[Security] Code execution risk when running cdxgen against untrusted repos

[prabhu]

This is a design limitation, without an immediate fix.

Summary

(Rewritten for clarity)

• Users of cdxgen are known to run the tool against both trusted and untrusted codebases
• cdxgen executes numerous external and package manager commands, including npm install, maven, gradle, and sbt commands
• Many package managers support custom scripts and plugins to execute additional commands.
  • For example, when cdxgen invokes npm install (default behavior unless --no-install-deps is passed), npm could be invoking more commands as per the scripts section in the package.json file present in the given codebase.

POC

1. Generate a gradle project with gradle init (choose all defaults, this will generate a Kotlin based DSL)
2. Open build.gradle.kts
3. Add this to the end of the file, e.g.

val projectRoot = project.rootProject.projectDir

val file = file("$projectRoot/hello.txt")
file.writeText("hello world")

4. Run “cdxgen -o bom.json” without any other params
5. Result: the code above is being executed

Timeline

8 Aug 2024 - Email received from the researcher. 8 Aug 2024 - Initial response: Known acceptable risk that is consistent with executing any CLI command including the package manager commands themselves. 19 Aug 2024 - Researcher shared more details about attacking SCA scanners that wrap cdxgen such as OWASP dep-scan. 26 Aug 2024 - GitHub Issue created.

Known workarounds

• Run cdxgen using the container image with limited volume mounts, random TEMP directories (avoid -v /tmp:/tmp and -v $HOME:$HOME), and a dedicated seccomp profiles.
• Use the argument --no-install-deps or --lifecycle pre-build to prevent cdxgen from running install commands. This may not work for all package managers.
• Do not run cdxgen against untrusted codebases and with sudo/administrative privileges.
• Use cdxgen with deno runtime.

[prabhu]

Tasks

• [ ] Update documentation and add log messages to warn about the risks of running cdxgen against untrusted codebases.
• [ ] Add a new cli argument say --untrusted to configure some install commands. Example: for npm, we can pass --ignore-scripts argument. Need to investigate similar capabilities for other package managers.
• [ ] Investigate seccomp and AppArmor profiles.

Stretch goals

• [ ] Revisit try mode support - https://github.com/CycloneDX/cdxgen/issues/362

[jdalton]

This has now landed in the CVE database and is being reported by GitHub's security tab: