-
Notifications
You must be signed in to change notification settings - Fork 201
Add cryptographic algorithm scanning and CycloneDX 1.7 CBOM output #1656
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Closed
CortezFrazierJr
wants to merge
10
commits into
fossas:master
from
CortezFrazierJr:feature/crypto-scanning
Closed
Changes from all commits
Commits
Show all changes
10 commits
Select commit
Hold shift + click to select a range
32f92a9
Add cryptographic algorithm scanning with CycloneDX 1.7 CBOM output
CortezFrazierJr 7dd5856
Merge branch 'master' into feature/crypto-scanning
CortezFrazierJr 39e6861
Address CodeRabbit review: fix algorithm normalization, CBOM context …
CortezFrazierJr d06cccb
Address remaining CodeRabbit review: remove guards, fix WalkDir pruni…
CortezFrazierJr 91815d5
Address nitpick reviews: deterministic CBOM output, O(n log n) dedupe…
CortezFrazierJr f3afa46
Address CodeRabbit review round 3: fix AES key size guessing, ecosyst…
CortezFrazierJr 418924a
Address CodeRabbit review round 4: MSRV, dedup, BTreeSet, command bui…
CortezFrazierJr 8483e43
Address CodeRabbit review round 5: pin deps, DetectionMethod::as_str()
CortezFrazierJr 5ab4443
Address CodeRabbit review round 6: key-wrap primitive, ecosystem-scop…
CortezFrazierJr 0b01d05
Address CodeRabbit review round 7: deterministic BOM, canonical algor…
CortezFrazierJr File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,163 @@ | ||
|
|
||
| # Crypto Scanning | ||
|
|
||
| Crypto Scanning is the name of FOSSA's cryptographic algorithm detection feature. | ||
|
|
||
| Crypto Scanning analyzes source code, dependency manifests, and configuration files | ||
| in your project, identifies cryptographic algorithm usage, and classifies each | ||
| finding against FIPS 140-3 compliance requirements. Results can be uploaded to | ||
| FOSSA, exported as a CycloneDX 1.7 CBOM (Cryptography Bill of Materials), or | ||
| printed as a FIPS compliance report. | ||
|
|
||
| Crypto Scanning can be run as part of `fossa analyze`. To enable it, add the | ||
| `--x-crypto-scan` flag when you run `fossa analyze`: | ||
|
|
||
| ```sh | ||
| fossa analyze --x-crypto-scan | ||
| ``` | ||
|
|
||
| ## How Crypto Scanning Works | ||
|
|
||
| When `--x-crypto-scan` is enabled, the CLI: | ||
|
|
||
| 1. **Detects Ecosystems**: Identifies which language ecosystems are present in your | ||
| project (e.g., Python, Java, Go, Rust, Node.js, Ruby, C#/.NET, PHP, Swift, Elixir). | ||
| 2. **Scans Source Files**: Uses pattern-based detection across four categories: | ||
| - **Dependency analysis**: Known crypto libraries in dependency manifests | ||
| (e.g., `pyca/cryptography` in `requirements.txt`, `ring` in `Cargo.toml`) | ||
| - **Import pattern matching**: Crypto-related imports | ||
| (e.g., `import javax.crypto.Cipher`, `from cryptography.hazmat.primitives import hashes`) | ||
| - **API call pattern matching**: Crypto API invocations | ||
| (e.g., `Cipher.getInstance("AES/GCM/NoPadding")`, `hashlib.sha256()`) | ||
| - **Configuration file scanning**: TLS configs, OpenSSL configs, security properties | ||
| 3. **Classifies Algorithms**: Maps each detected algorithm to its FIPS 140-3 status | ||
| (approved, deprecated, or not approved) and assesses key sizes against NIST minimums. | ||
| 4. **Produces Results**: Outputs findings as part of the standard analysis pipeline, | ||
| with optional CycloneDX CBOM export and FIPS compliance reporting. | ||
|
|
||
| ## Supported Ecosystems | ||
|
|
||
| | Ecosystem | Crypto Libraries Detected | File Types Scanned | | ||
| |---|---|---| | ||
| | **Python** | cryptography, pycryptodome, hashlib, ssl | `*.py`, `requirements.txt`, `pyproject.toml` | | ||
| | **Java** | JCA/JCE, BouncyCastle, Conscrypt | `*.java`, `*.kt`, `pom.xml`, `build.gradle` | | ||
| | **Go** | crypto/*, x/crypto | `*.go`, `go.mod` | | ||
| | **Rust** | ring, rust-crypto, openssl, rustls | `*.rs`, `Cargo.toml` | | ||
| | **Node.js** | crypto (builtin), crypto-js, node-forge, jose | `*.js`, `*.ts`, `package.json` | | ||
| | **Ruby** | OpenSSL, rbnacl, bcrypt-ruby | `*.rb`, `Gemfile`, `*.gemspec` | | ||
| | **C#/.NET** | System.Security.Cryptography, BouncyCastle | `*.cs`, `*.csproj`, `packages.config` | | ||
| | **PHP** | openssl/sodium extensions, phpseclib | `*.php`, `composer.json` | | ||
| | **Swift** | CryptoKit, CommonCrypto | `*.swift`, `Package.swift`, `Podfile` | | ||
| | **Elixir** | :crypto, Comeonin (bcrypt/argon2), JOSE | `*.ex`, `*.exs`, `mix.exs` | | ||
|
|
||
| ## Data Sent to FOSSA | ||
|
|
||
| When crypto scan results are uploaded to FOSSA (the default behavior without `--output`), | ||
| the following data is sent: | ||
|
|
||
| - Algorithm names and classifications (e.g., "AES-256-GCM", "SHA-256") | ||
| - File paths where algorithms were detected | ||
| - Detection confidence levels | ||
| - FIPS compliance status per algorithm | ||
| - Providing library names (e.g., "openssl", "ring") | ||
|
|
||
| No source code content is sent to FOSSA. Only metadata about detected | ||
| cryptographic algorithm usage is transmitted. | ||
|
|
||
| ## CycloneDX 1.7 CBOM Output | ||
|
|
||
| To export a local CycloneDX 1.7 CBOM file instead of (or in addition to) | ||
| uploading to FOSSA, use the `--crypto-cbom-output` flag: | ||
|
|
||
| ```sh | ||
| fossa analyze --crypto-cbom-output /path/to/cbom.json | ||
| ``` | ||
|
|
||
| This produces a standards-compliant CycloneDX 1.7 JSON file with: | ||
|
|
||
| - `cryptographic-asset` component types | ||
| - `cryptoProperties` with `algorithmProperties` (primitive, mode, key size) | ||
| - `fossa:fips-status` component properties for the FIPS classification | ||
| - `provides` dependency relationships linking libraries to their algorithms | ||
| - Algorithm OIDs where applicable | ||
|
|
||
| The `--crypto-cbom-output` flag implies `--x-crypto-scan` and does not need to | ||
| be combined with it explicitly. | ||
|
|
||
| ## FIPS Compliance Report | ||
|
|
||
| To print a FIPS compliance summary to stdout, use the `--crypto-fips-report` flag: | ||
|
|
||
| ```sh | ||
| fossa analyze --crypto-fips-report | ||
| ``` | ||
|
|
||
| The report includes: | ||
|
|
||
| - **Summary statistics**: Total algorithms detected, FIPS-approved count, | ||
| deprecated count, non-FIPS count, and overall compliance percentage | ||
| - **Per-algorithm breakdown**: Each detected algorithm with its FIPS status | ||
| - **Remediation suggestions**: For non-FIPS algorithms, recommended FIPS | ||
| alternatives (e.g., "Replace ChaCha20-Poly1305 with AES-256-GCM") | ||
| - **Key size warnings**: Flags algorithms with key sizes below NIST minimums | ||
|
|
||
| The `--crypto-fips-report` flag implies `--x-crypto-scan` and does not need to | ||
| be combined with it explicitly. | ||
|
|
||
| ### Example output | ||
|
|
||
| ``` | ||
| FIPS Compliance Report | ||
| ====================== | ||
|
|
||
| Summary: 23 algorithms detected | ||
| Approved: 15 (65%) | ||
| Deprecated: 3 (13%) | ||
| Not Approved: 5 (22%) | ||
|
|
||
| Remediation Suggestions: | ||
| ChaCha20-Poly1305 -> AES-256-GCM | ||
| BLAKE2b -> SHA-256 / SHA-3 | ||
| X25519 -> ECDH P-256 | ||
| bcrypt -> PBKDF2 | ||
| MD5 -> SHA-256 | ||
| ``` | ||
|
|
||
| ## Combining Flags | ||
|
|
||
| All crypto scanning flags can be combined: | ||
|
|
||
| ```sh | ||
| # Scan, upload results, export CBOM, and print FIPS report | ||
| fossa analyze --x-crypto-scan --crypto-cbom-output cbom.json --crypto-fips-report | ||
|
|
||
| # Local-only: export CBOM without uploading | ||
| fossa analyze --output --crypto-cbom-output cbom.json | ||
|
|
||
| # FIPS report only | ||
| fossa analyze --output --crypto-fips-report | ||
| ``` | ||
|
|
||
| ## FIPS Compliance Reference | ||
|
|
||
| ### FIPS-Approved Algorithms | ||
|
|
||
| | Category | Algorithms | | ||
| |---|---| | ||
| | Symmetric Encryption | AES-128/192/256 (ECB mode is deprecated by 2030) | | ||
| | Hash Functions | SHA-256, SHA-384, SHA-512, SHA-3 family, SHAKE128/256 | | ||
| | Signatures | RSA >= 2048-bit, ECDSA (P-256/P-384/P-521), EdDSA, ML-DSA | | ||
| | Key Exchange | ECDH (P-256/P-384/P-521), DH >= 2048-bit, ML-KEM | | ||
| | MACs | HMAC, CMAC, GMAC, KMAC | | ||
| | KDFs | HKDF, PBKDF2, SP 800-108 KDFs | | ||
|
|
||
| ### Common Non-FIPS Algorithms | ||
|
|
||
| | Algorithm Found | Recommended FIPS Alternative | | ||
| |---|---| | ||
| | ChaCha20-Poly1305 | AES-256-GCM | | ||
| | BLAKE2/BLAKE3 | SHA-256 / SHA-3 | | ||
| | X25519/X448 | ECDH P-256/P-384 | | ||
| | MD5 | SHA-256 | | ||
| | RC4, Blowfish, DES | AES | | ||
| | Argon2, scrypt, bcrypt | PBKDF2 | | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| # Crypto Scanning | ||
|
|
||
| FOSSA supports the ability to detect cryptographic algorithm usage in your project source tree and assess FIPS 140-3 compliance via an opt-in flag (`--x-crypto-scan`). | ||
|
|
||
| The core idea behind this feature is that organizations subject to FIPS compliance requirements need visibility into which cryptographic algorithms their software uses, whether those algorithms are FIPS-approved, and what remediation steps are needed for non-compliant usage. | ||
|
|
||
| _Important: For support and other general information, refer to the [experimental options overview](../README.md) before using experimental options._ | ||
|
|
||
| ## Discovery | ||
|
|
||
| Crypto Scanning automatically detects which language ecosystems are present in your project by examining manifest files (e.g., `requirements.txt`, `pom.xml`, `go.mod`, `Cargo.toml`, `package.json`, `Gemfile`, `*.csproj`, `composer.json`, `Package.swift`, `mix.exs`). | ||
|
|
||
| Ten ecosystems are supported: Python, Java, Go, Rust, Node.js, Ruby, C#/.NET, PHP, Swift, and Elixir. | ||
|
|
||
| ## Analysis | ||
|
|
||
| The scanner uses four detection methods, applied in order of specificity: | ||
|
|
||
| | Detection Method | Description | Example | | ||
| |---|---|---| | ||
| | Dependency manifest | Known crypto libraries in lock/manifest files | `cryptography` in `requirements.txt` | | ||
| | Import statement | Crypto-related import/require patterns | `import "crypto/aes"` in Go | | ||
| | API call | Direct crypto API invocations | `Cipher.getInstance("AES/GCM/NoPadding")` in Java | | ||
| | Configuration file | TLS/SSL/crypto configuration entries | `ssl_protocols TLSv1.3` in nginx config | | ||
|
|
||
| Each detected algorithm is classified with: | ||
|
|
||
| - **FIPS status**: Approved, deprecated, or not approved per NIST SP 800-131A Rev. 2 | ||
| - **Key size assessment**: Whether the key size meets NIST minimum requirements | ||
| - **Confidence level**: High, medium, or low based on detection method specificity | ||
| - **Providing library**: The library or framework providing the algorithm | ||
|
|
||
| ## Output Formats | ||
|
|
||
| | Flag | Output | | ||
| |---|---| | ||
| | `--x-crypto-scan` | Include crypto findings in standard FOSSA upload | | ||
| | `--crypto-cbom-output FILE` | Write CycloneDX 1.7 CBOM JSON to a local file | | ||
| | `--crypto-fips-report` | Print FIPS compliance summary to stdout | | ||
|
|
||
| Both `--crypto-cbom-output` and `--crypto-fips-report` imply `--x-crypto-scan`. | ||
|
|
||
| ## More Detail | ||
|
|
||
| For the full list of supported ecosystems, detected libraries, FIPS compliance reference, and usage examples, see [the Crypto Scanning feature documentation](../../../features/crypto-scanning.md). |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.