@cyclonedx/cdxgen 12.3.3 → 12.4.1

package/data/rules/hbom-compliance.yaml

@@ -0,0 +1,325 @@
+# HBOM Compliance and Governance Rules
+# Category: hbom-compliance
+# Evaluates hardware inventory completeness, redaction posture, and governance-ready evidence.
+
+- id: HBC-001
+  name: "HBOM inventory lacks firmware or board provenance"
+  description: "Incomplete firmware or board provenance weakens auditability for hardware refresh, attestation, and patch-governance workflows."
+  severity: medium
+  category: hbom-compliance
+  dry-run-support: full
+  standards:
+    nist-800-53:
+      - "CM-8 System Component Inventory"
+      - "SI-7 Software, Firmware, and Information Integrity"
+    cis-controls-v8:
+      - "1.1 Establish and Maintain Detailed Enterprise Asset Inventory"
+  condition: |
+    metadata.component[
+      $safeStr($prop($, 'cdx:hbom:platform')) = 'linux'
+      and $count(
+        $$.components[
+          $prop($, 'cdx:hbom:hardwareClass') = 'board'
+          and (
+            $hasProp($, 'cdx:hbom:boardVendor')
+            or $hasProp($, 'cdx:hbom:boardName')
+            or $hasProp($, 'cdx:hbom:biosVendor')
+            or $hasProp($, 'cdx:hbom:biosVersion')
+            or $hasProp($, 'cdx:hbom:firmwareDate')
+          )
+        ]
+      ) = 0
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "HBOM for '{{ name }}' lacks board or firmware provenance fields needed for governance review"
+  mitigation: "Enable richer firmware/board collection on supported Linux hosts, validate SMBIOS access, and ensure the inventory captures board vendor, board name, BIOS vendor, BIOS version, and firmware date where available."
+  evidence: |
+    {
+      "platform": $prop($, 'cdx:hbom:platform'),
+      "architecture": $prop($, 'cdx:hbom:architecture'),
+      "collectorProfile": $prop(bom, 'cdx:hbom:collectorProfile'),
+      "boardComponentCount": $count($$.components[$prop($, 'cdx:hbom:hardwareClass') = 'board'])
+    }
+
+- id: HBC-002
+  name: "Managed asset identity is incomplete"
+  description: "HBOMs used for fleet governance should capture stable host identity fields such as model, platform, and serial or asset identifiers."
+  severity: medium
+  category: hbom-compliance
+  dry-run-support: full
+  standards:
+    nist-800-53:
+      - "CM-8 System Component Inventory"
+    cis-controls-v8:
+      - "1.1 Establish and Maintain Detailed Enterprise Asset Inventory"
+    iso-27001:
+      - "A.5.9 Inventory of information and other associated assets"
+  condition: |
+    metadata.component[
+      type = 'device'
+      and (
+        $hasProp($, 'cdx:hbom:platform') = false
+        or $hasProp($, 'cdx:hbom:architecture') = false
+        or (
+          $hasProp($, 'cdx:hbom:serialNumber') = false
+          and $hasProp($, 'cdx:hbom:platformUuid') = false
+          and $hasProp($, 'cdx:hbom:assetTag') = false
+        )
+      )
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "HBOM metadata for '{{ name }}' is missing stable asset identity fields required for governance workflows"
+  mitigation: "Capture platform, architecture, and at least one durable host identifier (serial, platform UUID, or asset tag) so the device can be reconciled with CMDB and lifecycle systems."
+  evidence: |
+    {
+      "platform": $prop($, 'cdx:hbom:platform'),
+      "architecture": $prop($, 'cdx:hbom:architecture'),
+      "serialNumber": $prop($, 'cdx:hbom:serialNumber'),
+      "platformUuid": $prop($, 'cdx:hbom:platformUuid'),
+      "assetTag": $prop($, 'cdx:hbom:assetTag')
+    }
+
+- id: HBC-003
+  name: "HBOM collector evidence is incomplete"
+  description: "Governance review is weaker when the BOM omits the collector command evidence used to derive the hardware inventory."
+  severity: medium
+  category: hbom-compliance
+  dry-run-support: full
+  condition: |
+    metadata.component[
+      type = 'device'
+      and (
+        $hasProp($$, 'cdx:hbom:evidence:commandCount') = false
+        or $number($firstNonEmpty($prop($$, 'cdx:hbom:evidence:commandCount'), '0')) = 0
+        or $hasProp($$, 'cdx:hbom:evidence:command') = false
+      )
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "HBOM for '{{ name }}' is missing collector command evidence needed for reproducible review"
+  mitigation: "Retain command-evidence metadata in the distributed BOM, or attach equivalent collection provenance so reviewers can understand how the hardware inventory was derived."
+  evidence: |
+    {
+      "collectorProfile": $prop(bom, 'cdx:hbom:collectorProfile'),
+      "commandCount": $prop(bom, 'cdx:hbom:evidence:commandCount'),
+      "commandEvidence": $prop(bom, 'cdx:hbom:evidence:command')
+    }
+
+- id: HBC-004
+  name: "Storage inventory lacks encryption posture evidence"
+  description: "Storage volumes without explicit encryption posture make it difficult to prove compliance with device and media protection requirements."
+  severity: medium
+  category: hbom-compliance
+  dry-run-support: full
+  standards:
+    nist-800-53:
+      - "SC-28 Protection of Information at Rest"
+      - "CM-8 System Component Inventory"
+  condition: |
+    metadata.component[
+      type = 'device'
+      and $count($$.components[$prop($, 'cdx:hbom:hardwareClass') = 'storage-volume']) > 0
+      and $count(
+        $$.components[
+          $prop($, 'cdx:hbom:hardwareClass') = 'storage-volume'
+          and (
+            $hasProp($, 'cdx:hbom:isEncrypted')
+            or $hasProp($, 'cdx:hbom:fileVault')
+          )
+        ]
+      ) = 0
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "HBOM for '{{ name }}' includes storage volumes but no explicit encryption posture evidence"
+  mitigation: "Enable volume-level enrichment on supported platforms or pair the HBOM with equivalent host controls evidence so encryption compliance can be verified."
+  evidence: |
+    {
+      "storageVolumeCount": $count($$.components[$prop($, 'cdx:hbom:hardwareClass') = 'storage-volume']),
+      "collectorProfile": $prop(bom, 'cdx:hbom:collectorProfile'),
+      "platform": $prop($, 'cdx:hbom:platform')
+    }
+
+- id: HBC-005
+  name: "HBOM uses non-redacted identifier policy"
+  description: "HBOMs intended for broad distribution should avoid a non-redacted identifier policy unless raw identifiers are explicitly required by the receiving workflow."
+  severity: medium
+  category: hbom-compliance
+  dry-run-support: full
+  condition: |
+    metadata.component[
+      type = 'device'
+      and $hasProp($, 'cdx:hbom:identifierPolicy')
+      and $not($startsWith($lowercase($safeStr($prop($, 'cdx:hbom:identifierPolicy'))), 'redacted'))
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "HBOM for '{{ name }}' uses identifier policy '{{ $prop($, 'cdx:hbom:identifierPolicy') }}' instead of a redacted posture"
+  mitigation: "Default distributed HBOMs to redacted identifiers and keep raw hardware identity values confined to internal asset-governance workflows with a documented need-to-know."
+  evidence: |
+    {
+      "identifierPolicy": $prop($, 'cdx:hbom:identifierPolicy'),
+      "serialNumber": $prop($, 'cdx:hbom:serialNumber'),
+      "platformUuid": $prop($, 'cdx:hbom:platformUuid')
+    }
+
+- id: HBC-006
+  name: "HBOM collector is missing optional enrichment commands"
+  description: "Missing native utilities reduce the hardware evidence available to governance, assurance, and troubleshooting workflows."
+  severity: medium
+  category: hbom-compliance
+  dry-run-support: full
+  condition: |
+    metadata.component[
+      type = 'device'
+      and $number($firstNonEmpty($prop($$, 'cdx:hbom:analysis:missingCommandCount'), '0')) > 0
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "HBOM for '{{ name }}' reported missing native enrichment commands"
+  mitigation: "Install the reported utilities on the target host and rerun the HBOM collection so the inventory includes the richer structured hardware evidence those commands provide."
+  evidence: |
+    {
+      "collectorProfile": $prop(bom, 'cdx:hbom:collectorProfile'),
+      "missingCommandCount": $prop(bom, 'cdx:hbom:analysis:missingCommandCount'),
+      "missingCommands": $propList(bom, 'cdx:hbom:analysis:missingCommands'),
+      "diagnosticIssues": $propList(bom, 'cdx:hbom:analysis:diagnosticIssues')
+    }
+
+- id: HBC-007
+  name: "HBOM collector hit permission-denied enrichments"
+  description: "Permission-sensitive enrichments that fail during collection often leave firmware, graphics, or SMBIOS evidence incomplete until the host is rerun with the documented privileged mode."
+  severity: medium
+  category: hbom-compliance
+  dry-run-support: full
+  standards:
+    nist-800-53:
+      - "CM-8 System Component Inventory"
+      - "SI-7 Software, Firmware, and Information Integrity"
+  condition: |
+    metadata.component[
+      type = 'device'
+      and $number($firstNonEmpty($prop($$, 'cdx:hbom:analysis:permissionDeniedCount'), '0')) > 0
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "HBOM for '{{ name }}' hit permission-denied enrichments that likely require a rerun with --privileged"
+  mitigation: "Where policy allows, rerun HBOM collection with --privileged so cdx-hbom can use the documented non-interactive sudo path for permission-sensitive Linux enrichments."
+  evidence: |
+    {
+      "collectorProfile": $prop(bom, 'cdx:hbom:collectorProfile'),
+      "permissionDeniedCount": $prop(bom, 'cdx:hbom:analysis:permissionDeniedCount'),
+      "permissionDeniedCommands": $propList(bom, 'cdx:hbom:analysis:permissionDeniedCommands'),
+      "requiresPrivileged": $prop(bom, 'cdx:hbom:analysis:requiresPrivileged')
+    }
+
+- id: HBC-008
+  name: "HBOM collector is missing firmware-management enrichment"
+  description: "Without fwupd-derived metadata, governance teams lose update-protocol, firmware GUID, and device lifecycle context that is useful for firmware assurance and remediation planning."
+  severity: medium
+  category: hbom-compliance
+  dry-run-support: full
+  standards:
+    nist-800-53:
+      - "CM-8 System Component Inventory"
+      - "SI-7 Software, Firmware, and Information Integrity"
+  condition: |
+    metadata.component[
+      $safeStr($prop($, 'cdx:hbom:platform')) = 'linux'
+      and $listContains($propList($$, 'cdx:hbom:analysis:missingCommandIds'), 'fwupdmgr-devices-json')
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "HBOM for '{{ name }}' is missing firmware-management enrichment because fwupdmgr was unavailable"
+  mitigation: "Install fwupd on the target host and rerun the collection so the BOM can capture protocol, flags, GUIDs, and related firmware-management properties where supported."
+  evidence: |
+    {
+      "collectorProfile": $prop(bom, 'cdx:hbom:collectorProfile'),
+      "missingCommandIds": $propList(bom, 'cdx:hbom:analysis:missingCommandIds'),
+      "missingCommands": $propList(bom, 'cdx:hbom:analysis:missingCommands'),
+      "installHintCount": $prop(bom, 'cdx:hbom:analysis:installHintCount')
+    }
+
+- id: HBC-009
+  name: "HBOM board and BIOS provenance was blocked by permissions"
+  description: "When dmidecode-backed firmware and board enrichment is blocked, the HBOM may miss board-vendor, board-name, BIOS-version, and related governance evidence."
+  severity: medium
+  category: hbom-compliance
+  dry-run-support: full
+  standards:
+    nist-800-53:
+      - "CM-8 System Component Inventory"
+      - "SI-7 Software, Firmware, and Information Integrity"
+  condition: |
+    metadata.component[
+      $safeStr($prop($, 'cdx:hbom:platform')) = 'linux'
+      and $listContains($propList($$, 'cdx:hbom:analysis:permissionDeniedIds'), 'dmidecode-firmware-board')
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "HBOM for '{{ name }}' could not capture full board and BIOS provenance because dmidecode enrichment was blocked"
+  mitigation: "Where policy allows, rerun with --privileged or equivalent access so the collector can gather firmware vendor, BIOS version, board vendor, and board name data."
+  evidence: |
+    {
+      "collectorProfile": $prop(bom, 'cdx:hbom:collectorProfile'),
+      "permissionDeniedIds": $propList(bom, 'cdx:hbom:analysis:permissionDeniedIds'),
+      "permissionDeniedCommands": $propList(bom, 'cdx:hbom:analysis:permissionDeniedCommands'),
+      "boardComponentCount": $count($$.components[$prop($, 'cdx:hbom:hardwareClass') = 'board'])
+    }
+
+- id: HBC-010
+  name: "HBOM display and DRM evidence is incomplete"
+  description: "Missing EDID decoding or blocked DRM enrichment reduces the fidelity of display, connector, and content-protection metadata used during workstation and kiosk governance reviews."
+  severity: medium
+  category: hbom-compliance
+  dry-run-support: full
+  condition: |
+    metadata.component[
+      $count(
+        $$.components[
+          $prop($, 'cdx:hbom:hardwareClass') = 'display-connector'
+          or $prop($, 'cdx:hbom:hardwareClass') = 'display-adapter'
+        ]
+      ) > 0
+      and (
+        $listContains($propList($$, 'cdx:hbom:analysis:missingCommandIds'), 'edid-decode')
+        or $listContains($propList($$, 'cdx:hbom:analysis:permissionDeniedIds'), 'drm-info-json')
+      )
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "HBOM for '{{ name }}' includes display hardware but the richer DRM or EDID evidence is incomplete"
+  mitigation: "Install edid-decode where available and, if policy permits, rerun with --privileged so the collector can capture connector, mode, and content-protection metadata for Linux displays."
+  evidence: |
+    {
+      "displayComponentCount": $count(
+        $$.components[
+          $prop($, 'cdx:hbom:hardwareClass') = 'display-connector'
+          or $prop($, 'cdx:hbom:hardwareClass') = 'display-adapter'
+        ]
+      ),
+      "missingCommandIds": $propList(bom, 'cdx:hbom:analysis:missingCommandIds'),
+      "permissionDeniedIds": $propList(bom, 'cdx:hbom:analysis:permissionDeniedIds')
+    }

package/data/rules/hbom-performance.yaml

@@ -0,0 +1,307 @@
+# HBOM Performance Rules
+# Category: hbom-performance
+# Evaluates hardware inventory for storage, thermal, battery, network, and memory degradation signals.
+
+- id: HBP-001
+  name: "Storage volume has low free capacity headroom"
+  description: "Low free storage headroom can degrade builds, patching, logging, indexing, and general host responsiveness."
+  severity: medium
+  category: hbom-performance
+  dry-run-support: full
+  condition: |
+    components[
+      $prop($, 'cdx:hbom:hardwareClass') = 'storage-volume'
+      and $hasProp($, 'cdx:hbom:capacityBytes')
+      and $hasProp($, 'cdx:hbom:freeBytes')
+      and $number($prop($, 'cdx:hbom:capacityBytes')) > 0
+      and ($number($prop($, 'cdx:hbom:freeBytes')) / $number($prop($, 'cdx:hbom:capacityBytes'))) < 0.15
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Storage volume '{{ name }}' has less than 15% free capacity remaining"
+  mitigation: "Free local capacity, move caches or logs off the volume, or expand storage before performance and maintenance tasks degrade further."
+  evidence: |
+    {
+      "capacityBytes": $prop($, 'cdx:hbom:capacityBytes'),
+      "freeBytes": $prop($, 'cdx:hbom:freeBytes'),
+      "sizeBytes": $prop($, 'cdx:hbom:sizeBytes'),
+      "volumeUuid": $prop($, 'cdx:hbom:volumeUuid')
+    }
+
+- id: HBP-002
+  name: "Storage health is degraded or wear is near exhaustion"
+  description: "Degraded SMART state or high wear percentage is a strong leading indicator of latency, failure, or replacement pressure."
+  severity: high
+  category: hbom-performance
+  dry-run-support: full
+  condition: |
+    components[
+      (
+        $prop($, 'cdx:hbom:hardwareClass') = 'storage'
+        or $prop($, 'cdx:hbom:hardwareClass') = 'storage-device'
+        or $prop($, 'cdx:hbom:hardwareClass') = 'storage-volume'
+      )
+      and (
+        (
+          $hasProp($, 'cdx:hbom:smartStatus')
+          and $lowercase($safeStr($prop($, 'cdx:hbom:smartStatus'))) != 'verified'
+          and $lowercase($safeStr($prop($, 'cdx:hbom:smartStatus'))) != 'ok'
+          and $lowercase($safeStr($prop($, 'cdx:hbom:smartStatus'))) != 'passed'
+        )
+        or (
+          $hasProp($, 'cdx:hbom:wearPercentageUsed')
+          and $number($prop($, 'cdx:hbom:wearPercentageUsed')) >= 80
+        )
+      )
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Storage component '{{ name }}' shows degraded health or high wear"
+  mitigation: "Review SMART telemetry, schedule replacement for worn media, and move latency-sensitive workloads off the affected device."
+  evidence: |
+    {
+      "smartStatus": $prop($, 'cdx:hbom:smartStatus'),
+      "wearPercentageUsed": $prop($, 'cdx:hbom:wearPercentageUsed'),
+      "revision": $prop($, 'cdx:hbom:revision'),
+      "deviceSerial": $prop($, 'cdx:hbom:deviceSerial')
+    }
+
+- id: HBP-003
+  name: "Thermal zone reports sustained high temperature"
+  description: "High thermal-zone temperatures can trigger throttling, instability, and accelerated hardware wear."
+  severity: high
+  category: hbom-performance
+  dry-run-support: full
+  condition: |
+    components[
+      (
+        $prop($, 'cdx:hbom:hardwareClass') = 'thermal-zone'
+        or $prop($, 'cdx:hbom:hardwareClass') = 'sensor'
+      )
+      and $hasProp($, 'cdx:hbom:temperatureCelsius')
+      and $number($prop($, 'cdx:hbom:temperatureCelsius')) >= 85
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Thermal component '{{ name }}' reports high temperature '{{ $prop($, 'cdx:hbom:temperatureCelsius') }}°C'"
+  mitigation: "Inspect cooling, fan policy, dust buildup, and workload placement before the host begins sustained throttling or thermal shutdown behavior."
+  evidence: |
+    {
+      "temperatureCelsius": $prop($, 'cdx:hbom:temperatureCelsius'),
+      "temperatureReadings": $prop($, 'cdx:hbom:temperatureReadings'),
+      "fanCount": $prop($, 'cdx:hbom:fanCount'),
+      "fanReadings": $prop($, 'cdx:hbom:fanReadings')
+    }
+
+- id: HBP-004
+  name: "Battery health is degraded"
+  description: "Battery packs with low maximum capacity, poor health, or extreme cycle counts can materially degrade mobile system performance and runtime."
+  severity: medium
+  category: hbom-performance
+  dry-run-support: full
+  condition: |
+    components[
+      $prop($, 'cdx:hbom:hardwareClass') = 'power'
+      and (
+        (
+          $hasProp($, 'cdx:hbom:maximumCapacity')
+          and $number($substringBefore($prop($, 'cdx:hbom:maximumCapacity'), '%')) < 80
+        )
+        or (
+          $hasProp($, 'cdx:hbom:health')
+          and $not($lowercase($safeStr($prop($, 'cdx:hbom:health'))) = 'good')
+        )
+        or (
+          $hasProp($, 'cdx:hbom:cycleCount')
+          and $number($prop($, 'cdx:hbom:cycleCount')) >= 1000
+        )
+      )
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Battery component '{{ name }}' shows degraded health or elevated lifecycle wear"
+  mitigation: "Recalibrate or replace the battery, verify charging policy, and keep performance-sensitive mobile workloads off batteries nearing replacement thresholds."
+  evidence: |
+    {
+      "maximumCapacity": $prop($, 'cdx:hbom:maximumCapacity'),
+      "health": $prop($, 'cdx:hbom:health'),
+      "cycleCount": $prop($, 'cdx:hbom:cycleCount'),
+      "chargePercent": $prop($, 'cdx:hbom:chargePercent')
+    }
+
+- id: HBP-005
+  name: "Active wired link is operating below expected duplex or bandwidth"
+  description: "Half-duplex or very low negotiated wired-link speed often correlates with cable, switch, or interface misconfiguration that hurts throughput and latency."
+  severity: medium
+  category: hbom-performance
+  dry-run-support: full
+  condition: |
+    components[
+      $prop($, 'cdx:hbom:hardwareClass') = 'network-interface'
+      and (
+        $lowercase($safeStr($prop($, 'cdx:hbom:status'))) = 'active'
+        or $lowercase($safeStr($prop($, 'cdx:hbom:operState'))) = 'up'
+      )
+      and (
+        $lowercase($safeStr($prop($, 'cdx:hbom:duplex'))) = 'half'
+        or (
+          $hasProp($, 'cdx:hbom:speedMbps')
+          and $number($prop($, 'cdx:hbom:speedMbps')) > 0
+          and $number($prop($, 'cdx:hbom:speedMbps')) < 1000
+        )
+      )
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Active wired interface '{{ name }}' is operating with degraded duplex or bandwidth characteristics"
+  mitigation: "Check cabling, switch configuration, NIC driver/firmware, and negotiated link settings before treating application latency as purely software-related."
+  evidence: |
+    {
+      "duplex": $prop($, 'cdx:hbom:duplex'),
+      "speedMbps": $prop($, 'cdx:hbom:speedMbps'),
+      "status": $prop($, 'cdx:hbom:status'),
+      "operState": $prop($, 'cdx:hbom:operState'),
+      "driver": $prop($, 'cdx:hbom:driver')
+    }
+
+- id: HBP-006
+  name: "Installed memory is only partially online"
+  description: "A significant gap between installed and online memory suggests capacity loss, firmware drift, or topology issues that can affect performance-critical workloads."
+  severity: high
+  category: hbom-performance
+  dry-run-support: full
+  condition: |
+    components[
+      $prop($, 'cdx:hbom:hardwareClass') = 'memory'
+      and $hasProp($, 'cdx:hbom:sizeBytes')
+      and $hasProp($, 'cdx:hbom:memoryOnlineSize')
+      and $number($prop($, 'cdx:hbom:sizeBytes')) > 0
+      and $parseSizeBytes($prop($, 'cdx:hbom:memoryOnlineSize')) != null
+      and ($parseSizeBytes($prop($, 'cdx:hbom:memoryOnlineSize')) / $number($prop($, 'cdx:hbom:sizeBytes'))) < 0.9
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Memory component '{{ name }}' reports materially less online capacity than installed capacity"
+  mitigation: "Review DIMM population, firmware, NUMA/memory-hotplug settings, and kernel memory-online state before scaling workloads on the host."
+  evidence: |
+    {
+      "sizeBytes": $prop($, 'cdx:hbom:sizeBytes'),
+      "memoryOnlineSize": $prop($, 'cdx:hbom:memoryOnlineSize'),
+      "memoryRangeCount": $prop($, 'cdx:hbom:memoryRangeCount'),
+      "addressSizes": $prop($, 'cdx:hbom:addressSizes')
+    }
+
+- id: HBP-007
+  name: "Battery design capacity has materially degraded"
+  description: "Detailed Linux battery telemetry can reveal packs whose full-charge capacity has fallen materially below their design baseline, reducing runtime and stability under load."
+  severity: medium
+  category: hbom-performance
+  dry-run-support: full
+  condition: |
+    components[
+      $prop($, 'cdx:hbom:hardwareClass') = 'power'
+      and (
+        (
+          $hasProp($, 'cdx:hbom:designCapacityPercent')
+          and $number($prop($, 'cdx:hbom:designCapacityPercent')) > 0
+          and $number($prop($, 'cdx:hbom:designCapacityPercent')) < 80
+        )
+        or (
+          $hasProp($, 'cdx:hbom:energyFull')
+          and $hasProp($, 'cdx:hbom:energyFullDesign')
+          and $number($prop($, 'cdx:hbom:energyFullDesign')) > 0
+          and ($number($prop($, 'cdx:hbom:energyFull')) / $number($prop($, 'cdx:hbom:energyFullDesign'))) < 0.8
+        )
+        or (
+          $hasProp($, 'cdx:hbom:chargeFull')
+          and $hasProp($, 'cdx:hbom:chargeFullDesign')
+          and $number($prop($, 'cdx:hbom:chargeFullDesign')) > 0
+          and ($number($prop($, 'cdx:hbom:chargeFull')) / $number($prop($, 'cdx:hbom:chargeFullDesign'))) < 0.8
+        )
+      )
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Battery component '{{ name }}' has materially degraded relative to its design capacity"
+  mitigation: "Plan battery replacement or recalibration, review charging policy, and keep performance-sensitive mobile workloads away from hosts with heavily degraded packs."
+  evidence: |
+    {
+      "designCapacityPercent": $prop($, 'cdx:hbom:designCapacityPercent'),
+      "energyFull": $prop($, 'cdx:hbom:energyFull'),
+      "energyFullDesign": $prop($, 'cdx:hbom:energyFullDesign'),
+      "chargeFull": $prop($, 'cdx:hbom:chargeFull'),
+      "chargeFullDesign": $prop($, 'cdx:hbom:chargeFullDesign'),
+      "warningLevel": $prop($, 'cdx:hbom:warningLevel')
+    }
+
+- id: HBP-008
+  name: "USB device requires more current than the bus reports available"
+  description: "A USB device that requires more current than the bus exposes as available can behave unreliably, disconnect under load, or trigger peripheral instability."
+  severity: medium
+  category: hbom-performance
+  dry-run-support: full
+  condition: |
+    components[
+      $prop($, 'cdx:hbom:hardwareClass') = 'usb-device'
+      and $hasProp($, 'cdx:hbom:currentRequired')
+      and $hasProp($, 'cdx:hbom:currentAvailable')
+      and $number($prop($, 'cdx:hbom:currentRequired')) > $number($prop($, 'cdx:hbom:currentAvailable'))
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "USB component '{{ name }}' reports higher current demand than the bus currently provides"
+  mitigation: "Move the device to a powered hub or higher-capacity port, reduce competing bus load, and verify peripheral power expectations before troubleshooting higher-layer software issues."
+  evidence: |
+    {
+      "currentRequired": $prop($, 'cdx:hbom:currentRequired'),
+      "currentAvailable": $prop($, 'cdx:hbom:currentAvailable'),
+      "maxPowerMilliAmps": $prop($, 'cdx:hbom:maxPowerMilliAmps'),
+      "selfPowered": $prop($, 'cdx:hbom:selfPowered'),
+      "remoteWakeup": $prop($, 'cdx:hbom:remoteWakeup')
+    }
+
+- id: HBP-009
+  name: "Cellular modem reports weak signal quality"
+  description: "A modem with very weak reported signal quality can cause intermittent connectivity, poor throughput, and degraded remote-management reliability."
+  severity: medium
+  category: hbom-performance
+  dry-run-support: full
+  condition: |
+    components[
+      (
+        $prop($, 'cdx:hbom:hardwareClass') = 'modem'
+        or $hasProp($, 'cdx:hbom:signalQuality')
+      )
+      and $hasProp($, 'cdx:hbom:signalQuality')
+      and $number($prop($, 'cdx:hbom:signalQuality')) >= 0
+      and $number($prop($, 'cdx:hbom:signalQuality')) < 25
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Cellular component '{{ name }}' reports weak signal quality that may impair connectivity"
+  mitigation: "Review antenna placement, carrier coverage, modem firmware, and access-technology selection before treating transport instability as an application-only issue."
+  evidence: |
+    {
+      "signalQuality": $prop($, 'cdx:hbom:signalQuality'),
+      "accessTechnologies": $prop($, 'cdx:hbom:accessTechnologies'),
+      "operatorName": $prop($, 'cdx:hbom:operatorName'),
+      "plugin": $prop($, 'cdx:hbom:plugin')
+    }