# CBOM Cryptographic Bill of Materials Analysis with Post-Quantum Readiness Assessment

## Module

Scanner

## Status

IMPLEMENTED

## Description

The scanner analyzes cryptographic assets declared in a CycloneDX CBOM (`cryptoProperties`), detects weak or deprecated algorithms, enforces crypto compliance policies (FIPS 140-2/3, PCI-DSS, NIST), inventories all crypto assets, and assesses post-quantum readiness with a dedicated `PostQuantumAnalyzer`.

## Implementation Details

- **Core Analyzer**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/CryptoAnalysisAnalyzer.cs` - Main orchestrator for crypto analysis
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/CryptoAnalysisServiceCollectionExtensions.cs` - DI registration
- **Algorithm Analysis**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/AlgorithmStrengthAnalyzer.cs` - Detects weak/deprecated algorithms
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/CryptoAlgorithmCatalog.cs` - Catalog of known algorithms with strength metadata
- **Post-Quantum Readiness**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/PostQuantumAnalyzer.cs` - Assesses post-quantum readiness of crypto assets
- **Compliance Checking**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/FipsComplianceChecker.cs` - FIPS 140-2/3 compliance validation
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/RegionalComplianceChecker.cs` - Regional crypto compliance (eIDAS, GOST, SM)
- **Crypto Inventory**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/CryptoInventoryGenerator.cs` - Inventories all crypto assets
- **Certificate & Protocol Analysis**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/CertificateAnalyzer.cs` - X.509 certificate analysis
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/ProtocolAnalyzer.cs` - TLS/crypto protocol version analysis
- **Context & Results**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/CryptoAnalysisContext.cs` - Analysis context
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/CryptoAnalysisResult.cs` - Analysis results
- **Policy**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Policy/CryptoPolicyLoader.cs` - Loads crypto compliance policies
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Policy/CryptoPolicy.cs` - Policy model (FIPS, PCI-DSS, NIST)
- **Models**: `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Models/CryptoAnalysisModels.cs`
- **Reporting**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Reporting/CryptoAnalysisReportFormatter.cs` - Report formatting
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Reporting/CryptoInventoryExporter.cs` - Inventory export
- **Worker Stage**: `src/Scanner/StellaOps.Scanner.Worker/Processing/CryptoAnalysis/CryptoAnalysisStageExecutor.cs`

## E2E Test Plan

- [ ] Scan a container image with a CycloneDX SBOM containing `cryptoProperties` and verify crypto assets are inventoried
- [ ] Verify `AlgorithmStrengthAnalyzer` flags weak algorithms (e.g., MD5, SHA-1, DES) with appropriate severity
- [ ] Verify `PostQuantumAnalyzer` assesses quantum readiness and flags algorithms vulnerable to quantum attacks (e.g., RSA-2048)
- [ ] Configure a FIPS 140-3 compliance policy and verify `FipsComplianceChecker` validates/rejects algorithms accordingly
- [ ] Verify certificate analysis identifies expired/weak certificates
- [ ] Verify crypto inventory export produces a complete listing of all discovered crypto assets
- [ ] Verify crypto analysis findings appear in the unified scan report
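The pipeline described above (inventory the `cryptographic-asset` components of a CycloneDX 1.6 CBOM, flag weak or deprecated algorithms, check a FIPS policy, assess post-quantum exposure, and inspect certificate and protocol assets) is shown end to end in the following added example. It is illustrative Python written for this page, not the project's C# analyzers: the algorithm catalog, severities, policy thresholds and the sample CBOM are constructed assumptions, and the `cryptoProperties` field names follow the CycloneDX 1.6 schema (`assetType`, `certificateProperties`, `protocolProperties`, `signatureAlgorithmRef`).

```python
"""Added example: inventory and classify the crypto assets in a CycloneDX 1.6 CBOM.

Illustrative code for this page, not the StellaOps analyzers. The catalog,
severities, policy thresholds and sample BOM below are assumptions for the demo.
"""
import json
from datetime import datetime, timezone

# Constructed catalog (assumption). classical_bits is the conventional security
# strength; quantum is "vulnerable" (broken by Shor), "reduced" (Grover-style
# speedups shrink the margin) or "safe". fips marks FIPS 140-3 approved
# algorithms; ML-KEM is listed because of FIPS 203, independent of any CMVP
# validation of a particular module.
CATALOG = {
    "SHA-1":       dict(classical_bits=80,  status="deprecated", quantum="reduced",    fips=False),
    "SHA-256":     dict(classical_bits=128, status="approved",   quantum="reduced",    fips=True),
    "AES-256-GCM": dict(classical_bits=256, status="approved",   quantum="safe",       fips=True),
    "RSA-2048":    dict(classical_bits=112, status="approved",   quantum="vulnerable", fips=True),
    "ECDSA-P256":  dict(classical_bits=128, status="approved",   quantum="vulnerable", fips=True),
    "ML-KEM-768":  dict(classical_bits=192, status="approved",   quantum="safe",       fips=True),
}

# Constructed sample CBOM (assumption): one deprecated hash, one quantum-vulnerable
# signature algorithm, an expired SHA-1-signed certificate, a TLS 1.0 endpoint,
# and a non-crypto library that must not enter the crypto inventory.
SAMPLE_CBOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
 {"type": "cryptographic-asset", "bom-ref": "alg:sha1", "name": "SHA-1",
  "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {"primitive": "hash"}}},
 {"type": "cryptographic-asset", "bom-ref": "alg:rsa2048", "name": "RSA-2048",
  "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {"primitive": "signature", "parameterSetIdentifier": "2048"}}},
 {"type": "cryptographic-asset", "bom-ref": "alg:aes256gcm", "name": "AES-256-GCM",
  "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {"primitive": "ae"}}},
 {"type": "cryptographic-asset", "bom-ref": "alg:mlkem768", "name": "ML-KEM-768",
  "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {"primitive": "kem"}}},
 {"type": "cryptographic-asset", "bom-ref": "cert:legacy", "name": "legacy.example.internal",
  "cryptoProperties": {"assetType": "certificate", "certificateProperties": {
   "subjectName": "CN=legacy.example.internal", "notValidAfter": "2024-06-30T00:00:00Z",
   "signatureAlgorithmRef": "alg:sha1"}}},
 {"type": "cryptographic-asset", "bom-ref": "proto:tls10", "name": "TLS",
  "cryptoProperties": {"assetType": "protocol", "protocolProperties": {"type": "tls", "version": "1.0"}}},
 {"type": "library", "name": "openssl", "version": "3.0.13"}
]}
""")


def _norm(name):
    return name.strip().upper().replace("_", "-")


def _version(s):
    return tuple(int(p) for p in s.split("."))


def crypto_assets(bom):
    """Yield (bom-ref, name, cryptoProperties) for every cryptographic-asset component."""
    for comp in bom.get("components", []):
        if comp.get("type") == "cryptographic-asset":
            yield comp.get("bom-ref"), comp.get("name", ""), comp.get("cryptoProperties", {})


def analyze(bom, now, fips_policy=True):
    """Return {"inventory": [...], "findings": [...]} for a parsed CBOM.

    `now` is passed in explicitly so certificate expiry checks are reproducible.
    """
    assets = list(crypto_assets(bom))
    names_by_ref = {ref: name for ref, name, _ in assets}  # resolves *Ref fields
    inventory, findings = [], []

    def add(severity, ref, category, message):
        findings.append(dict(severity=severity, ref=ref, category=category, message=message))

    def check_algorithm(ref, name):
        entry = CATALOG.get(_norm(name))
        if entry is None:  # unknown algorithms are inventoried but not silently accepted
            add("info", ref, "unknown-algorithm", f"{name} not in catalog; review manually")
            return
        if entry["status"] == "broken":
            add("high", ref, "weak-algorithm", f"{name} is cryptographically broken")
        elif entry["status"] == "deprecated":
            add("medium", ref, "weak-algorithm", f"{name} is deprecated")
        if entry["quantum"] == "vulnerable":
            add("medium", ref, "post-quantum", f"{name} is broken by Shor's algorithm; plan migration")
        elif entry["quantum"] == "reduced" and entry["classical_bits"] < 128:
            add("low", ref, "post-quantum", f"{name} leaves under 64 bits of quantum security margin")
        if fips_policy and not entry["fips"]:
            add("high", ref, "fips-140-3", f"{name} is not FIPS 140-3 approved")

    for ref, name, props in assets:
        asset_type = props.get("assetType")
        inventory.append(dict(ref=ref, name=name, assetType=asset_type))
        if asset_type == "algorithm":
            check_algorithm(ref, name)
        elif asset_type == "certificate":
            cert = props.get("certificateProperties", {})
            expiry = datetime.fromisoformat(cert["notValidAfter"].replace("Z", "+00:00"))
            if expiry < now:
                add("high", ref, "certificate", f"{cert.get('subjectName')} expired {cert['notValidAfter']}")
            sig = names_by_ref.get(cert.get("signatureAlgorithmRef"), "")
            if CATALOG.get(_norm(sig), {}).get("status") in ("broken", "deprecated"):
                add("high", ref, "certificate", f"signed with weak algorithm {sig}")
        elif asset_type == "protocol":
            proto = props.get("protocolProperties", {})
            if proto.get("type") == "tls" and _version(proto.get("version", "0")) < (1, 2):
                add("high", ref, "protocol", f"TLS {proto['version']} is deprecated")
    return {"inventory": inventory, "findings": findings}


def demo():
    return analyze(SAMPLE_CBOM, now=datetime(2025, 1, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On the sample BOM this yields six inventory entries (the `openssl` library is not a crypto asset) and seven findings: three for SHA-1 (deprecated, reduced quantum margin, not FIPS approved), one post-quantum migration finding for RSA-2048, two for the expired SHA-1-signed certificate, and one for TLS 1.0; AES-256-GCM and ML-KEM-768 produce none. Resolving `signatureAlgorithmRef` through the BOM's own `bom-ref`s is the point worth copying: a certificate's weakness is inherited from the algorithm asset it references, so the catalog lookup only has to exist once.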