@cyclonedx/cdxgen 12.3.3 → 12.4.0

package/data/rules/container-risk.yaml

@@ -3,6 +3,7 @@
   description: "Known GTFOBins execution helpers become materially riskier when the image keeps the binary setuid or setgid."
   severity: critical
   category: container-risk
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:gtfobins:matched') = 'true'
@@ -26,7 +27,7 @@
   message: "Executable '{{ name }}' at '{{ $prop($, 'SrcFile') }}' combines GTFOBins execution features with setuid/setgid permissions"
   mitigation: "Remove the setuid/setgid bit, replace the image with a slimmer base, and keep container privilege boundaries strict (no host mounts, no privileged mode, no extra capabilities)."
   attack:
-    tactics: [TA0004, TA0008]
+    tactics: [TA0004]
     techniques: [T1548, T1611]
   evidence: |
     {
@@ -43,6 +44,7 @@
   description: "Container runtime or namespace-management helpers that are already classified as GTFOBins can accelerate container breakout when runtime isolation is weakened."
   severity: critical
   category: container-risk
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:gtfobins:matched') = 'true'
@@ -62,7 +64,7 @@
   message: "Container-escape helper '{{ name }}' is present at '{{ $prop($, 'SrcFile') }}' with elevated execution semantics"
   mitigation: "Remove container runtime and namespace-management tooling from application images, avoid CAP_SYS_ADMIN-like capability grants, and block access to the Docker/containerd sockets."
   attack:
-    tactics: [TA0004, TA0008]
+    tactics: [TA0004]
     techniques: [T1611]
   evidence: |
     {
@@ -77,6 +79,7 @@
   description: "GTFOBins entries that can load attacker-controlled shared libraries or directly escalate privileges are strong hardening failures in container images."
   severity: high
   category: container-risk
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:gtfobins:matched') = 'true'
@@ -101,7 +104,7 @@
   message: "Binary '{{ name }}' exposes GTFOBins privilege-escalation or library-load behavior in a privileged execution context"
   mitigation: "Remove the helper from the image where possible, strip privileged bits/capabilities, and keep writable mounts away from privileged processes."
   attack:
-    tactics: [TA0003, TA0004]
+    tactics: [TA0002, TA0004, TA0005]
     techniques: [T1574, T1548]
   evidence: |
     {
@@ -116,6 +119,7 @@
   description: "A GTFOBins helper that can read local files or upload data becomes especially dangerous when it also runs with setuid/setgid or other elevated contexts."
   severity: high
   category: container-risk
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:gtfobins:matched') = 'true'
@@ -140,7 +144,7 @@
   message: "Binary '{{ name }}' can read or exfiltrate local data from a privileged execution path"
   mitigation: "Drop privileged bits, keep secrets off the image filesystem, and remove unnecessary upload/file-read helpers from runtime images."
   attack:
-    tactics: [TA0006, TA0010]
+    tactics: [TA0009, TA0010]
     techniques: [T1005, T1041]
   evidence: |
     {
@@ -155,6 +159,7 @@
   description: "Remote-execution-capable GTFOBins helpers under mutable or non-standard image paths often indicate an avoidable attack toolkit or image tampering."
   severity: medium
   category: container-risk
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:gtfobins:matched') = 'true'
@@ -191,7 +196,7 @@
   message: "GTFOBins remote-execution helper '{{ name }}' is present in mutable image path '{{ $prop($, 'SrcFile') }}'"
   mitigation: "Keep runtime images immutable and minimal, move administrative tooling to separate debug images, and investigate how the helper entered the image."
   attack:
-    tactics: [TA0001, TA0008]
+    tactics: [TA0008, TA0011]
     techniques: [T1105, T1570]
   evidence: |
     {
@@ -206,6 +211,7 @@
   description: "Dedicated container or Kubernetes intrusion toolkits such as Peirates, CDK, or DEEPCE should not ship inside production runtime images."
   severity: high
   category: container-risk
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:container:matched') = 'true'
@@ -220,7 +226,7 @@
   message: "Dedicated offensive toolkit '{{ name }}' is present at '{{ $prop($, 'SrcFile') }}'"
   mitigation: "Remove offensive testing binaries from runtime images, rebuild from a minimal trusted base, and keep container debugging or red-team tooling in separate break-glass images."
   attack:
-    tactics: [TA0003, TA0004, TA0006, TA0007, TA0008]
+    tactics: [TA0002, TA0004, TA0006, TA0007]
     techniques: [T1552.007, T1609, T1611, T1613]
   evidence: |
     {
@@ -237,6 +243,7 @@
   description: "Helpers that rely on syscalls blocked by Docker's default seccomp profile become materially riskier when operators use `seccomp=unconfined` or permissive custom profiles."
   severity: medium
   category: container-risk
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:container:matched') = 'true'
@@ -256,7 +263,7 @@
   message: "Seccomp-sensitive escape helper '{{ name }}' is present at '{{ $prop($, 'SrcFile') }}' and depends on syscalls blocked by the Docker default seccomp profile"
   mitigation: "Keep Docker or OCI runtimes on the default seccomp profile, never use `seccomp=unconfined` for app workloads, and review custom profiles so they do not allow namespace or host-escape syscalls without a clear need."
   attack:
-    tactics: [TA0004, TA0008]
+    tactics: [TA0004]
     techniques: [T1611]
   evidence: |
     {

package/data/rules/dependency-sources.yaml

@@ -6,6 +6,7 @@
   description: "npm packages with install scripts declared from git, URL, or local path sources in the manifest increase supply chain attack surface"
   severity: high
   category: dependency-source
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:npm:hasInstallScript') = 'true'
@@ -28,6 +29,7 @@
   description: "Go modules with local_dir replacements are non-hermetic and may not be reproducible"
   severity: high
   category: dependency-source
+  dry-run-support: full
   condition: |
     components[
       $hasProp($, 'cdx:go:local_dir')
@@ -46,6 +48,7 @@
   description: "Swift packages with localCheckoutPath indicate developer-only dependencies not suitable for release"
   severity: high
   category: dependency-source
+  dry-run-support: full
   condition: |
     components[
       $hasProp($, 'cdx:swift:localCheckoutPath')
@@ -64,6 +67,7 @@
   description: "Nix dependencies without revision or nar_hash cannot be verified for content integrity"
   severity: high
   category: dependency-source
+  dry-run-support: full
   condition: |
     components[
       $startsWith(purl, 'pkg:nix/')
@@ -88,6 +92,7 @@
   description: "Ruby gems sourced from git branches (without revision pin) can change unexpectedly"
   severity: medium
   category: dependency-source
+  dry-run-support: full
   condition: |
     components[
       $hasProp($, 'cdx:gem:remoteBranch')
@@ -108,6 +113,7 @@
   description: "PyPI packages from unapproved registries may introduce unvetted code"
   severity: low
   category: dependency-source
+  dry-run-support: full
   condition: |
     components[
       $hasProp($, 'cdx:pypi:registry')
@@ -128,6 +134,7 @@
   description: "Cargo git dependencies without revision or tag pinning can change unexpectedly and reduce build reproducibility"
   severity: high
   category: dependency-source
+  dry-run-support: full
   condition: |
     components[
       $hasProp($, 'cdx:cargo:git')
@@ -150,6 +157,7 @@
   description: "Cargo path dependencies are local source references that reduce release reproducibility and may bypass registry review controls"
   severity: high
   category: dependency-source
+  dry-run-support: full
   condition: |
     components[
       $hasProp($, 'cdx:cargo:path')
@@ -169,6 +177,7 @@
   description: "Collider lock entries that resolve from HTTP origins can be observed or modified in transit before wrap-hash verification occurs"
   severity: medium
   category: dependency-source
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:collider:originScheme') = 'http'
@@ -188,6 +197,7 @@
   description: "Collider lock origin URLs should not carry credentials, query strings, or fragments because those values may embed secrets or unstable signed URLs"
   severity: low
   category: dependency-source
+  dry-run-support: full
   condition: |
     components[
       $prop($, 'cdx:collider:originSanitized') = 'true'
@@ -207,6 +217,7 @@
   description: "Python dependencies declared via git, direct URL, or local path in requirements or pyproject files bypass normal registry version mediation"
   severity: high
   category: dependency-source
+  dry-run-support: full
   condition: |
     components[
       $hasProp($, 'cdx:pypi:manifestSourceType')

package/data/rules/hbom-compliance.yaml

@@ -0,0 +1,325 @@
+# HBOM Compliance and Governance Rules
+# Category: hbom-compliance
+# Evaluates hardware inventory completeness, redaction posture, and governance-ready evidence.
+
+- id: HBC-001
+  name: "HBOM inventory lacks firmware or board provenance"
+  description: "Incomplete firmware or board provenance weakens auditability for hardware refresh, attestation, and patch-governance workflows."
+  severity: medium
+  category: hbom-compliance
+  dry-run-support: full
+  standards:
+    nist-800-53:
+      - "CM-8 System Component Inventory"
+      - "SI-7 Software, Firmware, and Information Integrity"
+    cis-controls-v8:
+      - "1.1 Establish and Maintain Detailed Enterprise Asset Inventory"
+  condition: |
+    metadata.component[
+      $safeStr($prop($, 'cdx:hbom:platform')) = 'linux'
+      and $count(
+        $$.components[
+          $prop($, 'cdx:hbom:hardwareClass') = 'board'
+          and (
+            $hasProp($, 'cdx:hbom:boardVendor')
+            or $hasProp($, 'cdx:hbom:boardName')
+            or $hasProp($, 'cdx:hbom:biosVendor')
+            or $hasProp($, 'cdx:hbom:biosVersion')
+            or $hasProp($, 'cdx:hbom:firmwareDate')
+          )
+        ]
+      ) = 0
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "HBOM for '{{ name }}' lacks board or firmware provenance fields needed for governance review"
+  mitigation: "Enable richer firmware/board collection on supported Linux hosts, validate SMBIOS access, and ensure the inventory captures board vendor, board name, BIOS vendor, BIOS version, and firmware date where available."
+  evidence: |
+    {
+      "platform": $prop($, 'cdx:hbom:platform'),
+      "architecture": $prop($, 'cdx:hbom:architecture'),
+      "collectorProfile": $prop(bom, 'cdx:hbom:collectorProfile'),
+      "boardComponentCount": $count($$.components[$prop($, 'cdx:hbom:hardwareClass') = 'board'])
+    }
+
+- id: HBC-002
+  name: "Managed asset identity is incomplete"
+  description: "HBOMs used for fleet governance should capture stable host identity fields such as model, platform, and serial or asset identifiers."
+  severity: medium
+  category: hbom-compliance
+  dry-run-support: full
+  standards:
+    nist-800-53:
+      - "CM-8 System Component Inventory"
+    cis-controls-v8:
+      - "1.1 Establish and Maintain Detailed Enterprise Asset Inventory"
+    iso-27001:
+      - "A.5.9 Inventory of information and other associated assets"
+  condition: |
+    metadata.component[
+      type = 'device'
+      and (
+        $hasProp($, 'cdx:hbom:platform') = false
+        or $hasProp($, 'cdx:hbom:architecture') = false
+        or (
+          $hasProp($, 'cdx:hbom:serialNumber') = false
+          and $hasProp($, 'cdx:hbom:platformUuid') = false
+          and $hasProp($, 'cdx:hbom:assetTag') = false
+        )
+      )
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "HBOM metadata for '{{ name }}' is missing stable asset identity fields required for governance workflows"
+  mitigation: "Capture platform, architecture, and at least one durable host identifier (serial, platform UUID, or asset tag) so the device can be reconciled with CMDB and lifecycle systems."
+  evidence: |
+    {
+      "platform": $prop($, 'cdx:hbom:platform'),
+      "architecture": $prop($, 'cdx:hbom:architecture'),
+      "serialNumber": $prop($, 'cdx:hbom:serialNumber'),
+      "platformUuid": $prop($, 'cdx:hbom:platformUuid'),
+      "assetTag": $prop($, 'cdx:hbom:assetTag')
+    }
+
+- id: HBC-003
+  name: "HBOM collector evidence is incomplete"
+  description: "Governance review is weaker when the BOM omits the collector command evidence used to derive the hardware inventory."
+  severity: medium
+  category: hbom-compliance
+  dry-run-support: full
+  condition: |
+    metadata.component[
+      type = 'device'
+      and (
+        $hasProp($$, 'cdx:hbom:evidence:commandCount') = false
+        or $number($firstNonEmpty($prop($$, 'cdx:hbom:evidence:commandCount'), '0')) = 0
+        or $hasProp($$, 'cdx:hbom:evidence:command') = false
+      )
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "HBOM for '{{ name }}' is missing collector command evidence needed for reproducible review"
+  mitigation: "Retain command-evidence metadata in the distributed BOM, or attach equivalent collection provenance so reviewers can understand how the hardware inventory was derived."
+  evidence: |
+    {
+      "collectorProfile": $prop(bom, 'cdx:hbom:collectorProfile'),
+      "commandCount": $prop(bom, 'cdx:hbom:evidence:commandCount'),
+      "commandEvidence": $prop(bom, 'cdx:hbom:evidence:command')
+    }
+
+- id: HBC-004
+  name: "Storage inventory lacks encryption posture evidence"
+  description: "Storage volumes without explicit encryption posture make it difficult to prove compliance with device and media protection requirements."
+  severity: medium
+  category: hbom-compliance
+  dry-run-support: full
+  standards:
+    nist-800-53:
+      - "SC-28 Protection of Information at Rest"
+      - "CM-8 System Component Inventory"
+  condition: |
+    metadata.component[
+      type = 'device'
+      and $count($$.components[$prop($, 'cdx:hbom:hardwareClass') = 'storage-volume']) > 0
+      and $count(
+        $$.components[
+          $prop($, 'cdx:hbom:hardwareClass') = 'storage-volume'
+          and (
+            $hasProp($, 'cdx:hbom:isEncrypted')
+            or $hasProp($, 'cdx:hbom:fileVault')
+          )
+        ]
+      ) = 0
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "HBOM for '{{ name }}' includes storage volumes but no explicit encryption posture evidence"
+  mitigation: "Enable volume-level enrichment on supported platforms or pair the HBOM with equivalent host controls evidence so encryption compliance can be verified."
+  evidence: |
+    {
+      "storageVolumeCount": $count($$.components[$prop($, 'cdx:hbom:hardwareClass') = 'storage-volume']),
+      "collectorProfile": $prop(bom, 'cdx:hbom:collectorProfile'),
+      "platform": $prop($, 'cdx:hbom:platform')
+    }
+
+- id: HBC-005
+  name: "HBOM uses non-redacted identifier policy"
+  description: "HBOMs intended for broad distribution should avoid a non-redacted identifier policy unless raw identifiers are explicitly required by the receiving workflow."
+  severity: medium
+  category: hbom-compliance
+  dry-run-support: full
+  condition: |
+    metadata.component[
+      type = 'device'
+      and $hasProp($, 'cdx:hbom:identifierPolicy')
+      and $not($startsWith($lowercase($safeStr($prop($, 'cdx:hbom:identifierPolicy'))), 'redacted'))
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "HBOM for '{{ name }}' uses identifier policy '{{ $prop($, 'cdx:hbom:identifierPolicy') }}' instead of a redacted posture"
+  mitigation: "Default distributed HBOMs to redacted identifiers and keep raw hardware identity values confined to internal asset-governance workflows with a documented need-to-know."
+  evidence: |
+    {
+      "identifierPolicy": $prop($, 'cdx:hbom:identifierPolicy'),
+      "serialNumber": $prop($, 'cdx:hbom:serialNumber'),
+      "platformUuid": $prop($, 'cdx:hbom:platformUuid')
+    }
+
+- id: HBC-006
+  name: "HBOM collector is missing optional enrichment commands"
+  description: "Missing native utilities reduce the hardware evidence available to governance, assurance, and troubleshooting workflows."
+  severity: medium
+  category: hbom-compliance
+  dry-run-support: full
+  condition: |
+    metadata.component[
+      type = 'device'
+      and $number($firstNonEmpty($prop($$, 'cdx:hbom:analysis:missingCommandCount'), '0')) > 0
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "HBOM for '{{ name }}' reported missing native enrichment commands"
+  mitigation: "Install the reported utilities on the target host and rerun the HBOM collection so the inventory includes the richer structured hardware evidence those commands provide."
+  evidence: |
+    {
+      "collectorProfile": $prop(bom, 'cdx:hbom:collectorProfile'),
+      "missingCommandCount": $prop(bom, 'cdx:hbom:analysis:missingCommandCount'),
+      "missingCommands": $propList(bom, 'cdx:hbom:analysis:missingCommands'),
+      "diagnosticIssues": $propList(bom, 'cdx:hbom:analysis:diagnosticIssues')
+    }
+
+- id: HBC-007
+  name: "HBOM collector hit permission-denied enrichments"
+  description: "Permission-sensitive enrichments that fail during collection often leave firmware, graphics, or SMBIOS evidence incomplete until the host is rerun with the documented privileged mode."
+  severity: medium
+  category: hbom-compliance
+  dry-run-support: full
+  standards:
+    nist-800-53:
+      - "CM-8 System Component Inventory"
+      - "SI-7 Software, Firmware, and Information Integrity"
+  condition: |
+    metadata.component[
+      type = 'device'
+      and $number($firstNonEmpty($prop($$, 'cdx:hbom:analysis:permissionDeniedCount'), '0')) > 0
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "HBOM for '{{ name }}' hit permission-denied enrichments that likely require a rerun with --privileged"
+  mitigation: "Where policy allows, rerun HBOM collection with --privileged so cdx-hbom can use the documented non-interactive sudo path for permission-sensitive Linux enrichments."
+  evidence: |
+    {
+      "collectorProfile": $prop(bom, 'cdx:hbom:collectorProfile'),
+      "permissionDeniedCount": $prop(bom, 'cdx:hbom:analysis:permissionDeniedCount'),
+      "permissionDeniedCommands": $propList(bom, 'cdx:hbom:analysis:permissionDeniedCommands'),
+      "requiresPrivileged": $prop(bom, 'cdx:hbom:analysis:requiresPrivileged')
+    }
+
+- id: HBC-008
+  name: "HBOM collector is missing firmware-management enrichment"
+  description: "Without fwupd-derived metadata, governance teams lose update-protocol, firmware GUID, and device lifecycle context that is useful for firmware assurance and remediation planning."
+  severity: medium
+  category: hbom-compliance
+  dry-run-support: full
+  standards:
+    nist-800-53:
+      - "CM-8 System Component Inventory"
+      - "SI-7 Software, Firmware, and Information Integrity"
+  condition: |
+    metadata.component[
+      $safeStr($prop($, 'cdx:hbom:platform')) = 'linux'
+      and $listContains($propList($$, 'cdx:hbom:analysis:missingCommandIds'), 'fwupdmgr-devices-json')
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "HBOM for '{{ name }}' is missing firmware-management enrichment because fwupdmgr was unavailable"
+  mitigation: "Install fwupd on the target host and rerun the collection so the BOM can capture protocol, flags, GUIDs, and related firmware-management properties where supported."
+  evidence: |
+    {
+      "collectorProfile": $prop(bom, 'cdx:hbom:collectorProfile'),
+      "missingCommandIds": $propList(bom, 'cdx:hbom:analysis:missingCommandIds'),
+      "missingCommands": $propList(bom, 'cdx:hbom:analysis:missingCommands'),
+      "installHintCount": $prop(bom, 'cdx:hbom:analysis:installHintCount')
+    }
+
+- id: HBC-009
+  name: "HBOM board and BIOS provenance was blocked by permissions"
+  description: "When dmidecode-backed firmware and board enrichment is blocked, the HBOM may miss board-vendor, board-name, BIOS-version, and related governance evidence."
+  severity: medium
+  category: hbom-compliance
+  dry-run-support: full
+  standards:
+    nist-800-53:
+      - "CM-8 System Component Inventory"
+      - "SI-7 Software, Firmware, and Information Integrity"
+  condition: |
+    metadata.component[
+      $safeStr($prop($, 'cdx:hbom:platform')) = 'linux'
+      and $listContains($propList($$, 'cdx:hbom:analysis:permissionDeniedIds'), 'dmidecode-firmware-board')
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "HBOM for '{{ name }}' could not capture full board and BIOS provenance because dmidecode enrichment was blocked"
+  mitigation: "Where policy allows, rerun with --privileged or equivalent access so the collector can gather firmware vendor, BIOS version, board vendor, and board name data."
+  evidence: |
+    {
+      "collectorProfile": $prop(bom, 'cdx:hbom:collectorProfile'),
+      "permissionDeniedIds": $propList(bom, 'cdx:hbom:analysis:permissionDeniedIds'),
+      "permissionDeniedCommands": $propList(bom, 'cdx:hbom:analysis:permissionDeniedCommands'),
+      "boardComponentCount": $count($$.components[$prop($, 'cdx:hbom:hardwareClass') = 'board'])
+    }
+
+- id: HBC-010
+  name: "HBOM display and DRM evidence is incomplete"
+  description: "Missing EDID decoding or blocked DRM enrichment reduces the fidelity of display, connector, and content-protection metadata used during workstation and kiosk governance reviews."
+  severity: medium
+  category: hbom-compliance
+  dry-run-support: full
+  condition: |
+    metadata.component[
+      $count(
+        $$.components[
+          $prop($, 'cdx:hbom:hardwareClass') = 'display-connector'
+          or $prop($, 'cdx:hbom:hardwareClass') = 'display-adapter'
+        ]
+      ) > 0
+      and (
+        $listContains($propList($$, 'cdx:hbom:analysis:missingCommandIds'), 'edid-decode')
+        or $listContains($propList($$, 'cdx:hbom:analysis:permissionDeniedIds'), 'drm-info-json')
+      )
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "HBOM for '{{ name }}' includes display hardware but the richer DRM or EDID evidence is incomplete"
+  mitigation: "Install edid-decode where available and, if policy permits, rerun with --privileged so the collector can capture connector, mode, and content-protection metadata for Linux displays."
+  evidence: |
+    {
+      "displayComponentCount": $count(
+        $$.components[
+          $prop($, 'cdx:hbom:hardwareClass') = 'display-connector'
+          or $prop($, 'cdx:hbom:hardwareClass') = 'display-adapter'
+        ]
+      ),
+      "missingCommandIds": $propList(bom, 'cdx:hbom:analysis:missingCommandIds'),
+      "permissionDeniedIds": $propList(bom, 'cdx:hbom:analysis:permissionDeniedIds')
+    }