script3r
diff --git a/‎README.md‎
Lines changed: 21 additions & 6 deletions b/‎README.md‎
Lines changed: 21 additions & 6 deletions
diff --git a/‎crates/cbom-generator/src/lib.rs‎
Lines changed: 85 additions & 2 deletions b/‎crates/cbom-generator/src/lib.rs‎
Lines changed: 85 additions & 2 deletions
diff --git a/‎crates/cbom-generator/src/project_parser.rs‎
Lines changed: 87 additions & 2 deletions b/‎crates/cbom-generator/src/project_parser.rs‎
Lines changed: 87 additions & 2 deletions
diff --git a/‎crates/cli/src/main.rs‎
Lines changed: 57 additions & 15 deletions b/‎crates/cli/src/main.rs‎
Lines changed: 57 additions & 15 deletions
@@ -18,7 +18,11 @@ cargo build --release
 Generate MV-CBOM (Cryptographic Bill of Materials):
 
 ```bash
+# Single project CBOM
 ./target/release/cipherscope . --cbom
+
+# Recursive CBOM generation for all discovered projects
+./target/release/cipherscope . --cbom-recursive
 ```
 
 JSONL and SARIF:
@@ -30,6 +34,7 @@ JSONL and SARIF:
 
 Key flags:
 - `--cbom`: generate MV-CBOM (Minimal Viable Cryptographic Bill of Materials)
+- `--cbom-recursive`: generate MV-CBOMs recursively for all discovered projects
 - `--threads N`: set thread pool size
 - `--max-file-size MB`: skip large files (default 2)
 - `--patterns PATH`: specify patterns file (default: `patterns.toml`)
@@ -55,6 +60,7 @@ The MV-CBOM includes:
 - **Cryptographic Assets**: Algorithms, certificates, and related crypto material with NIST security levels
 - **Dependency Relationships**: Distinguishes between "uses" (actively called) vs "implements" (available but unused)
 - **Parameter Extraction**: Key sizes, curves, and other algorithm-specific parameters
+- **Recursive Project Discovery**: Automatically discovers and analyzes nested projects (BUCK, Bazel, Maven modules, etc.)
 
 Example MV-CBOM snippet:
 ```json
@@ -194,12 +200,13 @@ The MV-CBOM generation is implemented in the `cbom-generator` crate with modular
 - Extensible: new algorithms added by editing patterns, not code
 
 The MV-CBOM pipeline:
-1. **Static Analysis**: Scanner finds cryptographic usage patterns using `patterns.toml`
-2. **Algorithm Detection**: **Pattern-driven** extraction of algorithms and parameters
-3. **Certificate Parsing**: Discovers and analyzes X.509 certificates in the project
-4. **Project Analysis**: Multi-language dependency parsing (Cargo, Maven, go.mod, Makefile, Bazel, BUCK, etc.)
-5. **Dependency Analysis**: Correlates project dependencies with actual code usage
-6. **CBOM Generation**: Produces standards-compliant JSON with NIST security levels
+1. **Project Discovery**: **Recursive** scanning for project files (BUILD, pom.xml, Cargo.toml, etc.)
+2. **Static Analysis**: Scanner finds cryptographic usage patterns using `patterns.toml`
+3. **Algorithm Detection**: **Pattern-driven** extraction of algorithms and parameters
+4. **Certificate Parsing**: Discovers and analyzes X.509 certificates in each project
+5. **Project Analysis**: Multi-language dependency parsing (Cargo, Maven, go.mod, Makefile, Bazel, BUCK, etc.)
+6. **Dependency Analysis**: Correlates project dependencies with actual code usage per project
+7. **CBOM Generation**: Produces standards-compliant JSON with NIST security levels (one per project)
 
 ### Tests & Benchmarks
 
@@ -256,6 +263,14 @@ cat fixtures/rust/rsa-vulnerable/mv-cbom.json | jq '.cryptoAssets[] | select(.as
 
 # Test certificate parsing
 ./target/release/cipherscope fixtures/certificates/x509-rsa-ecdsa --cbom
+
+# Test recursive project discovery
+./target/release/cipherscope fixtures/buck-nested --cbom-recursive
+./target/release/cipherscope fixtures/bazel-nested --cbom-recursive
+
+# Verify multiple CBOMs generated
+find fixtures/buck-nested -name "mv-cbom.json" | wc -l  # Should show 3
+find fixtures/bazel-nested -name "mv-cbom.json" | wc -l # Should show 4
 ```
 
 Benchmark scan throughput on test fixtures:
 
@@ -9,7 +9,7 @@ use chrono::{DateTime, Utc};
 use scanner_core::{Finding, PatternRegistry};
 use serde::{Deserialize, Serialize};
 use std::fs;
-use std::path::Path;
+use std::path::{Path, PathBuf};
 use std::sync::Arc;
 use uuid::Uuid;
 
@@ -211,7 +211,7 @@ impl CbomGenerator {
         }
     }
 
-    /// Generate an MV-CBOM for the given directory
+    /// Generate an MV-CBOM for the given directory (single project)
     pub fn generate_cbom(&self, scan_path: &Path, findings: &[Finding]) -> Result<MvCbom> {
         let scan_path = scan_path.canonicalize()
             .with_context(|| format!("Failed to canonicalize path: {}", scan_path.display()))?;
@@ -267,6 +267,76 @@ impl CbomGenerator {
         Ok(cbom)
     }
 
+    /// Generate MV-CBOMs for all projects discovered recursively
+    pub fn generate_cboms_recursive(&self, scan_path: &Path, findings: &[Finding]) -> Result<Vec<(PathBuf, MvCbom)>> {
+        let scan_path = scan_path.canonicalize()
+            .with_context(|| format!("Failed to canonicalize path: {}", scan_path.display()))?;
+
+        // Discover all projects recursively
+        let discovered_projects = self.project_parser.discover_projects(&scan_path)?;
+        
+        let mut cboms = Vec::new();
+        
+        for (project_path, project_info, project_dependencies) in discovered_projects {
+            // Filter findings relevant to this specific project
+            let project_findings: Vec<Finding> = findings.iter()
+                .filter(|finding| {
+                    // Check if the finding's file is within this project's directory
+                    finding.file.starts_with(&project_path)
+                })
+                .cloned()
+                .collect();
+
+            // Create component info from parsed project information
+            let component_info = ComponentInfo {
+                name: project_info.name,
+                version: project_info.version,
+                path: project_path.display().to_string(),
+            };
+            
+            // Parse certificates in this project directory
+            let certificates = self.certificate_parser.parse_certificates(&project_path)?;
+            
+            // Detect algorithms from findings and static analysis for this project
+            let algorithms = self.algorithm_detector.detect_algorithms(&project_path, &project_findings)?;
+            
+            // Analyze dependencies for this project
+            let dependencies = self.dependency_analyzer.analyze_dependencies(
+                &component_info,
+                &algorithms,
+                &certificates,
+                &project_dependencies,
+                &project_findings,
+            )?;
+
+            // Build crypto assets list
+            let mut crypto_assets = Vec::new();
+            crypto_assets.extend(algorithms);
+            crypto_assets.extend(certificates);
+
+            let cbom = MvCbom {
+                bom_format: "MV-CBOM".to_string(),
+                spec_version: "1.0".to_string(),
+                serial_number: format!("urn:uuid:{}", Uuid::new_v4()),
+                version: 1,
+                metadata: CbomMetadata {
+                    component: component_info,
+                    timestamp: Utc::now(),
+                    tools: vec![ToolInfo {
+                        name: "cipherscope".to_string(),
+                        version: env!("CARGO_PKG_VERSION").to_string(),
+                        vendor: "CipherScope Contributors".to_string(),
+                    }],
+                },
+                crypto_assets,
+                dependencies,
+            };
+
+            cboms.push((project_path, cbom));
+        }
+
+        Ok(cboms)
+    }
 
     /// Write the MV-CBOM to a JSON file
     pub fn write_cbom(&self, cbom: &MvCbom, output_path: &Path) -> Result<()> {
@@ -278,6 +348,19 @@ impl CbomGenerator {
 
         Ok(())
     }
+
+    /// Write multiple MV-CBOMs to JSON files (one per project)
+    pub fn write_cboms(&self, cboms: &[(PathBuf, MvCbom)]) -> Result<Vec<PathBuf>> {
+        let mut written_files = Vec::new();
+        
+        for (project_path, cbom) in cboms {
+            let output_path = project_path.join("mv-cbom.json");
+            self.write_cbom(cbom, &output_path)?;
+            written_files.push(output_path);
+        }
+        
+        Ok(written_files)
+    }
 }
 
 impl Default for CbomGenerator {
 
@@ -4,8 +4,9 @@ use anyhow::{Context, Result};
 use serde::Deserialize;
 use std::collections::HashMap;
 use std::fs;
-use std::path::Path;
+use std::path::{Path, PathBuf};
 use regex::Regex;
+use walkdir::WalkDir;
 
 /// Information about a project dependency
 #[derive(Debug, Clone)]
@@ -84,7 +85,7 @@ impl ProjectParser {
         parser
     }
 
-    /// Parse project information and dependencies from a directory
+    /// Parse project information and dependencies from a directory (non-recursive)
     pub fn parse_project(&self, scan_path: &Path) -> Result<(ProjectInfo, Vec<ProjectDependency>)> {
         // Try to detect project type by looking for common files
         if let Some((project_type, file_path)) = self.detect_project_type(scan_path) {
@@ -122,6 +123,90 @@ impl ProjectParser {
         }
     }
 
+    /// Recursively discover all projects in a directory tree
+    pub fn discover_projects(&self, scan_path: &Path) -> Result<Vec<(PathBuf, ProjectInfo, Vec<ProjectDependency>)>> {
+        let mut projects = Vec::new();
+        
+        // Use walkdir to recursively scan for project files
+        for entry in walkdir::WalkDir::new(scan_path)
+            .into_iter()
+            .filter_map(|e| e.ok())
+            .filter(|e| e.file_type().is_file())
+        {
+            let file_path = entry.path();
+            let dir_path = file_path.parent().unwrap_or(scan_path);
+            
+            // Check if this file indicates a project root
+            if let Some(project_type) = self.classify_project_file(file_path) {
+                // Skip if we already found a project in this directory
+                if projects.iter().any(|(path, _, _)| path == dir_path) {
+                    continue;
+                }
+                
+                // Parse the project
+                match self.parse_project_from_file(file_path, dir_path, project_type) {
+                    Ok((project_info, dependencies)) => {
+                        projects.push((dir_path.to_path_buf(), project_info, dependencies));
+                    }
+                    Err(e) => {
+                        eprintln!("Warning: Failed to parse project at {}: {}", dir_path.display(), e);
+                    }
+                }
+            }
+        }
+        
+        // If no projects found, create a default one for the root
+        if projects.is_empty() {
+            let (project_info, dependencies) = self.parse_project(scan_path)?;
+            projects.push((scan_path.to_path_buf(), project_info, dependencies));
+        }
+        
+        Ok(projects)
+    }
+
+    /// Classify a file to determine if it's a project configuration file
+    fn classify_project_file(&self, file_path: &Path) -> Option<ProjectType> {
+        let file_name = file_path.file_name()?.to_str()?;
+        
+        match file_name {
+            "Cargo.toml" => Some(ProjectType::Cargo),
+            "pom.xml" => Some(ProjectType::Maven),
+            "build.gradle" | "build.gradle.kts" => Some(ProjectType::Gradle),
+            "go.mod" => Some(ProjectType::GoMod),
+            "package.json" => Some(ProjectType::NPM),
+            "requirements.txt" => Some(ProjectType::Requirements),
+            "Pipfile" => Some(ProjectType::Pipfile),
+            "Gemfile" => Some(ProjectType::Gemfile),
+            "composer.json" => Some(ProjectType::Composer),
+            "Makefile" | "makefile" => Some(ProjectType::Makefile),
+            "CMakeLists.txt" => Some(ProjectType::CMake),
+            "WORKSPACE" | "BUILD" | "BUILD.bazel" => Some(ProjectType::Bazel),
+            "BUCK" | ".buckconfig" => Some(ProjectType::Buck),
+            name if name.ends_with(".podspec") => Some(ProjectType::Podspec),
+            _ => None,
+        }
+    }
+
+    /// Parse a project from a specific file and directory
+    fn parse_project_from_file(&self, file_path: &Path, dir_path: &Path, project_type: ProjectType) -> Result<(ProjectInfo, Vec<ProjectDependency>)> {
+        match project_type {
+            ProjectType::Cargo => self.parse_cargo_project(file_path),
+            ProjectType::Maven => self.parse_maven_project(file_path),
+            ProjectType::Gradle => self.parse_gradle_project(file_path),
+            ProjectType::GoMod => self.parse_go_project(file_path),
+            ProjectType::NPM => self.parse_npm_project(file_path),
+            ProjectType::Requirements => self.parse_requirements_project(file_path, dir_path),
+            ProjectType::Pipfile => self.parse_pipfile_project(file_path),
+            ProjectType::Gemfile => self.parse_gemfile_project(file_path),
+            ProjectType::Composer => self.parse_composer_project(file_path),
+            ProjectType::Makefile => self.parse_makefile_project(file_path, dir_path),
+            ProjectType::CMake => self.parse_cmake_project(file_path, dir_path),
+            ProjectType::Podspec => self.parse_podspec_project(file_path),
+            ProjectType::Bazel => self.parse_bazel_project(file_path, dir_path),
+            ProjectType::Buck => self.parse_buck_project(file_path, dir_path),
+        }
+    }
+
     /// Detect project type by scanning for common configuration files
     fn detect_project_type(&self, scan_path: &Path) -> Option<(ProjectType, std::path::PathBuf)> {
         let candidates = vec![
 
@@ -27,6 +27,10 @@ struct Args {
     #[arg(long, action = ArgAction::SetTrue)]
     cbom: bool,
 
+    /// Generate MV-CBOMs recursively for all discovered projects
+    #[arg(long, action = ArgAction::SetTrue)]
+    cbom_recursive: bool,
+
     /// Number of threads
     #[arg(long, value_name = "N")]
     threads: Option<usize>,
@@ -201,31 +205,69 @@ fn main() -> Result<()> {
     }
 
     // Generate MV-CBOM if requested
-    if args.cbom {
+    if args.cbom || args.cbom_recursive {
         let cbom_generator = CbomGenerator::with_registry(reg.clone());
 
         // Use the first path as the scan root for CBOM generation
         let default_path = PathBuf::from(".");
         let scan_path = args.paths.first().unwrap_or(&default_path);
 
-        match cbom_generator.generate_cbom(scan_path, &findings) {
-            Ok(cbom) => {
-                let output_path = scan_path.join("mv-cbom.json");
-                match cbom_generator.write_cbom(&cbom, &output_path) {
-                    Ok(()) => {
-                        if !args.json {
-                            println!("MV-CBOM written to: {}", output_path.display());
-                            println!("Found {} cryptographic assets", cbom.crypto_assets.len());
-                            println!("Created {} dependency relationships", cbom.dependencies.len());
+        if args.cbom_recursive {
+            // Recursive CBOM generation for all discovered projects
+            match cbom_generator.generate_cboms_recursive(scan_path, &findings) {
+                Ok(cboms) => {
+                    match cbom_generator.write_cboms(&cboms) {
+                        Ok(written_files) => {
+                            if !args.json {
+                                println!("Generated {} MV-CBOMs for discovered projects:", cboms.len());
+                                let mut total_assets = 0;
+                                let mut total_dependencies = 0;
+                                
+                                for (i, (project_path, cbom)) in cboms.iter().enumerate() {
+                                    total_assets += cbom.crypto_assets.len();
+                                    total_dependencies += cbom.dependencies.len();
+                                    println!("  {}. {}: {} assets, {} dependencies", 
+                                            i + 1, 
+                                            project_path.display(),
+                                            cbom.crypto_assets.len(),
+                                            cbom.dependencies.len());
+                                }
+                                
+                                println!("Total: {} cryptographic assets, {} dependency relationships", 
+                                        total_assets, total_dependencies);
+                                println!("Files written: {}", written_files.len());
+                            }
+                        }
+                        Err(e) => {
+                            eprintln!("Failed to write MV-CBOMs: {}", e);
                         }
                     }
-                    Err(e) => {
-                        eprintln!("Failed to write MV-CBOM: {}", e);
-                    }
+                }
+                Err(e) => {
+                    eprintln!("Failed to generate recursive MV-CBOMs: {}", e);
                 }
             }
-            Err(e) => {
-                eprintln!("Failed to generate MV-CBOM: {}", e);
+        } else {
+            // Single CBOM generation
+            match cbom_generator.generate_cbom(scan_path, &findings) {
+                Ok(cbom) => {
+                    let output_path = scan_path.join("mv-cbom.json");
+                    match cbom_generator.write_cbom(&cbom, &output_path) {
+                        Ok(()) => {
+                            if !args.json {
+                                println!("MV-CBOM written to: {}", output_path.display());
+                                println!("Found {} cryptographic assets", cbom.crypto_assets.len());
+                                println!("Created {} dependency relationships", cbom.dependencies.len());
+                            }
+                        }
+                        Err(e) => {
+                            eprintln!("Failed to write MV-CBOM: {}", e);
+                        }
+                    }
+                }
+                Err(e) => {
+                    eprintln!("Failed to generate MV-CBOM: {}", e);
+                }
             }
         }
     }