Documentation
Overview ¶
Package converter transforms crypto-finder interim format to CycloneDX CBOM format.
Index ¶
Constants ¶
// Asset type constants matching the CycloneDX 1.6 cryptoProperties.assetType enum.
//
// The string values are presumably written verbatim into the CBOM as the
// component's asset type (see AggregatedAsset.AssetType), so their spelling
// must stay byte-for-byte aligned with the CycloneDX schema.
const (
	// AssetTypeAlgorithm represents cryptographic algorithms (AES, RSA, SHA-256, etc.).
	AssetTypeAlgorithm = "algorithm"
	// AssetTypeProtocol represents cryptographic protocols (TLS, SSH, IPsec, etc.).
	AssetTypeProtocol = "protocol"
	// AssetTypeCertificate represents X.509 certificates and TLS certificates.
	AssetTypeCertificate = "certificate"
	// AssetTypeRelatedCryptoMaterial represents keys, tokens, secrets, passwords, digests, IVs.
	// Findings of this type may carry literal secret material in their matched
	// snippet; see AssetIdentity.Match / AssetOccurrence.Match.
	AssetTypeRelatedCryptoMaterial = "related-crypto-material"
)
// NIST CSOR Algorithm Base OIDs.
//
// Every NIST arc in this file hangs off the CSOR nistAlgorithm registry; the
// kems(4) arc is declared separately as OIDKEMs.
const (
	// OIDNISTAlgorithm is the base OID for NIST cryptographic algorithms.
	// {joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithm(4)}.
	OIDNISTAlgorithm = "2.16.840.1.101.3.4"
	// OIDAES is the parent OID for Advanced Encryption Standard algorithms.
	// {nistAlgorithm(4) aes(1)}.
	OIDAES = OIDNISTAlgorithm + ".1"
	// OIDHashAlgs is the parent OID for Secure Hash Algorithms.
	// {nistAlgorithm(4) hashAlgs(2)}.
	OIDHashAlgs = OIDNISTAlgorithm + ".2"
	// OIDSigAlgs is the parent OID for Signature Algorithms.
	// {nistAlgorithm(4) sigAlgs(3)}.
	OIDSigAlgs = OIDNISTAlgorithm + ".3"
)
// NIST CSOR AES Algorithm OIDs (2.16.840.1.101.3.4.1.*). AES-128 variants.
//
// Security note: only GCM and CCM are authenticated-encryption modes. ECB leaks
// plaintext structure and should be reported as a weakness wherever it is
// matched; CBC, OFB and CFB give confidentiality only and need a separate MAC.
// The wrap/wrap-pad OIDs are the RFC 3394/RFC 5649 key-wrap modes. These OIDs
// exist so findings can be labelled, not as an endorsement of the mode.
const (
	OIDAES128ECB     = OIDAES + ".1" // aes128-ECB
	OIDAES128CBC     = OIDAES + ".2" // aes128-CBC
	OIDAES128OFB     = OIDAES + ".3" // aes128-OFB
	OIDAES128CFB     = OIDAES + ".4" // aes128-CFB
	OIDAES128WRAP    = OIDAES + ".5" // id-aes128-wrap
	OIDAES128GCM     = OIDAES + ".6" // aes128-GCM
	OIDAES128CCM     = OIDAES + ".7" // aes128-CCM
	OIDAES128WRAPPAD = OIDAES + ".8" // aes128-wrap-pad
)
// NIST CSOR AES-192 variants (2.16.840.1.101.3.4.1.2x).
//
// Same arc layout as the AES-128 block, offset by 20. The same mode caveats
// apply: only GCM and CCM are authenticated modes; ECB should be flagged.
const (
	OIDAES192ECB     = OIDAES + ".21" // aes192-ECB
	OIDAES192CBC     = OIDAES + ".22" // aes192-CBC
	OIDAES192OFB     = OIDAES + ".23" // aes192-OFB
	OIDAES192CFB     = OIDAES + ".24" // aes192-CFB
	OIDAES192WRAP    = OIDAES + ".25" // id-aes192-wrap
	OIDAES192GCM     = OIDAES + ".26" // aes192-GCM
	OIDAES192CCM     = OIDAES + ".27" // aes192-CCM
	OIDAES192WRAPPAD = OIDAES + ".28" // aes192-wrap-pad
)
// NIST CSOR AES-256 variants (2.16.840.1.101.3.4.1.4x).
//
// Same arc layout as the AES-128 block, offset by 40. The same mode caveats
// apply: only GCM and CCM are authenticated modes; ECB should be flagged.
const (
	OIDAES256ECB     = OIDAES + ".41" // aes256-ECB
	OIDAES256CBC     = OIDAES + ".42" // aes256-CBC
	OIDAES256OFB     = OIDAES + ".43" // aes256-OFB
	OIDAES256CFB     = OIDAES + ".44" // aes256-CFB
	OIDAES256WRAP    = OIDAES + ".45" // id-aes256-wrap
	OIDAES256GCM     = OIDAES + ".46" // aes256-GCM
	OIDAES256CCM     = OIDAES + ".47" // aes256-CCM
	OIDAES256WRAPPAD = OIDAES + ".48" // aes256-wrap-pad
)
// NIST CSOR SHA-2 Algorithm OIDs (2.16.840.1.101.3.4.2.1-6).
//
// Note the registry order: SHA-224 was assigned after SHA-512, so the arc is
// not in digest-length order. SHA-512/224 and SHA-512/256 are the truncated
// SHA-512 variants of FIPS 180-4 and are distinct from SHA-224/SHA-256.
const (
	OIDSHA256    = OIDHashAlgs + ".1" // SHA-256
	OIDSHA384    = OIDHashAlgs + ".2" // SHA-384
	OIDSHA512    = OIDHashAlgs + ".3" // SHA-512
	OIDSHA224    = OIDHashAlgs + ".4" // SHA-224
	OIDSHA512224 = OIDHashAlgs + ".5" // SHA-512/224
	OIDSHA512256 = OIDHashAlgs + ".6" // SHA-512/256
)
// NIST CSOR SHA-3 Algorithm OIDs (2.16.840.1.101.3.4.2.7-10).
//
// Fixed-length Keccak digests (FIPS 202); the extendable-output variants are in
// the SHAKE block that follows.
const (
	OIDSHA3224 = OIDHashAlgs + ".7"  // SHA3-224
	OIDSHA3256 = OIDHashAlgs + ".8"  // SHA3-256
	OIDSHA3384 = OIDHashAlgs + ".9"  // SHA3-384
	OIDSHA3512 = OIDHashAlgs + ".10" // SHA3-512
)
// NIST CSOR SHAKE Algorithm OIDs (2.16.840.1.101.3.4.2.11-12).
//
// SHAKE128/256 are extendable-output functions: the output length is chosen by
// the caller and is not implied by the OID, so a match does not by itself fix
// the security strength of the derived value.
const (
	OIDSHAKE128 = OIDHashAlgs + ".11" // SHAKE128 extendable-output function
	OIDSHAKE256 = OIDHashAlgs + ".12" // SHAKE256 extendable-output function
)
// NIST CSOR DSA Signature Algorithm OIDs (2.16.840.1.101.3.4.3.*).
//
// Security note: FIPS 186-5 (2023) no longer approves DSA for generating new
// signatures (verifying existing ones is still permitted), so a match on either
// OID is worth flagging for migration. dsa-with-sha1 lives in the OIW arc
// (OIDDSAWithSHA1), not here.
const (
	OIDDSASHA224 = OIDSigAlgs + ".1" // dsa-with-sha224
	OIDDSASHA256 = OIDSigAlgs + ".2" // dsa-with-sha256
)
// PKCS #1 RSA Algorithm OIDs (1.2.840.113549.1.1.*). Source: RFC 8017.
//
// Security note: md5WithRSAEncryption and sha1WithRSAEncryption are legacy —
// MD5 has practical collision attacks and SHA-1 signature generation is
// disallowed by NIST SP 800-131A; a match should be reported as a weakness.
// rsaEncryption identifies the RSA key type in SubjectPublicKeyInfo and says
// nothing about key size or padding scheme.
//
// NOTE(review): id-RSASSA-PSS (1.2.840.113549.1.1.10) and id-mgf1 (.8) have no
// constant here; confirm how the OID mapper labels PSS signatures.
const (
	OIDPKCS1     = "1.2.840.113549.1.1"
	OIDRSA       = OIDPKCS1 + ".1"  // rsaEncryption
	OIDRSAMD5    = OIDPKCS1 + ".4"  // md5WithRSAEncryption (legacy, broken digest)
	OIDRSASHA1   = OIDPKCS1 + ".5"  // sha1WithRSAEncryption (legacy)
	OIDRSASHA256 = OIDPKCS1 + ".11" // sha256WithRSAEncryption
	OIDRSASHA384 = OIDPKCS1 + ".12" // sha384WithRSAEncryption
	OIDRSASHA512 = OIDPKCS1 + ".13" // sha512WithRSAEncryption
	OIDRSASHA224 = OIDPKCS1 + ".14" // sha224WithRSAEncryption
)
// ANSI X9.62 ECDSA Algorithm OIDs (1.2.840.10045.*). Source: ANSI X9.62-2005.
//
// ecPublicKey identifies the key type only; the curve is carried as a
// namedCurve parameter (e.g. 1.2.840.10045.3.1.7 for P-256) and is not part of
// this OID, so curve strength cannot be inferred from it alone.
// ecdsa-with-SHA1 is legacy (SHA-1 signature generation is disallowed by
// NIST SP 800-131A).
const (
	OIDANSIX962    = "1.2.840.10045"
	OIDECPublicKey = OIDANSIX962 + ".2.1"   // ecPublicKey
	OIDECDSASHA1   = OIDANSIX962 + ".4.1"   // ecdsa-with-SHA1 (legacy)
	OIDECDSASHA224 = OIDANSIX962 + ".4.3.1" // ecdsa-with-SHA224
	OIDECDSASHA256 = OIDANSIX962 + ".4.3.2" // ecdsa-with-SHA256
	OIDECDSASHA384 = OIDANSIX962 + ".4.3.3" // ecdsa-with-SHA384
	OIDECDSASHA512 = OIDANSIX962 + ".4.3.4" // ecdsa-with-SHA512
)
// HMAC Algorithm OIDs (1.2.840.113549.2.*). Source: RFC 8018.
//
// The arc is the PKCS digestAlgorithm arc, which this file also exposes as
// OIDRSADigestAlgorithm (same value as OIDHMACBase). hmacWithMD5 is legacy;
// HMAC-SHA1 is not broken as a MAC but is excluded from most current profiles.
const (
	OIDHMACBase   = "1.2.840.113549.2"
	OIDHMACMD5    = OIDHMACBase + ".6"  // hmacWithMD5 (legacy)
	OIDHMACSHA1   = OIDHMACBase + ".7"  // hmacWithSHA1
	OIDHMACSHA224 = OIDHMACBase + ".8"  // hmacWithSHA224
	OIDHMACSHA256 = OIDHMACBase + ".9"  // hmacWithSHA256
	OIDHMACSHA384 = OIDHMACBase + ".10" // hmacWithSHA384
	OIDHMACSHA512 = OIDHMACBase + ".11" // hmacWithSHA512
)
// NIST CSOR ML-DSA (Module-Lattice Digital Signature Algorithm) OIDs (2.16.840.1.101.3.4.3.17-19). Source: RFC 9881, FIPS 204.
//
// The parameter-set suffix encodes the NIST security category: 44 → category 2,
// 65 → category 3, 87 → category 5.
const (
	OIDMLDSA44 = OIDSigAlgs + ".17" // ML-DSA-44
	OIDMLDSA65 = OIDSigAlgs + ".18" // ML-DSA-65
	OIDMLDSA87 = OIDSigAlgs + ".19" // ML-DSA-87
)
// NIST CSOR ML-KEM (Module-Lattice Key Encapsulation Mechanism) OIDs (2.16.840.1.101.3.4.4.1-3). Source: NIST CSOR, FIPS 203.
//
// Builds on OIDKEMs, which is declared further down in this file. The
// parameter-set suffix encodes the NIST security category: 512 → category 1,
// 768 → category 3, 1024 → category 5.
const (
	OIDMLKEM512  = OIDKEMs + ".1" // ML-KEM-512
	OIDMLKEM768  = OIDKEMs + ".2" // ML-KEM-768
	OIDMLKEM1024 = OIDKEMs + ".3" // ML-KEM-1024
)
// NIST CSOR SLH-DSA (Stateless Hash-Based Digital Signature Algorithm) OIDs (2.16.840.1.101.3.4.3.20-31). Source: RFC 9814/9909, FIPS 205.
//
// Naming: SHA2/SHAKE is the underlying hash family, 128/192/256 the security
// level (NIST categories 1/3/5), and the s/f suffix selects the small-signature
// ("s", slower signing) or fast-signing ("f", larger signature) trade-off.
const (
	OIDSLHDSASHA2128s  = OIDSigAlgs + ".20" // SLH-DSA-SHA2-128s
	OIDSLHDSASHA2128f  = OIDSigAlgs + ".21" // SLH-DSA-SHA2-128f
	OIDSLHDSASHA2192s  = OIDSigAlgs + ".22" // SLH-DSA-SHA2-192s
	OIDSLHDSASHA2192f  = OIDSigAlgs + ".23" // SLH-DSA-SHA2-192f
	OIDSLHDSASHA2256s  = OIDSigAlgs + ".24" // SLH-DSA-SHA2-256s
	OIDSLHDSASHA2256f  = OIDSigAlgs + ".25" // SLH-DSA-SHA2-256f
	OIDSLHDSASHAKE128s = OIDSigAlgs + ".26" // SLH-DSA-SHAKE-128s
	OIDSLHDSASHAKE128f = OIDSigAlgs + ".27" // SLH-DSA-SHAKE-128f
	OIDSLHDSASHAKE192s = OIDSigAlgs + ".28" // SLH-DSA-SHAKE-192s
	OIDSLHDSASHAKE192f = OIDSigAlgs + ".29" // SLH-DSA-SHAKE-192f
	OIDSLHDSASHAKE256s = OIDSigAlgs + ".30" // SLH-DSA-SHAKE-256s
	OIDSLHDSASHAKE256f = OIDSigAlgs + ".31" // SLH-DSA-SHAKE-256f
)
// PKCS #5 Key Derivation OIDs (1.2.840.113549.1.5.*).
// Source: RFC 8018 (PKCS #5 v2.1), which obsoletes RFC 2898 (PKCS #5 v2.0).
//
// The OID identifies PBKDF2 only; the salt, iteration count and PRF live in the
// AlgorithmIdentifier parameters, so the OID alone says nothing about how
// expensive (i.e. how brute-force resistant) a given derivation is.
const (
	OIDPKCS5  = "1.2.840.113549.1.5"
	OIDPBKDF2 = OIDPKCS5 + ".12" // PBKDF2
)
// RSA Digest Algorithm OIDs (1.2.840.113549.2.*). Source: RFC 1321 (MD5), RFC 1320 (MD4).
//
// Security note: both digests have practical collision attacks and must not be
// used for signatures, certificates or integrity checks; a match is a finding.
// The base arc is the PKCS digestAlgorithm arc and has the same value as
// OIDHMACBase in this file.
const (
	OIDRSADigestAlgorithm = "1.2.840.113549.2"
	OIDMD4                = OIDRSADigestAlgorithm + ".4" // MD4 (broken)
	OIDMD5                = OIDRSADigestAlgorithm + ".5" // MD5 (broken)
)
// Curve25519/Curve448 Algorithm OIDs (1.3.101.*). Source: RFC 8410.
//
// X25519/X448 are key-agreement (ECDH) keys; Ed25519/Ed448 are EdDSA signature
// keys. RFC 8410 uses one OID for both the SubjectPublicKeyInfo algorithm and
// the signature algorithm, with parameters absent.
const (
	OIDCurves25519448 = "1.3.101"
	OIDX25519         = OIDCurves25519448 + ".110" // X25519 (ECDH)
	OIDX448           = OIDCurves25519448 + ".111" // X448 (ECDH)
	OIDEd25519        = OIDCurves25519448 + ".112" // Ed25519 (EdDSA)
	OIDEd448          = OIDCurves25519448 + ".113" // Ed448 (EdDSA)
)
// ANSI X9.42 Diffie-Hellman OIDs (1.2.840.10046.2.1). Source: RFC 2631.
//
// The group (p, g, q) travels in the AlgorithmIdentifier parameters, not in the
// OID; a finite-field DH match should be cross-checked for group size, since
// sub-2048-bit moduli are considered weak.
const (
	OIDANSIX942 = "1.2.840.10046"
	OIDDH       = OIDANSIX942 + ".2.1" // dhPublicNumber (FFDH)
)
// SM2/SM3 Chinese National Standard Algorithm OIDs. Source: GB/T 32918 (SM2), GB/T 32905 (SM3).
//
// OIDSM2 is the SM2-with-SM3 signature scheme OID; the SM2 key/curve itself is
// registered separately at 1.2.156.10197.1.301 and is not defined here.
const (
	OIDSM2 = "1.2.156.10197.1.501" // SM2 with SM3 (signature scheme)
	OIDSM3 = "1.2.156.10197.1.401" // SM3 hash
)
// RC4 Algorithm OID (1.2.840.113549.3.4). Source: RSA PKCS (deprecated cipher).
//
// Security note: RC4 has exploitable keystream biases and is prohibited in TLS
// by RFC 7465; any match should be reported as a weakness, not just inventoried.
const (
	OIDRSAEncryptionAlgorithm = "1.2.840.113549.3"
	OIDRC4                    = OIDRSAEncryptionAlgorithm + ".4" // RC4 (arcfour)
)
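// OIW SECSIG Legacy Algorithm OIDs (1.3.14.3.2.*). Source: OIW Security Special Interest Group (deprecated algorithms).
//
// Everything in this arc predates the PKCS/NIST registries and is legacy:
// single DES, MD4/MD5 signatures and SHA-0 are broken, and SHA-1 signature
// generation is disallowed by NIST SP 800-131A. Any match should be surfaced as
// a finding, not merely catalogued.
//
// Registry note: 1.3.14.3.2.2 is md4WithRSA and .3 is md5WithRSA; the earlier
// comment on .2 labelled it md5WithRSA, contradicting its own constant name.
//
// OIDDESCDC is a misspelling of the CBC constant. It is kept so existing callers
// keep compiling; new code should use OIDDESCBC.
const (
	OIDOIWSECSIG = "1.3.14.3.2"

	OIDMD4WithRSA = OIDOIWSECSIG + ".2" // md4WithRSA (md5WithRSA is .3)
	OIDMD5WithRSA = OIDOIWSECSIG + ".3" // md5WithRSA

	OIDDESECB = OIDOIWSECSIG + ".6" // desECB
	OIDDESCBC = OIDOIWSECSIG + ".7" // desCBC
	// OIDDESCDC is the historical misspelling of OIDDESCBC; same value.
	//
	// Deprecated: use OIDDESCBC.
	OIDDESCDC = OIDDESCBC
	OIDDESOFB = OIDOIWSECSIG + ".8"  // desOFB
	OIDDESCFB = OIDOIWSECSIG + ".9"  // desCFB
	OIDDESEDE = OIDOIWSECSIG + ".17" // desEDE (Triple DES)

	OIDSHA         = OIDOIWSECSIG + ".18" // sha (original SHA, now SHA-0)
	OIDSHA1        = OIDOIWSECSIG + ".26" // sha-1 (hashAlgorithmIdentifier)
	OIDSHA1WithRSA = OIDOIWSECSIG + ".29" // sha-1WithRSAEncryption

	OIDDSA         = OIDOIWSECSIG + ".12" // dsa
	OIDDSAWithSHA  = OIDOIWSECSIG + ".13" // dsaWithSHA
	OIDDSAWithSHA1 = OIDOIWSECSIG + ".27" // dsaWithSHA1
)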
// NIST CSOR KEM Algorithm Base OID (2.16.840.1.101.3.4.4).
//
// Declared apart from the other NIST base arcs (OIDAES, OIDHashAlgs,
// OIDSigAlgs); the ML-KEM OIDs build on it.
const (
	// OIDKEMs is the parent OID for Key Encapsulation Mechanisms.
	// {nistAlgorithm(4) kems(4)}.
	OIDKEMs = OIDNISTAlgorithm + ".4"
)
// RSA additional algorithm OIDs (PKCS#1).
//
// RSAES-OAEP (RFC 8017 §7.1) is the recommended RSA encryption scheme. Note
// that the generic rsaEncryption OID (OIDRSA) identifies only the key type and
// does not say whether PKCS#1 v1.5 or OAEP padding is used for encryption.
const (
	OIDRSAOAEP = OIDPKCS1 + ".7" // rsaes-oaep (RSAES-OAEP)
)
// scrypt OID (1.3.6.1.4.1.11591.4.11). Source: RFC 7914.
//
// As with PBKDF2, the cost parameters (N, r, p) and salt are carried in the
// AlgorithmIdentifier parameters, not in the OID.
const (
	OIDScrypt = "1.3.6.1.4.1.11591.4.11"
)
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AggregatedAsset ¶
// AggregatedAsset represents a cryptographic asset with all its occurrences and
// detection methods — i.e. one CycloneDX component plus the evidence behind it.
type AggregatedAsset struct {
	// Name is the CycloneDX component name (e.g., "CSPRNG", "SHA-256", "AES-256-GCM").
	// It is also the grouping key used by Aggregator.AggregateAssets.
	Name string
	// AssetType is the type of cryptographic asset ("algorithm", "related-crypto-material", etc.),
	// one of the AssetType* constants.
	AssetType string
	// Occurrences tracks all locations where this asset was detected.
	Occurrences []AssetOccurrence
	// Identities tracks all unique detection methods (rules) that found this asset.
	Identities []AssetIdentity
	// ReferenceAsset holds one representative asset for extracting common metadata.
	// NOTE(review): which occurrence is chosen as representative is not visible
	// here; if occurrences disagree (e.g. different key sizes) the CBOM will
	// reflect only this one — confirm in AggregateAssets.
	ReferenceAsset *entities.CryptographicAsset
	// ReferenceFinding holds one representative finding for context.
	ReferenceFinding *entities.Finding
}
type Aggregator ¶
// Aggregator groups cryptographic assets by their identity.
//
// See AggregateAssets for the grouping rule and SortAssets for the
// deterministic ordering applied before output.
type Aggregator struct {
	// contains filtered or unexported fields
}
func (*Aggregator) AggregateAssets ¶
func (a *Aggregator) AggregateAssets(report *entities.InterimReport) ([]AggregatedAsset, error)
AggregateAssets groups cryptographic assets by their identity (CDX component name). Assets are grouped such that multiple occurrences of the same crypto asset (e.g., SHA-256 used in multiple files) are combined into a single aggregated entry.
func (*Aggregator) SortAssets ¶ added in v0.2.1
func (a *Aggregator) SortAssets(assets []AggregatedAsset)
SortAssets sorts aggregated assets alphabetically by Name for deterministic output.
type AlgorithmMapper ¶
// AlgorithmMapper converts cryptographic algorithm assets to CycloneDX components.
//
// Construct it with NewAlgorithmMapper. The mapper fills the component itself;
// properties and evidence are attached by the Converter (see
// MapToComponentWithEvidence).
type AlgorithmMapper struct {
	// contains filtered or unexported fields
}
func NewAlgorithmMapper ¶
func NewAlgorithmMapper() *AlgorithmMapper
NewAlgorithmMapper creates a new algorithm mapper.
func (*AlgorithmMapper) MapToComponentWithEvidence ¶
func (m *AlgorithmMapper) MapToComponentWithEvidence(asset *entities.CryptographicAsset) (*cdx.Component, error)
MapToComponentWithEvidence converts a cryptographic asset to a CycloneDX component, including the CycloneDX 1.6 algorithm-properties fields executionEnvironment and implementationPlatform. This method does NOT build properties or evidence - those are handled by the converter.
type AssetIdentity ¶
// AssetIdentity represents a unique detection method for a cryptographic asset:
// one rule, and what it matched.
type AssetIdentity struct {
	// RuleID is the unique identifier of the detection rule.
	RuleID string
	// API is the cryptographic API detected by this rule (if available).
	API string
	// Message is the human-readable description from the rule.
	Message string
	// Match is the code snippet that was matched.
	//
	// Security note: for related-crypto-material findings (keys, passwords,
	// tokens) the matched snippet can be the secret itself. Anything that copies
	// this field into CBOM evidence or logs should redact or truncate it —
	// confirm the converter does.
	Match string
	// Severity is the severity level of the finding.
	Severity string
	// Confidence is the confidence level of this detection (0.0 to 1.0).
	Confidence float64
}
type AssetOccurrence ¶
// AssetOccurrence represents a single detection instance of a cryptographic
// asset: one file location and the rules that fired on it.
type AssetOccurrence struct {
	// FilePath is the location of the file containing the asset.
	FilePath string
	// StartLine is the line number where the asset was detected.
	StartLine int
	// EndLine is the line number where the asset ends.
	EndLine int
	// RuleIDs contains all rule IDs that detected this occurrence.
	// Multiple rules can detect the same cryptographic asset.
	RuleIDs []string
	// API is the cryptographic API that was detected (if available).
	API string
	// Match is the code snippet that was matched.
	//
	// Security note: for related-crypto-material findings this may contain the
	// literal secret; redact or truncate before emitting it as CBOM evidence —
	// confirm the converter does.
	Match string
}
type Converter ¶
// Converter transforms interim reports to CycloneDX BOM format.
//
// Construct it with NewConverter, which wires in the mappers it needs; the
// mappers produce components, while the Converter is responsible for the
// properties and evidence attached to them.
type Converter struct {
	// contains filtered or unexported fields
}
func NewConverter ¶
func NewConverter() *Converter
NewConverter creates a new CBOM converter with all required mappers.
type OIDMapper ¶ added in v0.2.0
// OIDMapper resolves cryptographic algorithm names to their OIDs.
//
// Lookups are case-insensitive and fall back from the specific algorithm name
// to the algorithm family's parent OID (see ResolveOID). A family-level OID is
// a coarser identification than a specific one: consumers must not infer key
// size or mode from it.
type OIDMapper struct {
	// contains filtered or unexported fields
}
func NewOIDMapper ¶ added in v0.2.0
func NewOIDMapper() *OIDMapper
NewOIDMapper creates a new OID mapper with all predefined mappings.
func (*OIDMapper) GetFamilyOIDCount ¶ added in v0.2.0
GetFamilyOIDCount returns the number of family mappings.
func (*OIDMapper) GetNameOIDCount ¶ added in v0.2.0
GetNameOIDCount returns the number of specific name mappings.
func (*OIDMapper) IsKnownAlgorithm ¶ added in v0.2.0
IsKnownAlgorithm checks if an algorithm name is in the mapping.
func (*OIDMapper) IsKnownFamily ¶ added in v0.2.0
IsKnownFamily checks if an algorithm family is in the mapping.
func (*OIDMapper) ResolveOID ¶ added in v0.2.0
func (m *OIDMapper) ResolveOID(asset *entities.CryptographicAsset) string
ResolveOID looks up the OID for an algorithm using hybrid strategy: 1. Try specific algorithmName (case-insensitive, normalized). 2. Construct name from family + parameterSet + mode and try again. 3. Fall back to algorithmFamily parent OID (case-insensitive). 4. Return empty string if not found (logs warning).
type RelatedCryptoMapper ¶
// RelatedCryptoMapper converts related cryptographic material assets to CycloneDX
// components. This includes keys, tokens, secrets, passwords, digests, IVs, etc.
//
// It carries no state (empty struct); NewRelatedCryptoMapper is a convenience
// constructor. Because these assets are secrets by definition, the produced
// component should describe the material (type, size, algorithm) rather than
// carry its value.
type RelatedCryptoMapper struct{}
func NewRelatedCryptoMapper ¶
func NewRelatedCryptoMapper() *RelatedCryptoMapper
NewRelatedCryptoMapper creates a new related crypto material mapper.
func (*RelatedCryptoMapper) MapToComponentWithEvidence ¶
func (m *RelatedCryptoMapper) MapToComponentWithEvidence(asset *entities.CryptographicAsset) (*cdx.Component, error)
MapToComponentWithEvidence converts a related-crypto-material asset to a CycloneDX component. This method does NOT build properties or evidence - those are handled by the converter.