
Commit e1e89bf

cursoragentscript3r
andcommitted
feat: Add PyCA cryptography algorithms and improve parameter extraction
Update patterns.toml to include PyCA cryptography algorithms. Enhance algorithm detector to extract parameters from the full file content. Update generated SBOMs with new algorithm details and UUIDs. Co-authored-by: script3r <[email protected]>
1 parent 5811261 commit e1e89bf


6 files changed

+158
-47
lines changed

6 files changed

+158
-47
lines changed

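--- a/crates/cbom-generator/src/algorithm_detector.rs
+++ b/crates/cbom-generator/src/algorithm_detector.rs
@@ -289,18 +289,33 @@ impl AlgorithmDetector {
 for symbol_match in symbol_pattern.find_iter(&content) {
 let symbol = symbol_match.as_str();
 
-// Extract parameters from the matched symbol
+// Extract parameters from the entire file content around this symbol
 let mut parameters = HashMap::new();
 for param_pattern in &algorithm.parameter_patterns {
-if let Some(captures) = param_pattern.pattern.captures(symbol) {
-if let Some(value_match) = captures.get(1) {
-let value_str = value_match.as_str();
-let value = if let Ok(num) = value_str.parse::<u64>() {
-json!(num)
-} else {
-json!(value_str)
-};
-parameters.insert(param_pattern.name.clone(), value);
+// Try to extract from the full content first, then fall back to symbol
+let sources = vec![&content, symbol];
+let mut found_param = false;
+
+for source in sources {
+if let Some(captures) = param_pattern.pattern.captures(source) {
+if let Some(value_match) = captures.get(1) {
+let value_str = value_match.as_str();
+let value = if let Ok(num) = value_str.parse::<u64>() {
+json!(num)
+} else {
+json!(value_str)
+};
+parameters.insert(param_pattern.name.clone(), value);
+found_param = true;
+break;
+}
+}
+}
+
+// Use default value if pattern doesn't match anywhere
+if !found_param {
+if let Some(default) = &param_pattern.default_value {
+parameters.insert(param_pattern.name.clone(), default.clone());
 }
 }
 }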

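--- a/fixtures/java/bazel-tink/mv-cbom.json
+++ b/fixtures/java/bazel-tink/mv-cbom.json
@@ -1,14 +1,14 @@
 {
 "bomFormat": "MV-CBOM",
 "specVersion": "1.0",
-"serialNumber": "urn:uuid:dfcd8f33-3068-4900-8210-d7ea8c349995",
+"serialNumber": "urn:uuid:cf126f93-df7e-4c26-9709-fbb7fc47eb89",
 "version": 1,
 "metadata": {
 "component": {
 "name": "bazel-tink",
 "path": "/workspace/fixtures/java/bazel-tink"
 },
-"timestamp": "2025-09-15T19:35:58.376107929Z",
+"timestamp": "2025-09-15T19:42:59.046882117Z",
 "tools": [
 {
 "name": "cipherscope",
@@ -19,16 +19,19 @@
 },
 "cryptoAssets": [
 {
-"bom-ref": "594bdb85-d643-4853-97ec-ed34072bfece",
+"bom-ref": "55aa79a1-c3e2-4a8c-9191-4d6cf7021cf1",
 "assetType": "algorithm",
 "name": "RSA",
 "assetProperties": {
 "primitive": "signature",
+"parameterSet": {
+"keySize": 2048
+},
 "nistQuantumSecurityLevel": 0
 }
 },
 {
-"bom-ref": "63a3582f-ed07-4144-bb89-3841b1fa40f3",
+"bom-ref": "1725feeb-2b2f-4db3-bdd6-32479824870f",
 "assetType": "algorithm",
 "name": "AES-GCM",
 "assetProperties": {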

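--- a/fixtures/python/cryptography-mixed/mv-cbom.json
+++ b/fixtures/python/cryptography-mixed/mv-cbom.json
@@ -1,14 +1,14 @@
 {
 "bomFormat": "MV-CBOM",
 "specVersion": "1.0",
-"serialNumber": "urn:uuid:6167fb18-dc69-4037-bfae-872abfc2daab",
+"serialNumber": "urn:uuid:4459de8d-acfe-47ba-8f99-977fd8daa779",
 "version": 1,
 "metadata": {
 "component": {
 "name": "cryptography-mixed",
 "path": "/workspace/fixtures/python/cryptography-mixed"
 },
-"timestamp": "2025-09-15T19:35:58.558580875Z",
+"timestamp": "2025-09-15T19:42:26.815527466Z",
 "tools": [
 {
 "name": "cipherscope",
@@ -19,20 +19,44 @@
 },
 "cryptoAssets": [
 {
-"bom-ref": "f62ac744-0e69-470b-a45b-4f4de7910bab",
+"bom-ref": "e8686445-7241-4b24-9eb0-980b9df6112f",
+"assetType": "algorithm",
+"name": "SHA-256",
+"assetProperties": {
+"primitive": "hash",
+"nistQuantumSecurityLevel": 3
+}
+},
+{
+"bom-ref": "f3501a5c-9bd7-42f4-9dc5-68ff81ab2419",
+"assetType": "algorithm",
+"name": "Fernet",
+"assetProperties": {
+"primitive": "aead",
+"parameterSet": {
+"algorithm": "AES-128-CBC + HMAC-SHA256"
+},
+"nistQuantumSecurityLevel": 3
+}
+},
+{
+"bom-ref": "f31ea302-e352-4710-8aea-c1f96476b59a",
 "assetType": "algorithm",
 "name": "RSA",
 "assetProperties": {
 "primitive": "signature",
+"parameterSet": {
+"keySize": 2048
+},
 "nistQuantumSecurityLevel": 0
 }
 }
 ],
 "dependencies": [
 {
-"ref": "269f8562-6a62-44ac-ba2d-bb1e6d22e536",
+"ref": "92ae53a8-9e99-40e6-8907-7ac816f6a1a9",
 "dependsOn": [
-"f62ac744-0e69-470b-a45b-4f4de7910bab"
+"f31ea302-e352-4710-8aea-c1f96476b59a"
 ],
 "dependencyType": "implements"
 }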

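--- a/fixtures/rust/mixed-crypto/mv-cbom.json
+++ b/fixtures/rust/mixed-crypto/mv-cbom.json
@@ -1,15 +1,15 @@
 {
 "bomFormat": "MV-CBOM",
 "specVersion": "1.0",
-"serialNumber": "urn:uuid:d36d4624-0f58-4695-859b-52778a62690b",
+"serialNumber": "urn:uuid:2a5aa7ad-48bb-4cbb-834b-9afb59dee5e6",
 "version": 1,
 "metadata": {
 "component": {
 "name": "mixed-crypto-fixture",
 "version": "0.2.0",
 "path": "/workspace/fixtures/rust/mixed-crypto"
 },
-"timestamp": "2025-09-15T19:35:58.326449197Z",
+"timestamp": "2025-09-15T19:42:26.843143869Z",
 "tools": [
 {
 "name": "cipherscope",
@@ -20,16 +20,19 @@
 },
 "cryptoAssets": [
 {
-"bom-ref": "ae994634-ef0b-422b-96be-9a862a0860b1",
+"bom-ref": "94b32726-6329-414c-930b-3d65c393457a",
 "assetType": "algorithm",
-"name": "SHA-512",
+"name": "RSA",
 "assetProperties": {
-"primitive": "hash",
-"nistQuantumSecurityLevel": 3
+"primitive": "signature",
+"parameterSet": {
+"keySize": 2048
+},
+"nistQuantumSecurityLevel": 0
 }
 },
 {
-"bom-ref": "f3652c7c-a5ae-40b1-a563-88301f4c086e",
+"bom-ref": "e8839408-d218-4983-9526-229b25b51247",
 "assetType": "algorithm",
 "name": "Ed25519",
 "assetProperties": {
@@ -38,47 +41,56 @@
 }
 },
 {
-"bom-ref": "9ccd65fa-9919-46cd-8294-dac9710ffd14",
+"bom-ref": "d3e33114-914d-4d72-b425-a9d063dd2cbd",
 "assetType": "algorithm",
-"name": "AES-GCM",
+"name": "SHA-256",
 "assetProperties": {
-"primitive": "aead",
+"primitive": "hash",
+"parameterSet": {
+"outputSize": 256
+},
 "nistQuantumSecurityLevel": 3
 }
 },
 {
-"bom-ref": "006c6146-8a2e-40c5-9c80-7537d7b7199b",
+"bom-ref": "7c7f3536-e939-413d-ac1c-fd0e07ec4352",
 "assetType": "algorithm",
-"name": "RSA",
+"name": "SHA-512",
 "assetProperties": {
-"primitive": "signature",
-"nistQuantumSecurityLevel": 0
+"primitive": "hash",
+"parameterSet": {
+"outputSize": 256
+},
+"nistQuantumSecurityLevel": 3
 }
 },
 {
-"bom-ref": "52342b3c-ebc2-4388-b9f2-60ba2084f166",
+"bom-ref": "177d321f-b235-4009-885a-90064c9d838e",
 "assetType": "algorithm",
-"name": "SHA-256",
+"name": "AES-GCM",
 "assetProperties": {
-"primitive": "hash",
+"primitive": "aead",
+"parameterSet": {
+"keySize": 256
+},
 "nistQuantumSecurityLevel": 3
 }
 }
 ],
 "dependencies": [
 {
-"ref": "8560725c-7fec-472c-98c6-3d7dbe182d5b",
+"ref": "25bfd99b-6804-40a0-a5e0-a444b0da7da2",
 "dependsOn": [
-"52342b3c-ebc2-4388-b9f2-60ba2084f166",
-"f3652c7c-a5ae-40b1-a563-88301f4c086e"
+"d3e33114-914d-4d72-b425-a9d063dd2cbd",
+"e8839408-d218-4983-9526-229b25b51247"
 ],
 "dependencyType": "uses"
 },
 {
-"ref": "8560725c-7fec-472c-98c6-3d7dbe182d5b",
+"ref": "25bfd99b-6804-40a0-a5e0-a444b0da7da2",
 "dependsOn": [
-"006c6146-8a2e-40c5-9c80-7537d7b7199b",
-"ae994634-ef0b-422b-96be-9a862a0860b1"
+"94b32726-6329-414c-930b-3d65c393457a",
+"7c7f3536-e939-413d-ac1c-fd0e07ec4352"
 ],
 "dependencyType": "implements"
 }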

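--- a/fixtures/rust/rsa-vulnerable/mv-cbom.json
+++ b/fixtures/rust/rsa-vulnerable/mv-cbom.json
@@ -1,15 +1,15 @@
 {
 "bomFormat": "MV-CBOM",
 "specVersion": "1.0",
-"serialNumber": "urn:uuid:828a4340-3438-4dc4-ba64-ddb9adac0d41",
+"serialNumber": "urn:uuid:46bc555a-82c7-41b8-849f-14d057d77edd",
 "version": 1,
 "metadata": {
 "component": {
 "name": "test-rsa-uses",
 "version": "0.1.0",
 "path": "/workspace/fixtures/rust/rsa-vulnerable"
 },
-"timestamp": "2025-09-15T19:35:58.351463651Z",
+"timestamp": "2025-09-15T19:42:44.990667207Z",
 "tools": [
 {
 "name": "cipherscope",
@@ -20,20 +20,23 @@
 },
 "cryptoAssets": [
 {
-"bom-ref": "763a7f3b-5162-4a8c-bc4e-f38797d8e900",
+"bom-ref": "47c154cc-3b7f-431d-96d9-3fd214558978",
 "assetType": "algorithm",
 "name": "RSA",
 "assetProperties": {
 "primitive": "signature",
+"parameterSet": {
+"keySize": 2048
+},
 "nistQuantumSecurityLevel": 0
 }
 }
 ],
 "dependencies": [
 {
-"ref": "f7c5bfd7-4d2c-43c3-a1c7-d90810de9829",
+"ref": "f1eb97dc-1961-4c69-9544-2b3ea6fd30f0",
 "dependsOn": [
-"763a7f3b-5162-4a8c-bc4e-f38797d8e900"
+"47c154cc-3b7f-431d-96d9-3fd214558978"
 ],
 "dependencyType": "implements"
 }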

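--- a/patterns.toml
+++ b/patterns.toml
@@ -575,6 +575,60 @@ apis = [
 "\\.sign\\(",
 ]
 
+# Algorithm definitions for PyCA cryptography
+[[library.algorithms]]
+name = "RSA"
+primitive = "signature"
+nistQuantumSecurityLevel = 0
+symbol_patterns = [
+"\\brsa\\.generate_private_key",
+"\\bRSA",
+]
+[[library.algorithms.parameter_patterns]]
+name = "keySize"
+pattern = "key_size\\s*=\\s*(\\d+)"
+default_value = 2048
+
+[[library.algorithms]]
+name = "Fernet"
+primitive = "aead"
+nistQuantumSecurityLevel = 3
+symbol_patterns = [
+"\\bFernet\\(",
+"\\bfernet",
+]
+[[library.algorithms.parameter_patterns]]
+name = "algorithm"
+pattern = ".*"
+default_value = "AES-128-CBC + HMAC-SHA256"
+
+[[library.algorithms]]
+name = "SHA-256"
+primitive = "hash"
+nistQuantumSecurityLevel = 3
+symbol_patterns = [
+"\\bhashes\\.SHA256\\(",
+"\\bSHA256",
+]
+
+[[library.algorithms]]
+name = "AES-GCM"
+primitive = "aead"
+nistQuantumSecurityLevel = 3
+symbol_patterns = [
+"\\bAESGCM\\(",
+"\\bAES.*GCM",
+]
+
+[[library.algorithms]]
+name = "PBKDF2"
+primitive = "kdf"
+nistQuantumSecurityLevel = 3
+symbol_patterns = [
+"\\bPBKDF2HMAC\\(",
+"\\bpbkdf2",
+]
+
 [[library]]
 name = "PyCryptodome"
 languages = ["Python"]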
