Track executables with setuid and setgid flags (#1707)

* Capture setuid and setgid for executables

Signed-off-by: Prabhu Subramanian <[email protected]>

* Capture setuid and setgid for executables

Signed-off-by: Prabhu Subramanian <[email protected]>

* Capture setuid and setgid for executables

Signed-off-by: Prabhu Subramanian <[email protected]>

* Capture sticky bit

Signed-off-by: Prabhu Subramanian <[email protected]>

---------

Signed-off-by: Prabhu Subramanian <[email protected]>

Author: prabhu

README.md

@@ -147,7 +147,8 @@ Options:
       --server-host            Listen address                                                     [default: "127.0.0.1"]
       --server-port            Listen port                                                             [default: "9090"]
       --install-deps           Install dependencies automatically for some projects. Defaults to true but disabled for c
-                               ontainers and oci scans. Use --no-install-deps to disable this feature.         [boolean]
+                               ontainers and oci scans. Use --no-install-deps to disable this feature.
+                                                                                               [boolean] [default: true]
       --validate               Validate the generated SBOM using json schema. Defaults to true. Pass --no-validate to di
                                sable.                                                          [boolean] [default: true]
       --evidence               Generate SBOM with evidence for supported languages.           [boolean] [default: false]
@@ -170,6 +171,7 @@ Options:
                                luated against or attested to.
   [array] [choices: "asvs-5.0", "asvs-4.0.3", "bsimm-v13", "masvs-2.0.0", "nist_ssdf-1.1", "pcissc-secure-slc-1.1", "scv
                                                                                          s-1.0.0", "ssaf-DRAFT-2023-11"]
+      --json-pretty            Pretty-print the generated BOM json.                           [boolean] [default: false]
       --min-confidence         Minimum confidence needed for the identity of a component from 0 - 1, where 1 is 100% con
                                fidence.                                                            [number] [default: 0]
       --technique              Analysis technique to use

bin/cdxgen.js

@@ -24,6 +24,7 @@ import {
 import { thoughtEnd, thoughtLog } from "../lib/helpers/logger.js";
 import {
   ATOM_DB,
+  DEBUG_MODE,
   dirNameStr,
   getTmpDir,
   isMac,
@@ -303,6 +304,11 @@ const args = yargs(hideBin(process.argv))
     description:
       "Do not show the donation banner. Set this attribute if you are an active sponsor for OWASP CycloneDX.",
   })
+  .option("json-pretty", {
+    type: "boolean",
+    default: DEBUG_MODE,
+    description: "Pretty-print the generated BOM json.",
+  })
   .option("feature-flags", {
     description: "Experimental feature flags to enable. Advanced users only.",
     hidden: true,
@@ -798,7 +804,11 @@ const checkPermissions = (filePath, options) => {
         fs.writeFileSync(jsonFile, bomNSData.bomJson);
         jsonPayload = bomNSData.bomJson;
       } else {
-        jsonPayload = JSON.stringify(bomNSData.bomJson, null, null);
+        jsonPayload = JSON.stringify(
+          bomNSData.bomJson,
+          null,
+          options.jsonPretty ? 2 : null,
+        );
         fs.writeFileSync(jsonFile, jsonPayload);
         if (jsonFile.endsWith("bom.json")) {
           thoughtLog(
@@ -900,7 +910,11 @@ const checkPermissions = (filePath, options) => {
             bomJsonUnsignedObj.signature = signatureBlock;
             fs.writeFileSync(
               jsonFile,
-              JSON.stringify(bomJsonUnsignedObj, null, null),
+              JSON.stringify(
+                bomJsonUnsignedObj,
+                null,
+                options.jsonPretty ? 2 : null,
+              ),
             );
             thoughtLog(`Signing the BOM file "${jsonFile}".`);
             if (publicKeyFile) {
@@ -937,7 +951,9 @@ const checkPermissions = (filePath, options) => {
     }
   } else if (!options.print) {
     if (bomNSData.bomJson) {
-      console.log(JSON.stringify(bomNSData.bomJson, null, 2));
+      console.log(
+        JSON.stringify(bomNSData.bomJson, null, options.jsonPretty ? 2 : null),
+      );
     } else {
       console.log("Unable to produce BOM for", filePath);
       console.log("Try running the command with -t <type> or -r argument");
@@ -967,6 +983,7 @@ const checkPermissions = (filePath, options) => {
       includeCrypto: options.includeCrypto,
       specVersion: options.specVersion,
       profile: options.profile,
+      jsonPretty: options.jsonPretty,
     };
     const dbObjMap = await evinserModule.prepareDB(evinseOptions);
     if (dbObjMap) {

deno.json

@@ -50,8 +50,8 @@
   "imports": {
     "@appthreat/atom": "npm:@appthreat/atom@2.1.14",
     "@appthreat/cdx-proto": "npm:@appthreat/cdx-proto@1.0.1",
-    "@babel/parser": "npm:@babel/parser@^7.26.10",
-    "@babel/traverse": "npm:@babel/traverse@^7.26.10",
+    "@babel/parser": "npm:@babel/parser@^7.27.0",
+    "@babel/traverse": "npm:@babel/traverse@^7.27.0",
     "@npmcli/arborist": "npm:@npmcli/arborist@9.0.1",
     "ajv": "npm:ajv@^8.16.0",
     "ajv-formats": "npm:ajv-formats@^3.0.1",

docs/CLI.md

@@ -96,7 +96,8 @@ Options:
       --server-host            Listen address                                                     [default: "127.0.0.1"]
       --server-port            Listen port                                                             [default: "9090"]
       --install-deps           Install dependencies automatically for some projects. Defaults to true but disabled for c
-                               ontainers and oci scans. Use --no-install-deps to disable this feature.         [boolean]
+                               ontainers and oci scans. Use --no-install-deps to disable this feature.
+                                                                                               [boolean] [default: true]
       --validate               Validate the generated SBOM using json schema. Defaults to true. Pass --no-validate to di
                                sable.                                                          [boolean] [default: true]
       --evidence               Generate SBOM with evidence for supported languages.           [boolean] [default: false]
@@ -119,6 +120,7 @@ Options:
                                luated against or attested to.
   [array] [choices: "asvs-5.0", "asvs-4.0.3", "bsimm-v13", "masvs-2.0.0", "nist_ssdf-1.1", "pcissc-secure-slc-1.1", "scv
                                                                                          s-1.0.0", "ssaf-DRAFT-2023-11"]
+      --json-pretty            Pretty-print the generated BOM json.                           [boolean] [default: false]
       --min-confidence         Minimum confidence needed for the identity of a component from 0 - 1, where 1 is 100% con
                                fidence.                                                            [number] [default: 0]
       --technique              Analysis technique to use

lib/evinser/evinser.js

@@ -257,7 +257,10 @@ export async function createSlice(
     const slicesData = createSemanticsSlices(resolve(filePath), options);
     // Write the semantics slices data
     if (slicesData) {
-      fs.writeFileSync(slicesFile, JSON.stringify(slicesData, null, null));
+      fs.writeFileSync(
+        slicesFile,
+        JSON.stringify(slicesData, null, options.jsonPretty ? 2 : null),
+      );
     }
     return { tempDir: sliceOutputDir, slicesFile };
   }
@@ -1404,7 +1407,7 @@ export function createEvinseFile(sliceArtefacts, options) {
   const bomNSData = postProcess({ bomJson }, options);
   fs.writeFileSync(
     evinseOutFile,
-    JSON.stringify(bomNSData.bomJson, null, null),
+    JSON.stringify(bomNSData.bomJson, null, options.jsonPretty ? 2 : null),
   );
   if (occEvidencePresent || csEvidencePresent || servicesPresent) {
     console.log(evinseOutFile, "created successfully.");

lib/managers/binary.js

@@ -6,6 +6,7 @@ import {
   mkdtempSync,
   readFileSync,
   rmSync,
+  statSync,
 } from "node:fs";
 import { arch as _arch, platform as _platform, homedir } from "node:os";
 import { basename, dirname, join, resolve } from "node:path";
@@ -1037,16 +1038,45 @@ async function fileComponents(basePath, fileList, fileType) {
     }
     const name = basename(f);
     const purl = `pkg:generic/${name}`;
+    let isExecutable;
+    let isSetuid;
+    let isSetgid;
+    let isSticky;
+    try {
+      const stats = statSync(f);
+      const mode = stats.mode;
+      isExecutable = !!(mode & 0o111);
+      isSetuid = !!(mode & 0o4000);
+      isSetgid = !!(mode & 0o2000);
+      isSticky = !!(mode & 0o1000);
+    } catch (e) {
+      // ignore
+    }
+    const properties = [{ name: "SrcFile", value: f }];
+    if (fileType === "executable" && isExecutable !== undefined) {
+      properties.push({
+        name: `internal:is_${fileType}`,
+        value: isExecutable.toString(),
+      });
+    } else {
+      properties.push({ name: `internal:is_${fileType}`, value: "true" });
+    }
+    if (isSetuid) {
+      properties.push({ name: "internal:has_setuid", value: "true" });
+    }
+    if (isSetgid) {
+      properties.push({ name: "internal:has_setgid", value: "true" });
+    }
+    if (isSticky) {
+      properties.push({ name: "internal:has_sticky", value: "true" });
+    }
     components.push({
       name,
       type: "file",
       purl,
       "bom-ref": purl,
       hashes,
-      properties: [
-        { name: "SrcFile", value: f },
-        { name: `internal:is_${fileType}`, value: "true" },
-      ],
+      properties,
       evidence: {
         identity: [
           {

package.json

@@ -74,8 +74,8 @@
     "*": "biome check --fix --no-errors-on-unmatched"
   },
   "dependencies": {
-    "@babel/parser": "^7.26.10",
-    "@babel/traverse": "^7.26.10",
+    "@babel/parser": "^7.27.0",
+    "@babel/traverse": "^7.27.0",
     "@iarna/toml": "2.2.5",
     "@npmcli/arborist": "9.0.1",
     "ajv": "^8.17.1",