git.stella-ops.org/docs/features/checked/scanner/cbom-cryptographic-bill-of-materials-analysis-with-post-quantum-readiness-assess.md
2026-02-14 09:11:48 +02:00

# CBOM Cryptographic Bill of Materials Analysis with Post-Quantum Readiness Assessment
## Module
Scanner
## Status
VERIFIED
## Description
Scanner analyzes cryptographic assets declared in CycloneDX CBOM (cryptoProperties), detects weak/deprecated algorithms, enforces crypto compliance policies (FIPS 140-2/3, PCI-DSS, NIST), inventories all crypto assets, and assesses post-quantum readiness with a dedicated PostQuantumAnalyzer.
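As an added illustration of the triage described above (example code, not the Stella Ops analyzer's own implementation): a small Python pass over a CycloneDX 1.6 CBOM that sorts `cryptographic-asset` components into deprecated, quantum-vulnerable, Grover-reduced and post-quantum-ready buckets. The CBOM document, the `_alg` builder and the lookup tables are constructed for this example; the field names (`cryptoProperties`, `algorithmProperties`, `parameterSetIdentifier`, `nistQuantumSecurityLevel`) follow the CycloneDX 1.6 schema.

```python
"""Triage CycloneDX 1.6 CBOM algorithm assets for weak and quantum-vulnerable crypto.
Added example for this page, not the Stella Ops scanner's code; SAMPLE_CBOM is constructed.
Tables encode public results: MD5/SHA-1/DES deprecated, RSA/ECC/DH broken by Shor."""
import json
WEAK = ("md5", "sha-1", "sha1", "des", "3des", "rc4")          # deprecated / broken
SHOR_BROKEN = ("rsa", "ecdsa", "ecdh", "dh", "dsa", "ed25519")  # factoring / discrete log
PQ_STANDARD = ("ml-kem", "ml-dsa", "slh-dsa")                   # FIPS 203 / 204 / 205

def _is(name, table):
    # "rsa-2048" matches "rsa"; "sha-256" does not match "sha-1".
    return any(name == t or name.startswith(t + "-") for t in table)

def classify(component):
    """Return (finding, severity) for one algorithm asset, or None for other asset types."""
    props = component.get("cryptoProperties", {})
    if props.get("assetType") != "algorithm":
        return None
    name, algo = component.get("name", "").lower(), props.get("algorithmProperties", {})
    if _is(name, WEAK):
        return ("weak-or-deprecated", "high")
    if _is(name, SHOR_BROKEN):
        return ("quantum-vulnerable", "medium")
    # A CBOM may declare a NIST PQ security level 1-5; 0 or absent means none claimed.
    if _is(name, PQ_STANDARD) or algo.get("nistQuantumSecurityLevel", 0) >= 1:
        return ("pq-ready", "info")
    bits = int(algo.get("parameterSetIdentifier") or 0)
    if algo.get("primitive") in ("block-cipher", "hash", "mac") and bits < 256:
        return ("grover-reduced", "low")   # Grover halves effective symmetric strength
    return ("pq-ready", "info")

def analyze(cbom_json):
    """Map each cryptographic-asset bom-ref in a CBOM document to its finding."""
    findings = {}
    for c in json.loads(cbom_json).get("components", []):
        verdict = classify(c) if c.get("type") == "cryptographic-asset" else None
        if verdict:
            findings[c["bom-ref"]] = verdict
    return findings

def _alg(ref, name, primitive, bits, pq_level=0):
    # Builds one constructed CycloneDX 1.6 cryptographic-asset component.
    ap = {"primitive": primitive, "parameterSetIdentifier": str(bits), "nistQuantumSecurityLevel": pq_level}
    return {"type": "cryptographic-asset", "bom-ref": ref, "name": name,
            "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": ap}}
SAMPLE_CBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
    _alg("alg:rsa2048", "RSA-2048", "signature", 2048),
    _alg("alg:sha1", "SHA-1", "hash", 160),
    _alg("alg:aes128", "AES-128-GCM", "block-cipher", 128),
    _alg("alg:mlkem768", "ML-KEM-768", "kem", 768, pq_level=3)]})
```

Running `analyze(SAMPLE_CBOM)` yields one finding per `bom-ref`; a real analyzer would additionally consult the `oid` and `cryptoFunctions` fields rather than the component name alone.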
## Implementation Details
- **Core Analyzer**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/CryptoAnalysisAnalyzer.cs` - Main orchestrator for crypto analysis
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/CryptoAnalysisServiceCollectionExtensions.cs` - DI registration
- **Algorithm Analysis**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/AlgorithmStrengthAnalyzer.cs` - Detects weak/deprecated algorithms
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/CryptoAlgorithmCatalog.cs` - Catalog of known algorithms with strength metadata
- **Post-Quantum Readiness**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/PostQuantumAnalyzer.cs` - Assesses post-quantum readiness of crypto assets
- **Compliance Checking**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/FipsComplianceChecker.cs` - FIPS 140-2/3 compliance validation
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/RegionalComplianceChecker.cs` - Regional crypto compliance (eIDAS, GOST, SM)
- **Crypto Inventory**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/CryptoInventoryGenerator.cs` - Inventories all crypto assets
- **Certificate & Protocol Analysis**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/CertificateAnalyzer.cs` - X.509 certificate analysis
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/ProtocolAnalyzer.cs` - TLS/crypto protocol version analysis
- **Context & Results**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/CryptoAnalysisContext.cs` - Analysis context
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/CryptoAnalysisResult.cs` - Analysis results
- **Policy**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Policy/CryptoPolicyLoader.cs` - Loads crypto compliance policies
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Policy/CryptoPolicy.cs` - Policy model (FIPS, PCI-DSS, NIST)
- **Models**: `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Models/CryptoAnalysisModels.cs`
- **Reporting**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Reporting/CryptoAnalysisReportFormatter.cs` - Report formatting
  - `src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Reporting/CryptoInventoryExporter.cs` - Inventory export
- **Worker Stage**: `src/Scanner/StellaOps.Scanner.Worker/Processing/CryptoAnalysis/CryptoAnalysisStageExecutor.cs`
## E2E Test Plan
- [ ] Scan a container image with a CycloneDX SBOM containing `cryptoProperties` and verify crypto assets are inventoried
- [ ] Verify `AlgorithmStrengthAnalyzer` flags weak algorithms (e.g., MD5, SHA-1, DES) with appropriate severity
- [ ] Verify `PostQuantumAnalyzer` assesses quantum readiness and flags algorithms vulnerable to quantum attacks (e.g., RSA-2048)
- [ ] Configure a FIPS 140-3 compliance policy and verify `FipsComplianceChecker` validates/rejects algorithms accordingly
- [ ] Verify certificate analysis identifies expired/weak certificates
- [ ] Verify crypto inventory export produces a complete listing of all discovered crypto assets
- [ ] Verify crypto analysis findings appear in the unified scan report
---
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |