Refactor: Add comprehensive fixtures and improve README

Co-authored-by: script3r <[email protected]>

Author: cursoragent

README.md

@@ -182,17 +182,24 @@ Each detector implements the `Detector` trait and can be extended independently.
 The MV-CBOM generation is implemented in the `cbom-generator` crate with modular components:
 
 - **cbom-generator**: Main CBOM generation and JSON serialization
-- **certificate-parser**: X.509 certificate parsing and signature algorithm extraction
-- **algorithm-detector**: Deep static analysis for algorithm parameter extraction
+- **certificate-parser**: X.509 certificate parsing and signature algorithm extraction  
+- **algorithm-detector**: **Pattern-driven** algorithm detection using `patterns.toml` definitions
 - **dependency-analyzer**: Intelligent "uses" vs "implements" relationship detection
-- **cargo-parser**: Rust project metadata and dependency analysis
+- **project-parser**: Multi-language project metadata and dependency analysis (Cargo, Maven, go.mod, requirements.txt, Makefile, Bazel, BUCK, etc.)
+
+**Key Innovation: Pattern-Driven Algorithm Detection**
+- Algorithm definitions moved from hardcoded Rust to configurable `patterns.toml`
+- Each library can define supported algorithms with NIST security levels
+- Parameter extraction patterns (key sizes, curves) defined declaratively
+- Extensible: new algorithms added by editing patterns, not code
 
 The MV-CBOM pipeline:
-1. **Static Analysis**: Scanner finds cryptographic usage patterns
-2. **Algorithm Detection**: Extracts specific algorithms and parameters from findings
+1. **Static Analysis**: Scanner finds cryptographic usage patterns using `patterns.toml`
+2. **Algorithm Detection**: **Pattern-driven** extraction of algorithms and parameters
 3. **Certificate Parsing**: Discovers and analyzes X.509 certificates in the project
-4. **Dependency Analysis**: Correlates Cargo.toml dependencies with actual code usage
-5. **CBOM Generation**: Produces standards-compliant JSON with NIST security levels
+4. **Project Analysis**: Multi-language dependency parsing (Cargo, Maven, go.mod, Makefile, Bazel, BUCK, etc.)
+5. **Dependency Analysis**: Correlates project dependencies with actual code usage
+6. **CBOM Generation**: Produces standards-compliant JSON with NIST security levels
 
 ### Tests & Benchmarks
 
@@ -202,20 +209,53 @@ Run unit tests and integration tests (fixtures):
 cargo test
 ```
 
-#### MV-CBOM Test Cases
+#### Comprehensive Fixtures for MV-CBOM Testing
+
+The `fixtures/` directory contains rich, realistic examples for testing MV-CBOM generation across multiple languages and build systems:
+
+**Rust Fixtures:**
+- **`rust/rsa-vulnerable`**: RSA 2048-bit usage (PQC vulnerable, "uses" relationship)
+- **`rust/aes-gcm-safe`**: Quantum-safe algorithms (AES-256-GCM, ChaCha20Poly1305, SHA-3, BLAKE3)
+- **`rust/implements-vs-uses`**: SHA2 "uses" vs P256 "implements" distinction
+- **`rust/mixed-crypto`**: Complex multi-algorithm project (RSA, AES, SHA2, Ed25519, Ring)
+
+**Java Fixtures:**
+- **`java/maven-bouncycastle`**: Maven project with BouncyCastle RSA/ECDSA
+- **`java/bazel-tink`**: Bazel project with Google Tink and BouncyCastle
+- **`java/jca-standard`**: Standard JCA/JCE without external dependencies
 
-The `test-cases/` directory contains comprehensive test scenarios for MV-CBOM validation:
+**C/C++ Fixtures:**
+- **`c/openssl-mixed`**: OpenSSL + libsodium with RSA, ChaCha20Poly1305, AES
+- **`c/libsodium-modern`**: Modern libsodium with quantum-safe and vulnerable algorithms
+- **`c/makefile-crypto`**: Basic OpenSSL usage with Makefile dependency detection
+- **`cpp/botan-modern`**: Botan library with RSA, AES-GCM, SHA-3, BLAKE2b
+- **`cpp/cryptopp-legacy`**: Crypto++ library with RSA, AES-GCM, SHA-256/512
 
-- **test-case-1-rsa-uses**: RSA 2048-bit usage (PQC vulnerable, "uses" relationship)
-- **test-case-2-implements-vs-uses**: SHA2 "uses" vs P256 "implements" distinction
-- **test-case-3-certificate**: X.509 certificate parsing with signature algorithm detection
-- **test-case-4-pqc-safe**: Quantum-safe algorithms (AES-256, ChaCha20Poly1305, SHA-3, BLAKE3)
+**Go Fixtures:**
+- **`go/stdlib-crypto`**: Standard library crypto (RSA, ECDSA, AES-GCM, SHA-256/512)
+- **`go/x-crypto-extended`**: Extended crypto with golang.org/x/crypto dependencies
 
-Run tests:
+**Python Fixtures:**
+- **`python/cryptography-mixed`**: PyCA Cryptography with RSA, AES, PBKDF2
+- **`python/pycryptodome-legacy`**: PyCryptodome with RSA signatures and AES
+- **`python/requirements-basic`**: Basic requirements.txt with Fernet and hashing
+
+**Certificate Fixtures:**
+- **`certificates/x509-rsa-ecdsa`**: X.509 certificates with RSA and ECDSA signatures
+
+Run fixture tests:
 ```bash
-cd test-cases/test-case-1-rsa-uses
-../../target/release/cipherscope . --cbom --patterns ../../patterns.toml
-cat mv-cbom.json | jq '.cryptoAssets[] | select(.assetProperties.nistQuantumSecurityLevel == 0)'
+# Test RSA vulnerability detection
+./target/release/cipherscope fixtures/rust/rsa-vulnerable --cbom
+cat fixtures/rust/rsa-vulnerable/mv-cbom.json | jq '.cryptoAssets[] | select(.assetProperties.nistQuantumSecurityLevel == 0)'
+
+# Test multi-language support
+./target/release/cipherscope fixtures/java/maven-bouncycastle --cbom
+./target/release/cipherscope fixtures/go/stdlib-crypto --cbom
+./target/release/cipherscope fixtures/python/cryptography-mixed --cbom
+
+# Test certificate parsing
+./target/release/cipherscope fixtures/certificates/x509-rsa-ecdsa --cbom
 ```
 
 Benchmark scan throughput on test fixtures:

fixtures/c/libsodium-modern/Makefile

@@ -0,0 +1,15 @@
+CC=gcc
+CFLAGS=-Wall -Wextra -std=c99
+LIBS=-lsodium
+TARGET=sodium_test
+SOURCES=main.c
+
+all: $(TARGET)
+
+$(TARGET): $(SOURCES)
+	$(CC) $(CFLAGS) -o $(TARGET) $(SOURCES) $(LIBS)
+
+clean:
+	rm -f $(TARGET)
+
+.PHONY: all clean

fixtures/c/libsodium-modern/main.c

@@ -0,0 +1,71 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <sodium.h>
+
+int main() {
+    if (sodium_init() < 0) {
+        fprintf(stderr, "Failed to initialize libsodium\n");
+        return 1;
+    }
+    
+    printf("libsodium initialized successfully\n");
+    
+    // ChaCha20Poly1305 AEAD encryption
+    unsigned char key[crypto_aead_chacha20poly1305_ietf_KEYBYTES];
+    unsigned char nonce[crypto_aead_chacha20poly1305_ietf_NPUBBYTES];
+    unsigned char ciphertext[1000];
+    unsigned long long ciphertext_len;
+    
+    crypto_aead_chacha20poly1305_ietf_keygen(key);
+    randombytes_buf(nonce, sizeof nonce);
+    
+    const char *message = "Hello, libsodium World!";
+    
+    crypto_aead_chacha20poly1305_ietf_encrypt(ciphertext, &ciphertext_len,
+                                              (const unsigned char*)message, strlen(message),
+                                              NULL, 0,
+                                              NULL, nonce, key);
+    
+    printf("✓ ChaCha20Poly1305 encryption successful\n");
+    
+    // Ed25519 digital signatures
+    unsigned char pk[crypto_sign_ed25519_PUBLICKEYBYTES];
+    unsigned char sk[crypto_sign_ed25519_SECRETKEYBYTES];
+    unsigned char signature[crypto_sign_ed25519_BYTES];
+    unsigned long long signature_len;
+    
+    crypto_sign_ed25519_keypair(pk, sk);
+    crypto_sign_ed25519_detached(signature, &signature_len,
+                                 (const unsigned char*)message, strlen(message), sk);
+    
+    printf("✓ Ed25519 digital signature created\n");
+    
+    // Generic hash (BLAKE2b)
+    unsigned char hash[crypto_generichash_BYTES];
+    crypto_generichash(hash, sizeof hash,
+                       (const unsigned char*)message, strlen(message),
+                       NULL, 0);
+    
+    printf("✓ BLAKE2b hash computed\n");
+    
+    // X25519 key exchange
+    unsigned char alice_pk[crypto_scalarmult_curve25519_BYTES];
+    unsigned char alice_sk[crypto_scalarmult_curve25519_SCALARBYTES];
+    unsigned char bob_pk[crypto_scalarmult_curve25519_BYTES];
+    unsigned char bob_sk[crypto_scalarmult_curve25519_SCALARBYTES];
+    unsigned char shared_secret[crypto_scalarmult_curve25519_BYTES];
+    
+    crypto_scalarmult_curve25519_base(alice_pk, alice_sk);
+    crypto_scalarmult_curve25519_base(bob_pk, bob_sk);
+    crypto_scalarmult_curve25519(shared_secret, alice_sk, bob_pk);
+    
+    printf("✓ X25519 key exchange completed\n");
+    
+    printf("\nCryptographic algorithms tested:\n");
+    printf("- ChaCha20Poly1305 (Quantum-safe AEAD)\n");
+    printf("- Ed25519 (Quantum-vulnerable signatures)\n");
+    printf("- BLAKE2b (Quantum-safe hash)\n");
+    printf("- X25519 (Quantum-vulnerable key exchange)\n");
+    
+    return 0;
+}

fixtures/c/makefile-crypto/Makefile

@@ -0,0 +1,15 @@
+CC=gcc
+CFLAGS=-Wall -Wextra -std=c99
+LIBS=-lcrypto -lssl
+TARGET=basic_crypto
+SOURCES=main.c
+
+all: $(TARGET)
+
+$(TARGET): $(SOURCES)
+	$(CC) $(CFLAGS) -o $(TARGET) $(SOURCES) $(LIBS)
+
+clean:
+	rm -f $(TARGET)
+
+.PHONY: all clean

fixtures/c/makefile-crypto/main.c

@@ -0,0 +1,22 @@
+#include <stdio.h>
+#include <openssl/evp.h>
+#include <openssl/rsa.h>
+#include <openssl/aes.h>
+
+int main() {
+    // Basic OpenSSL usage
+    OpenSSL_add_all_algorithms();
+    
+    // RSA key generation
+    EVP_PKEY_CTX *rsa_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
+    EVP_PKEY_keygen_init(rsa_ctx);
+    EVP_PKEY_CTX_set_rsa_keygen_bits(rsa_ctx, 2048);
+    
+    printf("Basic crypto setup with OpenSSL\n");
+    printf("RSA 2048-bit key generation configured\n");
+    
+    EVP_PKEY_CTX_free(rsa_ctx);
+    EVP_cleanup();
+    
+    return 0;
+}

test-cases/test-case-c-openssl/Makefile fixtures/c/openssl-mixed/Makefiletest-cases/test-case-c-openssl/Makefile renamed to fixtures/c/openssl-mixed/Makefile

@@ -1,14 +1,14 @@
 {
   "bomFormat": "MV-CBOM",
   "specVersion": "1.0",
-  "serialNumber": "urn:uuid:61406d2a-33dd-4551-9bd8-b2e273503cad",
+  "serialNumber": "urn:uuid:f7699f6e-deb2-4df5-a35f-cdfc3e75fac2",
   "version": 1,
   "metadata": {
     "component": {
-      "name": "test-case-c-openssl",
-      "path": "/workspace/test-cases/test-case-c-openssl"
+      "name": "openssl-mixed",
+      "path": "/workspace/fixtures/c/openssl-mixed"
     },
-    "timestamp": "2025-09-15T17:31:16.152158659Z",
+    "timestamp": "2025-09-15T17:50:59.203450522Z",
     "tools": [
       {
         "name": "cipherscope",
@@ -19,7 +19,7 @@
   },
   "cryptoAssets": [
     {
-      "bom-ref": "afa4ad33-07f0-4eaf-b26e-c08f508f6ab3",
+      "bom-ref": "8ec4b990-c242-4dce-b287-f03f5ad7d944",
       "assetType": "algorithm",
       "name": "RSA",
       "assetProperties": {
@@ -28,7 +28,7 @@
       }
     },
     {
-      "bom-ref": "a6539be2-7d5b-4c82-9e7f-17da0b8cb16e",
+      "bom-ref": "b0eeb295-734e-4802-84a1-c10c77b8c84d",
       "assetType": "algorithm",
       "name": "ChaCha20Poly1305",
       "assetProperties": {
@@ -37,7 +37,7 @@
       }
     },
     {
-      "bom-ref": "cc5afa71-5e0b-4c42-ad22-30d3ff17cdcf",
+      "bom-ref": "618e2556-e493-4d3d-b7a3-e541ccaf533e",
       "assetType": "algorithm",
       "name": "ChaCha20Poly1305",
       "assetProperties": {
@@ -48,9 +48,9 @@
   ],
   "dependencies": [
     {
-      "ref": "5f4e1435-94ed-4e02-bf51-1f2a864ebdf4",
+      "ref": "7b79d53e-9174-40a2-ab0e-90ce576f0eea",
       "dependsOn": [
-        "afa4ad33-07f0-4eaf-b26e-c08f508f6ab3"
+        "8ec4b990-c242-4dce-b287-f03f5ad7d944"
       ],
       "dependencyType": "implements"
     }

test-cases/test-case-c-openssl/main.c fixtures/c/openssl-mixed/main.ctest-cases/test-case-c-openssl/main.c renamed to fixtures/c/openssl-mixed/main.c

@@ -0,0 +1,11 @@
+# Certificate Fixtures
+
+This directory contains X.509 certificates for testing CBOM certificate parsing:
+
+- `rsa-cert.pem`: RSA 2048-bit self-signed certificate (PQC vulnerable)
+- `ecdsa-cert.pem`: ECDSA P-256 self-signed certificate (PQC vulnerable)
+
+Expected CBOM output:
+- 2 certificate assets with subject/issuer/validity information
+- 2 algorithm assets for the signature algorithms (RSA, ECDSA)
+- Dependencies linking certificates to their signature algorithms