Now CBOMs, Readme

Author: script3r

README.md

@@ -1,171 +1,62 @@
-## CipherScope
+# CipherScope
 
 <div align="center">
   <img src="cipherscope.png" alt="CipherScope Logo" width="350" height="350">
 </div>
 
-**Cryptographic Bill of Materials (MV-CBOM) Generator** for Post-Quantum Cryptography (PQC) readiness assessment. 
+Fast cryptographic inventory generator. Scans codebases to identify cryptographic algorithms and assess quantum resistance.
 
-Analyzes codebases across 11 programming languages (Go, Java, C, C++, Rust, Python, PHP, Swift, Objective-C, Kotlin, Erlang) and generates machine-readable JSON inventories of cryptographic assets with NIST quantum security levels.
-
-### Install & Run
+## Quick Start
 
 ```bash
 cargo build --release
-
-# Generate MV-CBOM for current directory
-./target/release/cipherscope .
-
-# Generate MV-CBOMs recursively for all discovered projects
-./target/release/cipherscope . --recursive
+./target/release/cipherscope /path/to/scan
 ```
 
-Key flags:
-- `--recursive`: generate MV-CBOMs recursively for all discovered projects
-- `--threads N`: set thread pool size  
-- `--max-file-size MB`: skip large files (default 2)
-- `--patterns PATH`: specify patterns file (default: `patterns.toml`)
-- `--progress`: show progress bar during scanning
-- `--print-config`: print loaded `patterns.toml`
-
-### Output
-
-**MV-CBOM JSON files** written to each project directory for comprehensive Post-Quantum Cryptography (PQC) readiness assessment.
-
-#### MV-CBOM (Minimal Viable Cryptographic Bill of Materials)
-
-CipherScope generates a comprehensive cryptographic inventory in JSON format that follows the MV-CBOM specification. This enables:
+## What It Does
 
-- **Post-Quantum Cryptography (PQC) Risk Assessment**: Identifies algorithms vulnerable to quantum attacks (NIST Quantum Security Level 0)
-- **Crypto-Agility Planning**: Provides detailed algorithm parameters and usage patterns
-- **Supply Chain Security**: Maps dependencies between components and cryptographic assets
+- **Detects** cryptographic usage across 11 languages
+- **Identifies** many cryptographic algorithms (AES, SHA, RSA, ECDSA, ChaCha20, etc.)
+- **Outputs** JSON inventory with NIST quantum security levels
+- **Runs fast** - GiB/s throughput with parallel scanning
 
-The MV-CBOM includes:
-- **Cryptographic Assets**: Algorithms, certificates, and related crypto material with NIST security levels
-- **Dependency Relationships**: Distinguishes between "uses" (actively called) vs "implements" (available but unused)
-- **Parameter Extraction**: Key sizes, curves, and other algorithm-specific parameters
-- **Recursive Project Discovery**: Automatically discovers and analyzes nested projects (BUCK, Bazel, Maven modules, etc.)
+## Example Output
 
-Example MV-CBOM snippet:
 ```json
 {
   "bomFormat": "MV-CBOM",
   "specVersion": "1.0",
-  "cryptoAssets": [
-    {
-      "bom-ref": "uuid-1234",
-      "assetType": "algorithm",
-      "name": "RSA",
-      "assetProperties": {
-        "primitive": "signature",
-        "parameterSet": {"keySize": 2048},
-        "nistQuantumSecurityLevel": 0
-      }
+  "cryptoAssets": [{
+    "name": "RSA",
+    "assetProperties": {
+      "primitive": "signature",
+      "parameterSet": {"keySize": 2048},
+      "nistQuantumSecurityLevel": 0
     }
-  ],
-  "dependencies": [
-    {
-      "ref": "main-component",
-      "dependsOn": ["uuid-1234"],
-      "dependencyType": "uses"
-    }
-  ]
+  }]
 }
 ```
 
-### Configuration
-
-Algorithm and library detection patterns are defined in `patterns.toml`. The schema supports:
-- **Library Detection**: `include`/`import`/`namespace`/`apis` patterns per language
-- **Algorithm Definitions**: Each library defines supported algorithms with NIST quantum security levels
-- **Parameter Extraction**: Patterns for extracting key sizes, curves, and algorithm parameters
-
-**Supported Languages**: C, C++, Java, Go, Rust, Python, PHP, Swift, Objective-C, Kotlin, Erlang
-
-#### High-Performance Architecture
-
-- **Parallel Processing**: Producer-consumer model with `rayon` thread pools
-- **Smart Filtering**: Respects `.gitignore`, early language detection, Aho-Corasick prefiltering  
-- **Scalable**: 4+ GiB/s throughput, linear scaling with CPU cores
-
-### Architecture
-
-**Modular MV-CBOM Generation Pipeline**:
-1. **Project Discovery**: Recursive scanning for project files (BUILD, pom.xml, Cargo.toml, etc.)
-2. **Static Analysis**: Pattern-driven cryptographic library detection
-3. **Algorithm Detection**: Extract algorithms and parameters using `patterns.toml` definitions  
-4. **Certificate Parsing**: X.509 certificate analysis with signature algorithms
-5. **Dependency Analysis**: "Uses" vs "implements" relationship detection
-6. **CBOM Generation**: Standards-compliant JSON with NIST quantum security levels
-
-**Key Innovation**: Algorithm detection moved from hardcoded Rust to configurable `patterns.toml` - new algorithms added by editing patterns, not code.
-
-### Tests & Benchmarks
-
-Run unit tests and integration tests (fixtures):
-
-```bash
-cargo test
-```
-
-#### Comprehensive Fixtures for MV-CBOM Testing
-
-The `fixtures/` directory contains rich, realistic examples for testing MV-CBOM generation across multiple languages and build systems:
+## Options
 
-**Rust Fixtures:**
-- **`rust/rsa-vulnerable`**: RSA 2048-bit usage (PQC vulnerable, "uses" relationship)
-- **`rust/aes-gcm-safe`**: Quantum-safe algorithms (AES-256-GCM, ChaCha20Poly1305, SHA-3, BLAKE3)
-- **`rust/implements-vs-uses`**: SHA2 "uses" vs P256 "implements" distinction
-- **`rust/mixed-crypto`**: Complex multi-algorithm project (RSA, AES, SHA2, Ed25519, Ring)
+- `--patterns PATH` - Custom patterns file (default: `patterns.toml`)
+- `--progress` - Show progress bar
+- `--deterministic` - Reproducible output for testing
 
-**Java Fixtures:**
-- **`java/maven-bouncycastle`**: Maven project with BouncyCastle RSA/ECDSA
-- **`java/bazel-tink`**: Bazel project with Google Tink and BouncyCastle
-- **`java/jca-standard`**: Standard JCA/JCE without external dependencies
+## Languages Supported
 
-**C/C++ Fixtures:**
-- **`c/openssl-mixed`**: OpenSSL + libsodium with RSA, ChaCha20Poly1305, AES
-- **`c/libsodium-modern`**: Modern libsodium with quantum-safe and vulnerable algorithms
-- **`c/makefile-crypto`**: Basic OpenSSL usage with Makefile dependency detection
-- **`cpp/botan-modern`**: Botan library with RSA, AES-GCM, SHA-3, BLAKE2b
-- **`cpp/cryptopp-legacy`**: Crypto++ library with RSA, AES-GCM, SHA-256/512
+C, C++, Go, Java, Kotlin, Python, Rust, Swift, Objective-C, PHP, Erlang
 
-**Go Fixtures:**
-- **`go/stdlib-crypto`**: Standard library crypto (RSA, ECDSA, AES-GCM, SHA-256/512)
-- **`go/x-crypto-extended`**: Extended crypto with golang.org/x/crypto dependencies
+## Configuration
 
-**Python Fixtures:**
-- **`python/cryptography-mixed`**: PyCA Cryptography with RSA, AES, PBKDF2
-- **`python/pycryptodome-legacy`**: PyCryptodome with RSA signatures and AES
-- **`python/requirements-basic`**: Basic requirements.txt with Fernet and hashing
+Edit `patterns.toml` to add new libraries or algorithms. No code changes needed.
 
-**Certificate Fixtures:**
-- **`certificates/x509-rsa-ecdsa`**: X.509 certificates with RSA and ECDSA signatures
-
-Run fixture tests:
-```bash
-# Test RSA vulnerability detection
-./target/release/cipherscope fixtures/rust/rsa-vulnerable
-jq '.cryptoAssets[] | select(.assetProperties.nistQuantumSecurityLevel == 0)' fixtures/rust/rsa-vulnerable/mv-cbom.json
-
-# Test multi-language support
-./target/release/cipherscope fixtures/java/maven-bouncycastle
-./target/release/cipherscope fixtures/go/stdlib-crypto
-./target/release/cipherscope fixtures/python/cryptography-mixed
-
-# Test recursive project discovery
-./target/release/cipherscope fixtures/buck-nested --recursive
-./target/release/cipherscope fixtures/bazel-nested --recursive
-```
-
-Benchmark performance:
+## Testing
 
 ```bash
 cargo test
-cargo bench
 ```
 
-### Contributing
-
-See `CONTRIBUTING.md` for guidelines on adding languages, libraries, and improving performance.
+## License
 
+MIT

crates/cbom-generator/src/algorithm_detector.rs

@@ -107,7 +107,7 @@ impl AlgorithmDetector {
                     .symbol_patterns
                     .iter()
                     .any(|pattern| pattern.is_match(&finding.snippet));
-                
+
                 if symbol_match || snippet_match {
                     // Extract parameters from the finding
                     let parameters = self.extract_parameters_from_finding(finding, algorithm)?;
@@ -368,10 +368,7 @@ impl AlgorithmDetector {
             AssetProperties::Algorithm(props) => {
                 // Deduplicate by algorithm name, primitive, and source library to avoid merging
                 // different libraries' detections of the same algorithm (e.g., OpenSSL vs CommonCrypto).
-                let library = asset
-                    .source_library
-                    .as_deref()
-                    .unwrap_or("unknown-library");
+                let library = asset.source_library.as_deref().unwrap_or("unknown-library");
                 format!(
                     "{}:{}:{}",
                     asset.name.as_deref().unwrap_or("unknown"),

crates/cbom-generator/src/lib.rs

@@ -19,7 +19,7 @@ pub mod certificate_parser;
 
 use algorithm_detector::AlgorithmDetector;
 use certificate_parser::CertificateParser;
- 
+
 /// The main MV-CBOM document structure
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct MvCbom {
@@ -38,9 +38,6 @@ pub struct MvCbom {
 
     #[serde(rename = "cryptoAssets")]
     pub crypto_assets: Vec<CryptoAsset>,
-
-    #[serde(skip_serializing_if = "Vec::is_empty", default)]
-    pub libraries: Vec<LibrarySummary>,
 }
 
 /// Metadata about the BOM's creation
@@ -149,12 +146,6 @@ pub struct AssetEvidence {
     pub column: usize,
 }
 
-#[derive(Debug, Clone, Serialize, Deserialize)]
-pub struct LibrarySummary {
-    pub name: String,
-    pub count: usize,
-}
-
 /// Classification of cryptographic primitives
 #[derive(Debug, Clone, Copy, Serialize, Deserialize)]
 #[serde(rename_all = "lowercase")]
@@ -228,18 +219,6 @@ impl CbomGenerator {
         crypto_assets.extend(algorithms);
         crypto_assets.extend(certificates);
 
-        let mut lib_counts: std::collections::BTreeMap<String, usize> =
-            std::collections::BTreeMap::new();
-        for asset in &crypto_assets {
-            if let Some(ref lib) = asset.source_library {
-                *lib_counts.entry(lib.clone()).or_insert(0) += 1;
-            }
-        }
-        let libraries: Vec<LibrarySummary> = lib_counts
-            .into_iter()
-            .map(|(name, count)| LibrarySummary { name, count })
-            .collect();
-
         let cbom = MvCbom {
             bom_format: "MV-CBOM".to_string(),
             spec_version: "1.0".to_string(),
@@ -265,7 +244,6 @@ impl CbomGenerator {
                 }],
             },
             crypto_assets: { crypto_assets },
-            libraries,
         };
 
         Ok(cbom)
@@ -282,8 +260,7 @@ impl CbomGenerator {
             .with_context(|| format!("Failed to canonicalize path: {}", scan_path.display()))?;
 
         // Project discovery removed; just generate one CBOM for the root
-        let mut cboms = Vec::new();
-        cboms.push((scan_path.clone(), self.generate_cbom(&scan_path, findings)?));
+        let cboms = vec![(scan_path.clone(), self.generate_cbom(&scan_path, findings)?)];
         Ok(cboms)
     }
 
@@ -338,7 +315,6 @@ mod tests {
                 }],
             },
             crypto_assets: vec![],
-            libraries: vec![],
         };
 
         let json = serde_json::to_string_pretty(&cbom).unwrap();

crates/cli/tests/ground_truth.rs

@@ -20,7 +20,7 @@ fn normalize(v: &mut Value) {
                 for a in assets.iter_mut() {
                     if let Some(obj) = a.as_object_mut() {
                         obj.remove("bom-ref");
-                        
+
                         // Normalize file paths in evidence to be relative
                         if let Some(Value::Object(evidence)) = obj.get_mut("evidence") {
                             if let Some(Value::String(file_path)) = evidence.get_mut("file") {
@@ -37,10 +37,16 @@ fn normalize(v: &mut Value) {
                 // Sort assets by name, sourceLibrary, then assetType for stable comparisons
                 assets.sort_by(|a, b| {
                     let an = a.get("name").and_then(|x| x.as_str()).unwrap_or("");
-                    let as_ = a.get("sourceLibrary").and_then(|x| x.as_str()).unwrap_or("");
+                    let as_ = a
+                        .get("sourceLibrary")
+                        .and_then(|x| x.as_str())
+                        .unwrap_or("");
                     let at = a.get("assetType").and_then(|x| x.as_str()).unwrap_or("");
                     let bn = b.get("name").and_then(|x| x.as_str()).unwrap_or("");
-                    let bs = b.get("sourceLibrary").and_then(|x| x.as_str()).unwrap_or("");
+                    let bs = b
+                        .get("sourceLibrary")
+                        .and_then(|x| x.as_str())
+                        .unwrap_or("");
                     let bt = b.get("assetType").and_then(|x| x.as_str()).unwrap_or("");
                     (an, as_, at).cmp(&(bn, bs, bt))
                 });

crates/scanner-core/src/lib.rs

@@ -468,8 +468,7 @@ fn derive_prefilter_substrings(p: &LibraryPatterns) -> Vec<String> {
     let mut push_tokens = |s: &str| {
         // Remove common regex anchors that pollute tokens
         let cleaned = s.replace("\\b", "");
-        for tok in cleaned
-            .split(|c: char| !c.is_alphanumeric() && c != '.' && c != '/' && c != '_')
+        for tok in cleaned.split(|c: char| !c.is_alphanumeric() && c != '.' && c != '/' && c != '_')
         {
             let t = tok.trim();
             if t.len() >= 4 {
@@ -1430,7 +1429,11 @@ impl PatternDetector {
             // Require anchor only if patterns define any; always require at least one API hit
             let has_anchor_patterns =
                 !lib.include.is_empty() || !lib.import.is_empty() || !lib.namespace.is_empty();
-            let anchor_satisfied = if has_anchor_patterns { matched_import } else { true };
+            let anchor_satisfied = if has_anchor_patterns {
+                matched_import
+            } else {
+                true
+            };
             let should_report = anchor_satisfied && api_hits > 0;
             if should_report {
                 let finding = Finding {

fixtures/c/libsodium/aes-gcm/mv-cbom.json

@@ -30,11 +30,5 @@
         "column": 23
       }
     }
-  ],
-  "libraries": [
-    {
-      "name": "libsodium",
-      "count": 1
-    }
   ]
 }

fixtures/c/libsodium/hmac-sha256/mv-cbom.json

@@ -30,11 +30,5 @@
         "column": 23
       }
     }
-  ],
-  "libraries": [
-    {
-      "name": "libsodium",
-      "count": 1
-    }
   ]
 }

fixtures/c/libsodium/rsa-sign/mv-cbom.json

@@ -30,11 +30,5 @@
         "column": 5
       }
     }
-  ],
-  "libraries": [
-    {
-      "name": "libsodium",
-      "count": 1
-    }
   ]
 }

fixtures/c/libsodium/sha256/mv-cbom.json

@@ -30,11 +30,5 @@
         "column": 24
       }
     }
-  ],
-  "libraries": [
-    {
-      "name": "libsodium",
-      "count": 1
-    }
   ]
 }