Generate minimal viable cryptographic bill of materials #8
Merged: script3r merged 25 commits into `main` from `cursor/generate-minimal-viable-cryptographic-bill-of-materials-fad9` on Sep 16, 2025
Conversation
This commit introduces the Minimal Viable Cryptographic Bill of Materials (MV-CBOM) generation feature. It includes new crates for parsing certificates, analyzing dependencies, detecting algorithms, and parsing Cargo.toml files. The CLI is updated to support the `--cbom` flag for generating MV-CBOM JSON output. This enables Post-Quantum Cryptography (PQC) readiness assessment by identifying vulnerable algorithms and their usage. New test cases are added to validate the MV-CBOM generation for various cryptographic scenarios. Co-authored-by: script3r <[email protected]>
This commit refactors the algorithm detection logic to utilize a pattern registry. This allows for more flexible and configurable detection of cryptographic algorithms based on defined patterns in a TOML file. The changes include:

- **AlgorithmDetector:**
  - Replaced hardcoded parameter patterns with a reference to `PatternRegistry`.
  - Modified `detect_algorithms` to use registry patterns for extraction.
  - Introduced `extract_algorithms_from_finding_with_registry` and `perform_deep_static_analysis_with_registry` for registry-based detection.
  - Added a fallback mechanism for when no registry is available.
  - Removed specific extraction methods for different libraries (e.g., `extract_rustcrypto_algorithms`).
  - Added helper methods for parsing primitives and creating algorithm assets from specifications.
- **CbomGenerator:**
  - Added a `with_registry` constructor to accept a `PatternRegistry`.
- **CLI:**
  - Updated `main.rs` to pass the loaded `PatternRegistry` to `CbomGenerator`.
- **Scanner Core:**
  - Added `AlgorithmSpec` and `ParameterPattern` structs to define algorithm patterns in TOML.
  - Added `CompiledAlgorithm` and `CompiledParameterPattern` for compiled regexes.
  - Modified `compile_library` to compile algorithm specifications.
- **Patterns.toml:**
  - Added new algorithm definitions for OpenSSL and RustCrypto, including symbol patterns, parameter extraction regexes, and NIST quantum security levels.

These changes decouple algorithm detection logic from the code, making it easier to add support for new libraries and algorithms by simply updating the `patterns.toml` file.
This commit refactors the crypto asset detection and dependency analysis logic. It includes improvements to the algorithm detector, certificate parser, and dependency analyzer. The project parser also receives updates for better handling of various project types. These changes enhance the accuracy and robustness of the MV-CBOM generation process. Co-authored-by: script3r <[email protected]>
This commit improves the algorithm detection logic to consider multiple sources for parameter extraction. It also updates various fixtures with new UUIDs and algorithm definitions, including RSA, AES, ECDSA, and SHA-256, for better representation. Co-authored-by: script3r <[email protected]>
This commit refactors the algorithm deduplication logic to correctly merge algorithms with varying parameter specificity. It also introduces support for detecting algorithms from the libsodium library by adding new patterns to `patterns.toml` and creating a new fixture `libsodium-modern`. Additionally, several other fixtures have been updated with new UUIDs and timestamps to reflect the changes. Co-authored-by: script3r <[email protected]>
Update patterns.toml to include PyCA cryptography algorithms. Enhance algorithm detector to extract parameters from the full file content. Update generated SBOMs with new algorithm details and UUIDs. Co-authored-by: script3r <[email protected]>
Update algorithm deduplication logic and regenerate fixture files with new UUIDs and timestamps. Co-authored-by: script3r <[email protected]>
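The commits above describe three pieces of the design without showing code: a registry of algorithm specs (symbol patterns, parameter-extraction regexes, NIST quantum security levels) compiled once from `patterns.toml`; parameter extraction that falls back to the full file content; and deduplication that merges findings of varying parameter specificity. The example below, written for this page and not taken from cipherscope, puts those three steps together in Python over a constructed pair of source files. The registry schema, the field names, the `CompiledAlgorithm`/`detect`/`deduplicate` helpers and the CycloneDX-like output shape are all assumptions made for the example; the security levels follow the NIST PQC categories (0 = no quantum security, 1 = AES-128 key search, 2 = SHA-256 collision, 3 = AES-192, 5 = AES-256).

```python
import json
import re
from dataclasses import dataclass

# Constructed registry standing in for patterns.toml; the schema is an assumption.
REGISTRY = {
    "openssl": [
        {"name": "RSA", "primitive": "pke",
         "symbols": [r"\bRSA_new\b", r"\bRSA_generate_key_ex\b"],
         "params": [{"name": "key_size", "regex": r"RSA_generate_key_ex\s*\([^,]*,\s*(\d+)"}],
         "nist_quantum_security_level": 0},
        {"name": "AES", "primitive": "block-cipher",
         "symbols": [r"\bEVP_aes_\d+_[a-z]+\b"],
         "params": [{"name": "key_size", "regex": r"EVP_aes_(\d+)_"},
                    {"name": "mode", "regex": r"EVP_aes_\d+_([a-z]+)"}],
         "nist_quantum_security_level": {"128": 1, "192": 3, "256": 5}},  # keyed by key size
    ],
    "rustcrypto": [
        {"name": "SHA-256", "primitive": "hash", "symbols": [r"\bSha256\b"],
         "params": [], "nist_quantum_security_level": 2},
    ],
}

# Constructed source files standing in for a scanned project.
SAMPLE_FILES = {
    "src/keys.c": ("#include <openssl/rsa.h>\n"
                   "RSA *rsa = RSA_new();\n"
                   "RSA_generate_key_ex(rsa, 2048, e, NULL);\n"
                   "const EVP_CIPHER *c1 = EVP_aes_256_gcm();\n"
                   "const EVP_CIPHER *c2 = EVP_aes_128_cbc();\n"),
    "src/hash.rs": "use sha2::{Digest, Sha256};\nlet digest = Sha256::digest(data);\n",
}


@dataclass
class CompiledAlgorithm:
    library: str
    name: str
    primitive: str
    symbols: list   # compiled symbol regexes
    params: list    # (parameter name, compiled regex with one capture group)
    level: object   # int, or dict keyed by key_size


def compile_registry(registry):
    """Compile every regex once, before any file is scanned."""
    return [CompiledAlgorithm(lib, s["name"], s["primitive"],
                              [re.compile(p) for p in s["symbols"]],
                              [(p["name"], re.compile(p["regex"])) for p in s["params"]],
                              s["nist_quantum_security_level"])
            for lib, specs in registry.items() for s in specs]


def extract_params(algo, line, content):
    """Try the matching line first, then fall back to the full file content."""
    params = {}
    for pname, rx in algo.params:
        m = rx.search(line) or rx.search(content)
        if m:
            params[pname] = m.group(1)
    return params


def detect(files, compiled):
    """One raw finding per symbol hit, with file:line evidence."""
    findings = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            for algo in compiled:
                if any(rx.search(line) for rx in algo.symbols):
                    findings.append({"library": algo.library, "name": algo.name,
                                     "primitive": algo.primitive, "level": algo.level,
                                     "params": extract_params(algo, line, content),
                                     "evidence": [f"{path}:{lineno}"]})
    return findings


def deduplicate(findings):
    """Merge same-algorithm findings: a finding whose parameters are a subset of an
    existing asset's folds into it (upgrading the asset when the new one is more
    specific); conflicting values (AES-128 vs AES-256) stay separate assets."""
    assets = []
    for f in findings:
        for a in assets:
            if (a["library"], a["name"]) != (f["library"], f["name"]):
                continue
            fp, ap = f["params"].items(), a["params"].items()
            if fp <= ap or ap <= fp:
                if len(f["params"]) > len(a["params"]):
                    a["params"] = dict(f["params"])
                a["evidence"] += [e for e in f["evidence"] if e not in a["evidence"]]
                break
        else:
            assets.append(dict(f, params=dict(f["params"]), evidence=list(f["evidence"])))
    return assets


def quantum_level(asset):
    lvl = asset["level"]
    return lvl.get(asset["params"].get("key_size")) if isinstance(lvl, dict) else lvl


def build_cbom(assets):
    """CBOM shaped loosely after CycloneDX 1.6 cryptographic-asset components (an
    assumption for this example, not cipherscope's output format)."""
    components = []
    for a in sorted(assets, key=lambda a: (a["library"], a["name"], a["params"].get("key_size", ""))):
        lvl = quantum_level(a)
        components.append({
            "type": "cryptographic-asset", "name": a["name"],
            "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
                "primitive": a["primitive"],
                "parameterSetIdentifier": a["params"].get("key_size"),
                "mode": a["params"].get("mode"),
                "nistQuantumSecurityLevel": lvl}},
            "properties": [{"name": "library", "value": a["library"]},
                           {"name": "evidence", "value": ";".join(a["evidence"])},
                           {"name": "pqc-vulnerable", "value": str(lvl == 0).lower()}],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": components}


def generate_cbom(files, registry=REGISTRY):
    return build_cbom(deduplicate(detect(files, compile_registry(registry))))


if __name__ == "__main__":
    print(json.dumps(generate_cbom(SAMPLE_FILES), indent=2))
```

Running it on the constructed files yields four assets: `RSA_new()` on its own line carries no key size, but the full-file fallback picks up the 2048 from `RSA_generate_key_ex`, so both RSA hits collapse into one RSA-2048 asset with two evidence locations, while the two `EVP_aes_*` hits keep distinct key sizes and remain separate assets. Only RSA is flagged `pqc-vulnerable`, because its level is 0; the evidence list is what lets a reviewer distinguish code that actually calls the primitive from a dependency that is merely declared.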
Add Minimal Viable Cryptographic Bill of Materials (MV-CBOM) generation to cipherscope to enable Post-Quantum Cryptography (PQC) readiness assessment. This PR introduces deep static analysis for algorithm parameter extraction, X.509 certificate parsing, and intelligent dependency analysis (`uses` vs. `implements`) to provide a detailed, actionable inventory of cryptographic assets. This functionality is crucial for identifying PQC-vulnerable algorithms and understanding actual cryptographic usage versus merely declared dependencies.