CycloneDX / cdxgen

Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server. Google chat: https://chat.google.com/room/AAAA6l2dO60?cls=7
https://cyclonedx.github.io/cdxgen/
Apache License 2.0

[Security] Code execution risk when running cdxgen against untrusted repos #1328

Open prabhu opened 2 months ago

prabhu commented 2 months ago

This is a design limitation, without an immediate fix.

Summary

(Rewritten for clarity)

POC

  1. Generate a gradle project with gradle init (choose all defaults, this will generate a Kotlin based DSL)
  2. Open build.gradle.kts
  3. Add this to the end of the file, e.g.

```kotlin
val projectRoot = project.rootProject.projectDir

val file = file("$projectRoot/hello.txt")
file.writeText("hello world")
```

  4. Run “cdxgen -o bom.json” without any other params
  5. Result: the code above is being executed

Timeline

8 Aug 2024 - Email received from the researcher.
8 Aug 2024 - Initial response: Known acceptable risk that is consistent with executing any CLI command including the package manager commands themselves.
19 Aug 2024 - Researcher shared more details about attacking SCA scanners that wrap cdxgen such as OWASP dep-scan.
26 Aug 2024 - GitHub Issue created.

Known workarounds
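The PoC above works because Gradle evaluates build.gradle.kts as code as soon as cdxgen invokes it. As an added example (not one of the issue's own workarounds and not cdxgen code), the following hypothetical pre-flight check scans a repository's Gradle scripts for constructs that write files, spawn processes, open network connections or load code during evaluation, so a CI job can flag or quarantine an untrusted repo before an SBOM scan runs; the pattern list and sample build script are constructed, and the scanner is a tripwire rather than a sandbox.

```python
"""Pre-flight tripwire for Gradle scripts before an SBOM scan of an untrusted repo (hypothetical helper)."""
import re
from pathlib import Path

# Scripts Gradle evaluates on invocation (Groovy and Kotlin DSL). Init scripts in
# ~/.gradle are also run but live outside the repo, so they are out of scope here.
GRADLE_SCRIPTS = ("build.gradle", "build.gradle.kts", "settings.gradle", "settings.gradle.kts")

# Constructed heuristics: each category names an API family a build script does
# not need merely to declare dependencies, which is all an SBOM scan wants from it.
RISKY_PATTERNS = {
    "file write": re.compile(r"\.(writeText|writeBytes|appendText|appendBytes)\s*\(|FileOutputStream|Files\.write"),
    "process execution": re.compile(r"ProcessBuilder|Runtime\.getRuntime|\.execute\s*\(|\bexec\s*[({]|commandLine"),
    "network": re.compile(r"\bURL\s*\(|HttpURLConnection|\bSocket\s*\("),
    "dynamic loading": re.compile(r"Class\.forName|URLClassLoader|GroovyShell|\bevaluate\s*\("),
}


def scan_script(text: str, name: str = "<script>") -> list[dict]:
    """Return one finding per matching source line: file, line number, category, line text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//"):  # ignore Kotlin/Groovy line comments
            continue
        for category, pattern in RISKY_PATTERNS.items():
            if pattern.search(line):
                findings.append({"file": name, "line": lineno, "category": category, "source": stripped})
    return findings


def scan_repo(root: Path) -> list[dict]:
    """Scan every Gradle script in the checkout, including subprojects."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.name in GRADLE_SCRIPTS:
            findings.extend(scan_script(path.read_text(errors="replace"), str(path.relative_to(root))))
    return findings


# Constructed sample: a default `gradle init` script with the issue's PoC lines appended.
SAMPLE_BUILD_GRADLE_KTS = """\
plugins {
    kotlin("jvm") version "1.9.0"
}
// harmless comment: file.writeText("x")
val projectRoot = project.rootProject.projectDir

val file = file("$projectRoot/hello.txt")
file.writeText("hello world")
"""

if __name__ == "__main__":
    for f in scan_script(SAMPLE_BUILD_GRADLE_KTS, "build.gradle.kts"):
        print(f"{f['file']}:{f['line']} [{f['category']}] {f['source']}")
```

A non-empty result is a signal to run the scan in an isolated, network-less, throwaway environment rather than on a shared CI runner; an empty result is not proof of safety, since a build script can reach the same APIs through paths these patterns do not cover.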

prabhu commented 2 months ago

Tasks

Stretch goals

jdalton commented 9 hours ago

This has now landed in the CVE database and is being reported by GitHub's security tab:
