@cyclonedx/cdxgen 9.6.0 → 9.7.0

package/README.md

@@ -4,7 +4,7 @@
 
 cdxgen is a cli tool, library, [REPL](./ADVANCED.md) and server to create a valid and compliant [CycloneDX][cyclonedx-homepage] Software Bill-of-Materials (SBOM) containing an aggregate of all project dependencies for c/c++, node.js, php, python, ruby, rust, java, .Net, dart, haskell, elixir, and Go projects in JSON format. CycloneDX 1.5 is a lightweight SBOM specification that is easily created, human and machine-readable, and simple to parse.
 
-When used with plugins, cdxgen could generate an SBoM for Linux docker images and even VMs running Linux or Windows operating system. cdxgen also includes a tool called `evinse` that can generate component evidences for some languages.
+When used with plugins, cdxgen could generate an OBoM for Linux docker images and even VMs running Linux or Windows operating system. cdxgen also includes a tool called `evinse` that can generate component evidences and SaaSBoM for some languages.
 
 NOTE:
 
@@ -127,9 +127,7 @@ Options:
   -r, --recurse                Recurse mode suitable for mono-repos. Defaults to
                                 true. Pass --no-recurse to disable.
                                                        [boolean] [default: true]
-  -p, --print                  Print the SBoM as a table with tree. Defaults to
-                               true if output file is not specified with -o
-                                                                       [boolean]
+  -p, --print                  Print the SBoM as a table with tree.    [boolean]
   -c, --resolve-class          Resolve class names for packages. jars only for n
                                ow.                                     [boolean]
       --deep                   Perform deep searches for components. Useful whil
@@ -294,6 +292,7 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
 | MVN_CMD                      | Set to override maven command                                                                                                        |
 | MVN_ARGS                     | Set to pass additional arguments such as profile or settings to maven                                                                |
 | MAVEN_HOME                   | Specify maven home                                                                                                                   |
+| MAVEN_CENTRAL_URL            | Specify URL of Maven Central for metadata fetching (e.g. when private repo is used)                                                  |
 | GRADLE_CACHE_DIR             | Specify gradle cache directory. Useful for class name resolving                                                                      |
 | GRADLE_MULTI_PROJECT_MODE    | Unused. Automatically handled                                                                                                        |
 | GRADLE_ARGS                  | Set to pass additional arguments such as profile or settings to gradle (all tasks). Eg: --configuration runtimeClassPath             |
@@ -366,17 +365,17 @@ systemctl --user start podman.socket
 podman system service -t 0 &
 ```
 
-### Generate SBoM for a live system
+### Generate OBoM for a live system
 
-You can use cdxgen to generate SBoM for a live system or a VM for compliance and vulnerability management purposes by passing the argument `-t os`.
+You can use cdxgen to generate an OBoM for a live system or a VM for compliance and vulnerability management purposes by passing the argument `-t os`. Windows and Linux operating systems are supported in this mode.
 
 ```shell
 cdxgen -t os
 ```
 
-This feature is powered by osquery which is [installed](https://github.com/cyclonedx/cdxgen-plugins-bin/blob/main/build.sh#L8) along with the binary plugins. cdxgen would opportunistically try to detect as many components, apps and extensions as possible using the [default queries](queries.json). The process would take several minutes and result in an SBoM file with thousands of components.
+This feature is powered by osquery which is [installed](https://github.com/cyclonedx/cdxgen-plugins-bin/blob/main/build.sh#L8) along with the binary plugins. cdxgen would opportunistically try to detect as many components, apps and extensions as possible using the [default queries](queries.json). The process would take several minutes and result in an SBoM file with thousands of components of various types such as operating-system, device-drivers, files, and data.
 
-## Generating component evidence
+## Generating SaaSBoM and component evidences
 
 See [evinse mode](./ADVANCED.md) in the advanced documentation.
 

package/bin/cdxgen.js

@@ -41,8 +41,7 @@ const args = yargs(hideBin(process.argv))
   .option("print", {
     alias: "p",
     type: "boolean",
-    description:
-      "Print the SBoM as a table with tree. Defaults to true if output file is not specified with -o"
+    description: "Print the SBoM as a table with tree."
   })
   .option("resolve-class", {
     alias: "c",
@@ -229,7 +228,6 @@ const checkPermissions = (filePath) => {
   const bomNSData = (await createBom(filePath, options)) || {};
   if (!args.output) {
     args.output = "bom.json";
-    args.print = true;
   }
   if (
     args.output &&

package/bin/verify.js

@@ -40,6 +40,25 @@ if (args.version) {
 }
 
 const bomJson = JSON.parse(fs.readFileSync(args.input, "utf8"));
+let hasInvalidComp = false;
+// Validate any component signature
+for (const comp of bomJson.components) {
+  if (comp.signature) {
+    const compSignature = comp.signature.value;
+    const validationResult = jws.verify(
+      compSignature,
+      comp.signature.algorithm,
+      fs.readFileSync(args.publicKey, "utf8")
+    );
+    if (!validationResult) {
+      console.log(`${comp["bom-ref"]} signature is invalid!`);
+      hasInvalidComp = true;
+    }
+  }
+}
+if (hasInvalidComp) {
+  process.exit(1);
+}
 const bomSignature =
   bomJson.signature && bomJson.signature.value
     ? bomJson.signature.value

package/binary.js

@@ -6,18 +6,18 @@ import { PackageURL } from "packageurl-js";
 import { DEBUG_MODE } from "./utils.js";
 
 import { fileURLToPath } from "node:url";
-import path from "node:path";
 
 let url = import.meta.url;
 if (!url.startsWith("file://")) {
   url = new URL(`file://${import.meta.url}`).toString();
 }
-const dirName = import.meta ? path.dirname(fileURLToPath(url)) : __dirname;
+const dirName = import.meta ? dirname(fileURLToPath(url)) : __dirname;
 
 const isWin = _platform() === "win32";
 
 let platform = _platform();
 let extn = "";
+let pluginsBinSuffix = "";
 if (platform == "win32") {
   platform = "windows";
   extn = ".exe";
@@ -31,6 +31,13 @@ switch (arch) {
   case "x64":
     arch = "amd64";
     break;
+  case "arm64":
+    pluginsBinSuffix = "-arm64";
+    break;
+  case "ppc64":
+    arch = "ppc64le";
+    pluginsBinSuffix = "-ppc64";
+    break;
 }
 
 // Retrieve the cdxgen plugins directory
@@ -47,14 +54,20 @@ if (
 if (
   !CDXGEN_PLUGINS_DIR &&
   existsSync(
-    join(dirName, "node_modules", "@cyclonedx", "cdxgen-plugins-bin", "plugins")
+    join(
+      dirName,
+      "node_modules",
+      "@cyclonedx",
+      "cdxgen-plugins-bin" + pluginsBinSuffix,
+      "plugins"
+    )
   ) &&
   existsSync(
     join(
       dirName,
       "node_modules",
       "@cyclonedx",
-      "cdxgen-plugins-bin",
+      "cdxgen-plugins-bin" + pluginsBinSuffix,
       "plugins",
       "goversion"
     )
@@ -64,7 +77,7 @@ if (
     dirName,
     "node_modules",
     "@cyclonedx",
-    "cdxgen-plugins-bin",
+    "cdxgen-plugins-bin" + pluginsBinSuffix,
     "plugins"
   );
 }
@@ -89,7 +102,7 @@ if (!CDXGEN_PLUGINS_DIR) {
   const globalPlugins = join(
     globalNodePath,
     "@cyclonedx",
-    "cdxgen-plugins-bin",
+    "cdxgen-plugins-bin" + pluginsBinSuffix,
     "plugins"
   );
   if (existsSync(globalPlugins)) {
@@ -181,6 +194,7 @@ const OS_DISTRO_ALIAS = {
   "ubuntu-19.10": "eoan",
   "ubuntu-20.04": "focal",
   "ubuntu-20.10": "groovy",
+  "ubuntu-22.04": "jammy",
   "ubuntu-23.04": "lunar",
   "debian-14": "forky",
   "debian-14.5": "forky",
@@ -266,6 +280,7 @@ export const getCargoAuditableInfo = (src) => {
 
 export const getOSPackages = (src) => {
   const pkgList = [];
+  const dependenciesList = [];
   const allTypes = new Set();
   if (TRIVY_BIN) {
     let imageType = "image";
@@ -321,6 +336,60 @@ export const getOSPackages = (src) => {
           rmSync(tempDir, { recursive: true, force: true });
         }
       }
+      const osReleaseData = {};
+      let osReleaseFile = undefined;
+      // Let's try to read the os-release file from various locations
+      if (existsSync(join(src, "etc", "os-release"))) {
+        osReleaseFile = join(src, "etc", "os-release");
+      } else if (existsSync(join(src, "usr", "lib", "os-release"))) {
+        osReleaseFile = join(src, "usr", "lib", "os-release");
+      }
+      if (osReleaseFile) {
+        const osReleaseInfo = readFileSync(
+          join(src, "usr", "lib", "os-release"),
+          "utf-8"
+        );
+        if (osReleaseInfo) {
+          osReleaseInfo.split("\n").forEach((l) => {
+            if (!l.startsWith("#") && l.includes("=")) {
+              const tmpA = l.split("=");
+              osReleaseData[tmpA[0]] = tmpA[1].replace(/"/g, "");
+            }
+          });
+        }
+      }
+      if (DEBUG_MODE) {
+        console.log(osReleaseData);
+      }
+      let distro_codename = osReleaseData["VERSION_CODENAME"] || "";
+      let distro_id = osReleaseData["ID"] || "";
+      let distro_id_like = osReleaseData["ID_LIKE"] || "";
+      let purl_type = "rpm";
+      switch (distro_id) {
+        case "debian":
+        case "ubuntu":
+        case "pop":
+          purl_type = "deb";
+          break;
+        default:
+          if (distro_id_like.includes("debian")) {
+            purl_type = "deb";
+          } else if (
+            distro_id_like.includes("rhel") ||
+            distro_id_like.includes("centos") ||
+            distro_id_like.includes("fedora")
+          ) {
+            purl_type = "rpm";
+          }
+          break;
+      }
+      if (osReleaseData["VERSION_ID"]) {
+        distro_id = distro_id + "-" + osReleaseData["VERSION_ID"];
+      }
+      const tmpDependencies = {};
+      (tmpBom.dependencies || []).forEach((d) => {
+        tmpDependencies[d.ref] = d.dependsOn;
+      });
       if (tmpBom && tmpBom.components) {
         for (const comp of tmpBom.components) {
           if (comp.purl) {
@@ -342,11 +411,11 @@ export const getOSPackages = (src) => {
             ) {
               continue;
             }
+            const origBomRef = comp["bom-ref"];
             // Fix the group
             let group = dirname(comp.name);
             const name = basename(comp.name);
             let purlObj = undefined;
-            let distro_codename = "";
             if (group === ".") {
               group = "";
             }
@@ -360,19 +429,23 @@ export const getOSPackages = (src) => {
                   comp.group = group;
                   purlObj.namespace = group;
                 }
+                if (distro_id && distro_id.length) {
+                  purlObj.qualifiers["distro"] = distro_id;
+                }
+                if (distro_codename && distro_codename.length) {
+                  purlObj.qualifiers["distro_name"] = distro_codename;
+                }
                 // Bug fix for mageia and oracle linux
+                // Type is being returned as none for ubuntu as well!
                 if (purlObj.type === "none") {
-                  purlObj["type"] = "rpm";
+                  purlObj["type"] = purl_type;
                   purlObj["namespace"] = "";
                   comp.group = "";
-                  distro_codename = undefined;
                   if (comp.purl && comp.purl.includes(".mga")) {
                     purlObj["namespace"] = "mageia";
                     comp.group = "mageia";
                     purlObj.qualifiers["distro"] = "mageia";
                     distro_codename = "mga";
-                  } else if (comp.purl && comp.purl.includes(".el8")) {
-                    purlObj.qualifiers["distro"] = "el8";
                   }
                   comp.purl = new PackageURL(
                     purlObj.type,
@@ -412,25 +485,25 @@ export const getOSPackages = (src) => {
                       );
                     }
                   }
-                  if (distro_codename !== "") {
-                    allTypes.add(distro_codename);
-                    allTypes.add(purlObj.namespace);
-                    purlObj.qualifiers["distro_name"] = distro_codename;
-                    comp.purl = new PackageURL(
-                      purlObj.type,
-                      purlObj.namespace,
-                      name,
-                      purlObj.version,
-                      purlObj.qualifiers,
-                      purlObj.subpath
-                    ).toString();
-                    comp["bom-ref"] = decodeURIComponent(comp.purl);
-                  }
+                }
+                if (distro_codename !== "") {
+                  allTypes.add(distro_codename);
+                  allTypes.add(purlObj.namespace);
+                  comp.purl = new PackageURL(
+                    purlObj.type,
+                    purlObj.namespace,
+                    name,
+                    purlObj.version,
+                    purlObj.qualifiers,
+                    purlObj.subpath
+                  ).toString();
+                  comp["bom-ref"] = decodeURIComponent(comp.purl);
                 }
               } catch (err) {
                 // continue regardless of error
               }
             }
+            // Fix licenses
             if (
               comp.licenses &&
               Array.isArray(comp.licenses) &&
@@ -438,6 +511,17 @@ export const getOSPackages = (src) => {
             ) {
               comp.licenses = [comp.licenses[0]];
             }
+            // Fix hashes
+            if (
+              comp.hashes &&
+              Array.isArray(comp.hashes) &&
+              comp.hashes.length
+            ) {
+              const hashContent = comp.hashes[0].content;
+              if (!hashContent || hashContent.length < 32) {
+                delete comp.hashes;
+              }
+            }
             const compProperties = comp.properties;
             let srcName = undefined;
             let srcVersion = undefined;
@@ -453,6 +537,14 @@ export const getOSPackages = (src) => {
             }
             delete comp.properties;
             pkgList.push(comp);
+            const compDeps = retrieveDependencies(
+              tmpDependencies,
+              origBomRef,
+              comp
+            );
+            if (compDeps) {
+              dependenciesList.push(compDeps);
+            }
             // If there is a source package defined include it as well
             if (srcName && srcVersion && srcName !== comp.name) {
               const newComp = Object.assign({}, comp);
@@ -474,10 +566,43 @@ export const getOSPackages = (src) => {
           }
         }
       }
-      return { osPackages: pkgList, allTypes: Array.from(allTypes) };
     }
   }
-  return { osPackages: pkgList, allTypes: Array.from(allTypes) };
+  return {
+    osPackages: pkgList,
+    dependenciesList,
+    allTypes: Array.from(allTypes)
+  };
+};
+
+const retrieveDependencies = (tmpDependencies, origBomRef, comp) => {
+  try {
+    const tmpDependsOn = tmpDependencies[origBomRef] || [];
+    const dependsOn = new Set();
+    tmpDependsOn.forEach((d) => {
+      try {
+        const compPurl = PackageURL.fromString(comp.purl);
+        const tmpPurl = PackageURL.fromString(d.replace("none", compPurl.type));
+        tmpPurl.type = compPurl.type;
+        tmpPurl.namespace = compPurl.namespace;
+        if (compPurl.qualifiers) {
+          if (compPurl.qualifiers.distro_name) {
+            tmpPurl.qualifiers.distro_name = compPurl.qualifiers.distro_name;
+          }
+          if (compPurl.qualifiers.distro) {
+            tmpPurl.qualifiers.distro = compPurl.qualifiers.distro;
+          }
+        }
+        dependsOn.add(decodeURIComponent(tmpPurl.toString()));
+      } catch (e) {
+        // ignore
+      }
+    });
+    return { ref: comp["bom-ref"], dependsOn: Array.from(dependsOn).sort() };
+  } catch (e) {
+    // ignore
+  }
+  return undefined;
 };
 
 export const executeOsQuery = (query) => {
@@ -487,10 +612,11 @@ export const executeOsQuery = (query) => {
     }
     const args = ["--json", query];
     if (DEBUG_MODE) {
-      console.log("Execuing", OSQUERY_BIN, args.join(" "));
+      console.log("Executing", OSQUERY_BIN, args.join(" "));
     }
     const result = spawnSync(OSQUERY_BIN, args, {
-      encoding: "utf-8"
+      encoding: "utf-8",
+      maxBuffer: 50 * 1024 * 1024
     });
     if (result.status !== 0 || result.error) {
       if (DEBUG_MODE && result.error) {
@@ -502,7 +628,17 @@ export const executeOsQuery = (query) => {
       if (stdout) {
         const cmdOutput = Buffer.from(stdout).toString();
         if (cmdOutput !== "") {
-          return JSON.parse(cmdOutput);
+          try {
+            return JSON.parse(cmdOutput);
+          } catch (err) {
+            // ignore
+            if (DEBUG_MODE) {
+              console.log("Unable to parse the output from query", query);
+              console.log(
+                "This could be due to the amount of data returned or the query being invalid for the given platform."
+              );
+            }
+          }
         }
         return undefined;
       }

package/data/queries-win.json

@@ -0,0 +1,200 @@
+{
+  "win_version": {
+    "query": "select tb1.name, tb1.build_version, (case when (arch like '%-bit') then concat('x', replace(arch,'-bit', '')) else arch end) as arch, 'Microsoft' as publisher, tb2.version from (select name, version as build_version, arch from os_version) tb1,(select data as version from registry where path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DisplayVersion') tb2;",
+    "name": "win_version",
+    "description": "Retrieves the name, version number, build version, and arch of the target Windows system.",
+    "purlType": "swid",
+    "componentType": "operating-system"
+  },
+  "kernel_info": {
+    "query": "select * from kernel_info;",
+    "name": "os-image",
+    "description": "Retrieves information from the current kernel in the target system.",
+    "purlType": "swid"
+  },
+  "chrome_extensions": {
+    "query": "select chrome_extensions.* from users join chrome_extensions using (uid);",
+    "description": "Retrieves the list of extensions for Chrome in the target system.",
+    "purlType": "swid"
+  },
+  "firefox_addons": {
+    "query": "select firefox_addons.* from users join firefox_addons using (uid);",
+    "description": "Retrieves the list of addons for Firefox in the target system.",
+    "purlType": "swid"
+  },
+  "browser_plugins": {
+    "query": "select browser_plugins.* from users join browser_plugins using (uid);",
+    "description": "Retrieves the list of C/NPAPI browser plugin in the target system.",
+    "purlType": "swid"
+  },
+  "ie_extensions": {
+    "query": "select ie_extensions.* from users join ie_extensions using (uid);",
+    "description": "Retrieves the list of extensions for IE in the target system.",
+    "purlType": "swid"
+  },
+  "opera_extensions": {
+    "query": "select opera_extensions.* from users join opera_extensions using (uid);",
+    "description": "Retrieves the list of extensions for opera in the target system.",
+    "purlType": "swid"
+  },
+  "safari_extensions": {
+    "query": "select safari_extensions.* from users join safari_extensions using (uid);",
+    "description": "Retrieves the list of extensions for safari in the target system.",
+    "purlType": "swid"
+  },
+  "python_packages": {
+    "query": "select * from python_packages;",
+    "description": "Python packages installed on system.",
+    "purlType": "pypi"
+  },
+  "windows_programs": {
+    "query": "select * from programs;",
+    "description": "Retrieves the list of products as they are installed by Windows Installer in the target Windows system.",
+    "purlType": "swid"
+  },
+  "windows_patches": {
+    "query": "select * from patches;",
+    "description": "Retrieves all the information for the current windows drivers in the target Windows system.",
+    "purlType": "swid"
+  },
+  "windows_drivers": {
+    "query": "select * from drivers;",
+    "description": "Retrieves all the information for the current windows drivers in the target Windows system.",
+    "purlType": "swid"
+  },
+  "windows_shared_resources": {
+    "query": "select * from shared_resources;",
+    "description": "Retrieves the list of shared resources in the target Windows system.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "appcompat_shims": {
+    "query": "SELECT * FROM appcompat_shims WHERE description!='EMET_Database' AND executable NOT IN ('setuphost.exe','setupprep.exe','iisexpress.exe');",
+    "description": "Appcompat shims (.sdb files) installed on Windows hosts.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "system_info_snapshot": {
+    "query": "SELECT * FROM system_info;",
+    "description": "System info snapshot query.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "pipes_snapshot": {
+    "query": "SELECT processes.path, processes.cmdline, processes.uid, processes.on_disk, pipes.name, pid FROM pipes JOIN processes USING (pid);",
+    "description": "Pipes snapshot query.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "services_snapshot": {
+    "query": "SELECT * FROM services;",
+    "description": "Services snapshot query.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "wmi_cli_event_consumers": {
+    "query": "SELECT * FROM wmi_cli_event_consumers;",
+    "description": "WMI CommandLineEventConsumer, which can be used for persistence on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "wmi_filter_consumer_binding": {
+    "query": "SELECT * FROM wmi_filter_consumer_binding;",
+    "description": "Lists the relationship between event consumers and filters.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "wmi_cli_event_consumers_snapshot": {
+    "query": "SELECT * FROM wmi_cli_event_consumers;",
+    "description": "Snapshot query for WMI event consumers.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "certificates": {
+    "query": "SELECT * FROM certificates WHERE path != 'Other People';",
+    "description": "List all certificates in the trust store.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "wmi_event_filters": {
+    "query": "SELECT * FROM wmi_event_filters;",
+    "description": "Lists WMI event filters.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "etc_hosts": {
+    "query": "SELECT * FROM etc_hosts;",
+    "description": "List the contents of the Windows hosts file.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "scheduled_tasks": {
+    "query": "SELECT * FROM scheduled_tasks;",
+    "description": "List all scheduled_tasks.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "chocolatey_packages": {
+    "query": "SELECT * FROM chocolatey_packages;",
+    "description": "List all chocolatey_packages.",
+    "purlType": "chocolatey"
+  },
+  "npm_packages": {
+    "query": "SELECT * FROM npm_packages;",
+    "description": "List all npm_packages.",
+    "purlType": "npm"
+  },
+  "atom_packages": {
+    "query": "SELECT * FROM atom_packages;",
+    "description": "List all atom_packages.",
+    "purlType": "atom"
+  },
+  "startup_items": {
+    "query": "SELECT * FROM startup_items;",
+    "description": "List all startup_items.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "routes": {
+    "query": "SELECT * FROM routes;",
+    "description": "List all routes.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "listening_ports": {
+    "query": "SELECT * FROM listening_ports;",
+    "description": "List all listening_ports.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "processes": {
+    "query": "SELECT * FROM processes;",
+    "description": "List all processes.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "process_open_sockets": {
+    "query": "SELECT * FROM process_open_sockets;",
+    "description": "List all process_open_sockets.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "windows_update_history": {
+    "query": "SELECT * FROM windows_update_history;",
+    "description": "List all windows_update_history.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "windows_optional_features": {
+    "query": "SELECT * FROM windows_optional_features;",
+    "description": "List all windows_optional_features.",
+    "purlType": "swid",
+    "componentType": "data"
+  },
+  "windows_firewall_rules": {
+    "query": "SELECT * FROM windows_firewall_rules;",
+    "description": "List all windows_firewall_rules.",
+    "purlType": "swid",
+    "componentType": "data"
+  }
+}