+    const bom = makeBom([]);
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 0, "No components means no findings");
+  });
+  it("should detect unprotected BitLocker drive (OBOM-WIN-001)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "OBOM-WIN-001");
+    assert.ok(rule, "OBOM-WIN-001 rule should exist");
+    const bom = makeBom([
+      makeComponent("disk-c", "C:", [
+        ["cdx:osquery:category", "windows_bitlocker_info"],
+        ["protection_status", "0"],
+        ["encryption_method", "XTS-AES 128"],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(
+      findings.length > 0,
+      "Should detect disabled BitLocker protection",
+    );
+    assert.strictEqual(findings[0].severity, "high");
+  });
+  it("should detect suspicious Linux systemd unit path (OBOM-LNX-001)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "OBOM-LNX-001");
+    assert.ok(rule, "OBOM-LNX-001 rule should exist");
+    const bom = makeBom([
+      {
+        type: "data",
         name: "evil.service",
         version: "",
         description: "",
@@ -1304,11 +1920,7 @@ describe("evaluateRule", () => {
     const findings = await evaluateRule(rule, bom);
     assert.ok(findings.length > 0, "Should detect runner-state mutation");
-    assert.deepStrictEqual(findings[0].attackTactics, [
-      "TA0003",
-      "TA0004",
-      "TA0005",
-    ]);
+    assert.deepStrictEqual(findings[0].attackTactics, ["TA0002"]);
   });
   it("should detect outbound commands that reference sensitive context (CI-015)", async () => {
@@ -2584,7 +3196,7 @@ describe("evaluateRule", () => {
     const findings = await evaluateRule(rule, bom);
     assert.ok(findings.length > 0, "Should detect privileged listener risk");
-    assert.strictEqual(findings[0].severity, "high");
+    assert.strictEqual(findings[0].severity, "medium");
   });
   it("should detect interactive sudo execution of package tooling (OBOM-LNX-008)", async () => {
@@ -2757,6 +3369,103 @@ describe("evaluateRule", () => {
     assert.strictEqual(findings[0].severity, "high");
   });
+  it("should flag scheduled tasks that invoke LOLBAS helpers even when they live under managed Windows namespaces (OBOM-WIN-006)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "OBOM-WIN-006");
+    assert.ok(rule, "OBOM-WIN-006 rule should exist");
+    const row = {
+      action:
+        "%windir%\\system32\\rundll32.exe Windows.Storage.ApplicationData.dll,CleanupTemporaryState",
+      enabled: "0",
+      hidden: "0",
+      path: "\\Microsoft\\Windows\\applicationdata\\CleanupTemporaryState",
+    };
+    const bom = makeBom([
+      {
+        type: "data",
+        name: "CleanupTemporaryState",
+        version: "",
+        description: "",
+        "bom-ref": "osquery:scheduled_tasks:data:CleanupTemporaryState@unknown",
+        properties: [
+          { name: "cdx:osquery:category", value: "scheduled_tasks" },
+          ...createLolbasProperties("scheduled_tasks", row),
+          { name: "path", value: row.path },
+          { name: "action", value: row.action },
+          { name: "enabled", value: row.enabled },
+          { name: "hidden", value: row.hidden },
+        ],
+      },
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 1);
+    assert.match(findings[0].message, /CleanupTemporaryState|rundll32\.exe/);
+  });
+  it("should ignore Windows services whose descriptions merely mention PowerShell or cmd tooling (OBOM-WIN-006)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "OBOM-WIN-006");
+    assert.ok(rule, "OBOM-WIN-006 rule should exist");
+    const row = {
+      description:
+        "Windows Remote Management can be configured with winrm.cmd and queried from PowerShell.",
+      display_name: "Windows Remote Management",
+      module_path: "C:\\Windows\\System32\\WsmSvc.dll",
+      path: "C:\\Windows\\System32\\svchost.exe -k NetworkService -p",
+    };
+    const bom = makeBom([
+      {
+        type: "data",
+        name: "WinRM",
+        version: "4012",
+        description: row.description,
+        "bom-ref": "osquery:services_snapshot:data:WinRM@4012",
+        properties: [
+          { name: "cdx:osquery:category", value: "services_snapshot" },
+          ...createLolbasProperties("services_snapshot", row),
+          { name: "path", value: row.path },
+          { name: "module_path", value: row.module_path },
+          { name: "start_type", value: "AUTO_START" },
+        ],
+      },
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 0);
+  });
+  it("should keep suspicious Windows services that launch LOLBAS from user-controlled paths (OBOM-WIN-006)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "OBOM-WIN-006");
+    assert.ok(rule, "OBOM-WIN-006 rule should exist");
+    const row = {
+      path: "C:\\Users\\Public\\evil\\powershell.exe -enc AAAA",
+    };
+    const bom = makeBom([
+      {
+        type: "data",
+        name: "EvilService",
+        version: "1234",
+        description: "",
+        "bom-ref": "osquery:services_snapshot:data:EvilService@1234",
+        properties: [
+          { name: "cdx:osquery:category", value: "services_snapshot" },
+          ...createLolbasProperties("services_snapshot", row),
+          { name: "path", value: row.path },
+          { name: "start_type", value: "AUTO_START" },
+        ],
+      },
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 1);
+    assert.match(findings[0].message, /EvilService|powershell\.exe/);
+  });
   it("should detect WMI or AppCompat LOLBAS persistence (OBOM-WIN-007)", async () => {
     const rules = await loadRules(RULES_DIR);
     const rule = rules.find((r) => r.id === "OBOM-WIN-007");
@@ -2941,6 +3650,31 @@ describe("evaluateRules", () => {
     if (findings.length >= 2) {
       const severityOrder = { critical: 0, high: 1, medium: 2, low: 3 };
       for (let i = 1; i < findings.length; i++) {
+        it("should detect weakened macOS Gatekeeper posture (OBOM-MAC-005)", async () => {
+          const rules = await loadRules(RULES_DIR);
+          const rule = rules.find((r) => r.id === "OBOM-MAC-005");
+          assert.ok(rule, "OBOM-MAC-005 rule should exist");
+          const bom = makeBom([
+            {
+              type: "data",
+              name: "gatekeeper",
+              version: "",
+              description: "94",
+              purl: "pkg:swid/gatekeeper",
+              "bom-ref": "pkg:swid/gatekeeper",
+              properties: [
+                { name: "cdx:osquery:category", value: "gatekeeper" },
+                { name: "assessments_enabled", value: "0" },
+                { name: "dev_id_enabled", value: "1" },
+              ],
+            },
+          ]);
+          const findings = await evaluateRule(rule, bom);
+          assert.ok(findings.length > 0, "Should detect weakened Gatekeeper");
+          assert.strictEqual(findings[0].severity, "high");
+        });
         const prev = severityOrder[findings[i - 1].severity] ?? 4;
         const curr = severityOrder[findings[i].severity] ?? 4;
         assert.ok(
@@ -3068,6 +3802,22 @@ describe("auditBom", () => {
     }
   });
+  it("reports active dry-run support counts for package-integrity rules", async () => {
+    const summary = await getBomAuditDryRunSupportSummary({
+      bomAuditCategories: "package-integrity",
+    });
+    assert.deepStrictEqual(summary, {
+      fullCount: 10,
+      noCount: 3,
+      partialCount: 1,
+      totalRules: 14,
+    });
+    assert.match(
+      formatDryRunSupportSummary(summary),
+      /3 rule\(s\) do not support dry-run, 1 rule\(s\) have partial dry-run support, 14 active rule\(s\) total/,
+    );
+  });
   it("does not flag CI-006 for a safe content-addressed PR cache workflow", async () => {
     const bom = makeBomFromWorkflowFixture("cache-pull-request.yml");
@@ -3373,3 +4123,588 @@ describe("hasCriticalFindings", () => {
     assert.ok(!hasCriticalFindings(null, {}));
   });
 });
+describe("additional OBOM and rootfs hardening rules", () => {
+  it("should detect reverse shell behavior (OBOM-LNX-014)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "OBOM-LNX-014");
+    assert.ok(rule, "OBOM-LNX-014 rule should exist");
+    const bom = makeBom([
+      {
+        type: "data",
+        name: "bash",
+        version: "1234",
+        description: "",
+        purl: "pkg:swid/bash@1234",
+        "bom-ref": "pkg:swid/bash@1234",
+        properties: [
+          { name: "cdx:osquery:category", value: "behavioral_reverse_shell" },
+          { name: "path", value: "/usr/bin/bash" },
+          { name: "cmdline", value: "bash -i" },
+          { name: "parent_cmdline", value: "python -c pty.spawn('bash')" },
+          { name: "remote_address", value: "203.0.113.10" },
+          { name: "remote_port", value: "4444" },
+        ],
+      },
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should detect reverse shell behavior");
+    assert.strictEqual(findings[0].severity, "critical");
+  });
+  it("should detect weak sysctl hardening posture (OBOM-LNX-017)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "OBOM-LNX-017");
+    assert.ok(rule, "OBOM-LNX-017 rule should exist");
+    const bom = makeBom([
+      makeComponent("kernel.randomize_va_space", "1", [
+        ["cdx:osquery:category", "sysctl_hardening"],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should detect weak sysctl posture");
+    assert.strictEqual(findings[0].severity, "medium");
+  });
+  it("should detect weak temporary mount protections (OBOM-LNX-018)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "OBOM-LNX-018");
+    assert.ok(rule, "OBOM-LNX-018 rule should exist");
+    const bom = makeBom([
+      makeComponent("/tmp", "rw,nosuid,nodev", [
+        ["cdx:osquery:category", "mount_hardening"],
+        ["type", "tmpfs"],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should detect missing noexec flag");
+    assert.strictEqual(findings[0].severity, "high");
+  });
+  it("should detect GTFOBins-linked privileged runtime activity (OBOM-LNX-019)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "OBOM-LNX-019");
+    assert.ok(rule, "OBOM-LNX-019 rule should exist");
+    const bom = makeBom([
+      makeComponent("bash", "", [
+        ["cdx:osquery:category", "sudo_executions"],
+        ["cdx:gtfobins:matched", "true"],
+        ["cdx:gtfobins:names", "bash"],
+        ["cdx:gtfobins:functions", "shell,command"],
+        ["cdx:gtfobins:contexts", "sudo,suid"],
+        ["cdx:gtfobins:riskTags", "lateral-movement,privilege-escalation"],
+        ["path", "/usr/bin/bash"],
+        ["cmdline", "bash -c id"],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(
+      findings.length > 0,
+      "Should detect GTFOBins helper in privileged runtime context",
+    );
+    assert.strictEqual(findings[0].severity, "high");
+  });
+  it("should ignore elevated root processes without suspicious path evidence (OBOM-LNX-010)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "OBOM-LNX-010");
+    assert.ok(rule, "OBOM-LNX-010 rule should exist");
+    const bom = makeBom([
+      makeComponent("agetty", "1063", [
+        ["cdx:osquery:category", "elevated_processes"],
+        ["uid", "0"],
+        ["package_source_hint", "unclassified-path"],
+        ["cmdline", "/sbin/agetty -o -p -- \\u --noclear - linux"],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(
+      findings.length,
+      0,
+      "Should ignore root processes that lack concrete suspicious path evidence",
+    );
+  });
+  it("should detect elevated root processes from user-controlled command paths (OBOM-LNX-010)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "OBOM-LNX-010");
+    assert.ok(rule, "OBOM-LNX-010 rule should exist");
+    const bom = makeBom([
+      makeComponent("evil-root-job", "1", [
+        ["cdx:osquery:category", "elevated_processes"],
+        ["uid", "0"],
+        ["package_source_hint", "user-writable-path"],
+        ["cmdline", "/home/demo/.local/bin/evil-root-job --daemon"],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(
+      findings.length > 0,
+      "Should detect root processes sourced from user-controlled command paths",
+    );
+    assert.match(findings[0].message, /evil-root-job/);
+  });
+  it("should ignore routine elevated GTFOBins services without suspicious path evidence (OBOM-LNX-019)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "OBOM-LNX-019");
+    assert.ok(rule, "OBOM-LNX-019 rule should exist");
+    const bom = makeBom([
+      makeComponent("fail2ban-server", "1", [
+        ["cdx:osquery:category", "elevated_processes"],
+        ["cdx:gtfobins:matched", "true"],
+        ["cdx:gtfobins:names", "python"],
+        ["cdx:gtfobins:functions", "shell,reverse-shell"],
+        ["cdx:gtfobins:contexts", "sudo,suid,unprivileged"],
+        ["package_source_hint", "unclassified-path"],
+        ["cmdline", "/usr/bin/python3 /usr/bin/fail2ban-server -xf start"],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(
+      findings.length,
+      0,
+      "Should ignore routine elevated GTFOBins matches without suspicious path context",
+    );
+  });
+  it("should detect APT sources that still use plaintext HTTP transport (OBOM-LNX-021)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "OBOM-LNX-021");
+    assert.ok(rule, "OBOM-LNX-021 rule should exist");
+    const bom = makeBom([
+      makeComponent("gb.archive.ubuntu.com/ubuntu+noble", "24.04", [
+        ["cdx:osquery:category", "apt_sources"],
+        ["base_uri", "http://gb.archive.ubuntu.com/ubuntu"],
+        ["components", "main restricted universe multiverse"],
+        ["maintainer", "Ubuntu"],
+        ["release", "noble"],
+        ["source", "/etc/apt/sources.list.d/ubuntu.sources"],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should flag HTTP-backed APT sources");
+    assert.strictEqual(findings[0].severity, "medium");
+    assert.match(findings[0].message, /plaintext HTTP transport/);
+  });
+  it("should detect authorized_keys entries that still use ssh-rsa (OBOM-LNX-022)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "OBOM-LNX-022");
+    assert.ok(rule, "OBOM-LNX-022 rule should exist");
+    const bom = makeBom([
+      makeComponent("appthreat", "ssh-rsa", [
+        ["cdx:osquery:category", "authorized_keys_snapshot"],
+        ["key_file", "/home/appthreat/.ssh/authorized_keys"],
+        ["uid", "1000"],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(
+      findings.length > 0,
+      "Should flag deprecated ssh-rsa authorized_keys entries",
+    );
+    assert.strictEqual(findings[0].severity, "medium");
+    assert.match(findings[0].message, /deprecated ssh-rsa/);
+  });
+  it("should classify managed privileged listeners as medium exposure review (OBOM-LNX-006)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "OBOM-LNX-006");
+    assert.ok(rule, "OBOM-LNX-006 rule should exist");
+    const bom = makeBom([
+      makeComponent("nginx", "", [
+        ["cdx:osquery:category", "privileged_listening_ports"],
+        ["address", "0.0.0.0"],
+        ["port", "443"],
+        ["path", "/usr/sbin/nginx"],
+        ["account", "root"],
+        ["package_source_hint", "package-managed"],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should flag non-local privileged listener");
+    assert.strictEqual(findings[0].severity, "medium");
+    assert.match(findings[0].message, /\/usr\/sbin\/nginx/);
+  });
+  it("should keep writable-path privileged listeners as high-signal findings (OBOM-LNX-020)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "OBOM-LNX-020");
+    assert.ok(rule, "OBOM-LNX-020 rule should exist");
+    const bom = makeBom([
+      makeComponent("evil-listener", "", [
+        ["cdx:osquery:category", "privileged_listening_ports"],
+        ["address", "0.0.0.0"],
+        ["port", "8443"],
+        ["path", "/home/demo/.local/bin/evil-listener"],
+        ["account", "root"],
+        ["package_source_hint", "user-writable-path"],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(
+      findings.length > 0,
+      "Should flag privileged listener from writable path",
+    );
+    assert.strictEqual(findings[0].severity, "high");
+    assert.match(findings[0].message, /evil-listener/);
+  });
+  it("should detect risky Public profile firewall rules (OBOM-WIN-011)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "OBOM-WIN-011");
+    assert.ok(rule, "OBOM-WIN-011 rule should exist");
+    const bom = makeBom([
+      makeComponent("RDP public allow", "", [
+        ["cdx:osquery:category", "windows_firewall_rules"],
+        ["enabled", "true"],
+        ["direction", "in"],
+        ["action", "allow"],
+        ["profile", "Public"],
+        ["local_ports", "3389"],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should detect Public inbound allow rule");
+    assert.strictEqual(findings[0].severity, "high");
+  });
+  it("should detect invalid Authenticode on startup artifacts (OBOM-WIN-012)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "OBOM-WIN-012");
+    assert.ok(rule, "OBOM-WIN-012 rule should exist");
+    const bom = makeBom([
+      makeComponent("Updater", "", [
+        ["cdx:osquery:category", "windows_run_keys"],
+        ["path", "C:\\Users\\Public\\updater.exe"],
+        ["cdx:windows:authenticode:status", "NotSigned"],
+        ["cdx:windows:authenticode:signerSubject", ""],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should detect invalid Authenticode status");
+    assert.strictEqual(findings[0].severity, "critical");
+  });
+  it("should not treat unresolved Authenticode status as definitively invalid (OBOM-WIN-012)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "OBOM-WIN-012");
+    assert.ok(rule, "OBOM-WIN-012 rule should exist");
+    const bom = makeBom([
+      makeComponent("Updater", "", [
+        ["cdx:osquery:category", "windows_run_keys"],
+        ["path", "C:\\Users\\Public\\updater.exe"],
+        ["cdx:windows:authenticode:status", "UnknownError"],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 0);
+  });
+  it("should detect missing WDAC policy enforcement (OBOM-WIN-013)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "OBOM-WIN-013");
+    assert.ok(rule, "OBOM-WIN-013 rule should exist");
+    const bom = makeBom([
+      makeComponent("wdac-active-policies", "observed", [
+        ["cdx:windows:wdac:activePolicyCount", "0"],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(
+      findings.length > 0,
+      "Should detect missing WDAC policy enforcement",
+    );
+    assert.strictEqual(findings[0].severity, "high");
+  });
+  it("should detect failed macOS notarization assessments with registration and target paths (OBOM-MAC-007)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "OBOM-MAC-007");
+    assert.ok(rule, "OBOM-MAC-007 rule should exist");
+    const bom = makeBom([
+      makeComponent("org.example.agent", "", [
+        ["cdx:osquery:category", "launchd_services"],
+        ["path", "/Library/LaunchDaemons/org.example.agent.plist"],
+        ["program", "/Applications/Suspicious.app/Contents/MacOS/Suspicious"],
+        ["cdx:darwin:codesign:teamIdentifier", "ABCDE12345"],
+        ["cdx:darwin:notarization:assessment", "rejected"],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(
+      findings.length > 0,
+      "Should detect failed notarization assessment",
+    );
+    assert.strictEqual(findings[0].severity, "high");
+    assert.match(
+      findings[0].message,
+      /\/Library\/LaunchDaemons\/org\.example\.agent\.plist/,
+    );
+    assert.match(
+      findings[0].message,
+      /\/Applications\/Suspicious\.app\/Contents\/MacOS\/Suspicious/,
+    );
+    assert.strictEqual(
+      findings[0].evidence.registrationPath,
+      "/Library/LaunchDaemons/org.example.agent.plist",
+    );
+    assert.strictEqual(
+      findings[0].evidence.targetPath,
+      "/Applications/Suspicious.app/Contents/MacOS/Suspicious",
+    );
+  });
+  it("should ignore unknown notarization assessments for Apple-managed system apps (OBOM-MAC-008)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "OBOM-MAC-008");
+    assert.ok(rule, "OBOM-MAC-008 rule should exist");
+    const bom = makeBom([
+      makeComponent("Finder.app", "", [
+        ["cdx:osquery:category", "running_apps"],
+        ["bundle_path", "/System/Library/CoreServices/Finder.app"],
+        [
+          "bundle_executable",
+          "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder",
+        ],
+        ["cdx:darwin:notarization:assessment", "unknown"],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(
+      findings.length,
+      0,
+      "Should not alert on Apple-managed system apps with unknown assessment",
+    );
+  });
+  it("should ignore rejected notarization on generic installed macOS app inventory (OBOM-MAC-007)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "OBOM-MAC-007");
+    assert.ok(rule, "OBOM-MAC-007 rule should exist");
+    const bom = makeBom([
+      makeComponent("Installed.app", "", [
+        ["cdx:osquery:category", "apps"],
+        ["bundle_path", "/Applications/Installed.app"],
+        [
+          "bundle_executable",
+          "/Applications/Installed.app/Contents/MacOS/Installed",
+        ],
+        ["cdx:darwin:notarization:assessment", "rejected"],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(
+      findings.length,
+      0,
+      "Should not alert on generic installed app inventory",
+    );
+  });
+  it("should ignore Apple-managed system launchd services for notarization review (OBOM-MAC-007)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "OBOM-MAC-007");
+    assert.ok(rule, "OBOM-MAC-007 rule should exist");
+    const bom = makeBom([
+      makeComponent("com.apple.test", "", [
+        ["cdx:osquery:category", "launchd_services"],
+        ["path", "/System/Library/LaunchDaemons/com.apple.test.plist"],
+        ["program", "/usr/libexec/testd"],
+        ["cdx:darwin:notarization:assessment", "rejected"],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(
+      findings.length,
+      0,
+      "Should not alert on Apple-managed system launchd services",
+    );
+  });
+  it("should keep unknown notarization findings for user-controlled macOS launch agents (OBOM-MAC-008)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "OBOM-MAC-008");
+    assert.ok(rule, "OBOM-MAC-008 rule should exist");
+    const bom = makeBom([
+      makeComponent("com.jetbrains.AppCode.BridgeService.plist", "", [
+        ["cdx:osquery:category", "launchd_services"],
+        [
+          "path",
+          "/Users/prabhu/Library/LaunchAgents/com.jetbrains.AppCode.BridgeService.plist",
+        ],
+        [
+          "program",
+          "/Users/prabhu/Applications/Rider.app/Contents/bin/Bridge.framework/Versions/A/Resources/BridgeService",
+        ],
+        ["cdx:darwin:notarization:assessment", "unknown"],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 1);
+    assert.strictEqual(findings[0].severity, "medium");
+    assert.match(findings[0].message, /Users\/prabhu\/Library\/LaunchAgents/);
+    assert.match(
+      findings[0].message,
+      /Users\/prabhu\/Applications\/Rider\.app/,
+    );
+  });
+  it("should render actionable Windows Authenticode findings with registration and target paths (OBOM-WIN-014)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "OBOM-WIN-014");
+    assert.ok(rule, "OBOM-WIN-014 rule should exist");
+    const bom = makeBom([
+      makeComponent("\\Vendor\\Updater", "", [
+        ["cdx:osquery:category", "scheduled_tasks"],
+        ["path", "\\Vendor\\Updater"],
+        ["action", "C:\\ProgramData\\Vendor\\updater.exe"],
+        ["cdx:windows:authenticode:status", "UnknownError"],
+        ["cdx:windows:authenticode:signerSubject", "CN=Unknown"],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(
+      findings.length > 0,
+      "Should detect unresolved Authenticode status on user-controlled path",
+    );
+    assert.strictEqual(findings[0].severity, "high");
+    assert.match(findings[0].message, /\\Vendor\\Updater/);
+    assert.match(findings[0].message, /C:\\ProgramData\\Vendor\\updater\.exe/);
+    assert.strictEqual(
+      findings[0].evidence.registrationPath,
+      "\\Vendor\\Updater",
+    );
+    assert.strictEqual(
+      findings[0].evidence.targetPath,
+      "C:\\ProgramData\\Vendor\\updater.exe",
+    );
+  });
+  it("should ignore unresolved Authenticode on Windows startup shortcut files (OBOM-WIN-014)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "OBOM-WIN-014");
+    assert.ok(rule, "OBOM-WIN-014 rule should exist");
+    const bom = makeBom([
+      makeComponent("Service Fabric Local Cluster Manager.lnk", "", [
+        ["cdx:osquery:category", "startup_items"],
+        [
+          "path",
+          "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Service Fabric Local Cluster Manager.lnk",
+        ],
+        ["cdx:windows:authenticode:status", "UnknownError"],
+      ]),
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.strictEqual(findings.length, 0);
+  });
+  it("should detect yum repositories with gpgcheck disabled (RFS-002)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "RFS-002");
+    assert.ok(rule, "RFS-002 rule should exist");
+    const bom = makeBom([
+      {
+        type: "data",
+        name: "internal.repo",
+        version: "configured",
+        purl: "pkg:generic/os-repository/internal.repo@configured",
+        "bom-ref": "pkg:generic/os-repository/internal.repo@configured",
+        properties: [
+          { name: "SrcFile", value: "/etc/yum.repos.d/internal.repo" },
+          { name: "cdx:os:repo:type", value: "yum-repository" },
+          { name: "cdx:os:repo:enabled", value: "true" },
+          {
+            name: "cdx:os:repo:url",
+            value: "https://repo.example.invalid/baseos",
+          },
+          { name: "cdx:os:repo:gpgcheck", value: "0" },
+        ],
+      },
+    ]);
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(findings.length > 0, "Should detect disabled gpgcheck");
+    assert.strictEqual(findings[0].severity, "critical");
+  });
+  it("should detect services executing from temporary paths (RFS-005)", async () => {
+    const rules = await loadRules(RULES_DIR);
+    const rule = rules.find((r) => r.id === "RFS-005");
+    assert.ok(rule, "RFS-005 rule should exist");
+    const bom = makeBom(
+      [],
+      [],
+      [],
+      [
+        {
+          name: "evil-service",
+          version: "1.0.0",
+          "bom-ref": "urn:service:systemd:test:evil-service",
+          properties: [
+            { name: "SrcFile", value: "/etc/systemd/system/evil.service" },
+            { name: "cdx:service:manager", value: "systemd" },
+            { name: "cdx:service:ExecStart", value: "/tmp/run-evil.sh" },
+            {
+              name: "cdx:service:packageRef",
+              value: "pkg:deb/debian/evil@1.0.0",
+            },
+          ],
+        },
+      ],
+    );
+    const findings = await evaluateRule(rule, bom);
+    assert.ok(
+      findings.length > 0,
+      "Should detect writable-path service execution",
+    );
+    assert.strictEqual(findings[0].severity, "critical");
+  });
+});