Refactor: Improve algorithm deduplication and add libsodium support

This commit refactors the algorithm deduplication logic to correctly merge algorithms with varying parameter specificity. It also introduces support for detecting algorithms from the libsodium library by adding new patterns to `patterns.toml` and creating a new fixture `libsodium-modern`. Additionally, several other fixtures have been updated with new UUIDs and timestamps to reflect the changes.

Co-authored-by: script3r <[email protected]>

Author: cursoragent

crates/cbom-generator/src/algorithm_detector.rs

@@ -44,11 +44,7 @@ impl AlgorithmDetector {
                     self.extract_algorithms_from_finding_with_registry(finding, registry)?
                 {
                     for asset in algorithm_assets {
-                        let key = format!(
-                            "{}:{}",
-                            asset.name.as_ref().unwrap_or(&"unknown".to_string()),
-                            asset.bom_ref
-                        );
+                        let key = self.create_deduplication_key(&asset);
                         if seen_algorithms.insert(key) {
                             algorithms.push(asset);
                         }
@@ -60,11 +56,7 @@ impl AlgorithmDetector {
             let additional_algorithms =
                 self.perform_deep_static_analysis_with_registry(scan_path, registry)?;
             for asset in additional_algorithms {
-                let key = format!(
-                    "{}:{}",
-                    asset.name.as_ref().unwrap_or(&"unknown".to_string()),
-                    asset.bom_ref
-                );
+                let key = self.create_deduplication_key(&asset);
                 if seen_algorithms.insert(key) {
                     algorithms.push(asset);
                 }
@@ -76,11 +68,7 @@ impl AlgorithmDetector {
                     self.extract_algorithms_from_finding_fallback(finding)?
                 {
                     for asset in algorithm_assets {
-                        let key = format!(
-                            "{}:{}",
-                            asset.name.as_ref().unwrap_or(&"unknown".to_string()),
-                            asset.bom_ref
-                        );
+                        let key = self.create_deduplication_key(&asset);
                         if seen_algorithms.insert(key) {
                             algorithms.push(asset);
                         }
@@ -89,7 +77,9 @@ impl AlgorithmDetector {
             }
         }
 
-        Ok(algorithms)
+        // Merge duplicate algorithms with different parameter specificity
+        let merged_algorithms = self.merge_algorithm_assets(algorithms);
+        Ok(merged_algorithms)
     }
 
     /// Extract algorithms from finding using pattern registry
@@ -326,6 +316,49 @@ impl AlgorithmDetector {
         Ok(algorithms)
     }
 
+    /// Create a proper deduplication key based on algorithm properties, not bom_ref
+    fn create_deduplication_key(&self, asset: &CryptoAsset) -> String {
+        match &asset.asset_properties {
+            AssetProperties::Algorithm(props) => {
+                // For deduplication, use algorithm name and primitive only
+                // This will merge different parameter variations of the same algorithm
+                format!("{}:{}", 
+                    asset.name.as_ref().unwrap_or(&"unknown".to_string()),
+                    props.primitive as u8
+                )
+            }
+            _ => format!("{}:{}", 
+                asset.name.as_ref().unwrap_or(&"unknown".to_string()),
+                asset.bom_ref
+            )
+        }
+    }
+
+    /// Merge algorithm assets with the same name/primitive but different parameters
+    fn merge_algorithm_assets(&self, assets: Vec<CryptoAsset>) -> Vec<CryptoAsset> {
+        let mut merged_map: HashMap<String, CryptoAsset> = HashMap::new();
+        
+        for asset in assets {
+            let key = self.create_deduplication_key(&asset);
+            
+            if let Some(existing) = merged_map.get_mut(&key) {
+                // Merge parameters if the new asset has more specific information
+                if let (AssetProperties::Algorithm(existing_props), AssetProperties::Algorithm(new_props)) = 
+                    (&mut existing.asset_properties, &asset.asset_properties) {
+                    
+                    // If existing has no parameters but new one does, use the new parameters
+                    if existing_props.parameter_set.is_none() && new_props.parameter_set.is_some() {
+                        existing_props.parameter_set = new_props.parameter_set.clone();
+                    }
+                }
+            } else {
+                merged_map.insert(key, asset);
+            }
+        }
+        
+        merged_map.into_values().collect()
+    }
+
     // Essential helper methods for fallback scenarios
 
     fn create_rsa_algorithm(&self, key_size: u32) -> CryptoAsset {

crates/cbom-generator/src/lib.rs

@@ -144,7 +144,7 @@ pub struct RelatedCryptoMaterialProperties {
 }
 
 /// Classification of cryptographic primitives
-#[derive(Debug, Clone, Serialize, Deserialize)]
+#[derive(Debug, Clone, Copy, Serialize, Deserialize)]
 #[serde(rename_all = "lowercase")]
 pub enum CryptographicPrimitive {
     #[serde(rename = "pke")]

fixtures/c/libsodium-modern/mv-cbom.json

@@ -0,0 +1,59 @@
+{
+  "bomFormat": "MV-CBOM",
+  "specVersion": "1.0",
+  "serialNumber": "urn:uuid:470fe928-c629-4bc7-963f-7a023373c518",
+  "version": 1,
+  "metadata": {
+    "component": {
+      "name": "libsodium-modern",
+      "path": "/workspace/fixtures/c/libsodium-modern"
+    },
+    "timestamp": "2025-09-15T19:35:58.450272085Z",
+    "tools": [
+      {
+        "name": "cipherscope",
+        "version": "0.1.0",
+        "vendor": "CipherScope Contributors"
+      }
+    ]
+  },
+  "cryptoAssets": [
+    {
+      "bom-ref": "16690765-56ee-4f2b-9e6e-fe748850c616",
+      "assetType": "algorithm",
+      "name": "X25519",
+      "assetProperties": {
+        "primitive": "kem",
+        "nistQuantumSecurityLevel": 0
+      }
+    },
+    {
+      "bom-ref": "623fb39a-2f53-441f-94ec-08e8b54ca424",
+      "assetType": "algorithm",
+      "name": "BLAKE2b",
+      "assetProperties": {
+        "primitive": "hash",
+        "nistQuantumSecurityLevel": 3
+      }
+    },
+    {
+      "bom-ref": "1e732469-0895-4854-93d1-fce78ae23345",
+      "assetType": "algorithm",
+      "name": "ChaCha20Poly1305",
+      "assetProperties": {
+        "primitive": "aead",
+        "nistQuantumSecurityLevel": 3
+      }
+    },
+    {
+      "bom-ref": "0dd2d57e-101a-44c0-87cb-9027a2b7ac56",
+      "assetType": "algorithm",
+      "name": "Ed25519",
+      "assetProperties": {
+        "primitive": "signature",
+        "nistQuantumSecurityLevel": 0
+      }
+    }
+  ],
+  "dependencies": []
+}

fixtures/c/makefile-crypto/mv-cbom.json

@@ -0,0 +1,40 @@
+{
+  "bomFormat": "MV-CBOM",
+  "specVersion": "1.0",
+  "serialNumber": "urn:uuid:9ae8429f-3631-4e2c-9a90-a0326818997d",
+  "version": 1,
+  "metadata": {
+    "component": {
+      "name": "makefile-crypto",
+      "path": "/workspace/fixtures/c/makefile-crypto"
+    },
+    "timestamp": "2025-09-15T19:35:58.472153385Z",
+    "tools": [
+      {
+        "name": "cipherscope",
+        "version": "0.1.0",
+        "vendor": "CipherScope Contributors"
+      }
+    ]
+  },
+  "cryptoAssets": [
+    {
+      "bom-ref": "62aaec88-6e0c-45a5-a415-b8cfa87bc35e",
+      "assetType": "algorithm",
+      "name": "RSA",
+      "assetProperties": {
+        "primitive": "signature",
+        "nistQuantumSecurityLevel": 0
+      }
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "8f754482-fc81-4702-b3b7-25e67376b287",
+      "dependsOn": [
+        "62aaec88-6e0c-45a5-a415-b8cfa87bc35e"
+      ],
+      "dependencyType": "implements"
+    }
+  ]
+}

fixtures/c/openssl-mixed/mv-cbom.json

@@ -1,14 +1,14 @@
 {
   "bomFormat": "MV-CBOM",
   "specVersion": "1.0",
-  "serialNumber": "urn:uuid:fc0dc0c3-dddc-4a08-9bb5-ec9e8c57513d",
+  "serialNumber": "urn:uuid:807b91e0-f7ed-4066-b79c-28514ac1adb2",
   "version": 1,
   "metadata": {
     "component": {
       "name": "openssl-mixed",
       "path": "/workspace/fixtures/c/openssl-mixed"
     },
-    "timestamp": "2025-09-15T19:16:12.263741214Z",
+    "timestamp": "2025-09-15T19:35:58.494965345Z",
     "tools": [
       {
         "name": "cipherscope",
@@ -19,34 +19,7 @@
   },
   "cryptoAssets": [
     {
-      "bom-ref": "5da73c7c-874f-4a4a-bdd5-b788a4fd9828",
-      "assetType": "algorithm",
-      "name": "RSA",
-      "assetProperties": {
-        "primitive": "signature",
-        "nistQuantumSecurityLevel": 0
-      }
-    },
-    {
-      "bom-ref": "949c682f-245a-48ac-929c-321883f113e5",
-      "assetType": "algorithm",
-      "name": "RSA",
-      "assetProperties": {
-        "primitive": "signature",
-        "nistQuantumSecurityLevel": 0
-      }
-    },
-    {
-      "bom-ref": "21e6b5c1-a73c-4f06-9e65-2abb21dc7b8a",
-      "assetType": "algorithm",
-      "name": "RSA",
-      "assetProperties": {
-        "primitive": "signature",
-        "nistQuantumSecurityLevel": 0
-      }
-    },
-    {
-      "bom-ref": "d9ad0e25-6a6a-4795-b6c6-6fe43df020d9",
+      "bom-ref": "c266f971-0159-4e9e-b87e-c96ab6a04852",
       "assetType": "algorithm",
       "name": "ChaCha20Poly1305",
       "assetProperties": {
@@ -55,20 +28,20 @@
       }
     },
     {
-      "bom-ref": "d17963d8-afc3-4d9d-9639-40207e59cba2",
+      "bom-ref": "74d1ed1a-7841-4ccf-99e7-ae80f96df729",
       "assetType": "algorithm",
-      "name": "ChaCha20Poly1305",
+      "name": "RSA",
       "assetProperties": {
-        "primitive": "aead",
-        "nistQuantumSecurityLevel": 3
+        "primitive": "signature",
+        "nistQuantumSecurityLevel": 0
       }
     }
   ],
   "dependencies": [
     {
-      "ref": "9913e268-477a-44bd-b83c-e4507a13a864",
+      "ref": "f2ce9aef-23b3-4df1-8030-4c8d0fc04054",
       "dependsOn": [
-        "5da73c7c-874f-4a4a-bdd5-b788a4fd9828"
+        "74d1ed1a-7841-4ccf-99e7-ae80f96df729"
       ],
       "dependencyType": "implements"
     }

fixtures/certificates/x509-rsa-ecdsa/mv-cbom.json

@@ -1,14 +1,14 @@
 {
   "bomFormat": "MV-CBOM",
   "specVersion": "1.0",
-  "serialNumber": "urn:uuid:7eba9f44-8183-4dce-b2bd-6f6fad1fd26a",
+  "serialNumber": "urn:uuid:ffb30bcc-15d8-4f2f-828d-5e7f09480a96",
   "version": 1,
   "metadata": {
     "component": {
       "name": "x509-rsa-ecdsa",
       "path": "/workspace/fixtures/certificates/x509-rsa-ecdsa"
     },
-    "timestamp": "2025-09-15T17:49:58.531299222Z",
+    "timestamp": "2025-09-15T19:35:58.623962548Z",
     "tools": [
       {
         "name": "cipherscope",
@@ -19,34 +19,34 @@
   },
   "cryptoAssets": [
     {
-      "bom-ref": "7a29490d-27fa-4d82-aa39-27ab91a0a9bc",
+      "bom-ref": "18cec8f3-46fd-4392-88e1-b182a89e2348",
       "assetType": "certificate",
       "name": "ecdsa-example.com",
       "assetProperties": {
         "subjectName": "C=US, ST=CA, L=San Francisco, O=Test Corp, CN=ecdsa-example.com",
         "issuerName": "C=US, ST=CA, L=San Francisco, O=Test Corp, CN=ecdsa-example.com",
         "notValidAfter": "2026-09-15T17:49:42Z",
-        "signatureAlgorithmRef": "903241ad-6fae-46f8-b395-fe93bd6f52c6"
+        "signatureAlgorithmRef": "d6fd640e-eda2-4c32-98c3-79da61856e87"
       }
     },
     {
-      "bom-ref": "1a7972ac-3422-4be1-a8d4-3fe8e41da29e",
+      "bom-ref": "284ea65f-e698-4a74-9912-ce2bb6ba0c4d",
       "assetType": "certificate",
       "name": "rsa-example.com",
       "assetProperties": {
         "subjectName": "C=US, ST=CA, L=San Francisco, O=Test Corp, CN=rsa-example.com",
         "issuerName": "C=US, ST=CA, L=San Francisco, O=Test Corp, CN=rsa-example.com",
         "notValidAfter": "2026-09-15T17:49:26Z",
-        "signatureAlgorithmRef": "a234cafc-99bb-4966-9f60-c38eca7bde88"
+        "signatureAlgorithmRef": "f8473c88-dd07-4a2b-867d-52a0896747a5"
       }
     }
   ],
   "dependencies": [
     {
-      "ref": "279603a2-45e4-4c9a-870d-4d03165ebb97",
+      "ref": "3ab8a56c-fef7-46af-b957-1e48116db024",
       "dependsOn": [
-        "7a29490d-27fa-4d82-aa39-27ab91a0a9bc",
-        "1a7972ac-3422-4be1-a8d4-3fe8e41da29e"
+        "284ea65f-e698-4a74-9912-ce2bb6ba0c4d",
+        "18cec8f3-46fd-4392-88e1-b182a89e2348"
       ],
       "dependencyType": "uses"
     }

fixtures/go/stdlib-crypto/mv-cbom.json

@@ -0,0 +1,33 @@
+{
+  "bomFormat": "MV-CBOM",
+  "specVersion": "1.0",
+  "serialNumber": "urn:uuid:c1deb27e-4d9b-4ad1-8b73-7fa82adfbdfd",
+  "version": 1,
+  "metadata": {
+    "component": {
+      "name": "stdlib-crypto-fixture",
+      "version": "1.19",
+      "path": "/workspace/fixtures/go/stdlib-crypto"
+    },
+    "timestamp": "2025-09-15T19:35:58.516104704Z",
+    "tools": [
+      {
+        "name": "cipherscope",
+        "version": "0.1.0",
+        "vendor": "CipherScope Contributors"
+      }
+    ]
+  },
+  "cryptoAssets": [
+    {
+      "bom-ref": "28113262-9793-4a1a-8f06-4c2d655e6319",
+      "assetType": "algorithm",
+      "name": "RSA",
+      "assetProperties": {
+        "primitive": "signature",
+        "nistQuantumSecurityLevel": 0
+      }
+    }
+  ],
+  "dependencies": []
+}