{"id":43640434,"url":"https://github.com/cbomkit/sonar-cryptography","last_synced_at":"2026-02-04T18:03:04.832Z","repository":{"id":243631879,"uuid":"812939964","full_name":"cbomkit/sonar-cryptography","owner":"cbomkit","description":"This repository contains a SonarQube Plugin that detects cryptographic assets in source code and generates CBOM.","archived":false,"fork":false,"pushed_at":"2026-01-26T21:56:09.000Z","size":39490,"stargazers_count":53,"open_issues_count":26,"forks_count":17,"subscribers_count":5,"default_branch":"main","last_synced_at":"2026-01-28T04:46:28.639Z","etag":null,"topics":["cbom","cbom-tool","cbomkit","crypto-scanner","cryptographic-inventory","cryptography","cryptography-bom","post-quantum","post-quantum-cryptography","quantum-safe","sbom","sbom-tool","sonar","sonarqube"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cbomkit.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-06-10T07:41:48.000Z","updated_at":"2026-01-25T12:37:41.000Z","dependencies_parsed_at":"2024-06-25T09:41:41.415Z","dependency_job_id":"1b7ec977-44b1-4d5f-a92b-3e414564d775","html_url":"https://github.com/cbomkit/sonar-cryptography","commit_stats":null,"previous_names":["ibm/sonar-cryptography","pqca/sonar-cryptography","cbomkit/sonar-cryptography"],"tags_count":20,"template":false,"template_full_name":null,"purl":"pkg:github/cbomkit/sonar-cryptography","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cbomkit%2Fsonar-cryptography","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cbomkit%2Fsonar-cryptography/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cbomkit%2Fsonar-cryptography/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cbomkit%2Fsonar-cryptography/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cbomkit","download_url":"https://codeload.github.com/cbomkit/sonar-cryptography/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cbomkit%2Fsonar-cryptography/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29092731,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-04T03:31:03.593Z","status":"ssl_error","status_checked_at":"2026-02-04T03:29:50.742Z","response_time":62,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cbom","cbom-tool","cbomkit","crypto-scanner","cryptographic-inventory","cryptography","cryptography-bom","post-quantum","post-quantum-cryptography","quantum-safe","sbom","sbom-tool","sonar","sonarqube"],"created_at":"2026-02-04T18:03:01.183Z","updated_at":"2026-02-04T18:03:04.822Z","avatar_url":"https://github.com/cbomkit.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Sonar Cryptography Plugin (CBOMkit-hyperion)\n\n[![License](https://img.shields.io/github/license/cbomkit/sonar-cryptography.svg?)](https://opensource.org/licenses/Apache-2.0) \u003c!--- long-description-skip-begin --\u003e\n[![Current Release](https://img.shields.io/github/release/cbomkit/sonar-cryptography.svg?logo=IBM)](https://github.com/cbomkit/sonar-cryptography/releases)\n\n\nThis repository contains a SonarQube Plugin that detects cryptographic assets\nin source code and generates [CBOM](https://cyclonedx.org/capabilities/cbom/).\nIt is part of **the [CBOMKit](https://github.com/cbomkit) toolset**.\n\n## Table of Contents\n\n- [Version compatibility](#version-compatibility)\n- [Supported languages and libraries](#supported-languages-and-libraries)\n- [Installation](#installation)\n- [Using](#using)\n- [Example Output](#example-output)\n- [Build](#build)\n- [Help and troubleshooting](#help-and-troubleshooting)\n- [Contribution Guidelines](#contribution-guidelines)\n- [License](#license)\n\n## Version compatibility\n\n| Plugin Version | SonarQube Version |\n|-----------------|--------------------------------|\n| 1.3.7 and up | SonarQube 9.9 (LTS) and up |\n| 1.3.2 and 1.3.6 | SonarQube 9.8 (LTS) up to 10.8 | \n| 1.2.0 to 1.3.1 | SonarQube 9.8 (LTS) up to 10.4 | \n\n\n## Supported languages and libraries\n\n| Language | Cryptographic Library | Coverage |\n|----------|-----------------------------------------------------------------------------------------------|-------------|\n| Java | [JCA](https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html) | 100% |\n| | [BouncyCastle](https://github.com/bcgit/bc-java) (*light-weight API*) | 100%[^1] |\n| Python | [pyca/cryptography](https://cryptography.io/en/latest/) | 100% |\n| Go | [crypto](https://pkg.go.dev/crypto) (*standard library*) | 100%[^2] |\n| | [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) | Partial[^3] |\n\n\n[^1]: We only cover the BouncyCastle *light-weight API* according to [this specification](https://javadoc.io/static/org.bouncycastle/bctls-jdk14/1.80/specifications.html)\n[^2]: All packages under [`crypto`](https://pkg.go.dev/crypto@go1.25.6#section-directories) are covered except `crypto/x509`\n[^3]: Covers `golang.org/x/crypto/hkdf`, `golang.org/x/crypto/pbkdf2`, and `golang.org/x/crypto/sha3`\n\n\u003e [!NOTE]\n\u003e The plugin is designed in a modular way so that it can be extended to support additional languages and recognition rules to support more libraries.\n\u003e - To add support for another language or cryptography library, see [*Extending the Sonar Cryptography Plugin to add support for another language or cryptography library*](./docs/LANGUAGE_SUPPORT.md)\n\u003e - If you just want to know more about the syntax for writing new detection rules, see [*Writing new detection rules for the Sonar Cryptography Plugin*](./docs/DETECTION_RULE_STRUCTURE.md)\n\n## Installation\n\n\u003e [!NOTE] \n\u003e To run the plugin, you need a running SonarQube instance with one of the supported \n\u003e versions. If you don't have one but want to try the plugin, you can use the\n\u003e included Docker Compose to set up a development environment. See \n\u003e [here](CONTRIBUTING.md#build) for instructions.\n\nCopy the plugin (the JAR file from the [latest releases](https://github.com/cbomkit/sonar-cryptography/releases))\nto `$SONARQUBE_HOME/extensions/plugins` and restart \nSonarQube ([more](https://docs.sonarqube.org/latest/setup-and-upgrade/install-a-plugin/)).\n\n## Using\n\nThe plugin provides new inventory rules (Cbomkit Cryptography Repository) regarding the use of cryptography for \nthe supported languages.\nIf you enable these rules, a source code scan creates a cryptographic inventory by creating a \n[CBOM](https://cyclonedx.org/capabilities/cbom/) with all cryptographic assets and writing \na `cbom.json` to the scan directory.\n\n### Add Cryptography Rules to your Quality Profile\n\nThis plugin incorporates rules specifically focused on cryptography.\n\n\u003e To generate a Cryptography Bill of Materials (CBOM), it is mandatory to activate at \n\u003e least one of these cryptography-related rules.\n\n![Activate Rules Crypto Rules](docs/images/rules.png)\n\nAs of the current version, the plugin contains one single rule for creating a cryptographic inventory. \nFuture updates may introduce additional rules to expand functionality.\n\n### Scan Source Code\n\nNow you can follow the [SonarQube documentation](https://docs.sonarqube.org/latest/analyzing-source-code/overview/) \nto start your first scan.\n\n### Visualizing your CBOM\n\nOnce you have scanned your source code with the plugin, and obtained a `cbom.json` file, you can use [CBOMkit](https://github.com/cbomkit/cbomkit) service to know more about it.\nIt provides you with general insights about the cryptography used in your source code and its compliance with post-quantum safety.\nIt also allows you to explore precisely each cryptography asset and its detailed specification, and displays where it appears in your code.\n\n## Example Output\n\nThe plugin generates a `cbom.json` file in [CycloneDX CBOM format](https://cyclonedx.org/capabilities/cbom/). Here's an example showing detected cryptographic assets:\n\n```json\n{\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"metadata\": {\n \"timestamp\": \"2026-01-20T10:58:39Z\",\n \"tools\": {\n \"services\": [\n {\n \"name\": \"CBOMkit\",\n \"provider\": { \"name\": \"PQCA\" }\n }\n ]\n }\n },\n \"components\": [\n {\n \"name\": \"SHA256\",\n \"type\": \"cryptographic-asset\",\n \"bom-ref\": \"0f4f522b-ef99-43b7-9f98-6e83b3b233ca\",\n \"evidence\": {\n \"occurrences\": [\n {\n \"line\": 51,\n \"location\": \"src/main/java/com/example/EncryptionConfig.java\",\n \"additionalContext\": \"java.security.MessageDigest#getInstance\"\n }\n ]\n },\n \"cryptoProperties\": {\n \"oid\": \"2.16.840.1.101.3.4.2.1\",\n \"assetType\": \"algorithm\",\n \"algorithmProperties\": {\n \"primitive\": \"hash\",\n \"cryptoFunctions\": [\"digest\"],\n \"parameterSetIdentifier\": \"256\"\n }\n }\n },\n {\n \"name\": \"AES128-GCM\",\n \"type\": \"cryptographic-asset\",\n \"bom-ref\": \"e006c3f1-912a-4de5-8399-79bf0f350cb9\",\n \"evidence\": {\n \"occurrences\": [\n {\n \"line\": 29,\n \"location\": \"src/main/java/com/example/aes/AESGCM.java\",\n \"additionalContext\": \"javax.crypto.Cipher#getInstance\"\n }\n ]\n },\n \"cryptoProperties\": {\n \"oid\": \"2.16.840.1.101.3.4.1\",\n \"assetType\": \"algorithm\",\n \"algorithmProperties\": {\n \"mode\": \"gcm\",\n \"primitive\": \"ae\",\n \"cryptoFunctions\": [\"decrypt\"],\n \"parameterSetIdentifier\": \"128\"\n }\n }\n },\n {\n \"name\": \"RSA-OAEP\",\n \"type\": \"cryptographic-asset\",\n \"bom-ref\": \"ff238e09-dd3d-44c4-ad49-34350f1d9cc7\",\n \"cryptoProperties\": {\n \"oid\": \"1.2.840.113549.1.1.7\",\n \"assetType\": \"algorithm\",\n \"algorithmProperties\": {\n \"mode\": \"ecb\",\n \"padding\": \"oaep\",\n \"primitive\": \"pke\",\n \"parameterSetIdentifier\": \"2048\"\n }\n }\n }\n ],\n \"dependencies\": [\n {\n \"ref\": \"secret-key-ref\",\n \"dependsOn\": [\"AES128-ref\"]\n }\n ]\n}\n```\n\nThe CBOM includes:\n- **Algorithms**: Hash functions, ciphers, key exchange mechanisms with their parameters\n- **Keys and secrets**: Private keys, secret keys, and other cryptographic materials\n- **Evidence**: Source file locations where each asset was detected\n- **Dependencies**: Relationships between cryptographic assets (e.g., a secret key depending on an algorithm)\n\n## Build\n\n```bash\n# Build with tests\nmvn clean package\n\n# Build without tests (faster)\nmvn clean package -DskipTests\n\n# Build specific module\nmvn clean package -pl java\n\n# Format code (Google Java Format, AOSP style)\nmvn spotless:apply\n\n# Check formatting\nmvn spotless:check\n```\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eAdding packages to sonar-go-to-slang (Go support)\u003c/strong\u003e\u003c/summary\u003e\n\nGo cryptographic detection relies on [sonar-go-to-slang](https://github.com/SonarSource/sonar-go/tree/master/sonar-go-to-slang) for type resolution. The default binary includes common packages, but some cryptographic packages may require you to rebuild it with additional package export data.\n\n### When is this needed?\n\nIf you see \"undefined: \\\u003cidentifier\\\u003e\" errors during type checking for packages like `crypto/hmac`, `crypto/elliptic`, or `crypto/ecdsa`, you need to add the missing package export data.\n\n### Steps to add a package\n\n1. **Generate the package export data file** (`.o` file):\n\n```go\n//go:build ignore\n\npackage main\n\nimport (\n \"fmt\"\n \"go/importer\"\n \"go/token\"\n \"os\"\n \"golang.org/x/tools/go/gcexportdata\"\n)\n\nfunc main() {\n fset := token.NewFileSet()\n imp := importer.ForCompiler(fset, \"gc\", nil)\n pkg, err := imp.Import(\"crypto/hmac\") // \u003c-- target package\n if err != nil {\n fmt.Fprintf(os.Stderr, \"Error importing package: %v\\n\", err)\n os.Exit(1)\n }\n file, err := os.Create(\"packages/crypto_hmac.o\") // \u003c-- output file\n if err != nil {\n fmt.Fprintf(os.Stderr, \"Error creating file: %v\\n\", err)\n os.Exit(1)\n }\n defer file.Close()\n // CRITICAL: Pass nil for fset, NOT the fset used for import\n if err := gcexportdata.Write(file, nil, pkg); err != nil {\n fmt.Fprintf(os.Stderr, \"Error writing export data: %v\\n\", err)\n os.Exit(1)\n }\n fmt.Printf(\"Successfully created package export data for %s\\n\", pkg.Path())\n}\n```\n\nRun with `go run gen_package.go`, then delete the script.\n\n\u003e **CRITICAL**: The `gcexportdata.Write` call must pass `nil` for the `fset` parameter. Passing the same fset used for import will embed absolute file paths, causing runtime errors.\n\n2. **Check for dependencies**: Some packages depend on types from other packages. Common dependencies:\n\n| Package | May require |\n|---------|-------------|\n| `crypto/hmac` | `hash` |\n| `crypto/cipher` | `io` |\n| `crypto/*` (most) | `io`, `hash` |\n\n3. **Add mapping entry** to `mapping_generated.go` in alphabetical order:\n\n```go\n\"crypto/hmac\": \"crypto_hmac.o\",\n```\n\n4. **Rebuild the binary**: `./make.sh build`\n\n### File naming convention\n\n| Package Path | Export Data File |\n|--------------|------------------|\n| `crypto/hmac` | `crypto_hmac.o` |\n| `crypto/elliptic` | `crypto_elliptic.o` |\n| `golang.org/x/crypto/bcrypt` | `x_crypto_bcrypt.o` |\n\n\u003c/details\u003e\n\n## Help and troubleshooting\n\nIf you encounter difficulties or unexpected results while installing the plugin with SonarQube, or when trying to scan a repository, please check out our guide [*Testing your configuration and troubleshooting*](docs/TROUBLESHOOTING.md) to run our plugin with step-by-step instructions.\n\n## Contribution Guidelines\n\nIf you'd like to contribute to Sonar Cryptography Plugin, please take a look at our\n[contribution guidelines](CONTRIBUTING.md). By participating, you are expected to uphold our [code of conduct](CODE_OF_CONDUCT.md).\n\nWe use [GitHub issues](https://github.com/cbomkit/sonar-cryptography/issues) for tracking requests and bugs. For questions\nstart a discussion using [GitHub Discussions](https://github.com/cbomkit/sonar-cryptography/discussions).\n\n## License\n\n[Apache License 2.0](LICENSE.txt)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcbomkit%2Fsonar-cryptography","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcbomkit%2Fsonar-cryptography","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcbomkit%2Fsonar-cryptography/lists"}