@cyclonedx/cdxgen 12.3.3 → 12.4.0

package/bin/validate.js

@@ -28,6 +28,7 @@ import {
   retrieveCdxgenVersion,
   safeExistsSync,
   safeMkdirSync,
+  safeWriteSync,
 } from "../lib/helpers/utils.js";
 import { getBomWithOras } from "../lib/managers/oci.js";
 import { shouldFail, validateBomAdvanced } from "../lib/validator/index.js";
@@ -39,7 +40,7 @@ const args = _yargs
   .option("input", {
     alias: "i",
     default: "bom.json",
-    description: "Input SBOM JSON file or OCI reference.",
+    description: "Input SBOM JSON or protobuf file, or an OCI reference.",
   })
   .option("platform", {
     description:
@@ -128,9 +129,18 @@ const args = _yargs
   .help()
   .wrap(Math.min(120, yargs().terminalWidth())).argv;
 
-function loadBom(input, platform) {
+async function loadBom(input, platform) {
   if (safeExistsSync(input)) {
+    const normalizedInput = `${input}`.toLowerCase();
     try {
+      if (
+        normalizedInput.endsWith(".cdx") ||
+        normalizedInput.endsWith(".cdx.bin") ||
+        normalizedInput.endsWith(".proto")
+      ) {
+        const { readBinary } = await import("../lib/helpers/protobom.js");
+        return readBinary(input, true);
+      }
       return JSON.parse(fs.readFileSync(input, "utf8"));
     } catch (err) {
       console.error(`Failed to parse ${input}: ${err.message}`);
@@ -176,16 +186,36 @@ function writeOrPrint(content, outputPath) {
   if (parent && !safeExistsSync(parent)) {
     safeMkdirSync(parent, { recursive: true });
   }
-  fs.writeFileSync(outputPath, content);
+  safeWriteSync(outputPath, content);
 }
 
-const bomJson = loadBom(args.input, args.platform);
+function isLocalProtoBomInput(input) {
+  if (!safeExistsSync(input)) {
+    return false;
+  }
+  const normalizedInput = `${input}`.toLowerCase();
+  return (
+    normalizedInput.endsWith(".cdx") ||
+    normalizedInput.endsWith(".cdx.bin") ||
+    normalizedInput.endsWith(".proto")
+  );
+}
+
+const bomJson = await loadBom(args.input, args.platform);
 const publicKeyStr = loadPublicKey(args.publicKey);
+const inputIsLocalProtoBom = isLocalProtoBomInput(args.input);
 if (!isCycloneDxBom(bomJson)) {
   console.error(getNonCycloneDxErrorMessage(bomJson, "cdx-validate"));
   process.exit(1);
 }
 
+if (inputIsLocalProtoBom && publicKeyStr) {
+  console.error(
+    "cdx-validate: protobuf BOM input does not currently preserve JSF signature blocks. Verify signatures against the source JSON BOM instead.",
+  );
+  process.exit(args.requireSignature ? 4 : 1);
+}
+
 const report = validateBomAdvanced(bomJson, {
   schema: args.schema,
   deep: args.deep,

package/bin/verify.js

@@ -27,7 +27,8 @@ const args = _yargs
   .option("input", {
     alias: "i",
     default: "bom.json",
-    description: "Input json to validate. Default bom.json",
+    description:
+      "Input CycloneDX JSON or protobuf BOM to verify. Default bom.json",
   })
   .option("platform", {
     description: "The platform to validate. No default",
@@ -75,9 +76,23 @@ if (process.env?.CDXGEN_NODE_OPTIONS) {
   process.env.NODE_OPTIONS = `${process.env.NODE_OPTIONS || ""} ${process.env.CDXGEN_NODE_OPTIONS}`;
 }
 
-function getBom(args) {
-  if (fs.existsSync(args.input)) {
-    return JSON.parse(fs.readFileSync(args.input, "utf8"));
+async function getBom(args) {
+  if (safeExistsSync(args.input)) {
+    const normalizedInput = `${args.input}`.toLowerCase();
+    try {
+      if (
+        normalizedInput.endsWith(".cdx") ||
+        normalizedInput.endsWith(".cdx.bin") ||
+        normalizedInput.endsWith(".proto")
+      ) {
+        const { readBinary } = await import("../lib/helpers/protobom.js");
+        return readBinary(args.input, true);
+      }
+      return JSON.parse(fs.readFileSync(args.input, "utf8"));
+    } catch (error) {
+      console.log(`Failed to parse '${args.input}': ${error.message}`);
+      process.exit(1);
+    }
   }
   if (
     args.input.includes(":") ||
@@ -89,7 +104,20 @@ function getBom(args) {
   return undefined;
 }
 
-const bomJson = getBom(args);
+function isLocalProtoBomInput(input) {
+  if (!safeExistsSync(input)) {
+    return false;
+  }
+  const normalizedInput = `${input}`.toLowerCase();
+  return (
+    normalizedInput.endsWith(".cdx") ||
+    normalizedInput.endsWith(".cdx.bin") ||
+    normalizedInput.endsWith(".proto")
+  );
+}
+
+const bomJson = await getBom(args);
+const inputIsLocalProtoBom = isLocalProtoBomInput(args.input);
 
 if (!bomJson) {
   console.log(`${args.input} is invalid!`);
@@ -100,6 +128,13 @@ if (!isCycloneDxBom(bomJson)) {
   process.exit(1);
 }
 
+if (inputIsLocalProtoBom) {
+  console.log(
+    "cdx-verify: protobuf BOM input does not currently preserve JSF signature blocks. Verify signatures against the source JSON BOM instead.",
+  );
+  process.exit(1);
+}
+
 if (bomJson && !safeExistsSync(args.publicKey)) {
   console.log("Public key for signature verification is missing!");
   process.exit(1);

package/data/README.md

@@ -1,27 +1,300 @@
 # Introduction
 
-Contents of data directory and their purpose.
-
-| Filename                | Purpose                                                                                                  |
-| ----------------------- | -------------------------------------------------------------------------------------------------------- |
-| bom-1.4.schema.json     | CycloneDX 1.4 jsonschema for validation                                                                  |
-| bom-1.5.schema.json     | CycloneDX 1.5 jsonschema for validation                                                                  |
-| cosdb-queries.json      | osquery useful for identifying OS packages for C                                                         |
-| cbomosdb-queries.json   | osquery for identifying ssl packages in OS                                                               |
-| jsf-0.82.schema.json    | jsonschema for validation                                                                                |
-| known-licenses.json     | Hard coded list to correct any license id. Not maintained.                                               |
-| lic-mapping.json        | Hard coded list to match a license id based on name                                                      |
-| pypi-pkg-aliases.json   | Hard coded list to match a pypi package name from module name                                            |
-| python-stdlib.json      | Standard libraries that can be filtered out in python                                                    |
-| queries-win.json        | osquery used to generate obom for windows                                                                |
-| queries.json            | osquery used to generate obom for linux                                                                  |
-| queries-darwin.json     | osquery used to generate obom for darwin                                                                 |
-| spdx-licenses.json      | valid spdx id                                                                                            |
-| spdx.schema.json        | jsonschema for validation                                                                                |
-| vendor-alias.json       | List to correct the group names. Used while parsing .jar files                                           |
-| wrapdb-releases.json    | Database of all available meson wraps. Generated using contrib/wrapdb.py.                                |
-| frameworks-list.json    | List of string fragments to categorize components into frameworks                                        |
-| crypto-oid.json         | Peter Gutmann's crypto oid [mapping](https://www.cs.auckland.ac.nz/~pgut001). GPL, BSD, or CC BY license |
-| glibc-stdlib.json       | Standard libraries that can be filtered out in C++                                                       |
-| component-tags.json     | List of tags to extract from component description text for easy classification.                         |
-| ruby-known-modules.json | Module names for certain known gems. Example: rails                                                      |
+This directory contains static knowledge that cdxgen uses at runtime. Some files are passive reference data. Others directly shape behavior, especially query packs, rule files, schemas, aliases, and component-tag metadata.
+
+## Purpose of this directory
+
+Treat `data/` as product behavior, not as a convenient dump of reference files. If a file here is stale, incomplete, or incorrectly sourced, it can change runtime output, validation behavior, or audit findings.
+
+## Contribution policy
+
+Direct pull requests that only hand-edit curated data in `data/` are not accepted. Start with an issue or a broader change proposal that explains:
+
+1. the upstream source of truth
+2. whether the file is upstream, derived, or hand-curated
+3. how it should be refreshed
+4. what tests or validation prove the update is safe
+
+Prefer adding or improving automation under `contrib/` over one-off manual edits.
+
+## Directory contents
+
+| Filename | Purpose | Source | Curation / refresh path |
+|---|---|---|---|
+| `bom-1.4.schema.json` | CycloneDX 1.4 JSON schema for legacy compatibility validation | CycloneDX specification schema | upstream-derived compatibility copy; active feature work should target 1.5–1.7 |
+| `bom-1.5.schema.json` | CycloneDX 1.5 JSON schema for validation | CycloneDX specification schema | upstream-derived |
+| `bom-1.6.schema.json` | CycloneDX 1.6 JSON schema for validation | CycloneDX specification schema | upstream-derived |
+| `bom-1.7.schema.json` | CycloneDX 1.7 JSON schema for validation | CycloneDX specification schema | upstream-derived |
+| `cbomosdb-queries.json` | osquery queries for identifying SSL packages in OS contexts | project-maintained query pack | hand-curated with tests; should evolve with query-pack review |
+| `component-tags.json` | tags extracted from component descriptions for classification | project-maintained derived dataset | partially curated; automation opportunities remain |
+| `container-knowledge-index.json` | reference knowledge for container analysis | project-maintained derived dataset | partially curated; automation opportunities remain |
+| `cosdb-queries.json` | osquery queries useful for identifying OS packages for C | project-maintained query pack | hand-curated with tests |
+| `crypto-oid.json` | OID mapping reference used for crypto-aware output | standards and project-maintained mapping inputs | curated compatibility dataset |
+| `cryptography-defs.json` | cryptography inventory definitions | project-maintained definitions | curated; should be kept aligned with analyzer and CBOM logic |
+| `frameworks-list.json` | string fragments used to classify framework components | project-maintained heuristics | hand-curated; good candidate for future automation |
+| `gtfobins-index.json` | GTFOBins reference data used for Linux container and runtime executable enrichment | GTFOBins project data plus project normalization | derived and normalized for cdxgen |
+| `known-licenses.json` | hard-coded license corrections | project-maintained compatibility fixes | hand-curated escape hatch; prefer upstream/source fixes when possible |
+| `lic-mapping.json` | fallback license-name to identifier mapping | project-maintained mapping | hand-curated compatibility layer |
+| `lolbas-index.json` | LOLBAS reference data used for Windows runtime findings | LOLBAS project data plus project normalization | derived and normalized for cdxgen |
+| `predictive-audit-allowlist.json` | allowlist data for audit behavior | project-maintained heuristics | curated; should be reviewed alongside audit targeting logic |
+| `pypi-pkg-aliases.json` | Python package-name alias data | project-maintained alias mapping | hand-curated compatibility layer |
+| `python-stdlib.json` | Python standard-library entries that can be filtered out | Python stdlib references plus project normalization | derived list; automation opportunities remain |
+| `queries.json` | Linux osquery query pack for OBOM and runtime inventory | project-maintained query pack | hand-curated with tests |
+| `queries-win.json` | Windows osquery query pack | project-maintained query pack | hand-curated with tests |
+| `queries-darwin.json` | macOS osquery query pack | project-maintained query pack | hand-curated with tests |
+| `rules/` | built-in BOM audit rule packs in YAML | project-maintained rule packs | hand-authored rules validated by tests; users can also supply their own rule packs |
+| `spdx-licenses.json` | SPDX license identifiers | SPDX License List data | upstream-derived |
+| `spdx-export.schema.json` | SPDX 3.0.1 schema used during export validation | project-derived export schema generated from SPDX model artifacts | derived artifact; there is not a single upstream-published JSON schema that exactly matches this export use case |
+| `spdx.schema.json` | SPDX schema for validation | SPDX JSON schema inputs used by the project | upstream-derived compatibility copy |
+| `vendor-alias.json` | vendor or group-name alias fixes | project-maintained alias mapping | hand-curated compatibility layer; should eventually be reduced as heuristics improve |
+| `wrapdb-releases.json` | Meson WrapDB release data | Meson WrapDB | derived artifact; refresh automation still needs to be formalized and maintained |
+
+## How this directory fits into the architecture
+
+### ASCII view
+
+```text
+runtime code
+   |
+   +--> lib/cli/* -----------> alias files, framework lists, tag maps
+   |
+   +--> lib/stages/postgen/* -> rule packs, standards data, schemas
+   |
+   +--> lib/audit/* ---------> rules/, allowlists, scoring support data
+   |
+   +--> lib/validator/* -----> CycloneDX and SPDX schemas
+   |
+   +--> OBOM flows ----------> queries*.json, GTFOBins, LOLBAS, knowledge indexes
+```
+
+### Mermaid view
+
+```mermaid
+flowchart TD
+    A[data/] --> B[schemas]
+    A --> C[query packs]
+    A --> D[rule files]
+    A --> E[alias and mapping files]
+    A --> F[knowledge indexes]
+    B --> G[validator]
+    C --> H[OBOM and runtime inventory]
+    D --> I[audit engine]
+    E --> J[parsers and metadata helpers]
+    F --> K[container and runtime enrichment]
+```
+
+## Query-pack files
+
+The three `queries*.json` files are platform-specific osquery packs. They describe what cdxgen should ask osquery for when generating OS and runtime inventory.
+
+### Query-pack shape
+
+| Field | Required | Purpose |
+|---|---|---|
+| `query` | yes | SQL executed against osquery |
+| `description` | yes | human-readable explanation of the collection intent |
+| `purlType` | yes | package URL type used for derived components |
+| `componentType` | no | CycloneDX component type when `library` is not appropriate |
+| `name` | no | component-name override for result sets that do not naturally expose one |
+
+### Example mental model
+
+```text
+queries.json entry
+      |
+      v
+osquery runs SQL
+      |
+      v
+rows come back
+      |
+      v
+cdxgen maps rows into components using purlType and componentType
+```
+
+### Good query-pack hygiene
+
+| Practice | Why it matters |
+|---|---|
+| keep descriptions specific | helps users understand collected categories |
+| choose `componentType` carefully | affects how consumers interpret results |
+| mirror cross-platform entries intentionally | reduces accidental platform drift |
+| keep query scope safe and bounded | avoids expensive or unsafe collection |
+
+## Rule files under `data/rules/`
+
+Rule files are YAML packs consumed by the audit flow. Each file groups rules by a shared theme such as container risk, rootfs hardening, OBOM runtime posture, or AI agent governance.
+
+### Rule evaluation flow
+
+#### ASCII view
+
+```text
+input BOM
+   |
+   v
+load YAML rule pack
+   |
+   v
+for each rule
+   |
+   +--> evaluate JSONata condition against BOM
+   +--> collect matching components
+   +--> build location object
+   +--> render message template
+   +--> attach mitigation, evidence, ATT&CK, and standards metadata
+   |
+   v
+audit findings
+```
+
+#### Mermaid view
+
+```mermaid
+flowchart TD
+    A[BOM input] --> B[load rule YAML]
+    B --> C[evaluate condition]
+    C --> D{matched components?}
+    D -->|no| E[no finding]
+    D -->|yes| F[build location and message]
+    F --> G[attach mitigation and evidence]
+    G --> H[emit finding]
+```
+
+## Rule schema in practice
+
+Each rule is a YAML list item. These fields matter most.
+
+| Field | Required | Purpose |
+|---|---|---|
+| `id` | yes | unique stable identifier such as `CTR-001` |
+| `name` | yes | short title used in findings |
+| `description` | yes | why the rule exists and what it detects |
+| `severity` | yes | risk level such as `critical`, `high`, `medium`, `low`, `info` |
+| `category` | yes | thematic category that usually aligns with the file grouping |
+| `dry-run-support` | yes | whether the rule can work on dry-run style BOMs |
+| `condition` | yes | JSONata expression that selects matching components |
+| `location` | yes | JSONata expression that builds a location object for the match |
+| `message` | yes | rendered finding text, including placeholders |
+| `mitigation` | yes | remediation guidance shown with the finding |
+| `evidence` | no | extra structured data carried with the finding |
+| `attack` | no | MITRE ATT&CK mapping data |
+| `standards` | no | mapping of standard names to reference identifiers; surfaced in audit annotations as `cdx:audit:standards:*` metadata |
+
+## Writing `condition` expressions
+
+Conditions are written in JSONata and evaluated against the BOM document. In practice, most rules filter the `components` array.
+
+```yaml
+condition: |
+  components[
+    $prop($, 'cdx:some:property') = 'expected-value'
+    and type = 'library'
+  ]
+```
+
+### Helper functions commonly used in rules
+
+| Function | Purpose |
+|---|---|
+| `$prop(component, name)` | fetches a CycloneDX property by name |
+| `$nullSafeProp(component, name)` | null-safe property fetch for comparisons |
+| `$listContains(list, value)` | checks list-like property text for a specific entry |
+| `$firstNonEmpty(a, b, ...)` | returns the first non-empty value |
+
+### Thinking about rule conditions
+
+A good condition is usually:
+
+1. specific enough to avoid noise
+2. readable enough for reviewers to reason about
+3. based on stable properties that cdxgen already emits consistently
+
+## Message rendering
+
+The `message` field supports template placeholders using double braces.
+
+```yaml
+message: "Package '{{ name }}' at version '{{ version }}' is affected"
+```
+
+Those expressions are evaluated in the context of the matched component. Keep messages clear and reviewer-friendly. The message should explain the risk without requiring the reader to decode the raw JSONata condition.
+
+## Authoring rules with the REPL
+
+Use `cdxi` when you want a tight feedback loop while authoring or debugging a rule. A practical flow is:
+
+```text
+cdxi bom.json
+.query components[type = 'library']
+.query components[$prop($, 'cdx:github:action:isShaPinned') = 'false']
+.auditfindings
+.validate
+```
+
+Why this helps:
+
+| REPL command | Use while authoring rules |
+|---|---|
+| `.query <jsonata>` | test the JSONata shape before copying it into a YAML rule |
+| `.inspect <name-or-purl>` | inspect a concrete component when a condition is too broad or too narrow |
+| `.auditfindings` | review existing annotations produced by `--bom-audit` or `cdx-audit` |
+| `.validate` | quickly validate the loaded BOM before concluding the rule is wrong |
+
+## Using custom rule packs
+
+Users can maintain their own rule packs outside this repository and supply the directory at runtime.
+
+```bash
+# Apply custom rules during BOM generation
+cdxgen --bom-audit --bom-audit-rules-dir ./my-rules -o bom.json
+
+# Apply custom rules with the standalone audit command
+cdx-audit --bom bom.json --direct-bom-audit --rules-dir ./my-rules
+```
+
+This is the preferred path for organization-specific policy rather than submitting narrowly scoped custom rules into `data/rules/`.
+
+## Adding a new rule safely
+
+Use this sequence.
+
+1. choose the correct category file under `data/rules/`
+2. draft the condition against a real BOM sample
+3. keep the location object small and actionable
+4. add mitigation text that tells the user what to do next
+5. add or update tests in `lib/stages/postgen/auditBom.poku.js`
+
+## Choosing between a rule, a query-pack entry, and a helper-data file
+
+| If you need to add... | It probably belongs in... |
+|---|---|
+| a new risk detection idea over existing BOM fields | `data/rules/*.yaml` |
+| a new host or runtime collection source | `queries*.json` |
+| a new alias, mapping, or classifier list | another JSON file in `data/` |
+| a new schema or validation artifact | `data/*schema*.json` |
+
+## Automation and maintenance gaps
+
+Some files in `data/` are still compatibility layers, hand-curated heuristics, or locally derived artifacts. The goal should be to reduce those hacks over time, not normalize them.
+
+Current expectations:
+
+1. open an issue before proposing a new refresh process or replacing a derived artifact
+2. document the upstream source and whether the file is hand-curated, upstream, or locally derived
+3. prefer a repeatable refresh script under `contrib/` where practical
+4. keep tests close to any rule or query-pack change
+
+`wrapdb-releases.json` remains a derived artifact, but its refresh path still needs to be formalized and maintained like the rest of the curated datasets. Those gaps should be tracked as issue-first follow-up work rather than solved with silent one-off edits.
+
+## Maintenance advice
+
+This directory changes slowly, but small mistakes here can affect a lot of runtime behavior. Treat edits as code, not content.
+
+| Habit | Why it helps |
+|---|---|
+| keep examples close to real emitted fields | avoids stale rules |
+| review platform symmetry for query packs | avoids one-OS regressions |
+| test new rules with realistic BOM fixtures | catches false positives early |
+| document new files here | keeps contributors oriented |
+| replace hacks with sourced or scripted refresh paths when possible | keeps long-term maintenance manageable |

package/data/component-tags.json

@@ -158,6 +158,7 @@
       "processor",
       "services_snapshot",
       "apt_sources",
+      "apt_ppa_sources",
       "behavioral_reverse_shell",
       "certificates",
       "chrome_extensions",
@@ -169,6 +170,7 @@
       "docker_volumes",
       "etc_hosts",
       "firefox_addons",
+      "gatekeeper",
       "vscode_extensions",
       "homebrew_packages",
       "installed_applications",
@@ -183,13 +185,16 @@
       "pipes_snapshot",
       "portage_packages",
       "process_events",
+      "secureboot_certificates",
       "processes",
       "python_packages",
+      "npm_packages",
       "rpm_packages",
       "scheduled_tasks",
       "services_snapshot",
       "startup_items",
       "system_info_snapshot",
+      "trusted_gpg_keys",
       "windows_drivers",
       "windows_patches",
       "windows_programs",
@@ -207,6 +212,7 @@
       "npm_packages",
       "opera_extensions",
       "pipes_snapshot",
+      "process_open_handles_snapshot",
       "process_open_sockets",
       "safari_extensions",
       "scheduled_tasks",

package/data/crypto-oid.json

@@ -1023,6 +1023,22 @@
     "oid": "1.3.101.113",
     "description": "EdDSA 448 signature algorithm"
   },
+  "Ed25519": {
+    "oid": "1.3.101.112",
+    "description": "EdDSA 25519 signature algorithm"
+  },
+  "ed25519": {
+    "oid": "1.3.101.112",
+    "description": "EdDSA 25519 signature algorithm"
+  },
+  "Ed448": {
+    "oid": "1.3.101.113",
+    "description": "EdDSA 448 signature algorithm"
+  },
+  "ed448": {
+    "oid": "1.3.101.113",
+    "description": "EdDSA 448 signature algorithm"
+  },
   "curveEd25519ph": {
     "oid": "1.3.101.114",
     "description": "EdDSA 25519 pre-hash signature algorithm"

package/data/predictive-audit-allowlist.json

@@ -0,0 +1,11 @@
+[
+  "pkg:npm/%40babel",
+  "pkg:npm/%40eslint",
+  "pkg:npm/%40istanbuljs",
+  "pkg:npm/%40jest",
+  "pkg:npm/%40npmcli",
+  "pkg:npm/%40rollup",
+  "pkg:npm/%40types",
+  "pkg:npm/%40typescript-eslint",
+  "pkg:npm/npm"
+]

package/data/queries-darwin.json

@@ -35,6 +35,12 @@
     "purlType": "swid",
     "componentType": "application"
   },
+  "gatekeeper": {
+    "query": "SELECT 'gatekeeper' as name, COALESCE(NULLIF(version, ''), opaque_version) as version, opaque_version as description, assessments_enabled, dev_id_enabled FROM gatekeeper;",
+    "description": "macOS Gatekeeper policy status, including assessment enforcement and identified-developer allowance.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
   "system_extensions": {
     "query": "select * from system_extensions;",
     "description": "macOS (>= 10.15) system extension table.",
@@ -71,6 +77,11 @@
     "purlType": "swid",
     "componentType": "application"
   },
+  "npm_packages": {
+    "query": "SELECT * FROM npm_packages;",
+    "description": "Node packages installed on the system, including recursively discovered modern package manager layouts.",
+    "purlType": "npm"
+  },
   "launchd_services": {
     "query": "SELECT name, label, path, program, run_at_load, keep_alive, disabled, username, groupname, stdout_path, stderr_path, start_interval, program_arguments, watch_paths, queue_directories, start_on_mount, working_directory, process_type FROM launchd;",
     "description": "LaunchAgents and LaunchDaemons configuration used for macOS persistence.",
@@ -108,7 +119,7 @@
     "componentType": "data"
   },
   "package_bom": {
-    "query": "SELECT * FROM package_bom;",
+    "query": "SELECT * FROM package_bom WHERE path IN (SELECT REPLACE(package_receipts.path, '.plist', '.bom') FROM package_receipts JOIN file ON file.path = REPLACE(package_receipts.path, '.plist', '.bom') WHERE package_receipts.path LIKE '%.plist' AND file.size <= 52428800);",
     "description": "macOS package bill of materials (BOM) file list.",
     "purlType": "swid",
     "componentType": "application"

package/data/queries-win.json

@@ -36,7 +36,7 @@
     "purlType": "swid"
   },
   "ie_extensions": {
-    "query": "select ie_extensions.* from users join ie_extensions using (uid);",
+    "query": "select * from ie_extensions;",
     "description": "Retrieves the list of extensions for IE in the target system.",
     "purlType": "swid"
   },
@@ -112,6 +112,12 @@
     "purlType": "swid",
     "componentType": "data"
   },
+  "process_open_handles_snapshot": {
+    "query": "SELECT processes.name, process_open_handles.type as version, process_open_handles.name as description, processes.path, processes.cmdline, processes.pid, process_open_handles.value, process_open_handles.type, process_open_handles.name as handle_name, process_open_handles.access, process_open_handles.attributes, process_open_handles.count, process_open_handles.raw_pointer_count, process_open_handles.error_stage, process_open_handles.error_code FROM processes JOIN process_open_handles USING (pid) WHERE process_open_handles.name != '' AND processes.name IN ('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'wmic.exe', 'certutil.exe', 'bitsadmin.exe') AND ((process_open_handles.type = 'File' AND (lower(process_open_handles.name) LIKE '%\\appdata\\local\\temp\\%' OR lower(process_open_handles.name) LIKE '%\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\%' OR lower(process_open_handles.name) LIKE '%\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\%' OR lower(process_open_handles.name) LIKE '%\\windows\\tasks\\%' OR lower(process_open_handles.name) LIKE '%\\system32\\tasks\\%' OR lower(process_open_handles.name) LIKE '%\\wbem\\repository\\%')) OR (process_open_handles.type = 'Key' AND (lower(process_open_handles.name) LIKE '%\\software\\microsoft\\windows\\currentversion\\run%' OR lower(process_open_handles.name) LIKE '%\\software\\microsoft\\windows\\currentversion\\runonce%' OR lower(process_open_handles.name) LIKE '%\\software\\microsoft\\windows nt\\currentversion\\winlogon%' OR lower(process_open_handles.name) LIKE '%\\system\\currentcontrolset\\services\\%' OR lower(process_open_handles.name) LIKE '%\\software\\microsoft\\windows nt\\currentversion\\schedule\\taskcache\\%' OR lower(process_open_handles.name) LIKE '%\\software\\microsoft\\wbem\\cimom%')));",
+    "description": "Open handles owned by high-signal scripting and proxy-execution processes, filtered to persistence-oriented file and registry locations on Windows endpoints.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
   "services_snapshot": {
     "query": "SELECT * FROM services;",
     "description": "Services snapshot query.",