npm - @cyclonedx/cdxgen - Versions diffs - 12.3.3 → 12.4.1 - Mend

@cyclonedx/cdxgen 12.3.3 → 12.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (175) hide show

package/README.md +69 -25
package/bin/audit.js +21 -7
package/bin/cdxgen.js +270 -127
package/bin/convert.js +34 -15
package/bin/hbom.js +495 -0
package/bin/repl.js +592 -37
package/bin/validate.js +31 -4
package/bin/verify.js +18 -5
package/data/README.md +298 -25
package/data/component-tags.json +6 -0
package/data/crypto-oid.json +16 -0
package/data/cyclonedx-2.0-bundled.schema.json +7182 -0
package/data/predictive-audit-allowlist.json +11 -0
package/data/queries-darwin.json +12 -1
package/data/queries-win.json +7 -1
package/data/queries.json +39 -2
package/data/rules/ai-agent-governance.yaml +16 -0
package/data/rules/asar-archives.yaml +150 -0
package/data/rules/chrome-extensions.yaml +8 -0
package/data/rules/ci-permissions.yaml +42 -18
package/data/rules/container-risk.yaml +14 -7
package/data/rules/dependency-sources.yaml +11 -0
package/data/rules/hbom-compliance.yaml +325 -0
package/data/rules/hbom-performance.yaml +307 -0
package/data/rules/hbom-security.yaml +248 -0
package/data/rules/host-topology.yaml +165 -0
package/data/rules/mcp-servers.yaml +18 -3
package/data/rules/obom-runtime.yaml +907 -22
package/data/rules/package-integrity.yaml +14 -0
package/data/rules/rootfs-hardening.yaml +179 -0
package/data/rules/vscode-extensions.yaml +9 -0
package/lib/audit/index.js +210 -8
package/lib/audit/index.poku.js +332 -0
package/lib/audit/reporters.js +222 -0
package/lib/audit/targets.js +146 -1
package/lib/audit/targets.poku.js +186 -0
package/lib/cli/asar.poku.js +328 -0
package/lib/cli/index.js +527 -99
package/lib/cli/index.poku.js +1469 -212
package/lib/evinser/evinser.js +14 -9
package/lib/helpers/analyzer.js +1406 -29
package/lib/helpers/analyzer.poku.js +342 -0
package/lib/helpers/analyzerScope.js +712 -0
package/lib/helpers/asarutils.js +1556 -0
package/lib/helpers/asarutils.poku.js +443 -0
package/lib/helpers/auditCategories.js +12 -0
package/lib/helpers/auditCategories.poku.js +32 -0
package/lib/helpers/bomUtils.js +155 -1
package/lib/helpers/bomUtils.poku.js +79 -1
package/lib/helpers/cbomutils.js +271 -1
package/lib/helpers/cbomutils.poku.js +248 -5
package/lib/helpers/display.js +291 -1
package/lib/helpers/display.poku.js +149 -0
package/lib/helpers/evidenceUtils.js +58 -0
package/lib/helpers/evidenceUtils.poku.js +54 -0
package/lib/helpers/exportUtils.js +9 -0
package/lib/helpers/gtfobins.js +142 -8
package/lib/helpers/gtfobins.poku.js +24 -1
package/lib/helpers/hbom.js +710 -0
package/lib/helpers/hbom.poku.js +496 -0
package/lib/helpers/hbomAnalysis.js +268 -0
package/lib/helpers/hbomAnalysis.poku.js +249 -0
package/lib/helpers/hbomLoader.js +35 -0
package/lib/helpers/hostTopology.js +803 -0
package/lib/helpers/hostTopology.poku.js +363 -0
package/lib/helpers/inventoryStats.js +69 -0
package/lib/helpers/inventoryStats.poku.js +86 -0
package/lib/helpers/lolbas.js +19 -1
package/lib/helpers/lolbas.poku.js +23 -0
package/lib/helpers/osqueryTransform.js +47 -0
package/lib/helpers/osqueryTransform.poku.js +47 -0
package/lib/helpers/plugins.js +350 -0
package/lib/helpers/plugins.poku.js +57 -0
package/lib/helpers/protobom.js +209 -45
package/lib/helpers/protobom.poku.js +183 -5
package/lib/helpers/protobomLoader.js +43 -0
package/lib/helpers/protobomLoader.poku.js +31 -0
package/lib/helpers/remote/dependency-track.js +36 -3
package/lib/helpers/remote/dependency-track.poku.js +44 -0
package/lib/helpers/source.js +24 -0
package/lib/helpers/source.poku.js +32 -0
package/lib/helpers/utils.js +1438 -93
package/lib/helpers/utils.poku.js +846 -4
package/lib/managers/binary.e2e.poku.js +367 -0
package/lib/managers/binary.js +2293 -353
package/lib/managers/binary.poku.js +1699 -1
package/lib/managers/docker.js +201 -79
package/lib/managers/docker.poku.js +337 -12
package/lib/server/server.js +4 -28
package/lib/stages/postgen/annotator.js +38 -0
package/lib/stages/postgen/annotator.poku.js +107 -1
package/lib/stages/postgen/auditBom.js +121 -18
package/lib/stages/postgen/auditBom.poku.js +1366 -31
package/lib/stages/postgen/hostTopologyAudit.poku.js +186 -0
package/lib/stages/postgen/postgen.js +406 -8
package/lib/stages/postgen/postgen.poku.js +484 -0
package/lib/stages/postgen/ruleEngine.js +116 -0
package/lib/stages/pregen/envAudit.js +14 -3
package/lib/validator/bomValidator.js +90 -38
package/lib/validator/bomValidator.poku.js +90 -0
package/lib/validator/complianceRules.js +4 -2
package/lib/validator/index.poku.js +14 -0
package/package.json +23 -21
package/types/bin/hbom.d.ts +3 -0
package/types/bin/hbom.d.ts.map +1 -0
package/types/bin/repl.d.ts +1 -1
package/types/bin/repl.d.ts.map +1 -1
package/types/lib/audit/index.d.ts +44 -0
package/types/lib/audit/index.d.ts.map +1 -1
package/types/lib/audit/reporters.d.ts +16 -0
package/types/lib/audit/reporters.d.ts.map +1 -1
package/types/lib/audit/targets.d.ts.map +1 -1
package/types/lib/cli/index.d.ts +16 -0
package/types/lib/cli/index.d.ts.map +1 -1
package/types/lib/evinser/evinser.d.ts +4 -0
package/types/lib/evinser/evinser.d.ts.map +1 -1
package/types/lib/helpers/analyzer.d.ts +33 -0
package/types/lib/helpers/analyzer.d.ts.map +1 -1
package/types/lib/helpers/analyzerScope.d.ts +11 -0
package/types/lib/helpers/analyzerScope.d.ts.map +1 -0
package/types/lib/helpers/asarutils.d.ts +34 -0
package/types/lib/helpers/asarutils.d.ts.map +1 -0
package/types/lib/helpers/auditCategories.d.ts +5 -0
package/types/lib/helpers/auditCategories.d.ts.map +1 -1
package/types/lib/helpers/bomUtils.d.ts +10 -0
package/types/lib/helpers/bomUtils.d.ts.map +1 -1
package/types/lib/helpers/cbomutils.d.ts +3 -2
package/types/lib/helpers/cbomutils.d.ts.map +1 -1
package/types/lib/helpers/display.d.ts.map +1 -1
package/types/lib/helpers/evidenceUtils.d.ts +8 -0
package/types/lib/helpers/evidenceUtils.d.ts.map +1 -0
package/types/lib/helpers/exportUtils.d.ts.map +1 -1
package/types/lib/helpers/gtfobins.d.ts +8 -0
package/types/lib/helpers/gtfobins.d.ts.map +1 -1
package/types/lib/helpers/hbom.d.ts +49 -0
package/types/lib/helpers/hbom.d.ts.map +1 -0
package/types/lib/helpers/hbomAnalysis.d.ts +76 -0
package/types/lib/helpers/hbomAnalysis.d.ts.map +1 -0
package/types/lib/helpers/hbomLoader.d.ts +7 -0
package/types/lib/helpers/hbomLoader.d.ts.map +1 -0
package/types/lib/helpers/hostTopology.d.ts +12 -0
package/types/lib/helpers/hostTopology.d.ts.map +1 -0
package/types/lib/helpers/inventoryStats.d.ts +11 -0
package/types/lib/helpers/inventoryStats.d.ts.map +1 -0
package/types/lib/helpers/lolbas.d.ts.map +1 -1
package/types/lib/helpers/osqueryTransform.d.ts +3 -0
package/types/lib/helpers/osqueryTransform.d.ts.map +1 -1
package/types/lib/helpers/plugins.d.ts +58 -0
package/types/lib/helpers/plugins.d.ts.map +1 -0
package/types/lib/helpers/protobom.d.ts +5 -4
package/types/lib/helpers/protobom.d.ts.map +1 -1
package/types/lib/helpers/protobomLoader.d.ts +17 -0
package/types/lib/helpers/protobomLoader.d.ts.map +1 -0
package/types/lib/helpers/remote/dependency-track.d.ts +10 -3
package/types/lib/helpers/remote/dependency-track.d.ts.map +1 -1
package/types/lib/helpers/source.d.ts.map +1 -1
package/types/lib/helpers/utils.d.ts +45 -8
package/types/lib/helpers/utils.d.ts.map +1 -1
package/types/lib/managers/binary.d.ts +5 -0
package/types/lib/managers/binary.d.ts.map +1 -1
package/types/lib/managers/docker.d.ts.map +1 -1
package/types/lib/server/server.d.ts +2 -1
package/types/lib/server/server.d.ts.map +1 -1
package/types/lib/stages/postgen/annotator.d.ts.map +1 -1
package/types/lib/stages/postgen/auditBom.d.ts +26 -1
package/types/lib/stages/postgen/auditBom.d.ts.map +1 -1
package/types/lib/stages/postgen/postgen.d.ts +2 -1
package/types/lib/stages/postgen/postgen.d.ts.map +1 -1
package/types/lib/stages/postgen/ruleEngine.d.ts.map +1 -1
package/types/lib/stages/pregen/envAudit.d.ts.map +1 -1
package/types/lib/third-party/arborist/lib/node.d.ts +23 -0
package/types/lib/third-party/arborist/lib/node.d.ts.map +1 -1
package/types/lib/validator/bomValidator.d.ts.map +1 -1
package/types/lib/validator/complianceRules.d.ts.map +1 -1
package/data/spdx-model-v3.0.1.jsonld +0 -15999

package/data/predictive-audit-allowlist.json ADDED Viewed

@@ -0,0 +1,11 @@
+[
+  "pkg:npm/%40babel",
+  "pkg:npm/%40eslint",
+  "pkg:npm/%40istanbuljs",
+  "pkg:npm/%40jest",
+  "pkg:npm/%40npmcli",
+  "pkg:npm/%40rollup",
+  "pkg:npm/%40types",
+  "pkg:npm/%40typescript-eslint",
+  "pkg:npm/npm"
+]

package/data/queries-darwin.json CHANGED Viewed

@@ -35,6 +35,12 @@
     "purlType": "swid",
     "componentType": "application"
   },
+  "gatekeeper": {
+    "query": "SELECT 'gatekeeper' as name, COALESCE(NULLIF(version, ''), opaque_version) as version, opaque_version as description, assessments_enabled, dev_id_enabled FROM gatekeeper;",
+    "description": "macOS Gatekeeper policy status, including assessment enforcement and identified-developer allowance.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
   "system_extensions": {
     "query": "select * from system_extensions;",
     "description": "macOS (>= 10.15) system extension table.",
@@ -71,6 +77,11 @@
     "purlType": "swid",
     "componentType": "application"
   },
+  "npm_packages": {
+    "query": "SELECT * FROM npm_packages;",
+    "description": "Node packages installed on the system, including recursively discovered modern package manager layouts.",
+    "purlType": "npm"
+  },
   "launchd_services": {
     "query": "SELECT name, label, path, program, run_at_load, keep_alive, disabled, username, groupname, stdout_path, stderr_path, start_interval, program_arguments, watch_paths, queue_directories, start_on_mount, working_directory, process_type FROM launchd;",
     "description": "LaunchAgents and LaunchDaemons configuration used for macOS persistence.",
@@ -108,7 +119,7 @@
     "componentType": "data"
   },
   "package_bom": {
-    "query": "SELECT * FROM package_bom;",
+    "query": "SELECT * FROM package_bom WHERE path IN (SELECT REPLACE(package_receipts.path, '.plist', '.bom') FROM package_receipts JOIN file ON file.path = REPLACE(package_receipts.path, '.plist', '.bom') WHERE package_receipts.path LIKE '%.plist' AND file.size <= 52428800);",
     "description": "macOS package bill of materials (BOM) file list.",
     "purlType": "swid",
     "componentType": "application"

package/data/queries-win.json CHANGED Viewed

@@ -36,7 +36,7 @@
     "purlType": "swid"
   },
   "ie_extensions": {
-    "query": "select ie_extensions.* from users join ie_extensions using (uid);",
+    "query": "select * from ie_extensions;",
     "description": "Retrieves the list of extensions for IE in the target system.",
     "purlType": "swid"
   },
@@ -112,6 +112,12 @@
     "purlType": "swid",
     "componentType": "data"
   },
+  "process_open_handles_snapshot": {
+    "query": "SELECT processes.name, process_open_handles.type as version, process_open_handles.name as description, processes.path, processes.cmdline, processes.pid, process_open_handles.value, process_open_handles.type, process_open_handles.name as handle_name, process_open_handles.access, process_open_handles.attributes, process_open_handles.count, process_open_handles.raw_pointer_count, process_open_handles.error_stage, process_open_handles.error_code FROM processes JOIN process_open_handles USING (pid) WHERE process_open_handles.name != '' AND processes.name IN ('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'wmic.exe', 'certutil.exe', 'bitsadmin.exe') AND ((process_open_handles.type = 'File' AND (lower(process_open_handles.name) LIKE '%\\appdata\\local\\temp\\%' OR lower(process_open_handles.name) LIKE '%\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\%' OR lower(process_open_handles.name) LIKE '%\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\%' OR lower(process_open_handles.name) LIKE '%\\windows\\tasks\\%' OR lower(process_open_handles.name) LIKE '%\\system32\\tasks\\%' OR lower(process_open_handles.name) LIKE '%\\wbem\\repository\\%')) OR (process_open_handles.type = 'Key' AND (lower(process_open_handles.name) LIKE '%\\software\\microsoft\\windows\\currentversion\\run%' OR lower(process_open_handles.name) LIKE '%\\software\\microsoft\\windows\\currentversion\\runonce%' OR lower(process_open_handles.name) LIKE '%\\software\\microsoft\\windows nt\\currentversion\\winlogon%' OR lower(process_open_handles.name) LIKE '%\\system\\currentcontrolset\\services\\%' OR lower(process_open_handles.name) LIKE '%\\software\\microsoft\\windows nt\\currentversion\\schedule\\taskcache\\%' OR lower(process_open_handles.name) LIKE '%\\software\\microsoft\\wbem\\cimom%')));",
+    "description": "Open handles owned by high-signal scripting and proxy-execution processes, filtered to persistence-oriented file and registry locations on Windows endpoints.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
   "services_snapshot": {
     "query": "SELECT * FROM services;",
     "description": "Services snapshot query.",

package/data/queries.json CHANGED Viewed

@@ -38,12 +38,26 @@
   "apt_sources": {
     "query": "select * from apt_sources;",
     "description": "Retrieves all the APT sources to install packages from in the target Linux system.",
-    "purlType": "deb"
+    "purlType": "generic",
+    "componentType": "data"
+  },
+  "apt_ppa_sources": {
+    "query": "SELECT COALESCE(name, base_uri, source) as name, release as version, maintainer as publisher, source as description, source, base_uri, release, components, architectures FROM apt_sources WHERE base_uri LIKE '%ppa.launchpadcontent.net%' OR base_uri LIKE '%ppa.launchpad.net%';",
+    "description": "APT Personal Package Archive (PPA) sources configured on the target Linux system.",
+    "purlType": "generic",
+    "componentType": "data"
   },
   "yum_sources": {
     "query": "select * from yum_sources;",
     "description": "Display yum package manager sources.",
-    "purlType": "yum"
+    "purlType": "generic",
+    "componentType": "data"
+  },
+  "trusted_gpg_keys": {
+    "query": "SELECT COALESCE(file.filename, file.path) as name, hash.sha256 as version, file.path as description, file.path, file.directory, file.filename, file.uid, file.gid, file.mode, file.size, file.mtime, hash.sha1, hash.sha256, CASE WHEN file.path LIKE '/etc/apt/%' OR file.path LIKE '/usr/share/keyrings/%' THEN 'apt' WHEN file.path LIKE '/etc/pki/rpm-gpg/%' OR file.path LIKE '/usr/share/distribution-gpg-keys/%' THEN 'rpm' WHEN file.path LIKE '/etc/apk/keys/%' THEN 'apk' ELSE 'generic' END AS trust_domain FROM file JOIN hash USING (path) WHERE (file.path = '/etc/apt/trusted.gpg' OR file.path LIKE '/etc/apt/trusted.gpg.d/%' OR file.path LIKE '/usr/share/keyrings/%' OR file.path LIKE '/etc/pki/rpm-gpg/%' OR file.path LIKE '/usr/share/distribution-gpg-keys/%' OR file.path LIKE '/etc/apk/keys/%') AND file.type = 'regular';",
+    "description": "Trusted repository keyring material for APT, RPM/DNF, and APK package trust validation.",
+    "purlType": "generic",
+    "componentType": "cryptographic-asset"
   },
   "portage_packages": {
     "query": "select * from portage_packages;",
@@ -60,6 +74,11 @@
     "description": "Python packages installed on system.",
     "purlType": "pypi"
   },
+  "npm_packages": {
+    "query": "SELECT * FROM npm_packages;",
+    "description": "Node packages installed on the system, including recursively discovered modern package manager layouts.",
+    "purlType": "npm"
+  },
   "system_info_snapshot": {
     "query": "SELECT * FROM system_info;",
     "description": "System info snapshot query.",
@@ -108,12 +127,30 @@
     "purlType": "swid",
     "componentType": "data"
   },
+  "sysctl_hardening": {
+    "query": "SELECT name, current_value as version, name as sysctl_key, current_value FROM sysctl WHERE name IN ('kernel.randomize_va_space', 'kernel.kptr_restrict', 'net.ipv4.conf.all.accept_redirects', 'net.ipv4.conf.default.accept_redirects', 'net.ipv4.conf.all.send_redirects', 'net.ipv4.conf.default.send_redirects');",
+    "description": "Linux sysctl posture entries aligned with common hardening baselines.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
   "kernel_modules": {
     "query": "SELECT * FROM kernel_modules;",
     "description": "Linux kernel modules both loaded and within the load search path.",
     "purlType": "swid",
     "componentType": "data"
   },
+  "secureboot_certificates": {
+    "query": "SELECT COALESCE(common_name, subject, sha1) as name, COALESCE(subject_key_id, sha1) as version, issuer as publisher, subject as description, common_name, subject, issuer, serial, sha1, revoked, path, is_ca, self_signed, key_usage, authority_key_id, subject_key_id, signing_algorithm, key_algorithm, key_strength, not_valid_before, not_valid_after FROM secureboot_certificates;",
+    "description": "UEFI Secure Boot certificate inventory, including trusted and revoked entries, for firmware trust posture reviews.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "mount_hardening": {
+    "query": "SELECT path as name, flags as version, device as description, path, device, type, flags FROM mounts WHERE path IN ('/tmp', '/var/tmp', '/dev/shm', '/home');",
+    "description": "Linux mount points commonly reviewed for noexec, nodev, and nosuid hardening.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
   "systemd_units": {
     "query": "SELECT id as name, active_state as version, description, load_state, sub_state, unit_file_state, user, fragment_path, source_path FROM systemd_units;",
     "description": "Systemd unit state and execution source inventory.",

package/data/rules/ai-agent-governance.yaml CHANGED Viewed

@@ -3,9 +3,11 @@
   description: "Hidden Unicode in AI agent instructions or skill files can conceal misleading prompts, hidden tool behavior, or review-evasion content."
   severity: medium
   category: ai-agent
+  dry-run-support: full
   standards:
     owasp-ai-top-10:
       - "LLM05: Supply Chain Vulnerabilities"
+      - "LLM03:2025 Supply Chain"
     nist-ai-rmf:
       - "Govern"
       - "Manage"
@@ -35,6 +37,7 @@
   description: "Public MCP endpoints referenced from agent or skill files deserve review when the instruction surface does not indicate any bearer, token, or OAuth controls."
   severity: high
   category: ai-agent
+  dry-run-support: full
   attack:
     tactics: [TA0001]
     techniques: [T1190]
@@ -42,6 +45,7 @@
     owasp-ai-top-10:
       - "LLM07: Insecure Plugin Design"
       - "LLM08: Excessive Agency"
+      - "LLM06:2025 Excessive Agency"
     nist-ai-rmf:
       - "Map"
       - "Manage"
@@ -72,10 +76,13 @@
   description: "Agent files that mention MCP servers, packages, or endpoints without corresponding MCP package inventory or source-derived MCP services can hide runtime trust dependencies from reviewers."
   severity: medium
   category: ai-agent
+  dry-run-support: full
   standards:
     owasp-ai-top-10:
       - "LLM05: Supply Chain Vulnerabilities"
       - "LLM08: Excessive Agency"
+      - "LLM03:2025 Supply Chain"
+      - "LLM06:2025 Excessive Agency"
     nist-ai-rmf:
       - "Map"
       - "Govern"
@@ -107,6 +114,7 @@
   description: "Localhost tunneling and reverse-proxy references in agent files can turn development-only MCP servers into remotely reachable control surfaces."
   severity: high
   category: ai-agent
+  dry-run-support: full
   attack:
     tactics: [TA0001, TA0011]
     techniques: [T1190, T1071]
@@ -114,6 +122,7 @@
     owasp-ai-top-10:
       - "LLM07: Insecure Plugin Design"
       - "LLM08: Excessive Agency"
+      - "LLM06:2025 Excessive Agency"
     nist-ai-rmf:
       - "Map"
       - "Manage"
@@ -142,10 +151,12 @@
   description: "Non-official MCP wrappers referenced directly from agent instructions deserve extra review before they are trusted in developer tooling or automation flows."
   severity: medium
   category: ai-agent
+  dry-run-support: full
   standards:
     owasp-ai-top-10:
       - "LLM05: Supply Chain Vulnerabilities"
       - "LLM07: Insecure Plugin Design"
+      - "LLM03:2025 Supply Chain"
     nist-ai-rmf:
       - "Govern"
       - "Map"
@@ -174,6 +185,7 @@
   description: "Agent or skill files that embed bearer tokens, API keys, or similar secrets create immediate review and credential-rotation risk."
   severity: critical
   category: ai-agent
+  dry-run-support: full
   attack:
     tactics: [TA0006]
     techniques: [T1552]
@@ -181,6 +193,7 @@
     owasp-ai-top-10:
       - "LLM05: Supply Chain Vulnerabilities"
       - "LLM07: Insecure Plugin Design"
+      - "LLM03:2025 Supply Chain"
     nist-ai-rmf:
       - "Govern"
       - "Manage"
@@ -210,10 +223,13 @@
   description: "Shipped AI instruction and skill files deserve explicit review because they can alter developer tooling, release-time automation, and downstream runtime behavior."
   severity: medium
   category: ai-agent
+  dry-run-support: full
   standards:
     owasp-ai-top-10:
       - "LLM05: Supply Chain Vulnerabilities"
       - "LLM08: Excessive Agency"
+      - "LLM03:2025 Supply Chain"
+      - "LLM06:2025 Excessive Agency"
     nist-ai-rmf:
       - "Govern"
       - "Map"

package/data/rules/asar-archives.yaml ADDED Viewed

@@ -0,0 +1,150 @@
+# Electron ASAR archive security rules
+# Category: asar-archive
+# Evaluates packaged Electron application archives for dynamic execution,
+# capability overlap, integrity mismatches, and embedded install-time scripts.
+- id: ASAR-001
+  name: "Archived JavaScript with eval or dynamic loading"
+  description: "ASAR-packaged JavaScript using eval, Function, or dynamic import/require deserves review for arbitrary code execution and remote payload loading risk."
+  severity: high
+  category: asar-archive
+  dry-run-support: full
+  condition: |
+    components[
+      $prop($, 'cdx:file:kind') = 'asar-entry'
+      and (
+        $propBool($, 'cdx:asar:js:hasEval') = true
+        or $propBool($, 'cdx:asar:js:capability:dynamicImport') = true
+        or $listContains($propList($, 'cdx:asar:js:executionIndicators'), 'eval')
+        or $listContains($propList($, 'cdx:asar:js:executionIndicators'), 'function-constructor')
+      )
+    ]
+  location: |
+    {
+      "bomRef": $. "bom-ref",
+      "srcFile": $prop($, 'SrcFile'),
+      "archivePath": $prop($, 'cdx:asar:path')
+    }
+  message: "Archived JavaScript '{{ name }}' uses eval-like or dynamic loading behavior inside an ASAR package"
+  mitigation: "Review the packaged source for eval, Function, dynamic import, or runtime module resolution. Prefer static imports and signed update channels."
+  evidence: |
+    {
+      "archivePath": $prop($, 'cdx:asar:path'),
+      "executionIndicators": $prop($, 'cdx:asar:js:executionIndicators'),
+      "dynamicImport": $prop($, 'cdx:asar:js:capability:dynamicImport'),
+      "hasEval": $prop($, 'cdx:asar:js:hasEval')
+    }
+- id: ASAR-002
+  name: "Archived JavaScript with network plus file or hardware access"
+  description: "Packaged JavaScript that combines outbound network capability with filesystem or hardware access can materially increase exfiltration or device-control risk."
+  severity: high
+  category: asar-archive
+  dry-run-support: full
+  condition: |
+    components[
+      $prop($, 'cdx:file:kind') = 'asar-entry'
+      and $propBool($, 'cdx:asar:js:capability:network') = true
+      and (
+        $propBool($, 'cdx:asar:js:capability:fileAccess') = true
+        or $propBool($, 'cdx:asar:js:capability:hardware') = true
+        or $propBool($, 'cdx:asar:js:hasDynamicFetch') = true
+      )
+    ]
+  location: |
+    {
+      "bomRef": $. "bom-ref",
+      "srcFile": $prop($, 'SrcFile'),
+      "archivePath": $prop($, 'cdx:asar:path')
+    }
+  message: "Archived JavaScript '{{ name }}' combines network behavior with sensitive local access capabilities"
+  mitigation: "Review outbound endpoints, local file access, and hardware APIs. Limit packaged code to explicit allowlisted operations and sign release artifacts."
+  evidence: |
+    {
+      "archivePath": $prop($, 'cdx:asar:path'),
+      "capabilities": $prop($, 'cdx:asar:js:capabilities'),
+      "networkIndicators": $prop($, 'cdx:asar:js:networkIndicators'),
+      "hardwareIndicators": $prop($, 'cdx:asar:js:hardwareIndicators'),
+      "fileAccessIndicators": $prop($, 'cdx:asar:js:fileAccessIndicators')
+    }
+- id: ASAR-003
+  name: "Declared ASAR integrity mismatch"
+  description: "An ASAR entry whose declared integrity hash does not match the computed file hash may indicate tampering or packaging defects."
+  severity: high
+  category: asar-archive
+  dry-run-support: full
+  condition: |
+    components[
+      $prop($, 'cdx:file:kind') = 'asar-entry'
+      and $prop($, 'cdx:asar:integrityVerified') = 'false'
+    ]
+  location: |
+    {
+      "bomRef": $. "bom-ref",
+      "srcFile": $prop($, 'SrcFile'),
+      "archivePath": $prop($, 'cdx:asar:path')
+    }
+  message: "Archived entry '{{ name }}' has a declared integrity hash mismatch inside an ASAR package"
+  mitigation: "Rebuild the archive from trusted sources, verify signing provenance, and compare the packaged file to the expected release artifact."
+  evidence: |
+    {
+      "archivePath": $prop($, 'cdx:asar:path'),
+      "declaredHash": $prop($, 'cdx:asar:declaredIntegrityHash'),
+      "verified": $prop($, 'cdx:asar:integrityVerified')
+    }
+- id: ASAR-004
+  name: "Embedded npm package with install-time scripts inside ASAR"
+  description: "Node packages shipped inside ASAR archives that declare install/preinstall hooks are still useful compromise indicators during artifact review."
+  severity: high
+  category: asar-archive
+  dry-run-support: partial
+  condition: |
+    components[
+      $propBool($, 'cdx:npm:hasInstallScript') = true
+      and $contains($prop($, 'SrcFile'), '.asar#/')
+    ]
+  location: |
+    {
+      "bomRef": $. "bom-ref",
+      "purl": purl,
+      "srcFile": $prop($, 'SrcFile')
+    }
+  message: "Embedded npm package '{{ name }}@{{ version }}' inside ASAR declares install-time lifecycle scripts"
+  mitigation: "Review the embedded package source and build provenance. Remove unnecessary lifecycle hooks or vendor only prebuilt trusted artifacts."
+  evidence: |
+    {
+      "srcFile": $prop($, 'SrcFile'),
+      "lifecycleScripts": $prop($, 'cdx:npm:risky_scripts'),
+      "executionIndicators": $prop($, 'cdx:npm:lifecycleExecutionIndicators'),
+      "obfuscationIndicators": $prop($, 'cdx:npm:lifecycleObfuscationIndicators')
+    }
+- id: ASAR-005
+  name: "Electron ASAR signing metadata failed verification"
+  description: "Electron Info.plist signing metadata that fails verification is a high-signal indicator of packaging defects or release-artifact tampering."
+  severity: high
+  category: asar-archive
+  dry-run-support: full
+  condition: |
+    components[
+      $prop($, 'cdx:file:kind') = 'asar-archive'
+      and $propBool($, 'cdx:asar:hasSigningMetadata') = true
+      and $prop($, 'cdx:asar:signingVerified') = 'false'
+    ]
+  location: |
+    {
+      "bomRef": $. "bom-ref",
+      "srcFile": $prop($, 'SrcFile')
+    }
+  message: "ASAR archive '{{ name }}' has Electron signing metadata that failed verification"
+  mitigation: "Rebuild the Electron package from trusted sources, verify the Info.plist ElectronAsarIntegrity data, and confirm the shipped ASAR matches the expected signed release artifact."
+  evidence: |
+    {
+      "signingDeclaredHash": $prop($, 'cdx:asar:signingDeclaredHash'),
+      "signingAlgorithm": $prop($, 'cdx:asar:signingAlgorithm'),
+      "signingSource": $prop($, 'cdx:asar:signingSource'),
+      "signingScope": $prop($, 'cdx:asar:signingScope'),
+      "signingVerified": $prop($, 'cdx:asar:signingVerified')
+    }

package/data/rules/chrome-extensions.yaml CHANGED Viewed

@@ -7,6 +7,7 @@
   description: "Browser extensions with <all_urls> or wildcard host permissions can access and manipulate content on most websites"
   severity: high
   category: chrome-extension
+  dry-run-support: full
   condition: |
     components[
       $startsWith(purl, 'pkg:chrome-extension/')
@@ -35,6 +36,7 @@
   description: "Extensions that combine webRequest and webRequestBlocking can intercept and modify browser network traffic"
   severity: critical
   category: chrome-extension
+  dry-run-support: full
   condition: |
     components[
       $startsWith(purl, 'pkg:chrome-extension/')
@@ -60,6 +62,7 @@
   description: "Extensions injecting content scripts at document_start together with broad host permissions increase pre-DOM execution risk"
   severity: high
   category: chrome-extension
+  dry-run-support: full
   condition: |
     components[
       $startsWith(purl, 'pkg:chrome-extension/')
@@ -89,6 +92,7 @@
   description: "Autofill features handling credential or PII flows should be reviewed when broad host permissions are granted"
   severity: medium
   category: chrome-extension
+  dry-run-support: full
   condition: |
     components[
       $startsWith(purl, 'pkg:chrome-extension/')
@@ -119,6 +123,7 @@
   description: "Extensions requesting file or device-adjacent capabilities alongside broad host scope can increase data collection and exfiltration risk."
   severity: high
   category: chrome-extension
+  dry-run-support: full
   condition: |
     components[
       $startsWith(purl, 'pkg:chrome-extension/')
@@ -153,6 +158,7 @@
   description: "Extensions with explicit code-injection capability and broad host scope may execute arbitrary script logic across many origins."
   severity: critical
   category: chrome-extension
+  dry-run-support: full
   condition: |
     components[
       $startsWith(purl, 'pkg:chrome-extension/')
@@ -183,6 +189,7 @@
   description: "Fingerprinting-related capability indicators combined with broad host access can increase tracking and privacy risk."
   severity: high
   category: chrome-extension
+  dry-run-support: full
   condition: |
     components[
       $startsWith(purl, 'pkg:chrome-extension/')
@@ -213,6 +220,7 @@
   description: "Extensions targeting AI assistant domains (OpenAI/ChatGPT/Claude/Copilot) with code-injection capability should be reviewed for prompt/session manipulation risk."
   severity: high
   category: chrome-extension
+  dry-run-support: full
   condition: |
     components[
       $startsWith(purl, 'pkg:chrome-extension/')