Skip to main content

Mondoo 9.9 is out!

ยท 3 min read
Tim Smith
Mondoo Core Team

๐Ÿฅณ Mondoo 9.9 is out! This release includes experimental SBOM support, platform/package CPE data, and more!โ€‹

Get this release: Installation Docs | Package Downloads | Docker Container

๐ŸŽ‰ NEW FEATURESโ€‹

Experimental SBOM generationโ€‹

cnquery includes new experimental support for generating software bills of materials (SBOMs). You can generate SBOMs against your local system or containers, mounted filesystems, vagrant boxes, and remote systems over SSH or WinRM.

By default the SBOM prints in list format in the CLI:

cnquery sbom local
โ†’ This command is experimental. Please report any issues to https://github.com/mondoohq/cnquery.
โ†’ loaded configuration from /etc/opt/mondoo/mondoo.yml using source default
โ†’ discover related assets for 1 asset(s)

 lunalectric-test โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ” 100%


pypi/Jinja2/2.11.3 /usr/lib/python3/dist-packages/Jinja2-2.11.3.egg-info/PKG-INFO
pypi/LibAppArmor/2.13.6 /usr/lib/python3/dist-packages/LibAppArmor-2.13.6.egg-info
pypi/Mako/1.1.3 /usr/lib/python3/dist-packages/Mako-1.1.3.egg-info/PKG-INFO
pypi/Markdown/3.3.4 /usr/lib/python3/dist-packages/Markdown-3.3.4.egg-info/PKG-INFO
pypi/MarkupSafe/1.1.1 /usr/lib/python3/dist-packages/MarkupSafe-1.1.1.egg-info/PKG-INFO
pypi/PyGObject/3.38.0 /usr/lib/python3/dist-packages/PyGObject-3.38.0.egg-info/PKG-INFO
pypi/PyYAML/5.3.1 /usr/lib/python3/dist-packages/PyYAML-5.3.1.egg-info
deb/acl/2.2.53-10
deb/acpid/1:2.0.32-1
deb/adduser/3.118+deb11u1
deb/amd64-microcode/3.20230808.1.1~deb11u1
deb/anacron/2.3-30
...

Using the --output flag you can control the output format with support for cyclonedx-json, cyclonedx-xml, spdx-json, spdx-tag-value, and table formats.

cnquery sbom local --output spdx-json
โ†’ This command is experimental. Please report any issues to https://github.com/mondoohq/cnquery.
โ†’ loaded configuration from /etc/opt/mondoo/mondoo.yml using source default
โ†’ discover related assets for 1 asset(s)

 lunalectric-test โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ” 100%

{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "",
  "documentNamespace": "",
  "creationInfo": {
    "creators": [
      "Tool: cnquery"
    ],
    "created": "2023-11-28T22:47:07Z"
  },
  "packages": [
    {
      "name": "Jinja2",
      "SPDXID": "SPDXRef-Package-pypi-Jinja2-2e4a538b3939365a",
      "versionInfo": "2.11.3",
      "packageFileName": "/usr/lib/python3/dist-packages/Jinja2-2.11.3.egg-info/PKG-INFO",
      "downloadLocation": "",
      "filesAnalyzed": false,
      "licenseDeclared": "2.11.3",
      "externalRefs": [
        {
          "referenceCategory": "SECURITY",
          "referenceType": "cpe23Type",
          "referenceLocator": "cpe:2.3:a:jinja2_project:jinja2:2.11.3:*:*:*:*:*:*:*"
        },
        {
          "referenceCategory": "SECURITY",
          "referenceType": "purl",
          "referenceLocator": "pkg:pypi/Jinja2@2.11.3"
        }
      ]
    },
    ...

๐Ÿงน IMPROVEMENTSโ€‹

Platform and package CPE dataโ€‹

To power our new SBOM capabilities, Mondoo's asset and package resources now include Common Platform Enumeration (CPE) data that uniquely identifies the platform of the system and packages. Learn more about CPE on the NIST National Vulnerability Database CPE page.

Asset CPEs:

cnquery> asset.cpes
asset.cpes: [
  0: cpe uri="cpe:2.3:o:debian:debian_linux:11.8:*:*:*:*:*:*:*"
]

OS package CPEs:

cnquery> packages{name cpes}
packages.list: [
  0: {
    name: "acl"
    cpes: [
      0: cpe uri="cpe:2.3:a:acl:acl:2.2.53-10:amd64:*:*:*:*:*:*"
    ]
  }

๐Ÿ› BUG FIXES AND UPDATESโ€‹

  • Fix authentication failures in some AWS resources.
  • Allow updating tokens in GitLab integrations.
  • Fix a false positive in the CIS macOS Ensure Show Wi-Fi status in Menu Bar Is Enabled check.
  • Fix the CIS Distribution Independent Linux policy Ensure updates, patches, and additional security software are installed check to run properly on Debian-based systems.
  • Show the number of assets for a policy, not the number of checks, on the Security -> Policies page.
  • Open CVE source links in new windows.
  • Remove extra white space on CVE pages with short descriptions.
  • Improve reliability of queries in the Mondoo Linux Security policy
  • Improve query titles in asset inventory query packs.