semi implemented and features implemented save checkpoint

docs/features/unchecked/scanner/cyclonedx-1-7-cbom-support.md

@@ -0,0 +1,27 @@
+# CycloneDX 1.7 CBOM (Cryptographic Bill of Materials) Support
+
+## Module
+Scanner
+
+## Status
+IMPLEMENTED
+
+## Description
+Cryptographic Bill of Materials support with crypto asset extraction for .NET, Java, and Node.js ecosystems. Includes CBOM aggregation service, serializer, and policy crypto risk rules. Distinct from standard SBOM support -- this inventories cryptographic algorithms and primitives across components.
+
+## Implementation Details
+- **CBOM Aggregation & Serialization**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Cbom/CbomAggregationService.cs` - Aggregates crypto assets from all analyzers into unified CBOM
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Cbom/CbomSerializer.cs` - Serializes CBOM data to CycloneDX format
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Composition/CycloneDxCbomWriter.cs` - Writes CycloneDX 1.7 CBOM output
+- **Per-Ecosystem Crypto Extractors**:
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/Crypto/DotNetCryptoExtractor.cs` - .NET crypto asset extraction
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Crypto/JavaCryptoExtractor.cs` - Java crypto asset extraction
+  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/Internal/Crypto/NodeCryptoExtractor.cs` - Node.js crypto asset extraction
+
+## E2E Test Plan
+- [ ] Scan a container image with .NET, Java, or Node.js applications and verify CBOM extraction identifies cryptographic assets
+- [ ] Verify the CBOM aggregation service merges crypto assets from multiple ecosystem analyzers
+- [ ] Export the scan results as CycloneDX 1.7 and verify `cryptoProperties` fields are populated
+- [ ] Verify crypto algorithms (AES, RSA, SHA-256, etc.) are inventoried with correct metadata
+- [ ] Verify policy crypto risk rules flag weak or deprecated algorithms in the CBOM