@cyclonedx/cdxgen
Creates CycloneDX Software Bill of Materials (SBOM) from source or container image
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:credential-dir-access | AI (semgrep): cdxgen scans filesystem for SBOM generation; reading docker config paths is expected behavior. | ai | |
| semgrep | semgrep:dll-hijacking-commands | AI (semgrep): lolbas.js is a reference list of known LOLBins for security analysis, not actual DLL hijacking. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): SBOM generator needs full env context to invoke build tools; spreading process.env is intentional. | ai | |
| semgrep | semgrep:etc-passwd-access | AI (semgrep): Appears in a test fixture for directory traversal safety checks, not production credential harvesting. | ai | |
| semgrep | semgrep:dll-injection-apis | AI (semgrep): Reference to LD_PRELOAD etc. is in an env-var allowlist/denylist for SBOM generation, not injection code. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Enumerating env vars to capture build environment metadata is core to SBOM formulation. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): toBase64() is a utility for encoding hashes/digests in SBOM output, not payload obfuscation. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Raw IP appears in a test fixture for IRI parsing, not a live network request. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Decoding a user-supplied private key env var for SBOM signing is documented and expected functionality. | ai | |
Versions (showing 10 of 10)
| Version | Deps | Published |
|---|---|---|
| 12.5.1 | 35 / 5 | |
| 12.5.0 | 35 / 5 | |
| 12.4.4 | 36 / 5 | |
| 12.4.3 | 36 / 5 | |
| 12.4.2 | 36 / 5 | |
| 12.4.1 | 36 / 5 | |
| 12.4.0 | 36 / 5 | |
| 12.3.3 | 36 / 5 | |
| 12.3.0 | 36 / 5 | |
| 12.0.0 | 41 / 3 | |
v12.5.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v12.5.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v12.4.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v12.4.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v12.4.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v12.4.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v12.4.0
2 findings
Accessing credential directories suggests credential harvesting
```
294 | {
295 | matcher: (lowerPath, baseName) =>
> 296 | lowerPath.includes("/.docker/config.json") ||
297 | (baseName === "config.json" && lowerPath.includes("/docker")),
298 | metadata: {
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v12.3.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v12.3.0
36 findings
DLL injection API detected — potential process injection attack
```
653 | "LD_LIBRARY_PATH",
654 | "DYLD_LIBRARY_PATH",
> 655 | "LD_PRELOAD",
656 | "PYTHONPATH",
657 | "CLASSPATH",
```
Spreading entire process.env into an object — may capture all secrets
```
2391 | writeFileSync(tempSbtPlugins, sbtPluginDefinition);
2392 | let sbtExtraArgs = "";
> 2393 | const env = { ...process.env };
2394 | // We need to collect the jars from the cache
2395 | if (options.deep) {
```
Spreading entire process.env into an object — may capture all secrets
```
6901 | cwd: path,
6902 | shell: isWin,
> 6903 | env: { ...process.env, DOTNET_ROLL_FORWARD: "Major" },
6904 | });
6905 | if (DEBUG_MODE && (result.status !== 0 || result.error)) {
```
Spreading entire process.env into an object — may capture all secrets
```
951 | shell: isWin,
952 | cwd: basePath,
> 953 | env: {
954 | ...process.env,
955 | GEM_HOME: cdxgenGemHome,
```
Spreading entire process.env into an object — may capture all secrets
```
1006 | shell: isWin,
1007 | cwd: basePath,
> 1008 | env: {
1009 | ...process.env,
1010 | GEM_HOME: cdxgenGemHome,
```
DLL side-loading command detected — potential DLL hijacking
```
19 | ["msbuild", "msbuild.exe"],
20 | ["mshta", "mshta.exe"],
> 21 | ["msiexec", "msiexec.exe"],
22 | ["odbcconf", "odbcconf.exe"],
23 | ["powershell", "powershell.exe"],
```
DLL side-loading command detected — potential DLL hijacking
```
19 | ["msbuild", "msbuild.exe"],
20 | ["mshta", "mshta.exe"],
> 21 | ["msiexec", "msiexec.exe"],
22 | ["odbcconf", "odbcconf.exe"],
23 | ["powershell", "powershell.exe"],
```
DLL side-loading command detected — potential DLL hijacking
```
23 | ["powershell", "powershell.exe"],
24 | ["pwsh", "pwsh.exe"],
> 25 | ["regsvr32", "regsvr32.exe"],
26 | ["rundll32", "rundll32.exe"],
27 | ["wmic", "wmic.exe"],
```
DLL side-loading command detected — potential DLL hijacking
```
23 | ["powershell", "powershell.exe"],
24 | ["pwsh", "pwsh.exe"],
> 25 | ["regsvr32", "regsvr32.exe"],
26 | ["rundll32", "rundll32.exe"],
27 | ["wmic", "wmic.exe"],
```
DLL side-loading command detected — potential DLL hijacking
```
24 | ["pwsh", "pwsh.exe"],
25 | ["regsvr32", "regsvr32.exe"],
> 26 | ["rundll32", "rundll32.exe"],
27 | ["wmic", "wmic.exe"],
28 | ["wscript", "wscript.exe"],
```
DLL side-loading command detected — potential DLL hijacking
```
24 | ["pwsh", "pwsh.exe"],
25 | ["regsvr32", "regsvr32.exe"],
> 26 | ["rundll32", "rundll32.exe"],
27 | ["wmic", "wmic.exe"],
28 | ["wscript", "wscript.exe"],
```
DLL side-loading command detected — potential DLL hijacking
```
44 | ];
45 | const STANDALONE_COMMAND_PATTERN =
> 46 | /\b(bitsadmin|certutil|cmd|cmdkey|cmstp|cscript|ftp|installutil|msbuild|mshta|msiexec|odbcconf|powershell|pwsh|regsvr3
47 | const WINDOWS_EXECUTABLE_PATTERN =
48 | /(?:[a-z]:\\[^\s"'`,;|]+|\\\\[^\s"'`,;|]+|[a-z0-9._-]+)\.(?:exe|cmd|bat|dll|hta|js|jse|ps1|vbs|vbe|wsf|wsh)\b/gi;
```
DLL side-loading command detected — potential DLL hijacking
```
44 | ];
45 | const STANDALONE_COMMAND_PATTERN =
> 46 | /\b(bitsadmin|certutil|cmd|cmdkey|cmstp|cscript|ftp|installutil|msbuild|mshta|msiexec|odbcconf|powershell|pwsh|regsvr3
47 | const WINDOWS_EXECUTABLE_PATTERN =
48 | /(?:[a-z]:\\[^\s"'`,;|]+|\\\\[^\s"'`,;|]+|[a-z0-9._-]+)\.(?:exe|cmd|bat|dll|hta|js|jse|ps1|vbs|vbe|wsf|wsh)\b/gi;
```
DLL side-loading command detected — potential DLL hijacking
```
44 | ];
45 | const STANDALONE_COMMAND_PATTERN =
> 46 | /\b(bitsadmin|certutil|cmd|cmdkey|cmstp|cscript|ftp|installutil|msbuild|mshta|msiexec|odbcconf|powershell|pwsh|regsvr3
47 | const WINDOWS_EXECUTABLE_PATTERN =
48 | /(?:[a-z]:\\[^\s"'`,;|]+|\\\\[^\s"'`,;|]+|[a-z0-9._-]+)\.(?:exe|cmd|bat|dll|hta|js|jse|ps1|vbs|vbe|wsf|wsh)\b/gi;
```
DLL side-loading command detected — potential DLL hijacking
```
15 |
16 | it("resolves fully qualified Windows paths", () => {
> 17 | const metadata = getLolbasMetadata("C:\\Windows\\System32\\regsvr32.exe");
18 | assert.ok(metadata);
19 | assert.strictEqual(metadata.canonicalName, "regsvr32.exe");
```
DLL side-loading command detected — potential DLL hijacking
```
17 | const metadata = getLolbasMetadata("C:\\Windows\\System32\\regsvr32.exe");
18 | assert.ok(metadata);
> 19 | assert.strictEqual(metadata.canonicalName, "regsvr32.exe");
20 | assert.ok(metadata.riskTags.includes("proxy-execution"));
21 | });
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```
328 | it("should handle directory traversal patterns in environment variables safely", () => {
329 | const traversalEnv = {
> 330 | VIRTUAL_ENV: "../../../../../etc/passwd",
331 | CONDA_PREFIX: "..\\..\\..\\Windows\\System32",
332 | };
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```
334 | const meta = getVenvMetadata(traversalEnv);
335 | assert.deepStrictEqual(meta.type, "unknown");
> 336 | assert.deepStrictEqual(meta.path, "../../../../../etc/passwd");
337 | });
338 |
```
Spreading entire process.env into an object — may capture all secrets
```
92 | };
93 | const env = isSecureMode
> 94 | ? {
95 | ...process.env,
96 | ...envConfigs,
```
Spreading entire process.env into an object — may capture all secrets
```
99 | GIT_ALLOW_PROTOCOL: gitAllowProtocol,
100 | }
> 101 | : {
102 | ...process.env,
103 | ...envConfigs,
```
Spreading entire process.env into an object — may capture all secrets
```
9142 | timeout: 5000,
9143 | cwd: filePath,
> 9144 | env: {
9145 | ...process.env,
9146 | GEM_HOME: gemHome,
```
Spreading entire process.env into an object — may capture all secrets
```
13952 | export async function collectJarNS(jarPath, pomPathMap = {}) {
13953 | const jarNSMapping = {};
> 13954 | const env = {
13955 | ...process.env,
13956 | };
```
Spreading entire process.env into an object — may capture all secrets
```
14468 | copyFileSync(jarFile, join(tempDir, fname), constants.COPYFILE_FICLONE);
14469 | }
> 14470 | const env = {
14471 | ...process.env,
14472 | };
```
Spreading entire process.env into an object — may capture all secrets
```
16021 | console.log("Executing", ATOM_BIN);
16022 | }
> 16023 | const env = {
16024 | ...process.env,
16025 | ...extra_env,
```
Spreading entire process.env into an object — may capture all secrets
```
16299 | let result;
16300 | let frozen = true;
> 16301 | const env = {
16302 | ...process.env,
16303 | };
```
Spreading entire process.env into an object — may capture all secrets
```
16881 | const dependenciesList = [];
16882 | let result;
> 16883 | const env = {
16884 | ...process.env,
16885 | };
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```
372 | // Local file path (3 slashes)
373 | "file:///C:/Users/name/file.txt",
> 374 | "file:///etc/passwd",
375 | // UNC path with IPv4 literal
376 | "file://192.168.1.1/share/folder",
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```
146 | {
147 | name: "path traversal in value",
> 148 | input: "cache = ../../../etc/passwd",
149 | expected: { cache: "../../../etc/passwd" },
150 | },
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```
147 | name: "path traversal in value",
148 | input: "cache = ../../../etc/passwd",
> 149 | expected: { cache: "../../../etc/passwd" },
150 | },
151 | {
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```
221 | process.env.CDXGEN_SERVER_ALLOWED_PATHS = "/api,/public";
222 | assert.strictEqual(isAllowedPath("/private/data"), false);
> 223 | assert.strictEqual(isAllowedPath("/etc/passwd"), false);
224 | });
225 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```
234 | process.env.CDXGEN_SERVER_ALLOWED_PATHS = "/api";
235 | assert.strictEqual(isAllowedPath("/api/../private"), false);
> 236 | assert.strictEqual(isAllowedPath("/api/../../etc/passwd"), false);
237 | });
238 |
```
Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux
```
265 | "PRN:.\\..\\bar",
266 | "LpT5:/another/path",
> 267 | "PRN:.././../etc/passwd",
268 | "AUX:/foo\\bar/baz",
269 | "COM¹:/printer/foo",
```
DLL side-loading command detected — potential DLL hijacking
```
1500 | { name: "cdx:osquery:category", value: "wmi_cli_event_consumers" },
1501 | { name: "cdx:lolbas:matched", value: "true" },
> 1502 | { name: "cdx:lolbas:names", value: "regsvr32.exe" },
1503 | {
1504 | name: "cdx:lolbas:functions",
```
DLL side-loading command detected — potential DLL hijacking
```
1507 | {
1508 | name: "command_line_template",
> 1509 | value: "regsvr32.exe /s scrobj.dll",
1510 | },
1511 | ],
```
Spreading entire process.env into an object — may capture all secrets
```
247 | timeout: TIMEOUT_MS,
248 | cwd: filePath,
> 249 | env: {
250 | ...process.env,
251 | PATH: newPath,
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v12.0.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.