github CycloneDX/cdxgen v11.1.7
Release v11.1.7

2 days ago

cdxgen (>= v11.1.7) now includes a "secure mode," powered by the Node.js permission model. This "seat-belt approach" allows you to control which system resources cdxgen can access and what actions it can perform with those resources. For example, in --lifecycle pre-build mode, you can restrict cdxgen to reading only specific files, without granting permission to execute child processes. Even when executing node-based commands such as npm or atom, you can further limit the directories these external commands can read and write, as well as their permissions to execute child processes. This makes cdxgen an ideal SBOM tool when dealing with untrusted codebases (which is all software).

For further information, please refer to the permissions documentation or start using the new ghcr.io/cyclonedx/cdxgen-secure container image.

Thank you to @eran-medan and the other security researchers for helping bring this feature live.

Addresses CVE-2024-50611 and #1328. Please update at your convenience.
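To make the seat-belt concrete, here is an added illustration (not code from the release or from the cdxgen project) of the kind of invocation the notes describe: cdxgen's CLI script started under the Node.js permission model, with reads confined to the project tree and the package's own install directory, a single writable output path, and the child-process permission granted only for the build lifecycle. The entry-point path (bin/cdxgen.js inside the installed package), the Node version (22+, where the flag is spelled --permission) and the exact permission set are assumptions; the permissions documentation linked above is authoritative.

```shell
#!/bin/sh
# Run cdxgen under the Node.js permission model with a lifecycle-dependent permission set.
# Assumed (not from the release notes): cdxgen's CLI entry point is bin/cdxgen.js in the
# installed package, and Node 22+ is used (Node 20 spelled the flag --experimental-permission).
cdxgen_secure() {
  lifecycle="$1"; project_dir="$2"; out_file="$3"
  cdxgen_js="${CDXGEN_JS:-$(npm root -g 2>/dev/null)/@cyclonedx/cdxgen/bin/cdxgen.js}"
  pkg_dir="$(dirname "$cdxgen_js")/.."   # cdxgen must be able to load its own modules
  set -- --permission \
    "--allow-fs-read=$pkg_dir" \
    "--allow-fs-read=$project_dir" \
    "--allow-fs-write=$out_file"
  # Only the build lifecycle spawns package managers and tools (npm, atom, ...);
  # pre-build keeps the child-process permission withheld.
  case "$lifecycle" in
    build)     set -- "$@" --allow-child-process ;;
    pre-build) ;;
    *) echo "unsupported lifecycle: $lifecycle" >&2; return 2 ;;
  esac
  set -- "$@" "$cdxgen_js" --lifecycle "$lifecycle" -o "$out_file" "$project_dir"
  # DRY_RUN prints the assembled argument list (one per line) instead of executing node.
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$@"; return 0; fi
  node "$@"
}
```

Any read or write outside the listed paths fails with ERR_ACCESS_DENIED, so lockfiles or caches kept outside the project tree need their own --allow-fs-read entries.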

Full Changelog: v11.1.6...v11.1.7
