
feat: add supply chain quantum risk analysis #13

@leoneperdigao

Description

Extend the assessment engine to evaluate quantum risk across the supply chain, including third-party dependencies, vendor services, and data flows that traverse external systems. Supply chain quantum risk is critical because even a fully PQC-migrated system is vulnerable if its supply chain partners use quantum-vulnerable cryptography.

Tasks

  • Third-party dependency assessment:
    • Identify cryptographic libraries used by dependencies
    • Flag dependencies using quantum-vulnerable algorithms
    • Track PQC readiness of major libraries (OpenSSL, BoringSSL, liboqs, etc.)
  • Vendor PQC readiness evaluation:
    • Score vendor PQC migration status
    • Track vendor PQC roadmap commitments
    • Identify vendor lock-in risks for crypto migration
  • Supply chain data flow analysis:
    • Map data flows through third-party services
    • Identify HNDL (harvest now, decrypt later) exposure in supply chain
    • Assess data-in-transit protection for inter-organization flows
  • Supply chain quantum risk scoring:
    • Aggregate supply chain risk into component-level scores
    • Weight by data sensitivity and exposure surface
    • Identify weakest links in the supply chain
  • Vendor questionnaire generation:
    • Generate PQC readiness questionnaire for vendors
    • Track questionnaire responses and update scores
    • Export questionnaire results for procurement teams
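An illustrative scorer for the dependency-flagging, HNDL and risk-scoring tasks above, added here as an example and not code from the project's assessment engine: the algorithm sets, the 1..5 sensitivity and exposure scales, the 10-year HNDL horizon and the sample inventory are all assumptions.

```python
from dataclasses import dataclass

# Public-key primitives broken by Shor's algorithm vs. NIST PQC standards and a
# hybrid key exchange. Both sets are illustrative assumptions, not project tables.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA", "Ed25519", "X25519"}
PQC_READY = {"ML-KEM", "ML-DSA", "SLH-DSA", "X25519MLKEM768"}
HNDL_HORIZON_YEARS = 10  # assumed: data that must stay secret this long is HNDL-exposed


@dataclass(frozen=True)
class Link:
    """One supply-chain link: a dependency, vendor service, or external data flow."""
    name: str
    algorithms: frozenset     # cryptographic algorithms observed protecting this link
    sensitivity: int          # 1 (public) .. 5 (regulated or long-lived secrets)
    exposure: int             # 1 (internal only) .. 5 (traverses the public internet)
    retention_years: int = 0  # how long the data stays valuable to an adversary


def algorithm_risk(algorithms):
    """1.0 if any quantum-vulnerable primitive is used, 0.0 if only PQC/hybrid, 0.5 if unknown."""
    if algorithms & QUANTUM_VULNERABLE:
        return 1.0
    if algorithms & PQC_READY:
        return 0.0
    return 0.5  # no crypto inventory available: treat as a gap, not as safe


def score_link(link):
    """Weight algorithm risk by data sensitivity and exposure surface (0..25); flag HNDL exposure."""
    risk = algorithm_risk(link.algorithms)
    hndl = risk == 1.0 and link.retention_years >= HNDL_HORIZON_YEARS
    return {"name": link.name, "score": risk * link.sensitivity * link.exposure, "hndl_exposed": hndl}


def score_component(links):
    """Aggregate to a component-level score: the weakest link dominates, the mean shows breadth."""
    scored = [score_link(link) for link in links]
    weakest = max(scored, key=lambda s: s["score"])
    return {
        "component_score": weakest["score"],
        "mean_score": sum(s["score"] for s in scored) / len(scored),
        "weakest_link": weakest["name"],
        "hndl_exposed": sorted(s["name"] for s in scored if s["hndl_exposed"]),
    }


# Constructed sample inventory for one component (names and values are made up).
SAMPLE_LINKS = [
    Link("payments-vendor-api", frozenset({"ECDH", "ECDSA"}), sensitivity=5, exposure=5, retention_years=7),
    Link("hr-records-export", frozenset({"RSA"}), sensitivity=5, exposure=4, retention_years=30),
    Link("cdn-edge-tls", frozenset({"X25519MLKEM768", "ML-DSA"}), sensitivity=2, exposure=5, retention_years=1),
    Link("internal-metrics-lib", frozenset(), sensitivity=1, exposure=1),
]

if __name__ == "__main__":
    print(score_component(SAMPLE_LINKS))
```

The record with no inventory scores 0.5 rather than 0 so that an unassessed dependency never reads as PQC-ready in the aggregate.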

References

Metadata

Labels

engine: Assessment engine
enhancement: New feature or request
