[security] Misconfiguration led to CI github token leakage in released artifacts

[prabhu]

A potential security vulnerability was reported against the CI workflow used by cdxgen this week. The vulnerability would have given write access to the repo to anyone for up to 10 minutes (duration of a specific workflow) during a release event. Below are some details based on our investigation and the actions being taken:

Details:

1. cdxgen uses a library called caxa to produce single application executables for Windows, Mac, and Linux users. This feature is popular since it avoids the need for installing node.js separately.
2. caxa repo was archived by the maintainer in November 2023. A ticket to replace caxa was created on Jan 2, 2024 ([sae] caxa is archived #798). This is unrelated to the misconfiguration.
3. cdxgen was invoking the caxa command with --input . (current directory). This invocation was inadvertently including all folders from the current directory in the CI including the hidden .git directory.
4. The researcher noticed that GitHub was persisting a time-limited write token in the .git directory under certain conditions which was getting included and bundled into the packaged artifact. The token would have given "write" permissions to the repo for a limited duration.

Actions taken so far:

1. We have removed the use of caxa library and disabled the single application executable feature
   Remove sae builds #946
   Remove caxa #947
2. We have deleted the single application executable artifacts from the releases (for the last two versions)
   https://github.com/CycloneDX/cdxgen/releases/tag/v10.2.6
3. We have reviewed the code bases and releases for any unexpected commits and releases
4. A formal blog from the researcher will be published shortly

Recommendation for users:

• Follow best practices. Use cdxgen with a specific version tag or sha hashes instead of using the "latest". Consider maintaining your own image in a private registry.
• Do not run tools like cdxgen as sudo or in build pipelines with administrative privileges.