CycloneDX 1.7 CBOM (Cryptographic Bill of Materials) Support
Module: Scanner
Status: IMPLEMENTED
Description
Cryptographic Bill of Materials support with crypto asset extraction for .NET, Java, and Node.js ecosystems. Includes CBOM aggregation service, serializer, and policy crypto risk rules. Distinct from standard SBOM support -- this inventories cryptographic algorithms and primitives across components.
Implementation Details
- CBOM Aggregation & Serialization:
  - src/Scanner/__Libraries/StellaOps.Scanner.Emit/Cbom/CbomAggregationService.cs - Aggregates crypto assets from all analyzers into a unified CBOM
  - src/Scanner/__Libraries/StellaOps.Scanner.Emit/Cbom/CbomSerializer.cs - Serializes CBOM data to CycloneDX format
  - src/Scanner/__Libraries/StellaOps.Scanner.Emit/Composition/CycloneDxCbomWriter.cs - Writes CycloneDX 1.7 CBOM output
- Per-Ecosystem Crypto Extractors:
  - src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/Internal/Crypto/DotNetCryptoExtractor.cs - .NET crypto asset extraction
  - src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/Crypto/JavaCryptoExtractor.cs - Java crypto asset extraction
  - src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/Internal/Crypto/NodeCryptoExtractor.cs - Node.js crypto asset extraction
E2E Test Plan
- Scan a container image with .NET, Java, or Node.js applications and verify CBOM extraction identifies cryptographic assets
- Verify the CBOM aggregation service merges crypto assets from multiple ecosystem analyzers
- Export the scan results as CycloneDX 1.7 and verify cryptoProperties fields are populated
- Verify crypto algorithms (AES, RSA, SHA-256, etc.) are inventoried with correct metadata
- Verify policy crypto risk rules flag weak or deprecated algorithms in the CBOM
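The aggregation, CycloneDX serialization and crypto risk rule steps described under Implementation Details and exercised by the test plan, as an added illustration that is not StellaOps code: three constructed per-ecosystem asset lists are merged by algorithm identity, checked against illustrative weak-algorithm rules, and written out as a CycloneDX 1.7 document. The component and cryptoProperties field names follow the CycloneDX cryptographic-asset schema; the rule ids, the `cbom:ecosystem` property name and the sample assets are assumptions made for this example.

```python
import json

# Constructed sample fragments (as three per-ecosystem extractors might emit them); field names follow the CycloneDX cryptographic-asset component.
def _asset(name, primitive, params=None, mode=None):
    algo = {k: v for k, v in (("primitive", primitive), ("parameterSetIdentifier", params), ("mode", mode)) if v}
    return {"type": "cryptographic-asset", "name": name,
            "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": algo}}

ECOSYSTEM_CBOMS = {
    "dotnet": [_asset("AES", "block-cipher", "256", "gcm"), _asset("SHA-256", "hash", "256"), _asset("MD5", "hash", "128")],
    "java":   [_asset("SHA-256", "hash", "256"), _asset("RSA", "pke", "1024")],
    "node":   [_asset("RSA", "pke", "2048"), _asset("SHA-1", "hash", "160")],
}

def asset_key(component):
    # Identity used for de-duplication: same algorithm, primitive, parameter set and mode.
    ap = component["cryptoProperties"]["algorithmProperties"]
    return (component["name"].upper(), ap["primitive"], ap.get("parameterSetIdentifier"), ap.get("mode"))

def aggregate(cboms):
    # Merge identical assets across ecosystems, keeping track of which ecosystems use each one.
    merged = {}
    for ecosystem, components in cboms.items():
        for component in components:
            entry = merged.setdefault(asset_key(component), {"component": component, "ecosystems": []})
            entry["ecosystems"].append(ecosystem)
    return merged

# Illustrative policy rules over an asset key: deprecated hashes and ciphers, and RSA moduli under 2048 bits.
RISK_RULES = [
    ("CRYPTO-001 deprecated hash", lambda k: k[1] == "hash" and k[0] in {"MD5", "SHA-1", "SHA1"}),
    ("CRYPTO-002 deprecated cipher", lambda k: k[1] == "block-cipher" and k[0] in {"DES", "3DES", "RC2"}),
    ("CRYPTO-003 short RSA modulus", lambda k: k[0] == "RSA" and k[2] is not None and int(k[2]) < 2048),
]

def evaluate(merged):
    # One finding per (rule, asset); the ecosystem list says where remediation is needed.
    return [(rule_id, key[0], key[2], tuple(entry["ecosystems"]))
            for key, entry in merged.items() for rule_id, hit in RISK_RULES if hit(key)]

def build_cbom(merged):
    # Serialize the aggregated inventory as a CycloneDX 1.7 JSON document.
    components = []
    for i, entry in enumerate(merged.values()):
        component = dict(entry["component"])
        component["bom-ref"] = f"crypto-asset-{i}"
        component["properties"] = [{"name": "cbom:ecosystem", "value": e} for e in entry["ecosystems"]]  # placeholder property name
        components.append(component)
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.7", "version": 1, "components": components}, indent=2)
```

Running `evaluate(aggregate(ECOSYSTEM_CBOMS))` on the sample yields findings for MD5, the 1024-bit RSA key in the Java fragment and SHA-1, while the 2048-bit RSA use and SHA-256 (shared by .NET and Java, inventoried once) pass.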