The Problem
Organizations preparing for the PQC transition need to start building their cryptographic inventories. One of the main components of a cryptographic inventory should be a list of CBOMs (Cryptographic Bills of Materials). Tools such as the CBOMkit tool suite (part of the Post-Quantum Cryptography Alliance tooling group) provide the means to generate, store and visualize CBOMs. However, cryptographic algorithms can be hiding anywhere in the dependency tree, and tools like the CBOMkit tool suite will not uncover these on their own. Therefore we made a prototype of a CBOMkit pipeline, which runs in Azure and invokes tools from the CBOMkit tool suite in such a way that it looks through the dependencies too, and thus creates a more comprehensive list of CBOMs for a project.
Tools Used
Firstly, we will explain the capabilities of the tools from the CBOMkit tool suite that the pipeline uses, and then we will cover the pipeline's operation step by step. Among other tools, CBOMkit contains the sonar-cryptography plugin (a plugin for the SonarQube server), which detects cryptographic assets and produces CBOM objects. The sonar-cryptography plugin detects only cryptographic assets that are invoked directly from the source code of the scanned application. However, as stated before, cryptography can be hiding anywhere in the dependency tree, which is what the pipeline tries to address. CBOMkit also contains the CBOM Viewer, which clones GitHub repositories, invokes the sonar-cryptography plugin, stores the resulting CBOM in a database and shows the CBOM in a GUI for viewing analysis results. The CBOMkit pipeline uses its ability to scan GitHub repositories from a provided repository link.
How It Works
Figure 1 describes the overall architecture of the pipeline. In the next paragraphs we will dive into the specific steps that the pipeline performs and explain them in more detail.

Figure 1: Pipeline Steps
In the beginning, the pipeline builds the project so that it can be digested by SonarQube – this step is a necessary precondition for SonarQube analysis. Then it sends the built project for analysis to a SonarQube instance which has the sonar-cryptography plugin enabled. The pipeline then receives the resulting CBOM as a JSON file. It is important that a JSON file is received and that the cryptographic findings are not only listed as detected vulnerabilities in SonarQube, since the pipeline stores and retrieves the JSON file later.
After the pipeline receives the CBOM file, it stores it in the CBOMkit database, where people working on the scanned project can view the CBOM and see whether the algorithms pass compliance checks against predefined policies.
Afterwards, the pipeline generates an SBOM (Software Bill of Materials) to enumerate the project's dependencies. The pipeline parses this list and retrieves the PURLs (Package URLs) of the dependencies so that it can get their respective CBOMs in the next step.
Having a list of PURLs, the pipeline checks with CBOMkit whether CBOM entries for the parsed PURLs already exist in the database – if they do, they can be assigned to the project whose code was scanned in the beginning. This check determines whether the last step of the pipeline is needed, as we don't want to scan the same dependency for CBOMs again if it was already scanned and its CBOM is in the database.
In the last step, if the CBOM for a certain PURL doesn't exist in the database, the pipeline sends the PURL to CBOMkit, which invokes the sonar-cryptography plugin to generate a CBOM for it. This CBOM of the dependency can then be assigned to the project which was scanned in the beginning.
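The dependency-handling steps described above (SBOM to PURLs, lookup against stored CBOMs, scanning only what is missing, attaching dependency findings to the parent project) as an added Python example. This is not CBOMkit's own code: the SBOM and CBOM fragments are constructed CycloneDX-shaped samples, the "database" is an in-memory dict standing in for the CBOMkit store, and `fake_scan` stands in for sending a PURL to CBOMkit.

```python
import json
from typing import Callable

# Constructed CycloneDX-style SBOM fragment; not output from a real project build.
SBOM_JSON = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"type": "library", "name": "bcprov-jdk18on",
     "purl": "pkg:maven/org.bouncycastle/bcprov-jdk18on@1.78"},
    {"type": "library", "name": "commons-io",
     "purl": "pkg:maven/commons-io/commons-io@2.16.1"},
    {"type": "library", "name": "no-purl-lib"},  # no PURL: cannot be looked up or scanned
]})

# Constructed stand-in for the CBOMkit database: PURL -> CBOM components already stored.
CBOM_DB = {"pkg:maven/org.bouncycastle/bcprov-jdk18on@1.78": [
    {"type": "cryptographic-asset", "name": "AES",
     "cryptoProperties": {"assetType": "algorithm"}},
]}

def purls_from_sbom(sbom_json: str) -> list[str]:
    """Parse the SBOM and collect dependency PURLs (deduplicated, order kept)."""
    purls: list[str] = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if purl and purl not in purls:
            purls.append(purl)
    return purls

def split_known_unknown(purls: list[str], db: dict) -> tuple[dict, list[str]]:
    """PURLs with a stored CBOM are reused; the rest still need a sonar-cryptography scan."""
    known = {p: db[p] for p in purls if p in db}
    unknown = [p for p in purls if p not in db]
    return known, unknown

def fake_scan(purl: str) -> list:
    """Stand-in for sending a PURL to CBOMkit; here it reports no cryptographic assets."""
    return []

def build_project_cbom(project_components: list, sbom_json: str, db: dict,
                       scan: Callable[[str], list] = fake_scan) -> dict:
    """Attach each dependency's CBOM to the parent project, scanning only what is missing."""
    known, unknown = split_known_unknown(purls_from_sbom(sbom_json), db)
    for purl in unknown:
        db[purl] = scan(purl)  # store the result so a later run skips this dependency
        known[purl] = db[purl]
    merged = list(project_components)
    for purl, comps in known.items():
        merged.extend({**comp, "foundIn": purl} for comp in comps)
    return {"bomFormat": "CycloneDX", "components": merged}
```

A second run against the same store finds no unknown PURLs, which is exactly the "don't rescan" check the pipeline performs before its last step.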
Try It
In this way, the pipeline iterates over all the dependencies of a project that are open source and packaged in such a way that SonarQube can scan them. This creates a more comprehensive list of used cryptographic algorithms than merely scanning the parent project itself. If you would like to set up the pipeline in your environment, you can find it on the CBOMkit GitHub and generate a CBOM list for your project and its dependencies.
Contributed By:
Katarina Amrichova, Siemens Healthineers
Katarina is a cybersecurity researcher at Siemens Healthineers who enjoys reverse engineering and cryptographic topics. She is part of the Technical Steering Committee for the CBOMkit project.