@cyclonedx/cdxgen 9.6.1 → 9.7.1

package/README.md

@@ -4,7 +4,7 @@
 
 cdxgen is a cli tool, library, [REPL](./ADVANCED.md) and server to create a valid and compliant [CycloneDX][cyclonedx-homepage] Software Bill-of-Materials (SBOM) containing an aggregate of all project dependencies for c/c++, node.js, php, python, ruby, rust, java, .Net, dart, haskell, elixir, and Go projects in JSON format. CycloneDX 1.5 is a lightweight SBOM specification that is easily created, human and machine-readable, and simple to parse.
 
-When used with plugins, cdxgen could generate an SBoM for Linux docker images and even VMs running Linux or Windows operating system. cdxgen also includes a tool called `evinse` that can generate component evidences for some languages.
+When used with plugins, cdxgen could generate an OBoM for Linux docker images and even VMs running Linux or Windows operating system. cdxgen also includes a tool called `evinse` that can generate component evidences and SaaSBoM for some languages.
 
 NOTE:
 
@@ -90,6 +90,12 @@ sudo npm install -g @cyclonedx/cdxgen
 sudo npm install -g @cyclonedx/cdxgen@8.6.0
 ```
 
+If you are a [Homebrew](https://brew.sh/) user, you can also install [cdxgen](https://formulae.brew.sh/formula/cdxgen) via:
+
+```shell
+$ brew install cdxgen
+```
+
 Deno install is also supported.
 
 ```shell
@@ -127,9 +133,7 @@ Options:
   -r, --recurse                Recurse mode suitable for mono-repos. Defaults to
                                 true. Pass --no-recurse to disable.
                                                        [boolean] [default: true]
-  -p, --print                  Print the SBoM as a table with tree. Defaults to
-                               true if output file is not specified with -o
-                                                                       [boolean]
+  -p, --print                  Print the SBoM as a table with tree.    [boolean]
   -c, --resolve-class          Resolve class names for packages. jars only for n
                                ow.                                     [boolean]
       --deep                   Perform deep searches for components. Useful whil
@@ -163,8 +167,8 @@ Options:
                                                        [boolean] [default: true]
       --spec-version           CycloneDX Specification version to use. Defaults
                                to 1.5                             [default: 1.5]
-      --version                Show version number                     [boolean]
-  -h                           Show help                               [boolean]
+  -h, --help                   Show help                               [boolean]
+  -v, --version                Show version number                     [boolean]
 ```
 
 All boolean arguments accepts `--no` prefix to toggle the behavior.
@@ -294,6 +298,8 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
 | MVN_CMD                      | Set to override maven command                                                                                                        |
 | MVN_ARGS                     | Set to pass additional arguments such as profile or settings to maven                                                                |
 | MAVEN_HOME                   | Specify maven home                                                                                                                   |
+| MAVEN_CENTRAL_URL            | Specify URL of Maven Central for metadata fetching (e.g. when private repo is used)                                                  |
+| BAZEL_STRIP_MAVEN_PREFIX     | Strip Maven group prefix (e.g. useful when private repo is used, defaults to `/maven2/`)                                             |
 | GRADLE_CACHE_DIR             | Specify gradle cache directory. Useful for class name resolving                                                                      |
 | GRADLE_MULTI_PROJECT_MODE    | Unused. Automatically handled                                                                                                        |
 | GRADLE_ARGS                  | Set to pass additional arguments such as profile or settings to gradle (all tasks). Eg: --configuration runtimeClassPath             |
@@ -366,15 +372,17 @@ systemctl --user start podman.socket
 podman system service -t 0 &
 ```
 
-### Generate SBoM for a live system
+### Generate OBoM for a live system
 
-You can use cdxgen to generate SBoM for a live system or a VM for compliance and vulnerability management purposes by passing the argument `-t os`.
+You can use the `obom` command to generate an OBoM for a live system or a VM for compliance and vulnerability management purposes. Windows and Linux operating systems are supported in this mode.
 
 ```shell
-cdxgen -t os
+# obom is an alias for cdxgen -t os
+obom
+# cdxgen -t os
 ```
 
-This feature is powered by osquery which is [installed](https://github.com/cyclonedx/cdxgen-plugins-bin/blob/main/build.sh#L8) along with the binary plugins. cdxgen would opportunistically try to detect as many components, apps and extensions as possible using the [default queries](queries.json). The process would take several minutes and result in an SBoM file with thousands of components.
+This feature is powered by osquery which is [installed](https://github.com/cyclonedx/cdxgen-plugins-bin/blob/main/build.sh#L8) along with the binary plugins. cdxgen would opportunistically try to detect as many components, apps and extensions as possible using the [default queries](queries.json). The process would take several minutes and result in an SBoM file with thousands of components of various types such as operating-system, device-drivers, files, and data.
 
 ## Generating SaaSBoM and component evidences
 

package/bin/cdxgen.js

@@ -41,8 +41,7 @@ const args = yargs(hideBin(process.argv))
   .option("print", {
     alias: "p",
     type: "boolean",
-    description:
-      "Print the SBoM as a table with tree. Defaults to true if output file is not specified with -o"
+    description: "Print the SBoM as a table with tree."
   })
   .option("resolve-class", {
     alias: "c",
@@ -122,7 +121,9 @@ const args = yargs(hideBin(process.argv))
   })
   .scriptName("cdxgen")
   .version()
-  .help("h").argv;
+  .alias("v", "version")
+  .help("h")
+  .alias("h", "help").argv;
 
 if (args.version) {
   const packageJsonAsString = fs.readFileSync(
@@ -157,6 +158,11 @@ if (args.serverUrl || args.apiKey) {
   args.specVersion = 1.4;
 }
 
+// Support for obom aliases
+if (process.argv[1].includes("obom") && !args.type) {
+  args.type = "os";
+}
+
 /**
  * projectType: python, nodejs, java, golang
  * multiProject: Boolean to indicate monorepo or multi-module projects
@@ -229,7 +235,6 @@ const checkPermissions = (filePath) => {
   const bomNSData = (await createBom(filePath, options)) || {};
   if (!args.output) {
     args.output = "bom.json";
-    args.print = true;
   }
   if (
     args.output &&

package/bin/repl.js

@@ -12,6 +12,7 @@ import { validateBom } from "../validator.js";
 import {
   printCallStack,
   printOccurrences,
+  printOSTable,
   printTable,
   printDependencyTree,
   printServices
@@ -32,8 +33,8 @@ process.env.NODE_NO_READLINE = 1;
 const cdxArt = `
  ██████╗██████╗ ██╗  ██╗
 ██╔════╝██╔══██╗╚██╗██╔╝
-██║     ██║  ██║ ╚███╔╝ 
-██║     ██║  ██║ ██╔██╗ 
+██║     ██║  ██║ ╚███╔╝
+██║     ██║  ██║ ██╔██╗
 ╚██████╗██████╔╝██╔╝ ██╗
  ╚═════╝╚═════╝ ╚═╝  ╚═╝
 `;
@@ -109,16 +110,16 @@ cdxgenRepl.defineCommand("create", {
     });
     if (bomNSData) {
       sbom = bomNSData.bomJson;
-      console.log("✅ SBoM imported successfully.");
-      console.log("💭 Type .print to view the SBoM as a table");
+      console.log("✅ BoM imported successfully.");
+      console.log("💭 Type .print to view the BoM as a table");
     } else {
-      console.log("SBoM was not generated successfully");
+      console.log("BoM was not generated successfully");
     }
     this.displayPrompt();
   }
 });
 cdxgenRepl.defineCommand("import", {
-  help: "import an existing SBoM",
+  help: "import an existing BoM",
   action(sbomOrPath) {
     this.clearBufferedCommand();
     importSbom(sbomOrPath);
@@ -138,14 +139,14 @@ cdxgenRepl.defineCommand("sbom", {
       console.log(sbom);
     } else {
       console.log(
-        "⚠ No SBoM is loaded. Use .import command to import an existing SBoM"
+        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
       );
     }
     this.displayPrompt();
   }
 });
 cdxgenRepl.defineCommand("search", {
-  help: "search the current sbom. performs case insensitive search on various attributes.",
+  help: "search the current bom. performs case insensitive search on various attributes.",
   async action(searchStr) {
     if (sbom) {
       if (searchStr) {
@@ -170,14 +171,14 @@ cdxgenRepl.defineCommand("search", {
       }
     } else {
       console.log(
-        "⚠ No SBoM is loaded. Use .import command to import an existing SBoM"
+        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
       );
     }
     this.displayPrompt();
   }
 });
 cdxgenRepl.defineCommand("sort", {
-  help: "sort the current sbom based on the attribute",
+  help: "sort the current bom based on the attribute",
   async action(sortStr) {
     if (sbom) {
       if (sortStr) {
@@ -204,14 +205,14 @@ cdxgenRepl.defineCommand("sort", {
       }
     } else {
       console.log(
-        "⚠ No SBoM is loaded. Use .import command to import an existing SBoM"
+        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
       );
     }
     this.displayPrompt();
   }
 });
 cdxgenRepl.defineCommand("query", {
-  help: "query the current sbom using jsonata expression",
+  help: "query the current bom using jsonata expression",
   async action(querySpec) {
     if (sbom) {
       if (querySpec) {
@@ -228,20 +229,20 @@ cdxgenRepl.defineCommand("query", {
       }
     } else {
       console.log(
-        "⚠ No SBoM is loaded. Use .import command to import an existing SBoM"
+        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
       );
     }
     this.displayPrompt();
   }
 });
 cdxgenRepl.defineCommand("print", {
-  help: "print the current sbom as a table",
+  help: "print the current bom as a table",
   action() {
     if (sbom) {
       printTable(sbom);
     } else {
       console.log(
-        "⚠ No SBoM is loaded. Use .import command to import an existing SBoM"
+        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
       );
     }
     this.displayPrompt();
@@ -254,14 +255,14 @@ cdxgenRepl.defineCommand("tree", {
       printDependencyTree(sbom);
     } else {
       console.log(
-        "⚠ No SBoM is loaded. Use .import command to import an existing SBoM"
+        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
       );
     }
     this.displayPrompt();
   }
 });
 cdxgenRepl.defineCommand("validate", {
-  help: "validate the sbom using jsonschema",
+  help: "validate the bom using jsonschema",
   action() {
     if (sbom) {
       const result = validateBom(sbom);
@@ -270,31 +271,31 @@ cdxgenRepl.defineCommand("validate", {
       }
     } else {
       console.log(
-        "⚠ No SBoM is loaded. Use .import command to import an existing SBoM"
+        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
       );
     }
     this.displayPrompt();
   }
 });
 cdxgenRepl.defineCommand("save", {
-  help: "save the sbom to a new file",
+  help: "save the bom to a new file",
   action(saveToFile) {
     if (sbom) {
       if (!saveToFile) {
         saveToFile = "bom.json";
       }
       fs.writeFileSync(saveToFile, JSON.stringify(sbom, null, 2));
-      console.log(`SBoM saved successfully to ${saveToFile}`);
+      console.log(`BoM saved successfully to ${saveToFile}`);
     } else {
       console.log(
-        "⚠ No SBoM is loaded. Use .import command to import an existing SBoM"
+        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
       );
     }
     this.displayPrompt();
   }
 });
 cdxgenRepl.defineCommand("update", {
-  help: "update the sbom components based on the given query",
+  help: "update the bom components based on the given query",
   async action(updateSpec) {
     if (sbom) {
       if (!updateSpec) {
@@ -312,10 +313,10 @@ cdxgenRepl.defineCommand("update", {
       if (newSbom && newSbom.components.length <= sbom.components.length) {
         sbom = newSbom;
       }
-      console.log("SBoM updated successfully.");
+      console.log("BoM updated successfully.");
     } else {
       console.log(
-        "⚠ No SBoM is loaded. Use .import command to import an existing SBoM"
+        "⚠ No BoM is loaded. Use .import command to import an existing BoM"
       );
     }
     this.displayPrompt();
@@ -332,7 +333,7 @@ cdxgenRepl.defineCommand("occurrences", {
         let components = await expression.evaluate(sbom);
         if (!components) {
           console.log(
-            "No results found. Use evinse command to generate an SBoM with evidence."
+            "No results found. Use evinse command to generate an BoM with evidence."
           );
         } else {
           if (!Array.isArray(components)) {
@@ -345,7 +346,7 @@ cdxgenRepl.defineCommand("occurrences", {
       }
     } else {
       console.log(
-        "⚠ No SBoM is loaded. Use .import command to import an evinse SBoM"
+        "⚠ No BoM is loaded. Use .import command to import an evinse BoM"
       );
     }
     this.displayPrompt();
@@ -425,3 +426,130 @@ cdxgenRepl.defineCommand("services", {
     this.displayPrompt();
   }
 });
+cdxgenRepl.defineCommand("osinfocategories", {
+  help: "view the category names for the OS info from the obom",
+  async action() {
+    if (sbom) {
+      try {
+        const expression = jsonata(
+          '$distinct(components.properties[name="cdx:osquery:category"].value)'
+        );
+        let catgories = await expression.evaluate(sbom);
+        if (!catgories) {
+          console.log(
+            "Unable to retrieve the os info categories. Only OBoMs generated by cdxgen are supported by this tool."
+          );
+        } else {
+          console.log(catgories.join("\n"));
+        }
+      } catch (e) {
+        console.log(e);
+      }
+    } else {
+      console.log(
+        "⚠ No OBoM is loaded. Use .import command to import an OBoM"
+      );
+    }
+    this.displayPrompt();
+  }
+});
+
+// Let's dynamically define more commands from the queries
+[
+  "apt_sources",
+  "behavioral_reverse_shell",
+  "certificates",
+  "chrome_extensions",
+  "crontab_snapshot",
+  "deb_packages",
+  "docker_container_ports",
+  "docker_containers",
+  "docker_networks",
+  "docker_volumes",
+  "etc_hosts",
+  "firefox_addons",
+  "homebrew_packages",
+  "installed_applications",
+  "interface_addresses",
+  "kernel_info",
+  "kernel_integrity",
+  "kernel_modules",
+  "ld_preload",
+  "listening_ports",
+  "os_version",
+  "pipes",
+  "pipes_snapshot",
+  "portage_packages",
+  "process_events",
+  "processes",
+  "python_packages",
+  "rpm_packages",
+  "scheduled_tasks",
+  "services_snapshot",
+  "startup_items",
+  "system_info_snapshot",
+  "windows_drivers",
+  "windows_patches",
+  "windows_programs",
+  "windows_shared_resources",
+  "yum_sources",
+  "appcompat_shims",
+  "atom_packages",
+  "browser_plugins",
+  "certificates",
+  "chocolatey_packages",
+  "chrome_extensions",
+  "etc_hosts",
+  "firefox_addons",
+  "ie_extensions",
+  "kernel_info",
+  "npm_packages",
+  "opera_extensions",
+  "pipes_snapshot",
+  "process_open_sockets",
+  "safari_extensions",
+  "scheduled_tasks",
+  "services_snapshot",
+  "startup_items",
+  "routes",
+  "system_info_snapshot",
+  "win_version",
+  "windows_firewall_rules",
+  "windows_optional_features",
+  "windows_programs",
+  "windows_shared_resources",
+  "windows_update_history",
+  "wmi_cli_event_consumers",
+  "wmi_cli_event_consumers_snapshot",
+  "wmi_event_filters",
+  "wmi_filter_consumer_binding"
+].forEach((c) => {
+  cdxgenRepl.defineCommand(c, {
+    help: `query the ${c} category from the OS info`,
+    async action() {
+      if (sbom) {
+        try {
+          const expression = jsonata(
+            `components[properties[name="cdx:osquery:category" and value="${c}"]]`
+          );
+          let components = await expression.evaluate(sbom);
+          if (!components) {
+            console.log("No results found.");
+          } else {
+            if (!Array.isArray(components)) {
+              components = [components];
+            }
+            printOSTable({ components });
+          }
+        } catch (e) {
+          console.log(e);
+        }
+      } else {
+        console.log(
+          "⚠ No OBoM is loaded. Use .import command to import an OBoM"
+        );
+      }
+      this.displayPrompt();
+    }
+  });
+});

package/bin/verify.js

@@ -40,6 +40,25 @@ if (args.version) {
 }
 
 const bomJson = JSON.parse(fs.readFileSync(args.input, "utf8"));
+let hasInvalidComp = false;
+// Validate any component signature
+for (const comp of bomJson.components) {
+  if (comp.signature) {
+    const compSignature = comp.signature.value;
+    const validationResult = jws.verify(
+      compSignature,
+      comp.signature.algorithm,
+      fs.readFileSync(args.publicKey, "utf8")
+    );
+    if (!validationResult) {
+      console.log(`${comp["bom-ref"]} signature is invalid!`);
+      hasInvalidComp = true;
+    }
+  }
+}
+if (hasInvalidComp) {
+  process.exit(1);
+}
 const bomSignature =
   bomJson.signature && bomJson.signature.value
     ? bomJson.signature.value

package/binary.js

@@ -17,6 +17,7 @@ const isWin = _platform() === "win32";
 
 let platform = _platform();
 let extn = "";
+let pluginsBinSuffix = "";
 if (platform == "win32") {
   platform = "windows";
   extn = ".exe";
@@ -30,6 +31,13 @@ switch (arch) {
   case "x64":
     arch = "amd64";
     break;
+  case "arm64":
+    pluginsBinSuffix = "-arm64";
+    break;
+  case "ppc64":
+    arch = "ppc64le";
+    pluginsBinSuffix = "-ppc64";
+    break;
 }
 
 // Retrieve the cdxgen plugins directory
@@ -46,14 +54,20 @@ if (
 if (
   !CDXGEN_PLUGINS_DIR &&
   existsSync(
-    join(dirName, "node_modules", "@cyclonedx", "cdxgen-plugins-bin", "plugins")
+    join(
+      dirName,
+      "node_modules",
+      "@cyclonedx",
+      "cdxgen-plugins-bin" + pluginsBinSuffix,
+      "plugins"
+    )
   ) &&
   existsSync(
     join(
       dirName,
       "node_modules",
       "@cyclonedx",
-      "cdxgen-plugins-bin",
+      "cdxgen-plugins-bin" + pluginsBinSuffix,
       "plugins",
       "goversion"
     )
@@ -63,7 +77,7 @@ if (
     dirName,
     "node_modules",
     "@cyclonedx",
-    "cdxgen-plugins-bin",
+    "cdxgen-plugins-bin" + pluginsBinSuffix,
     "plugins"
   );
 }
@@ -88,7 +102,7 @@ if (!CDXGEN_PLUGINS_DIR) {
   const globalPlugins = join(
     globalNodePath,
     "@cyclonedx",
-    "cdxgen-plugins-bin",
+    "cdxgen-plugins-bin" + pluginsBinSuffix,
     "plugins"
   );
   if (existsSync(globalPlugins)) {
@@ -323,15 +337,21 @@ export const getOSPackages = (src) => {
         }
       }
       const osReleaseData = {};
-      // Let's try to read the os-release file
-      if (existsSync(join(src, "usr", "lib", "os-release"))) {
+      let osReleaseFile = undefined;
+      // Let's try to read the os-release file from various locations
+      if (existsSync(join(src, "etc", "os-release"))) {
+        osReleaseFile = join(src, "etc", "os-release");
+      } else if (existsSync(join(src, "usr", "lib", "os-release"))) {
+        osReleaseFile = join(src, "usr", "lib", "os-release");
+      }
+      if (osReleaseFile) {
         const osReleaseInfo = readFileSync(
           join(src, "usr", "lib", "os-release"),
           "utf-8"
         );
         if (osReleaseInfo) {
           osReleaseInfo.split("\n").forEach((l) => {
-            if (l.includes("=")) {
+            if (!l.startsWith("#") && l.includes("=")) {
               const tmpA = l.split("=");
               osReleaseData[tmpA[0]] = tmpA[1].replace(/"/g, "");
             }
@@ -592,10 +612,11 @@ export const executeOsQuery = (query) => {
     }
     const args = ["--json", query];
     if (DEBUG_MODE) {
-      console.log("Execuing", OSQUERY_BIN, args.join(" "));
+      console.log("Executing", OSQUERY_BIN, args.join(" "));
     }
     const result = spawnSync(OSQUERY_BIN, args, {
-      encoding: "utf-8"
+      encoding: "utf-8",
+      maxBuffer: 50 * 1024 * 1024
     });
     if (result.status !== 0 || result.error) {
       if (DEBUG_MODE && result.error) {
@@ -607,7 +628,17 @@ export const executeOsQuery = (query) => {
       if (stdout) {
         const cmdOutput = Buffer.from(stdout).toString();
         if (cmdOutput !== "") {
-          return JSON.parse(cmdOutput);
+          try {
+            return JSON.parse(cmdOutput);
+          } catch (err) {
+            // ignore
+            if (DEBUG_MODE) {
+              console.log("Unable to parse the output from query", query);
+              console.log(
+                "This could be due to the amount of data returned or the query being invalid for the given platform."
+              );
+            }
+          }
         }
         return undefined;
       }