@cyclonedx/cdxgen 12.3.3 → 12.4.0

package/data/rules/hbom-performance.yaml

@@ -0,0 +1,307 @@
+# HBOM Performance Rules
+# Category: hbom-performance
+# Evaluates hardware inventory for storage, thermal, battery, network, and memory degradation signals.
+
+- id: HBP-001
+  name: "Storage volume has low free capacity headroom"
+  description: "Low free storage headroom can degrade builds, patching, logging, indexing, and general host responsiveness."
+  severity: medium
+  category: hbom-performance
+  dry-run-support: full
+  condition: |
+    components[
+      $prop($, 'cdx:hbom:hardwareClass') = 'storage-volume'
+      and $hasProp($, 'cdx:hbom:capacityBytes')
+      and $hasProp($, 'cdx:hbom:freeBytes')
+      and $number($prop($, 'cdx:hbom:capacityBytes')) > 0
+      and ($number($prop($, 'cdx:hbom:freeBytes')) / $number($prop($, 'cdx:hbom:capacityBytes'))) < 0.15
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Storage volume '{{ name }}' has less than 15% free capacity remaining"
+  mitigation: "Free local capacity, move caches or logs off the volume, or expand storage before performance and maintenance tasks degrade further."
+  evidence: |
+    {
+      "capacityBytes": $prop($, 'cdx:hbom:capacityBytes'),
+      "freeBytes": $prop($, 'cdx:hbom:freeBytes'),
+      "sizeBytes": $prop($, 'cdx:hbom:sizeBytes'),
+      "volumeUuid": $prop($, 'cdx:hbom:volumeUuid')
+    }
+
+- id: HBP-002
+  name: "Storage health is degraded or wear is near exhaustion"
+  description: "Degraded SMART state or high wear percentage is a strong leading indicator of latency, failure, or replacement pressure."
+  severity: high
+  category: hbom-performance
+  dry-run-support: full
+  condition: |
+    components[
+      (
+        $prop($, 'cdx:hbom:hardwareClass') = 'storage'
+        or $prop($, 'cdx:hbom:hardwareClass') = 'storage-device'
+        or $prop($, 'cdx:hbom:hardwareClass') = 'storage-volume'
+      )
+      and (
+        (
+          $hasProp($, 'cdx:hbom:smartStatus')
+          and $lowercase($safeStr($prop($, 'cdx:hbom:smartStatus'))) != 'verified'
+          and $lowercase($safeStr($prop($, 'cdx:hbom:smartStatus'))) != 'ok'
+          and $lowercase($safeStr($prop($, 'cdx:hbom:smartStatus'))) != 'passed'
+        )
+        or (
+          $hasProp($, 'cdx:hbom:wearPercentageUsed')
+          and $number($prop($, 'cdx:hbom:wearPercentageUsed')) >= 80
+        )
+      )
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Storage component '{{ name }}' shows degraded health or high wear"
+  mitigation: "Review SMART telemetry, schedule replacement for worn media, and move latency-sensitive workloads off the affected device."
+  evidence: |
+    {
+      "smartStatus": $prop($, 'cdx:hbom:smartStatus'),
+      "wearPercentageUsed": $prop($, 'cdx:hbom:wearPercentageUsed'),
+      "revision": $prop($, 'cdx:hbom:revision'),
+      "deviceSerial": $prop($, 'cdx:hbom:deviceSerial')
+    }
+
+- id: HBP-003
+  name: "Thermal zone reports sustained high temperature"
+  description: "High thermal-zone temperatures can trigger throttling, instability, and accelerated hardware wear."
+  severity: high
+  category: hbom-performance
+  dry-run-support: full
+  condition: |
+    components[
+      (
+        $prop($, 'cdx:hbom:hardwareClass') = 'thermal-zone'
+        or $prop($, 'cdx:hbom:hardwareClass') = 'sensor'
+      )
+      and $hasProp($, 'cdx:hbom:temperatureCelsius')
+      and $number($prop($, 'cdx:hbom:temperatureCelsius')) >= 85
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Thermal component '{{ name }}' reports high temperature '{{ $prop($, 'cdx:hbom:temperatureCelsius') }}°C'"
+  mitigation: "Inspect cooling, fan policy, dust buildup, and workload placement before the host begins sustained throttling or thermal shutdown behavior."
+  evidence: |
+    {
+      "temperatureCelsius": $prop($, 'cdx:hbom:temperatureCelsius'),
+      "temperatureReadings": $prop($, 'cdx:hbom:temperatureReadings'),
+      "fanCount": $prop($, 'cdx:hbom:fanCount'),
+      "fanReadings": $prop($, 'cdx:hbom:fanReadings')
+    }
+
+- id: HBP-004
+  name: "Battery health is degraded"
+  description: "Battery packs with low maximum capacity, poor health, or extreme cycle counts can materially degrade mobile system performance and runtime."
+  severity: medium
+  category: hbom-performance
+  dry-run-support: full
+  condition: |
+    components[
+      $prop($, 'cdx:hbom:hardwareClass') = 'power'
+      and (
+        (
+          $hasProp($, 'cdx:hbom:maximumCapacity')
+          and $number($substringBefore($prop($, 'cdx:hbom:maximumCapacity'), '%')) < 80
+        )
+        or (
+          $hasProp($, 'cdx:hbom:health')
+          and $not($lowercase($safeStr($prop($, 'cdx:hbom:health'))) = 'good')
+        )
+        or (
+          $hasProp($, 'cdx:hbom:cycleCount')
+          and $number($prop($, 'cdx:hbom:cycleCount')) >= 1000
+        )
+      )
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Battery component '{{ name }}' shows degraded health or elevated lifecycle wear"
+  mitigation: "Recalibrate or replace the battery, verify charging policy, and keep performance-sensitive mobile workloads off batteries nearing replacement thresholds."
+  evidence: |
+    {
+      "maximumCapacity": $prop($, 'cdx:hbom:maximumCapacity'),
+      "health": $prop($, 'cdx:hbom:health'),
+      "cycleCount": $prop($, 'cdx:hbom:cycleCount'),
+      "chargePercent": $prop($, 'cdx:hbom:chargePercent')
+    }
+
+- id: HBP-005
+  name: "Active wired link is operating below expected duplex or bandwidth"
+  description: "Half-duplex or very low negotiated wired-link speed often correlates with cable, switch, or interface misconfiguration that hurts throughput and latency."
+  severity: medium
+  category: hbom-performance
+  dry-run-support: full
+  condition: |
+    components[
+      $prop($, 'cdx:hbom:hardwareClass') = 'network-interface'
+      and (
+        $lowercase($safeStr($prop($, 'cdx:hbom:status'))) = 'active'
+        or $lowercase($safeStr($prop($, 'cdx:hbom:operState'))) = 'up'
+      )
+      and (
+        $lowercase($safeStr($prop($, 'cdx:hbom:duplex'))) = 'half'
+        or (
+          $hasProp($, 'cdx:hbom:speedMbps')
+          and $number($prop($, 'cdx:hbom:speedMbps')) > 0
+          and $number($prop($, 'cdx:hbom:speedMbps')) < 1000
+        )
+      )
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Active wired interface '{{ name }}' is operating with degraded duplex or bandwidth characteristics"
+  mitigation: "Check cabling, switch configuration, NIC driver/firmware, and negotiated link settings before treating application latency as purely software-related."
+  evidence: |
+    {
+      "duplex": $prop($, 'cdx:hbom:duplex'),
+      "speedMbps": $prop($, 'cdx:hbom:speedMbps'),
+      "status": $prop($, 'cdx:hbom:status'),
+      "operState": $prop($, 'cdx:hbom:operState'),
+      "driver": $prop($, 'cdx:hbom:driver')
+    }
+
+- id: HBP-006
+  name: "Installed memory is only partially online"
+  description: "A significant gap between installed and online memory suggests capacity loss, firmware drift, or topology issues that can affect performance-critical workloads."
+  severity: high
+  category: hbom-performance
+  dry-run-support: full
+  condition: |
+    components[
+      $prop($, 'cdx:hbom:hardwareClass') = 'memory'
+      and $hasProp($, 'cdx:hbom:sizeBytes')
+      and $hasProp($, 'cdx:hbom:memoryOnlineSize')
+      and $number($prop($, 'cdx:hbom:sizeBytes')) > 0
+      and $parseSizeBytes($prop($, 'cdx:hbom:memoryOnlineSize')) != null
+      and ($parseSizeBytes($prop($, 'cdx:hbom:memoryOnlineSize')) / $number($prop($, 'cdx:hbom:sizeBytes'))) < 0.9
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Memory component '{{ name }}' reports materially less online capacity than installed capacity"
+  mitigation: "Review DIMM population, firmware, NUMA/memory-hotplug settings, and kernel memory-online state before scaling workloads on the host."
+  evidence: |
+    {
+      "sizeBytes": $prop($, 'cdx:hbom:sizeBytes'),
+      "memoryOnlineSize": $prop($, 'cdx:hbom:memoryOnlineSize'),
+      "memoryRangeCount": $prop($, 'cdx:hbom:memoryRangeCount'),
+      "addressSizes": $prop($, 'cdx:hbom:addressSizes')
+    }
+
+- id: HBP-007
+  name: "Battery design capacity has materially degraded"
+  description: "Detailed Linux battery telemetry can reveal packs whose full-charge capacity has fallen materially below their design baseline, reducing runtime and stability under load."
+  severity: medium
+  category: hbom-performance
+  dry-run-support: full
+  condition: |
+    components[
+      $prop($, 'cdx:hbom:hardwareClass') = 'power'
+      and (
+        (
+          $hasProp($, 'cdx:hbom:designCapacityPercent')
+          and $number($prop($, 'cdx:hbom:designCapacityPercent')) > 0
+          and $number($prop($, 'cdx:hbom:designCapacityPercent')) < 80
+        )
+        or (
+          $hasProp($, 'cdx:hbom:energyFull')
+          and $hasProp($, 'cdx:hbom:energyFullDesign')
+          and $number($prop($, 'cdx:hbom:energyFullDesign')) > 0
+          and ($number($prop($, 'cdx:hbom:energyFull')) / $number($prop($, 'cdx:hbom:energyFullDesign'))) < 0.8
+        )
+        or (
+          $hasProp($, 'cdx:hbom:chargeFull')
+          and $hasProp($, 'cdx:hbom:chargeFullDesign')
+          and $number($prop($, 'cdx:hbom:chargeFullDesign')) > 0
+          and ($number($prop($, 'cdx:hbom:chargeFull')) / $number($prop($, 'cdx:hbom:chargeFullDesign'))) < 0.8
+        )
+      )
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Battery component '{{ name }}' has materially degraded relative to its design capacity"
+  mitigation: "Plan battery replacement or recalibration, review charging policy, and keep performance-sensitive mobile workloads away from hosts with heavily degraded packs."
+  evidence: |
+    {
+      "designCapacityPercent": $prop($, 'cdx:hbom:designCapacityPercent'),
+      "energyFull": $prop($, 'cdx:hbom:energyFull'),
+      "energyFullDesign": $prop($, 'cdx:hbom:energyFullDesign'),
+      "chargeFull": $prop($, 'cdx:hbom:chargeFull'),
+      "chargeFullDesign": $prop($, 'cdx:hbom:chargeFullDesign'),
+      "warningLevel": $prop($, 'cdx:hbom:warningLevel')
+    }
+
+- id: HBP-008
+  name: "USB device requires more current than the bus reports available"
+  description: "A USB device that requires more current than the bus exposes as available can behave unreliably, disconnect under load, or trigger peripheral instability."
+  severity: medium
+  category: hbom-performance
+  dry-run-support: full
+  condition: |
+    components[
+      $prop($, 'cdx:hbom:hardwareClass') = 'usb-device'
+      and $hasProp($, 'cdx:hbom:currentRequired')
+      and $hasProp($, 'cdx:hbom:currentAvailable')
+      and $number($prop($, 'cdx:hbom:currentRequired')) > $number($prop($, 'cdx:hbom:currentAvailable'))
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "USB component '{{ name }}' reports higher current demand than the bus currently provides"
+  mitigation: "Move the device to a powered hub or higher-capacity port, reduce competing bus load, and verify peripheral power expectations before troubleshooting higher-layer software issues."
+  evidence: |
+    {
+      "currentRequired": $prop($, 'cdx:hbom:currentRequired'),
+      "currentAvailable": $prop($, 'cdx:hbom:currentAvailable'),
+      "maxPowerMilliAmps": $prop($, 'cdx:hbom:maxPowerMilliAmps'),
+      "selfPowered": $prop($, 'cdx:hbom:selfPowered'),
+      "remoteWakeup": $prop($, 'cdx:hbom:remoteWakeup')
+    }
+
+- id: HBP-009
+  name: "Cellular modem reports weak signal quality"
+  description: "A modem with very weak reported signal quality can cause intermittent connectivity, poor throughput, and degraded remote-management reliability."
+  severity: medium
+  category: hbom-performance
+  dry-run-support: full
+  condition: |
+    components[
+      (
+        $prop($, 'cdx:hbom:hardwareClass') = 'modem'
+        or $hasProp($, 'cdx:hbom:signalQuality')
+      )
+      and $hasProp($, 'cdx:hbom:signalQuality')
+      and $number($prop($, 'cdx:hbom:signalQuality')) >= 0
+      and $number($prop($, 'cdx:hbom:signalQuality')) < 25
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Cellular component '{{ name }}' reports weak signal quality that may impair connectivity"
+  mitigation: "Review antenna placement, carrier coverage, modem firmware, and access-technology selection before treating transport instability as an application-only issue."
+  evidence: |
+    {
+      "signalQuality": $prop($, 'cdx:hbom:signalQuality'),
+      "accessTechnologies": $prop($, 'cdx:hbom:accessTechnologies'),
+      "operatorName": $prop($, 'cdx:hbom:operatorName'),
+      "plugin": $prop($, 'cdx:hbom:plugin')
+    }

package/data/rules/hbom-security.yaml

@@ -0,0 +1,248 @@
+# HBOM Security Rules
+# Category: hbom-security
+# Evaluates host hardware inventory for encryption, removable-media, wireless, and disclosure risks.
+
+- id: HBS-001
+  name: "Storage component is explicitly unencrypted"
+  description: "System or attached storage reported as unencrypted increases exposure for lost, stolen, or offline-access devices."
+  severity: high
+  category: hbom-security
+  dry-run-support: full
+  standards:
+    nist-800-53:
+      - "SC-28 Protection of Information at Rest"
+    cis-controls-v8:
+      - "3.11 Encrypt Sensitive Data at Rest"
+    iso-27001:
+      - "A.8.24 Use of cryptography"
+  condition: |
+    components[
+      (
+        $prop($, 'cdx:hbom:hardwareClass') = 'storage'
+        or $prop($, 'cdx:hbom:hardwareClass') = 'storage-volume'
+      )
+      and (
+        $safeStr($prop($, 'cdx:hbom:isEncrypted')) = 'false'
+        or $safeStr($prop($, 'cdx:hbom:fileVault')) = 'false'
+      )
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Storage component '{{ name }}' is reported as unencrypted"
+  mitigation: "Enable full-disk or volume encryption, verify escrow/recovery procedures, and confirm the device is enrolled in the intended encryption baseline."
+  evidence: |
+    {
+      "hardwareClass": $prop($, 'cdx:hbom:hardwareClass'),
+      "isEncrypted": $prop($, 'cdx:hbom:isEncrypted'),
+      "fileVault": $prop($, 'cdx:hbom:fileVault'),
+      "volumeUuid": $prop($, 'cdx:hbom:volumeUuid'),
+      "deviceSerial": $prop($, 'cdx:hbom:deviceSerial')
+    }
+
+- id: HBS-002
+  name: "Connected wireless adapter uses weak or missing link security"
+  description: "Wireless adapters connected without strong link security indicate elevated interception and unauthorized access risk."
+  severity: high
+  category: hbom-security
+  dry-run-support: full
+  standards:
+    nist-800-53:
+      - "AC-18 Wireless Access"
+      - "SC-13 Cryptographic Protection"
+  condition: |
+    components[
+      $prop($, 'cdx:hbom:hardwareClass') = 'wireless-adapter'
+      and $safeStr($prop($, 'cdx:hbom:connected')) = 'true'
+      and (
+        $safeStr($prop($, 'cdx:hbom:securityMode')) = ''
+        or $contains($lowercase($safeStr($prop($, 'cdx:hbom:securityMode'))), 'open')
+        or $contains($lowercase($safeStr($prop($, 'cdx:hbom:securityMode'))), 'wep')
+        or $contains($lowercase($safeStr($prop($, 'cdx:hbom:securityMode'))), 'none')
+      )
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Wireless adapter '{{ name }}' is connected with weak or missing security mode '{{ $firstNonEmpty($prop($, 'cdx:hbom:securityMode'), 'unknown') }}'"
+  mitigation: "Move the device to WPA2/WPA3-class protections, review SSID policy, and confirm that open or legacy wireless modes are not permitted for the host profile."
+  evidence: |
+    {
+      "securityMode": $prop($, 'cdx:hbom:securityMode'),
+      "channel": $prop($, 'cdx:hbom:channel'),
+      "phyMode": $prop($, 'cdx:hbom:phyMode'),
+      "countryCode": $prop($, 'cdx:hbom:countryCode'),
+      "firmwareVersion": $prop($, 'cdx:hbom:firmwareVersion')
+    }
+
+- id: HBS-003
+  name: "Removable storage is attached without encryption or lock evidence"
+  description: "Attached removable storage that is explicitly unlocked or unencrypted increases data-exfiltration and malware-ingress risk."
+  severity: high
+  category: hbom-security
+  dry-run-support: full
+  standards:
+    nist-800-53:
+      - "MP-7 Media Use"
+      - "SC-28 Protection of Information at Rest"
+    cis-controls-v8:
+      - "3.9 Encrypt Data on Removable Media"
+  condition: |
+    components[
+      (
+        $prop($, 'cdx:hbom:hardwareClass') = 'storage'
+        or $prop($, 'cdx:hbom:hardwareClass') = 'storage-volume'
+      )
+      and $safeStr($prop($, 'cdx:hbom:isRemovable')) = 'true'
+      and (
+        $safeStr($prop($, 'cdx:hbom:isEncrypted')) = 'false'
+        or $safeStr($prop($, 'cdx:hbom:isLocked')) = 'false'
+      )
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Removable storage '{{ name }}' is attached without encryption or lock assurance"
+  mitigation: "Remove unapproved removable media, require encrypted removable devices, and verify the host's removable-media control policy."
+  evidence: |
+    {
+      "isRemovable": $prop($, 'cdx:hbom:isRemovable'),
+      "isEncrypted": $prop($, 'cdx:hbom:isEncrypted'),
+      "isLocked": $prop($, 'cdx:hbom:isLocked'),
+      "connectionType": $prop($, 'cdx:hbom:connectionType'),
+      "transport": $prop($, 'cdx:hbom:transport')
+    }
+
+- id: HBS-004
+  name: "HBOM exposes raw hardware identifiers"
+  description: "Raw serial numbers, MAC addresses, or platform UUIDs in the BOM can leak asset intelligence beyond the intended audience."
+  severity: medium
+  category: hbom-security
+  dry-run-support: full
+  condition: |
+    $append(
+      metadata.component[
+        (
+          $hasProp($, 'cdx:hbom:serialNumber')
+          and $startsWith($safeStr($prop($, 'cdx:hbom:serialNumber')), 'redacted') = false
+        )
+        or (
+          $hasProp($, 'cdx:hbom:platformUuid')
+          and $startsWith($safeStr($prop($, 'cdx:hbom:platformUuid')), 'redacted') = false
+        )
+      ],
+      components[
+      (
+        $hasProp($, 'cdx:hbom:serialNumber')
+        and $startsWith($safeStr($prop($, 'cdx:hbom:serialNumber')), 'redacted') = false
+      )
+      or (
+        $hasProp($, 'cdx:hbom:macAddress')
+        and $startsWith($safeStr($prop($, 'cdx:hbom:macAddress')), 'redacted') = false
+      )
+      or (
+        $hasProp($, 'cdx:hbom:deviceSerial')
+        and $startsWith($safeStr($prop($, 'cdx:hbom:deviceSerial')), 'redacted') = false
+      )
+      ]
+    )
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", metadata.component."bom-ref", bom.serialNumber)
+    }
+  message: "HBOM entry '{{ name }}' exposes raw hardware identifiers that should be reviewed before distribution"
+  mitigation: "Use redacted identifier mode for externally shared HBOMs and restrict raw identifiers to tightly controlled internal asset workflows."
+  evidence: |
+    {
+      "identifierPolicy": $firstNonEmpty($prop($, 'cdx:hbom:identifierPolicy'), $prop(metadata.component, 'cdx:hbom:identifierPolicy')),
+      "serialNumber": $prop($, 'cdx:hbom:serialNumber'),
+      "macAddress": $prop($, 'cdx:hbom:macAddress'),
+      "deviceSerial": $prop($, 'cdx:hbom:deviceSerial'),
+      "platformUuid": $prop(metadata.component, 'cdx:hbom:platformUuid')
+    }
+
+- id: HBS-005
+  name: "External expansion bus reports permissive security posture"
+  description: "A Thunderbolt or USB4 path with permissive security level or disabled IOMMU protection increases the risk of DMA-style or rogue-device attack paths."
+  severity: high
+  category: hbom-security
+  dry-run-support: full
+  standards:
+    nist-800-53:
+      - "CM-8 System Component Inventory"
+      - "SC-7 Boundary Protection"
+      - "SI-16 Memory Protection"
+  condition: |
+    components[
+      (
+        $hasProp($, 'cdx:hbom:securityLevel')
+        or $hasProp($, 'cdx:hbom:iommuProtection')
+        or $hasProp($, 'cdx:hbom:policy')
+      )
+      and (
+        $contains($lowercase($safeStr($prop($, 'cdx:hbom:securityLevel'))), 'none')
+        or $contains($lowercase($safeStr($prop($, 'cdx:hbom:securityLevel'))), 'legacy')
+        or $contains($lowercase($safeStr($prop($, 'cdx:hbom:securityLevel'))), 'user')
+        or $safeStr($prop($, 'cdx:hbom:iommuProtection')) = 'false'
+      )
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "External expansion component '{{ name }}' reports a permissive security posture or missing IOMMU protection"
+  mitigation: "Require a stronger Thunderbolt/USB4 security level, verify IOMMU protection is enabled, and review auto-authorization policy before trusting hot-plug external devices."
+  evidence: |
+    {
+      "securityLevel": $prop($, 'cdx:hbom:securityLevel'),
+      "iommuProtection": $prop($, 'cdx:hbom:iommuProtection'),
+      "policy": $prop($, 'cdx:hbom:policy'),
+      "authorized": $prop($, 'cdx:hbom:authorized'),
+      "bootAclCount": $prop($, 'cdx:hbom:bootAclCount')
+    }
+
+- id: HBS-006
+  name: "HBOM exposes raw cellular or subscriber identifiers"
+  description: "Raw modem equipment identifiers, IMEIs, or subscriber numbers in the BOM can leak privacy-sensitive fleet and subscriber intelligence."
+  severity: medium
+  category: hbom-security
+  dry-run-support: full
+  condition: |
+    components[
+      (
+        $prop($, 'cdx:hbom:hardwareClass') = 'modem'
+        or $hasProp($, 'cdx:hbom:equipmentIdentifier')
+        or $hasProp($, 'cdx:hbom:imei')
+        or $hasProp($, 'cdx:hbom:ownNumbers')
+      )
+      and (
+        (
+          $hasProp($, 'cdx:hbom:equipmentIdentifier')
+          and $startsWith($lowercase($safeStr($prop($, 'cdx:hbom:equipmentIdentifier'))), 'redacted') = false
+        )
+        or (
+          $hasProp($, 'cdx:hbom:imei')
+          and $startsWith($lowercase($safeStr($prop($, 'cdx:hbom:imei'))), 'redacted') = false
+        )
+        or (
+          $hasProp($, 'cdx:hbom:ownNumbers')
+          and $startsWith($lowercase($safeStr($prop($, 'cdx:hbom:ownNumbers'))), 'redacted') = false
+        )
+      )
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Cellular component '{{ name }}' exposes raw modem or subscriber identifiers that should be reviewed before distribution"
+  mitigation: "Keep modem identifiers redacted in shared HBOMs and restrict raw IMEI, equipment, or subscriber number exposure to tightly controlled internal device-management workflows."
+  evidence: |
+    {
+      "equipmentIdentifier": $prop($, 'cdx:hbom:equipmentIdentifier'),
+      "imei": $prop($, 'cdx:hbom:imei'),
+      "ownNumbers": $prop($, 'cdx:hbom:ownNumbers'),
+      "identifierPolicy": $firstNonEmpty($prop($, 'cdx:hbom:identifierPolicy'), $prop(metadata.component, 'cdx:hbom:identifierPolicy'))
+    }