stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
docs/features/checked/scanner/cyclonedx-1-7-cbom-support.md Normal file
View File

@@ -0,0 +1,38 @@
# CycloneDX 1.7 CBOM (Cryptographic Bill of Materials) Support
## Module
Scanner
## Status
VERIFIED
## Description
Cryptographic Bill of Materials support with crypto asset extraction for .NET, Java, and Node.js ecosystems. Includes CBOM aggregation service, serializer, and policy crypto risk rules. Distinct from standard SBOM support -- this inventories cryptographic algorithms and primitives across components.
## Implementation Details
- **CBOM Aggregation & Serialization**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Cbom/CbomAggregationService.cs` - Aggregates crypto assets from all analyzers into unified CBOM
- `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Cbom/CbomSerializer.cs` - Serializes CBOM data to CycloneDX format
- `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Composition/CycloneDxCbomWriter.cs` - Writes CycloneDX 1.7 CBOM output
- **Per-Ecosystem Crypto Extractors**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/Crypto/DotNetCryptoExtractor.cs` - .NET crypto asset extraction
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Crypto/JavaCryptoExtractor.cs` - Java crypto asset extraction
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/Internal/Crypto/NodeCryptoExtractor.cs` - Node.js crypto asset extraction
## E2E Test Plan
- [ ] Scan a container image with .NET, Java, or Node.js applications and verify CBOM extraction identifies cryptographic assets
- [ ] Verify the CBOM aggregation service merges crypto assets from multiple ecosystem analyzers
- [ ] Export the scan results as CycloneDX 1.7 and verify `cryptoProperties` fields are populated
- [ ] Verify crypto algorithms (AES, RSA, SHA-256, etc.) are inventoried with correct metadata
- [ ] Verify policy crypto risk rules flag weak or deprecated algorithms in the CBOM
---
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |