# CycloneDX 1.7 CBOM (Cryptographic Bill of Materials) Support

## Module

Scanner

## Status

IMPLEMENTED

## Description

Cryptographic Bill of Materials support with crypto asset extraction for the .NET, Java, and Node.js ecosystems. Includes the CBOM aggregation service, the serializer, and the policy crypto risk rules. Distinct from standard SBOM support -- this inventories the cryptographic algorithms and primitives used across components rather than the components themselves.

## Implementation Details

- **CBOM Aggregation & Serialization**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Cbom/CbomAggregationService.cs` - Aggregates crypto assets from all analyzers into a unified CBOM
  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Cbom/CbomSerializer.cs` - Serializes CBOM data to CycloneDX format
  - `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Composition/CycloneDxCbomWriter.cs` - Writes CycloneDX 1.7 CBOM output
- **Per-Ecosystem Crypto Extractors**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/Crypto/DotNetCryptoExtractor.cs` - .NET crypto asset extraction
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Crypto/JavaCryptoExtractor.cs` - Java crypto asset extraction
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/Internal/Crypto/NodeCryptoExtractor.cs` - Node.js crypto asset extraction

## E2E Test Plan

- [ ] Scan a container image with .NET, Java, or Node.js applications and verify that CBOM extraction identifies cryptographic assets
- [ ] Verify that the CBOM aggregation service merges crypto assets from multiple ecosystem analyzers
- [ ] Export the scan results as CycloneDX 1.7 and verify that `cryptoProperties` fields are populated
- [ ] Verify that crypto algorithms (AES, RSA, SHA-256, etc.) are inventoried with correct metadata
- [ ] Verify that policy crypto risk rules flag weak or deprecated algorithms in the CBOM
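The following is an added illustration of the aggregation, serialization and risk-rule steps described above; it is not StellaOps code. The extractor outputs, the `crypto/...` bom-ref scheme and the weak-algorithm thresholds are constructed assumptions; the component shape (`type: "cryptographic-asset"`, `cryptoProperties.assetType`, `algorithmProperties`) follows the CycloneDX cryptoProperties schema introduced in 1.6 and carried into 1.7.

```python
import json

# Constructed outputs of two ecosystem extractors (what a .NET and a Java
# extractor might hand to the aggregation service). AES/256/GCM appears in
# both so the merge has something to deduplicate.
DOTNET_ASSETS = [
    {"name": "AES", "primitive": "block-cipher", "parameterSetIdentifier": "256", "mode": "gcm"},
    {"name": "MD5", "primitive": "hash", "parameterSetIdentifier": "128"},
]
JAVA_ASSETS = [
    {"name": "AES", "primitive": "block-cipher", "parameterSetIdentifier": "256", "mode": "gcm"},
    {"name": "RSA", "primitive": "pke", "parameterSetIdentifier": "1024"},
]

# Assumed policy rule set (not the project's own): deprecated names and
# minimum key sizes in bits for parameterised public-key algorithms.
DEPRECATED_NAMES = {"MD5", "SHA1", "SHA-1", "DES", "3DES", "RC4"}
MIN_KEY_BITS = {"RSA": 2048, "DSA": 2048}

def asset_key(a):
    # Identity of an algorithm asset: name, primitive, parameter set, mode.
    return (a["name"], a["primitive"], a.get("parameterSetIdentifier"), a.get("mode"))

def to_component(a):
    # One CycloneDX cryptographic-asset component with algorithmProperties.
    ref = "crypto/" + "/".join(p for p in asset_key(a) if p)
    props = {k: a[k] for k in ("primitive", "parameterSetIdentifier", "mode") if k in a}
    return {"type": "cryptographic-asset", "bom-ref": ref, "name": a["name"],
            "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": props}}

def aggregate(*extractor_outputs):
    # Merge per-ecosystem asset lists into one deduplicated CBOM document.
    seen = {}
    for assets in extractor_outputs:
        for a in assets:
            seen.setdefault(asset_key(a), to_component(a))
    return {"bomFormat": "CycloneDX", "specVersion": "1.7", "version": 1,
            "components": sorted(seen.values(), key=lambda c: c["bom-ref"])}

def weak_algorithms(cbom):
    # Apply the risk rules; returns (bom-ref, reason) pairs for flagged assets.
    findings = []
    for c in cbom["components"]:
        props = c["cryptoProperties"]["algorithmProperties"]
        bits = int(props.get("parameterSetIdentifier") or 0)
        if c["name"].upper() in DEPRECATED_NAMES:
            findings.append((c["bom-ref"], "deprecated algorithm"))
        elif bits and bits < MIN_KEY_BITS.get(c["name"].upper(), 0):
            findings.append((c["bom-ref"], f"key size {bits} below minimum"))
    return findings

if __name__ == "__main__":
    cbom = aggregate(DOTNET_ASSETS, JAVA_ASSETS)
    print(json.dumps(cbom, indent=2))
    print(weak_algorithms(cbom))
```

Running it prints a three-component CBOM (AES deduplicated across ecosystems) and two findings: MD5 as deprecated and RSA-1024 as below the minimum key size.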