npm - @cyclonedx/cdxgen - Versions diffs - 12.3.3 → 12.4.0 - Mend

@cyclonedx/cdxgen 12.3.3 → 12.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (157) hide show

package/README.md +64 -22
package/bin/audit.js +21 -7
package/bin/cdxgen.js +238 -116
package/bin/convert.js +28 -13
package/bin/hbom.js +490 -0
package/bin/repl.js +580 -29
package/bin/validate.js +34 -4
package/bin/verify.js +40 -5
package/data/README.md +298 -25
package/data/component-tags.json +6 -0
package/data/crypto-oid.json +16 -0
package/data/predictive-audit-allowlist.json +11 -0
package/data/queries-darwin.json +12 -1
package/data/queries-win.json +7 -1
package/data/queries.json +39 -2
package/data/rules/ai-agent-governance.yaml +16 -0
package/data/rules/asar-archives.yaml +150 -0
package/data/rules/chrome-extensions.yaml +8 -0
package/data/rules/ci-permissions.yaml +42 -18
package/data/rules/container-risk.yaml +14 -7
package/data/rules/dependency-sources.yaml +11 -0
package/data/rules/hbom-compliance.yaml +325 -0
package/data/rules/hbom-performance.yaml +307 -0
package/data/rules/hbom-security.yaml +248 -0
package/data/rules/host-topology.yaml +165 -0
package/data/rules/mcp-servers.yaml +18 -3
package/data/rules/obom-runtime.yaml +907 -22
package/data/rules/package-integrity.yaml +14 -0
package/data/rules/rootfs-hardening.yaml +179 -0
package/data/rules/vscode-extensions.yaml +9 -0
package/lib/audit/index.js +209 -8
package/lib/audit/index.poku.js +332 -0
package/lib/audit/reporters.js +222 -0
package/lib/audit/targets.js +146 -1
package/lib/audit/targets.poku.js +186 -0
package/lib/cli/asar.poku.js +328 -0
package/lib/cli/index.js +506 -88
package/lib/cli/index.poku.js +1352 -212
package/lib/evinser/evinser.js +14 -9
package/lib/helpers/analyzer.js +1406 -29
package/lib/helpers/analyzer.poku.js +342 -0
package/lib/helpers/analyzerScope.js +712 -0
package/lib/helpers/asarutils.js +1556 -0
package/lib/helpers/asarutils.poku.js +443 -0
package/lib/helpers/auditCategories.js +12 -0
package/lib/helpers/auditCategories.poku.js +32 -0
package/lib/helpers/cbomutils.js +271 -1
package/lib/helpers/cbomutils.poku.js +248 -5
package/lib/helpers/display.js +291 -1
package/lib/helpers/display.poku.js +149 -0
package/lib/helpers/evidenceUtils.js +58 -0
package/lib/helpers/evidenceUtils.poku.js +54 -0
package/lib/helpers/exportUtils.js +9 -0
package/lib/helpers/gtfobins.js +142 -8
package/lib/helpers/gtfobins.poku.js +24 -1
package/lib/helpers/hbom.js +710 -0
package/lib/helpers/hbom.poku.js +496 -0
package/lib/helpers/hbomAnalysis.js +268 -0
package/lib/helpers/hbomAnalysis.poku.js +249 -0
package/lib/helpers/hbomLoader.js +35 -0
package/lib/helpers/hostTopology.js +803 -0
package/lib/helpers/hostTopology.poku.js +363 -0
package/lib/helpers/inventoryStats.js +69 -0
package/lib/helpers/inventoryStats.poku.js +86 -0
package/lib/helpers/lolbas.js +19 -1
package/lib/helpers/lolbas.poku.js +23 -0
package/lib/helpers/osqueryTransform.js +47 -0
package/lib/helpers/osqueryTransform.poku.js +47 -0
package/lib/helpers/plugins.js +349 -0
package/lib/helpers/plugins.poku.js +57 -0
package/lib/helpers/protobom.js +156 -45
package/lib/helpers/protobom.poku.js +140 -5
package/lib/helpers/remote/dependency-track.js +36 -3
package/lib/helpers/remote/dependency-track.poku.js +44 -0
package/lib/helpers/source.js +24 -0
package/lib/helpers/source.poku.js +32 -0
package/lib/helpers/utils.js +1438 -93
package/lib/helpers/utils.poku.js +846 -4
package/lib/managers/binary.e2e.poku.js +367 -0
package/lib/managers/binary.js +2293 -353
package/lib/managers/binary.poku.js +1699 -1
package/lib/managers/docker.js +201 -79
package/lib/managers/docker.poku.js +337 -12
package/lib/server/server.js +2 -27
package/lib/stages/postgen/annotator.js +38 -0
package/lib/stages/postgen/annotator.poku.js +107 -1
package/lib/stages/postgen/auditBom.js +121 -18
package/lib/stages/postgen/auditBom.poku.js +1366 -31
package/lib/stages/postgen/hostTopologyAudit.poku.js +186 -0
package/lib/stages/postgen/postgen.js +192 -1
package/lib/stages/postgen/postgen.poku.js +321 -0
package/lib/stages/postgen/ruleEngine.js +116 -0
package/lib/stages/pregen/envAudit.js +14 -3
package/package.json +23 -21
package/types/bin/hbom.d.ts +3 -0
package/types/bin/hbom.d.ts.map +1 -0
package/types/bin/repl.d.ts.map +1 -1
package/types/lib/audit/index.d.ts +44 -0
package/types/lib/audit/index.d.ts.map +1 -1
package/types/lib/audit/reporters.d.ts +16 -0
package/types/lib/audit/reporters.d.ts.map +1 -1
package/types/lib/audit/targets.d.ts.map +1 -1
package/types/lib/cli/index.d.ts +16 -0
package/types/lib/cli/index.d.ts.map +1 -1
package/types/lib/evinser/evinser.d.ts +4 -0
package/types/lib/evinser/evinser.d.ts.map +1 -1
package/types/lib/helpers/analyzer.d.ts +33 -0
package/types/lib/helpers/analyzer.d.ts.map +1 -1
package/types/lib/helpers/analyzerScope.d.ts +11 -0
package/types/lib/helpers/analyzerScope.d.ts.map +1 -0
package/types/lib/helpers/asarutils.d.ts +34 -0
package/types/lib/helpers/asarutils.d.ts.map +1 -0
package/types/lib/helpers/auditCategories.d.ts +5 -0
package/types/lib/helpers/auditCategories.d.ts.map +1 -1
package/types/lib/helpers/cbomutils.d.ts +3 -2
package/types/lib/helpers/cbomutils.d.ts.map +1 -1
package/types/lib/helpers/display.d.ts.map +1 -1
package/types/lib/helpers/evidenceUtils.d.ts +8 -0
package/types/lib/helpers/evidenceUtils.d.ts.map +1 -0
package/types/lib/helpers/exportUtils.d.ts.map +1 -1
package/types/lib/helpers/gtfobins.d.ts +8 -0
package/types/lib/helpers/gtfobins.d.ts.map +1 -1
package/types/lib/helpers/hbom.d.ts +49 -0
package/types/lib/helpers/hbom.d.ts.map +1 -0
package/types/lib/helpers/hbomAnalysis.d.ts +62 -0
package/types/lib/helpers/hbomAnalysis.d.ts.map +1 -0
package/types/lib/helpers/hbomLoader.d.ts +7 -0
package/types/lib/helpers/hbomLoader.d.ts.map +1 -0
package/types/lib/helpers/hostTopology.d.ts +12 -0
package/types/lib/helpers/hostTopology.d.ts.map +1 -0
package/types/lib/helpers/inventoryStats.d.ts +11 -0
package/types/lib/helpers/inventoryStats.d.ts.map +1 -0
package/types/lib/helpers/lolbas.d.ts.map +1 -1
package/types/lib/helpers/osqueryTransform.d.ts +3 -0
package/types/lib/helpers/osqueryTransform.d.ts.map +1 -1
package/types/lib/helpers/plugins.d.ts +58 -0
package/types/lib/helpers/plugins.d.ts.map +1 -0
package/types/lib/helpers/protobom.d.ts +3 -4
package/types/lib/helpers/protobom.d.ts.map +1 -1
package/types/lib/helpers/remote/dependency-track.d.ts +10 -3
package/types/lib/helpers/remote/dependency-track.d.ts.map +1 -1
package/types/lib/helpers/source.d.ts.map +1 -1
package/types/lib/helpers/utils.d.ts +45 -8
package/types/lib/helpers/utils.d.ts.map +1 -1
package/types/lib/managers/binary.d.ts +5 -0
package/types/lib/managers/binary.d.ts.map +1 -1
package/types/lib/managers/docker.d.ts.map +1 -1
package/types/lib/server/server.d.ts +2 -1
package/types/lib/server/server.d.ts.map +1 -1
package/types/lib/stages/postgen/annotator.d.ts.map +1 -1
package/types/lib/stages/postgen/auditBom.d.ts +26 -1
package/types/lib/stages/postgen/auditBom.d.ts.map +1 -1
package/types/lib/stages/postgen/postgen.d.ts +2 -1
package/types/lib/stages/postgen/postgen.d.ts.map +1 -1
package/types/lib/stages/postgen/ruleEngine.d.ts.map +1 -1
package/types/lib/stages/pregen/envAudit.d.ts.map +1 -1
package/data/spdx-model-v3.0.1.jsonld +0 -15999

package/data/rules/host-topology.yaml ADDED Viewed

@@ -0,0 +1,165 @@
+# Host Topology Rules
+# Category: host-topology
+# Evaluates strict, evidence-backed insights derived from merged HBOM + OBOM inventories.
+- id: HMX-001
+  name: "Active wired interface with live runtime addresses is operating degraded"
+  description: "A wired interface that is actually carrying runtime addresses but is negotiated at low bandwidth or half duplex represents a higher-confidence performance issue than hardware inventory alone."
+  severity: medium
+  category: host-topology
+  dry-run-support: partial
+  condition: |
+    components[
+      $prop($, 'cdx:hbom:hardwareClass') = 'network-interface'
+      and $number($firstNonEmpty($prop($, 'cdx:hostview:interface_addresses:count'), '0')) > 0
+      and (
+        $lowercase($safeStr($prop($, 'cdx:hbom:duplex'))) = 'half'
+        or (
+          $hasProp($, 'cdx:hbom:speedMbps')
+          and $number($prop($, 'cdx:hbom:speedMbps')) > 0
+          and $number($prop($, 'cdx:hbom:speedMbps')) < 1000
+        )
+      )
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Interface '{{ name }}' has live runtime address evidence but negotiated degraded duplex or bandwidth characteristics"
+  mitigation: "Inspect cabling, switch policy, NIC firmware/driver, and negotiated link settings before treating the issue as application-only latency."
+  evidence: |
+    {
+      "runtimeAddressCount": $prop($, 'cdx:hostview:interface_addresses:count'),
+      "driver": $prop($, 'cdx:hbom:driver'),
+      "speedMbps": $prop($, 'cdx:hbom:speedMbps'),
+      "duplex": $prop($, 'cdx:hbom:duplex'),
+      "operState": $prop($, 'cdx:hbom:operState')
+    }
+- id: HMX-002
+  name: "Wireless interface with live runtime address uses weak or missing link security"
+  description: "Weak wireless security on an interface that also has runtime address evidence is a stronger exposure signal than hardware inventory alone."
+  severity: high
+  category: host-topology
+  dry-run-support: partial
+  condition: |
+    components[
+      (
+        $prop($, 'cdx:hbom:hardwareClass') = 'wireless-adapter'
+        or (
+          $prop($, 'cdx:hbom:hardwareClass') = 'network-interface'
+          and $hasProp($, 'cdx:hbom:securityMode')
+        )
+      )
+      and $number($firstNonEmpty($prop($, 'cdx:hostview:interface_addresses:count'), '0')) > 0
+      and (
+        $safeStr($prop($, 'cdx:hbom:securityMode')) = ''
+        or $contains($lowercase($safeStr($prop($, 'cdx:hbom:securityMode'))), 'open')
+        or $contains($lowercase($safeStr($prop($, 'cdx:hbom:securityMode'))), 'wep')
+        or $contains($lowercase($safeStr($prop($, 'cdx:hbom:securityMode'))), 'none')
+      )
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Wireless interface '{{ name }}' has live runtime address evidence while using weak or missing security mode '{{ $firstNonEmpty($prop($, 'cdx:hbom:securityMode'), 'unknown') }}'"
+  mitigation: "Move the interface to WPA2/WPA3-class protections, review SSID policy, and verify that actively routed wireless links meet enterprise security baselines."
+  evidence: |
+    {
+      "runtimeAddressCount": $prop($, 'cdx:hostview:interface_addresses:count'),
+      "securityMode": $prop($, 'cdx:hbom:securityMode'),
+      "channel": $prop($, 'cdx:hbom:channel'),
+      "phyMode": $prop($, 'cdx:hbom:phyMode')
+    }
+- id: HMX-003
+  name: "Merged host inventory lacks strict hardware/runtime topology links"
+  description: "When a merged HBOM+OBOM view contains no strict cross-domain topology links, reviewers should treat combined host conclusions cautiously and inspect collection coverage."
+  severity: medium
+  category: host-topology
+  dry-run-support: partial
+  condition: |
+    metadata.component[
+      type = 'device'
+      and $prop($, 'cdx:hostview:mode') = 'hbom-obom-merged'
+      and $number($firstNonEmpty($prop($, 'cdx:hostview:topologyLinkCount'), '0')) = 0
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Merged host inventory for '{{ name }}' contains no strict HBOM-to-OBOM topology links"
+  mitigation: "Review collector coverage, ensure runtime categories such as interface_addresses or kernel_modules are available, and prefer exact identifier-bearing probes over heuristic joins."
+  evidence: |
+    {
+      "hostViewMode": $prop($, 'cdx:hostview:mode'),
+      "hardwareComponentCount": $prop($, 'cdx:hostview:hardwareComponentCount'),
+      "runtimeComponentCount": $prop($, 'cdx:hostview:runtimeComponentCount'),
+      "topologyLinkCount": $prop($, 'cdx:hostview:topologyLinkCount')
+    }
+- id: HMX-004
+  name: "Mounted storage with explicit runtime evidence is reporting degraded health"
+  description: "Storage health issues become higher-confidence operational findings when the hardware component is also linked to an active runtime mount or logical drive using exact identifiers."
+  severity: high
+  category: host-topology
+  dry-run-support: partial
+  condition: |
+    components[
+      (
+        $prop($, 'cdx:hbom:hardwareClass') = 'storage'
+        or $prop($, 'cdx:hbom:hardwareClass') = 'storage-device'
+        or $prop($, 'cdx:hbom:hardwareClass') = 'storage-volume'
+      )
+      and (
+        $number($firstNonEmpty($prop($, 'cdx:hostview:mount_hardening:count'), '0')) > 0
+        or $number($firstNonEmpty($prop($, 'cdx:hostview:runtime-storage:count'), '0')) > 0
+      )
+      and (
+        $contains($lowercase($safeStr($prop($, 'cdx:hbom:smartStatus'))), 'fail')
+        or $contains($lowercase($safeStr($prop($, 'cdx:hbom:health'))), 'degrad')
+        or $number($firstNonEmpty($prop($, 'cdx:hbom:wearPercentageUsed'), '0')) >= 90
+      )
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Storage component '{{ name }}' is explicitly linked to a runtime mount or drive while reporting degraded health telemetry"
+  mitigation: "Prioritize remediation for the backing device because the linked runtime mount evidence shows the degraded storage is actively in use."
+  evidence: |
+    {
+      "mountCount": $prop($, 'cdx:hostview:mount_hardening:count'),
+      "runtimeStorageCount": $prop($, 'cdx:hostview:runtime-storage:count'),
+      "smartStatus": $prop($, 'cdx:hbom:smartStatus'),
+      "health": $prop($, 'cdx:hbom:health'),
+      "wearPercentageUsed": $prop($, 'cdx:hbom:wearPercentageUsed')
+    }
+- id: HMX-005
+  name: "Explicit HBOM secure-boot trust anchor matches a revoked runtime Secure Boot certificate"
+  description: "When HBOM metadata carries an explicit Secure Boot certificate identifier that strictly links to runtime secureboot_certificates data, revoked trust anchors indicate a higher-confidence firmware trust issue."
+  severity: high
+  category: host-topology
+  dry-run-support: partial
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'secureboot_certificates'
+      and $number($firstNonEmpty($prop($, 'revoked'), '0')) > 0
+      and $number($firstNonEmpty($prop($$.metadata.component, 'cdx:hostview:secureboot_certificates:count'), '0')) > 0
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Secure Boot certificate '{{ name }}' is revoked and the host also has an explicit HBOM trust-anchor link for this Secure Boot surface"
+  mitigation: "Review firmware trust policy, remove revoked Secure Boot entries from active trust sets, and verify that the expected db/dbx anchors on the host still match the approved platform state."
+  evidence: |
+    {
+      "linkedSecureBootCertificateCount": $prop($, 'cdx:hostview:secureboot_certificates:count'),
+      "revokedCertificateCount": $count(bom.components[
+        $prop($, 'cdx:osquery:category') = 'secureboot_certificates'
+        and $number($firstNonEmpty($prop($, 'revoked'), '0')) > 0
+      ])
+    }

package/data/rules/mcp-servers.yaml CHANGED Viewed

@@ -3,13 +3,15 @@
   description: "HTTP-based MCP servers that expose tools without authentication let unauthenticated clients invoke model-controlled actions directly."
   severity: critical
   category: mcp-server
+  dry-run-support: full
   attack:
-    tactics: [TA0001, TA0004]
+    tactics: [TA0001, TA0002]
     techniques: [T1190, T1059]
   standards:
     owasp-ai-top-10:
       - "LLM07: Insecure Plugin Design"
       - "LLM08: Excessive Agency"
+      - "LLM06:2025 Excessive Agency"
     nist-ai-rmf:
       - "Map"
       - "Manage"
@@ -44,6 +46,7 @@
   description: "Streamable HTTP MCP servers should authenticate incoming requests before serving prompts, resources, or tools."
   severity: high
   category: mcp-server
+  dry-run-support: full
   attack:
     tactics: [TA0001]
     techniques: [T1190]
@@ -81,13 +84,15 @@
   description: "MCP servers built on non-official SDKs or wrappers deserve extra review before being exposed over HTTP, especially when they register tools."
   severity: medium
   category: mcp-server
+  dry-run-support: full
   attack:
-    tactics: [TA0001, TA0005]
+    tactics: [TA0001]
     techniques: [T1195.001]
   standards:
     owasp-ai-top-10:
       - "LLM05: Supply Chain Vulnerabilities"
       - "LLM07: Insecure Plugin Design"
+      - "LLM03:2025 Supply Chain"
     nist-ai-rmf:
       - "Govern"
       - "Map"
@@ -124,6 +129,7 @@
   description: "MCP services discovered only from client configuration files still need explicit authentication or OAuth posture when they resolve to network-accessible HTTP endpoints."
   severity: high
   category: mcp-server
+  dry-run-support: full
   attack:
     tactics: [TA0001]
     techniques: [T1190]
@@ -131,6 +137,7 @@
     owasp-ai-top-10:
       - "LLM07: Insecure Plugin Design"
       - "LLM08: Excessive Agency"
+      - "LLM06:2025 Excessive Agency"
     nist-ai-rmf:
       - "Map"
       - "Manage"
@@ -163,6 +170,7 @@
   description: "MCP configs that embed tokens, API keys, or other secrets directly in args, env values, or headers create immediate credential-handling and supply-chain review risk."
   severity: critical
   category: mcp-server
+  dry-run-support: full
   attack:
     tactics: [TA0006]
     techniques: [T1552]
@@ -170,6 +178,7 @@
     owasp-ai-top-10:
       - "LLM05: Supply Chain Vulnerabilities"
       - "LLM07: Insecure Plugin Design"
+      - "LLM03:2025 Supply Chain"
     nist-ai-rmf:
       - "Govern"
       - "Manage"
@@ -201,13 +210,15 @@
   description: "Dynamic client registration combined with a static configured client ID can create confused-deputy style authorization risk in MCP deployments."
   severity: high
   category: mcp-server
+  dry-run-support: full
   attack:
-    tactics: [TA0004]
+    tactics: [TA0006]
     techniques: [T1528]
   standards:
     owasp-ai-top-10:
       - "LLM07: Insecure Plugin Design"
       - "LLM08: Excessive Agency"
+      - "LLM06:2025 Excessive Agency"
     nist-ai-rmf:
       - "Govern"
       - "Map"
@@ -238,6 +249,7 @@
   description: "Token-forwarding and passthrough settings in MCP configs deserve review because they can propagate delegated credentials across trust boundaries."
   severity: high
   category: mcp-server
+  dry-run-support: full
   attack:
     tactics: [TA0006]
     techniques: [T1528]
@@ -245,6 +257,7 @@
     owasp-ai-top-10:
       - "LLM07: Insecure Plugin Design"
       - "LLM08: Excessive Agency"
+      - "LLM06:2025 Excessive Agency"
     nist-ai-rmf:
       - "Govern"
       - "Manage"
@@ -275,10 +288,12 @@
   description: "Committed MCP client configuration files can carry trust, auth, and distribution sensitivity even when they are not actively used during the current scan."
   severity: medium
   category: mcp-server
+  dry-run-support: full
   standards:
     owasp-ai-top-10:
       - "LLM07: Insecure Plugin Design"
       - "LLM08: Excessive Agency"
+      - "LLM06:2025 Excessive Agency"
     nist-ai-rmf:
       - "Govern"
       - "Map"