CBOM Cryptographic Bill of Materials Analysis with Post-Quantum Readiness Assessment
Module: Scanner
Status: IMPLEMENTED
Description
Scanner analyzes cryptographic assets declared in CycloneDX CBOM (cryptoProperties), detects weak/deprecated algorithms, enforces crypto compliance policies (FIPS 140-2/3, PCI-DSS, NIST), inventories all crypto assets, and assesses post-quantum readiness with a dedicated PostQuantumAnalyzer.
Implementation Details
- Core Analyzer:
  - src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/CryptoAnalysisAnalyzer.cs - Main orchestrator for crypto analysis
  - src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/CryptoAnalysisServiceCollectionExtensions.cs - DI registration
- Algorithm Analysis:
  - src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/AlgorithmStrengthAnalyzer.cs - Detects weak/deprecated algorithms
  - src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/CryptoAlgorithmCatalog.cs - Catalog of known algorithms with strength metadata
- Post-Quantum Readiness:
  - src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/PostQuantumAnalyzer.cs - Assesses post-quantum readiness of crypto assets
- Compliance Checking:
  - src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/FipsComplianceChecker.cs - FIPS 140-2/3 compliance validation
  - src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/RegionalComplianceChecker.cs - Regional crypto compliance (eIDAS, GOST, SM)
- Crypto Inventory:
  - src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/CryptoInventoryGenerator.cs - Inventories all crypto assets
- Certificate & Protocol Analysis:
  - src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/CertificateAnalyzer.cs - X.509 certificate analysis
  - src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/ProtocolAnalyzer.cs - TLS/crypto protocol version analysis
- Context & Results:
  - src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/CryptoAnalysisContext.cs - Analysis context
  - src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Analyzers/CryptoAnalysisResult.cs - Analysis results
- Policy:
  - src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Policy/CryptoPolicyLoader.cs - Loads crypto compliance policies
  - src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Policy/CryptoPolicy.cs - Policy model (FIPS, PCI-DSS, NIST)
- Models:
  - src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Models/CryptoAnalysisModels.cs
- Reporting:
  - src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Reporting/CryptoAnalysisReportFormatter.cs - Report formatting
  - src/Scanner/__Libraries/StellaOps.Scanner.CryptoAnalysis/Reporting/CryptoInventoryExporter.cs - Inventory export
- Worker Stage:
  - src/Scanner/StellaOps.Scanner.Worker/Processing/CryptoAnalysis/CryptoAnalysisStageExecutor.cs
E2E Test Plan
- Scan a container image with a CycloneDX SBOM containing cryptoProperties and verify crypto assets are inventoried
- Verify AlgorithmStrengthAnalyzer flags weak algorithms (e.g., MD5, SHA-1, DES) with appropriate severity
- Verify PostQuantumAnalyzer assesses quantum readiness and flags algorithms vulnerable to quantum attacks (e.g., RSA-2048)
- Configure a FIPS 140-3 compliance policy and verify FipsComplianceChecker validates/rejects algorithms accordingly
- Verify certificate analysis identifies expired/weak certificates
- Verify crypto inventory export produces a complete listing of all discovered crypto assets
- Verify crypto analysis findings appear in the unified scan report
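The following is an added, self-contained Python illustration of the analysis the Description and the E2E test plan above describe: walk the cryptographic-asset components of a CycloneDX CBOM, inventory them, flag weak/deprecated algorithms, flag quantum-vulnerable public-key algorithms, apply a FIPS-style allow-list and detect expired certificates. It is not StellaOps code and does not call the analyzers listed above; the CBOM document is constructed for the example, the field names follow the CycloneDX 1.6 cryptoProperties schema (assetType, algorithmProperties.primitive, parameterSetIdentifier, nistQuantumSecurityLevel, certificateProperties.notValidAfter), and the WEAK_ALGORITHMS, QUANTUM_VULNERABLE_NAMES and FIPS_ALLOWED tables are illustrative policy, not the project's catalog or an official FIPS 140-3 approved list.

```python
"""Toy CBOM analyser: inventory, weak-algorithm, PQ-readiness, FIPS and certificate checks."""
import json
from datetime import datetime, timezone

# Constructed CycloneDX 1.6 CBOM fragment for the example (not a real scan result).
SAMPLE_CBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "cryptographic-asset", "name": "MD5", "bom-ref": "alg:md5",
         "cryptoProperties": {"assetType": "algorithm",
             "algorithmProperties": {"primitive": "hash", "parameterSetIdentifier": "128"}}},
        {"type": "cryptographic-asset", "name": "RSA", "bom-ref": "alg:rsa-2048",
         "cryptoProperties": {"assetType": "algorithm",
             "algorithmProperties": {"primitive": "pke", "parameterSetIdentifier": "2048",
                                     "nistQuantumSecurityLevel": 0}}},
        {"type": "cryptographic-asset", "name": "AES", "bom-ref": "alg:aes-256-gcm",
         "cryptoProperties": {"assetType": "algorithm",
             "algorithmProperties": {"primitive": "ae", "parameterSetIdentifier": "256",
                                     "nistQuantumSecurityLevel": 5}}},
        {"type": "cryptographic-asset", "name": "ML-KEM", "bom-ref": "alg:ml-kem-768",
         "cryptoProperties": {"assetType": "algorithm",
             "algorithmProperties": {"primitive": "kem", "parameterSetIdentifier": "768",
                                     "nistQuantumSecurityLevel": 3}}},
        {"type": "cryptographic-asset", "name": "example.internal TLS cert", "bom-ref": "cert:1",
         "cryptoProperties": {"assetType": "certificate",
             "certificateProperties": {"subjectName": "CN=example.internal",
                                       "notValidAfter": "2020-01-01T00:00:00Z",
                                       "signatureAlgorithmRef": "alg:rsa-2048"}}},
    ],
})

# Illustrative policy tables (assumptions for this example, not the project's catalog).
WEAK_ALGORITHMS = {"MD5": "high", "SHA-1": "medium", "DES": "high", "3DES": "medium", "RC4": "high"}
# Classical public-key schemes whose hardness assumption falls to Shor's algorithm.
QUANTUM_VULNERABLE_NAMES = {"RSA", "DSA", "ECDSA", "ECDH", "DH", "EdDSA"}
# Minimal FIPS-style allow-list; a real policy would be loaded from configuration.
FIPS_ALLOWED = {"AES", "SHA-256", "SHA-384", "SHA-512", "RSA", "ECDSA", "ML-KEM", "ML-DSA"}


def crypto_assets(cbom_json):
    """Return the cryptographic-asset components of a CycloneDX CBOM document."""
    bom = json.loads(cbom_json)
    return [c for c in bom.get("components", []) if c.get("type") == "cryptographic-asset"]


def analyze(cbom_json, now=None):
    """Inventory every crypto asset and return (inventory, findings).

    inventory: list of (bom-ref, assetType) for every cryptographic asset.
    findings:  list of (bom-ref, finding-type, severity).
    """
    now = now or datetime.now(timezone.utc)
    inventory, findings = [], []
    for asset in crypto_assets(cbom_json):
        props = asset.get("cryptoProperties", {})
        ref = asset.get("bom-ref", asset["name"])
        asset_type = props.get("assetType")
        inventory.append((ref, asset_type))
        if asset_type == "algorithm":
            alg = props.get("algorithmProperties", {})
            name = asset["name"]
            # Broken or deprecated primitives (the AlgorithmStrengthAnalyzer role).
            if name in WEAK_ALGORITHMS:
                findings.append((ref, "weak-algorithm", WEAK_ALGORITHMS[name]))
            # Policy allow-list check (the FipsComplianceChecker role).
            if name not in FIPS_ALLOWED:
                findings.append((ref, "fips-noncompliant", "medium"))
            # Post-quantum readiness: flag classical public-key schemes, and anything the
            # producer already rated at NIST quantum security level 0.
            if name in QUANTUM_VULNERABLE_NAMES or alg.get("nistQuantumSecurityLevel") == 0:
                findings.append((ref, "quantum-vulnerable", "medium"))
        elif asset_type == "certificate":
            cert = props.get("certificateProperties", {})
            expiry = cert.get("notValidAfter")
            # "Z" suffix is normalised so fromisoformat works on older Python versions too.
            if expiry and datetime.fromisoformat(expiry.replace("Z", "+00:00")) < now:
                findings.append((ref, "expired-certificate", "high"))
    return inventory, findings


if __name__ == "__main__":
    inv, found = analyze(SAMPLE_CBOM)
    print(f"{len(inv)} crypto assets inventoried")
    for ref, kind, severity in found:
        print(f"{severity:7} {kind:22} {ref}")
```

Run stand-alone, the script inventories five assets and reports four findings: MD5 as weak and outside the allow-list, RSA-2048 as quantum-vulnerable, and the certificate as expired; the AES-256-GCM and ML-KEM-768 entries produce no findings. Matching by component name is the simplifying assumption here; a production analyzer would key on the OID or on primitive plus parameter set, since producers do not spell algorithm names consistently.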