{"id":35020366,"url":"https://github.com/csnp/qramm-cryptodeps","last_synced_at":"2026-01-13T21:04:09.970Z","repository":{"id":330619279,"uuid":"1123092338","full_name":"csnp/qramm-cryptodeps","owner":"csnp","description":"Cryptographic Dependency Scanner - Identify quantum-vulnerable cryptographic algorithms in your software dependencies. Part of the QRAMM Toolkit.","archived":false,"fork":false,"pushed_at":"2025-12-27T01:30:13.000Z","size":373,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-12-28T08:57:06.142Z","etag":null,"topics":["cbom","cnsa","cryptography","dependencies","golang","post-quantum","post-quantum-cryptography","pqc","quantum-computing","sast","sbom","security","supply-chain-security","vulnerability-scanners"],"latest_commit_sha":null,"homepage":"https://qramm.org","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/csnp.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-26T07:03:39.000Z","updated_at":"2025-12-27T01:30:17.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/csnp/qramm-cryptodeps","commit_stats":null,"previous_names":["csnp/qramm-cryptodeps"],"tags_count":7,"template":false,"template_full_name":null,"purl":"pkg:github/csnp/qramm-cryptodeps","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/csnp%2Fqramm-cryptodeps","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/csnp%2Fqramm-cryptodeps/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/csnp%2Fqramm-cryptodeps/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/csnp%2Fqramm-cryptodeps/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/csnp","download_url":"https://codeload.github.com/csnp/qramm-cryptodeps/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/csnp%2Fqramm-cryptodeps/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28400397,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-13T14:36:09.778Z","status":"ssl_error","status_checked_at":"2026-01-13T14:35:19.697Z","response_time":56,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cbom","cnsa","cryptography","dependencies","golang","post-quantum","post-quantum-cryptography","pqc","quantum-computing","sast","sbom","security","supply-chain-security","vulnerability-scanners"],"created_at":"2025-12-27T05:49:07.924Z","updated_at":"2026-01-13T21:04:09.964Z","avatar_url":"https://github.com/csnp.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# CryptoDeps\n\n**Quantum-Safe Dependency Analysis for Your Software Supply Chain**\n\nFind every cryptographic vulnerability in your dependencies. Know your quantum risk. Focus on what matters.\n\n[![CI](https://github.com/csnp/qramm-cryptodeps/actions/workflows/ci.yml/badge.svg)](https://github.com/csnp/qramm-cryptodeps/actions/workflows/ci.yml)\n[![Go Report Card](https://img.shields.io/badge/go%20report-A-brightgreen)](https://goreportcard.com/report/github.com/csnp/qramm-cryptodeps)\n[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](LICENSE)\n[![Go Version](https://img.shields.io/github/go-mod/go-version/csnp/qramm-cryptodeps)](go.mod)\n\n[Why CryptoDeps](#why-cryptodeps) | [Quick Start](#quick-start) | [Features](#features) | [Full Documentation](#cli-reference) | [Patterns](PATTERNS.md) | [Contributing](#contributing)\n\n---\n\n## The Quantum Computing Challenge\n\nQuantum computers will break RSA, ECDSA, and Diffie-Hellman within the next decade. This isn't speculationβ€”the NSA, NIST, and major technology companies are already migrating to post-quantum cryptography (PQC).\n\nThe challenge? **You can't migrate what you can't find.**\n\nYour code might be quantum-safe, but what about your **dependencies**? The average software project has 300-1000+ transitive dependencies. Each one potentially uses cryptographic algorithms that quantum computers will break. Traditional security scanners miss thisβ€”they focus on CVEs, not cryptographic readiness.\n\nCryptoDeps solves this by analyzing your entire dependency tree and using **reachability analysis** to show exactly which crypto your code actually uses versus what's merely present in libraries.\n\n---\n\n## Why CryptoDeps\n\nCryptoDeps is purpose-built for quantum readiness assessment:\n\n| Capability | CryptoDeps | grep/ripgrep | Commercial Tools |\n|------------|------------|--------------|------------------|\n| Dependency tree analysis | Yes | No | Some |\n| Reachability analysis | Yes (Go) | No | Rarely |\n| Quantum risk classification | Yes | No | Some |\n| Context-aware confidence | Yes | No | Varies |\n| CBOM output | Yes | No | Rarely |\n| SARIF for GitHub Security | Yes | No | Yes |\n| GitHub URL scanning | Yes | No | Some |\n| Migration guidance | Yes | No | Varies |\n| Multi-ecosystem support | Yes | Manual | Varies |\n| Open source | Yes | Yes | No |\n| Price | Free | Free | $$ |\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eWhat These Capabilities Mean\u003c/strong\u003e\u003c/summary\u003e\n\n- **Dependency tree analysis**: Scans all transitive dependencies, not just direct ones\n- **Reachability analysis**: Traces call graphs to find crypto your code actually invokes\n- **Quantum risk classification**: Categorizes by threat level (VULNERABLE, PARTIAL, SAFE)\n- **Context-aware confidence**: Distinguishes confirmed usage from mere availability\n- **CBOM output**: Cryptographic Bill of Materials for OMB M-23-02 compliance\n- **SARIF output**: Integrates with GitHub Security tab\n- **GitHub URL scanning**: Analyze any public/private GitHub repository directly\n- **Migration guidance**: Actionable recommendations with NIST standards references\n- **Multi-ecosystem support**: Go, npm, Python, Maven from a single tool\n\n\u003c/details\u003e\n\n---\n\n## Quick Start\n\n### Installation\n\n**Option 1: Build from Source**\n\nRequires Go 1.21+ ([install Go](https://golang.org/doc/install))\n\nCopy and paste this entire block:\n\n```bash\ngit clone https://github.com/csnp/qramm-cryptodeps.git\ncd qramm-cryptodeps\nmake build\nsudo mv cryptodeps /usr/local/bin/\ncd .. \ncryptodeps version\n```\n\n**Option 2: Go Install**\n\nFor Go developers:\n\n```bash\ngo install github.com/csnp/qramm-cryptodeps/cmd/cryptodeps@latest\n```\n\n**Option 3: Download Binary**\n\nDownload pre-built binaries from [GitHub Releases](https://github.com/csnp/qramm-cryptodeps/releases).\n\n### Basic Usage\n\n```bash\n# Analyze a local directory\ncryptodeps analyze .\n\n# Analyze a GitHub repository directly\ncryptodeps analyze hashicorp/vault\ncryptodeps analyze https://github.com/golang-jwt/jwt\n\n# Output to JSON for automation\ncryptodeps analyze . --format json \u003e findings.json\n\n# Generate SARIF for GitHub Security integration\ncryptodeps analyze . --format sarif \u003e results.sarif\n\n# Generate CBOM for compliance\ncryptodeps analyze . --format cbom \u003e crypto-bom.json\n```\n\n### Try It Out\n\nThis repository includes a sample vulnerable project for testing:\n\n```bash\n# Clone and build\ngit clone https://github.com/csnp/qramm-cryptodeps.git\ncd qramm-cryptodeps\nmake build\n\n# Scan the sample project\n./cryptodeps analyze ./examples/vulnerable-demo\n\n# Expected: Findings showing Ed25519, RSA, ECDSA usage\n# - CONFIRMED crypto your code calls\n# - AVAILABLE crypto in dependencies\n# - Remediation guidance for each\n```\n\n---\n\n## Features\n\n### Reachability Analysis\n\nCryptoDeps goes beyond simple dependency scanning by analyzing your code's call graph:\n\n| Level | Meaning | Action |\n|-------|---------|--------|\n| **CONFIRMED** | Your code directly calls this crypto | Immediate remediation required |\n| **REACHABLE** | In call graph from your code | Monitor and plan migration |\n| **AVAILABLE** | In dependency but not called | Lower priority (future planning) |\n\n### Multi-Ecosystem Support\n\n| Ecosystem | Manifest Files |\n|-----------|----------------|\n| Go | `go.mod`, `go.sum` |\n| npm | `package.json`, `package-lock.json` |\n| Python | `requirements.txt`, `pyproject.toml`, `Pipfile` |\n| Maven | `pom.xml` |\n\n### Workspace \u0026 Monorepo Support\n\nCryptoDeps automatically discovers all manifest files in workspaces and monorepos:\n\n- **npm/yarn/pnpm**: Detects `workspaces` in package.json and pnpm-workspace.yaml\n- **Go**: Detects `go.work` files and all `go.mod` in subdirectories\n- **Recursive discovery**: Walks directory tree to find all manifests\n- **Smart filtering**: Skips node_modules, vendor, .git, build directories\n\n```bash\n# Scan entire monorepo - finds all projects automatically\ncryptodeps analyze /path/to/monorepo\n\n# Disable workspace discovery (scan single manifest only)\ncryptodeps analyze /path/to/monorepo --no-workspaces\n```\n\n### Quantum Risk Classification\n\nEvery finding is classified by quantum computing threat level:\n\n| Symbol | Risk Level | Quantum Threat | Examples |\n|--------|------------|----------------|----------|\n| πŸ”΄ | VULNERABLE | Shor's algorithm | RSA, ECDSA, Ed25519, ECDH, DH, DSA |\n| 🟑 | PARTIAL | Grover's algorithm | AES-128, SHA-256, HMAC-SHA256 |\n| 🟒 | SAFE | Resistant | AES-256, SHA-384+, ChaCha20, Argon2 |\n\n### Smart Remediation\n\nContext-aware recommendations that consider:\n- Token lifetimes (short-lived JWTs vs long-lived certificates)\n- Industry standards (wait for PQ-JWT vs migrate now)\n- Migration effort (simple change vs architectural overhaul)\n- NIST standards references (FIPS 203, 204, 205)\n\n### Multiple Output Formats\n\n```bash\n# Human-readable table (default)\ncryptodeps analyze .\n\n# JSON for automation\ncryptodeps analyze . --format json\n\n# CycloneDX CBOM for compliance\ncryptodeps analyze . --format cbom\n\n# SARIF for GitHub Security\ncryptodeps analyze . --format sarif\n\n# Markdown for reports\ncryptodeps analyze . --format markdown\n```\n\n---\n\n## CLI Reference\n\n```\ncryptodeps \u003ccommand\u003e [flags]\n\nCommands:\n analyze Analyze project dependencies for cryptographic usage\n update Download latest crypto knowledge database\n status Show database statistics and cache info\n version Print version information\n\nAnalyze Flags:\n -f, --format string Output format: table, json, cbom, sarif, markdown (default \"table\")\n --fail-on string Fail threshold: vulnerable, partial, any, none (default \"vulnerable\")\n --reachability Analyze call graph for actual crypto usage (default true, Go only)\n --deep Force AST analysis for packages not in database\n --offline Use only local database, skip auto-updates\n --no-workspaces Disable workspace discovery (scan single manifest only)\n --risk string Filter by risk: vulnerable, partial, all\n --min-severity string Minimum severity to report\n -h, --help Show help\n```\n\n### Common Workflows\n\n```bash\n# Focus on confirmed vulnerabilities only (what you actually use)\ncryptodeps analyze . --reachability\n\n# CI/CD: Fail if quantum-vulnerable crypto is detected\ncryptodeps analyze . --fail-on vulnerable\n\n# Quick scan without call graph analysis\ncryptodeps analyze . --reachability=false\n\n# Analyze a specific manifest file\ncryptodeps analyze ./go.mod\n\n# Offline mode (use cached database)\ncryptodeps analyze . --offline\n\n# Update the crypto knowledge database\ncryptodeps update\n\n# Check database status\ncryptodeps status\n```\n\n---\n\n## Sample Output\n\n```\n[*] Scanning go.mod... found 36 dependencies\n\n[!] CONFIRMED - Actually used by your code (requires action):\n──────────────────────────────────────────────────────────────────────────────────────────\n πŸ”΄ Ed25519 VULNERABLE 1-2yr low\n └─ golang.org/x/crypto@v0.31.0\n \u003e Called from: crypto.GenerateEd25519KeyPair\n \u003e Called from: crypto.SignMessage\n\n 🟑 HS256 PARTIAL - low\n └─ github.com/golang-jwt/jwt/v5@v5.3.0\n \u003e Called from: auth.JWTService.GenerateAccessToken\n\n 🟒 bcrypt SAFE - -\n └─ golang.org/x/crypto@v0.31.0\n \u003e Called from: auth.HashPassword\n\n[.] AVAILABLE - In dependencies but not called (lower priority):\n──────────────────────────────────────────────────────────────────────────────────────────\n golang.org/x/crypto@v0.31.0\n └─ πŸ”΄ X25519, 🟒 ChaCha20-Poly1305, 🟒 Argon2\n\n══════════════════════════════════════════════════════════════════════════════════════════\nSUMMARY: 36 deps | 2 with crypto | 8 vulnerable | 2 partial\nREACHABILITY: 3 confirmed | 0 reachable | 11 available-only\n\nREMEDIATION GUIDANCE:\n══════════════════════════════════════════════════════════════════════════════════════════\n\nπŸ”΄ Ed25519 [PRIORITY]\n──────────────────────────────────────────────────\n Action: Plan migration to ML-DSA; prioritize if signing long-lived data\n Replace with: ML-DSA-65 (FIPS 204)\n NIST: FIPS 204\n Timeline: Short-term (1-2 years)\n Effort: Low (simple change)\n Libraries: github.com/cloudflare/circl/sign/mldsa\n```\n\n---\n\n## CI/CD Integration\n\n### GitHub Actions with SARIF\n\n```yaml\n# .github/workflows/crypto-scan.yml\nname: Quantum Security Scan\n\non:\n push:\n branches: [main]\n pull_request:\n branches: [main]\n\njobs:\n cryptodeps:\n runs-on: ubuntu-latest\n permissions:\n security-events: write\n contents: read\n steps:\n - uses: actions/checkout@v4\n\n - name: Setup Go\n uses: actions/setup-go@v5\n with:\n go-version: '1.22'\n\n - name: Install CryptoDeps\n run: go install github.com/csnp/qramm-cryptodeps/cmd/cryptodeps@latest\n\n - name: Run Scan\n run: cryptodeps analyze . --format sarif \u003e results.sarif\n\n - name: Upload SARIF to GitHub Security\n uses: github/codeql-action/upload-sarif@v3\n with:\n sarif_file: results.sarif\n\n - name: Fail on Vulnerable Crypto\n run: cryptodeps analyze . --fail-on vulnerable\n```\n\n### GitLab CI\n\n```yaml\ncryptodeps:\n stage: security\n image: golang:1.22\n script:\n - go install github.com/csnp/qramm-cryptodeps/cmd/cryptodeps@latest\n - cryptodeps analyze . --format json \u003e crypto-findings.json\n - cryptodeps analyze . --fail-on vulnerable\n artifacts:\n paths:\n - crypto-findings.json\n```\n\n### Exit Codes\n\n| Code | Meaning | Trigger |\n|------|---------|---------|\n| `0` | Success | No findings matching `--fail-on` threshold |\n| `1` | Vulnerable | Quantum-vulnerable crypto detected |\n| `2` | Error | Analysis failed (invalid manifest, network error) |\n| `3` | Partial | Partial-risk crypto detected (with `--fail-on partial`) |\n\n---\n\n## Output Formats Explained\n\n### SARIF (Static Analysis Results Interchange Format)\n\nSARIF output integrates with GitHub Code Scanning, VS Code SARIF Viewer, and other security tools:\n\n```json\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json\",\n \"version\": \"2.1.0\",\n \"runs\": [{\n \"tool\": {\n \"driver\": {\n \"name\": \"CryptoDeps\",\n \"informationUri\": \"https://github.com/csnp/qramm-cryptodeps\"\n }\n },\n \"results\": [...]\n }]\n}\n```\n\n### CBOM (Cryptographic Bill of Materials)\n\nJust as an SBOM inventories software dependencies, a CBOM inventories all cryptographic algorithms in your systems. Required by emerging regulations (OMB M-23-02, NIST guidelines).\n\n```json\n{\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"serialNumber\": \"urn:uuid:...\",\n \"components\": [\n {\n \"type\": \"cryptographic-asset\",\n \"name\": \"RSA-2048\",\n \"cryptoProperties\": {\n \"assetType\": \"algorithm\",\n \"algorithmProperties\": {\n \"primitive\": \"pke\",\n \"parameterSetIdentifier\": \"2048\"\n }\n }\n }\n ]\n}\n```\n\n---\n\n## Architecture\n\n```\nqramm-cryptodeps/\nβ”œβ”€β”€ cmd/cryptodeps/ # CLI entry point\nβ”œβ”€β”€ internal/\nβ”‚ β”œβ”€β”€ analyzer/ # Core analysis engine\nβ”‚ β”‚ β”œβ”€β”€ ast/ # Language-specific AST parsing\nβ”‚ β”‚ β”œβ”€β”€ ondemand/ # Source code fetching \u0026 analysis\nβ”‚ β”‚ β”œβ”€β”€ reachability/ # Call graph analysis (Go)\nβ”‚ β”‚ └── source/ # Package source resolution\nβ”‚ β”œβ”€β”€ database/ # Crypto knowledge database\nβ”‚ β”œβ”€β”€ manifest/ # Dependency manifest parsers\nβ”‚ └── registry/ # Package registry fetchers\nβ”œβ”€β”€ pkg/\nβ”‚ β”œβ”€β”€ crypto/ # Algorithm patterns \u0026 remediation\nβ”‚ β”œβ”€β”€ output/ # Formatters (table, JSON, CBOM, SARIF)\nβ”‚ └── types/ # Shared type definitions\nβ”œβ”€β”€ data/ # Curated crypto database (1,100+ packages)\n└── examples/ # Sample projects for testing\n```\n\n---\n\n## Roadmap\n\n### v1.2 (Current Release)\n\n- [x] Multi-ecosystem dependency scanning (Go, npm, Python, Maven)\n- [x] Reachability analysis for Go projects\n- [x] Multiple output formats (table, JSON, CBOM, SARIF, Markdown)\n- [x] Quantum risk classification with CNSA 2.0 timeline\n- [x] Smart remediation guidance with NIST references\n- [x] GitHub repository URL scanning\n- [x] Curated database of 1,100+ packages\n- [x] Workspace \u0026 monorepo support (npm, pnpm, Go workspaces)\n- [x] Multi-project aggregated results\n\n### v1.3 (Next)\n\n- [ ] Improved reachability for npm/Python projects\n- [ ] Transitive dependency crypto inheritance\n- [ ] Configuration file support (.cryptodeps.yaml)\n- [ ] Watch mode for continuous monitoring\n\n### v2.0 (Future)\n\n- [ ] Direct integration with SBOMs (merge SBOM + CBOM)\n- [ ] Cloud KMS detection (AWS, Azure, GCP)\n- [ ] Certificate chain analysis\n- [ ] IDE plugins (VS Code, JetBrains)\n\n---\n\n## Contributing\n\nWe welcome contributions from the community! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.\n\n### Development Setup\n\n```bash\n# Clone the repository\ngit clone https://github.com/csnp/qramm-cryptodeps.git\ncd qramm-cryptodeps\n\n# Install dependencies\ngo mod download\n\n# Run tests\ngo test -race ./...\n\n# Build\ngo build -o cryptodeps ./cmd/cryptodeps\n\n# Run linter\ngolangci-lint run\n```\n\n### Adding Package Data\n\nHelp expand the crypto knowledge database by contributing analysis for new packages. See [CONTRIBUTING.md](CONTRIBUTING.md) for the package entry format.\n\n---\n\n## About CSNP\n\nCryptoDeps is developed by the [Cyber Security Non-Profit (CSNP)](https://csnp.org), a 501(c)(3) organization dedicated to making cybersecurity knowledge accessible to everyone through education, community, and practical resources.\n\n### Our Mission\n\nWe believe that:\n\n- **Accessibility**: Cybersecurity knowledge should be available to everyone\n- **Community**: Supportive communities help people learn and grow together\n- **Education**: Practical resources empower people to implement better security\n- **Integrity**: The highest ethical standards in all operations\n\n### QRAMM Toolkit\n\nCryptoDeps is part of the Quantum Readiness Assurance Maturity Model (QRAMM) toolkit:\n\n| Tool | Description |\n|------|-------------|\n| **CryptoDeps** | Dependency cryptographic analysis (this project) |\n| [CryptoScan](https://github.com/csnp/qramm-cryptoscan) | Source code cryptographic discovery |\n| [TLS Analyzer](https://github.com/csnp/qramm-tls-analyzer) | TLS/SSL configuration analysis |\n\nLearn more at [qramm.org](https://qramm.org) and [csnp.org](https://csnp.org).\n\n---\n\n## References\n\n### NIST Post-Quantum Cryptography Standards\n\n- [FIPS 203 - ML-KEM](https://csrc.nist.gov/pubs/fips/203/final) β€” Module-Lattice-Based Key-Encapsulation Mechanism (replaces RSA/ECDH)\n- [FIPS 204 - ML-DSA](https://csrc.nist.gov/pubs/fips/204/final) β€” Module-Lattice-Based Digital Signature Algorithm (replaces RSA/ECDSA)\n- [FIPS 205 - SLH-DSA](https://csrc.nist.gov/pubs/fips/205/final) β€” Stateless Hash-Based Digital Signature Algorithm\n- [NIST SP 800-131A Rev 2](https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final) β€” Transitioning cryptographic algorithms and key lengths\n\n### Additional Resources\n\n- [NSA CNSA 2.0](https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF) β€” Commercial National Security Algorithm Suite\n- [OMB M-23-02](https://www.whitehouse.gov/wp-content/uploads/2022/11/M-23-02-M-Memo-on-Migrating-to-Post-Quantum-Cryptography.pdf) β€” Federal PQC Migration Requirements\n- [CISA Post-Quantum Cryptography Initiative](https://www.cisa.gov/quantum)\n- [CycloneDX CBOM](https://cyclonedx.org/capabilities/cbom/) β€” Cryptographic Bill of Materials\n\n---\n\n## License\n\nApache License 2.0 β€” see [LICENSE](LICENSE) for details.\n\nCopyright 2025 Cyber Security Non-Profit (CSNP)\n\n---\n\nBuilt with purpose by [CSNP](https://csnp.org) β€” Advancing cybersecurity for everyone\n\n[QRAMM](https://qramm.org) | [CSNP](https://csnp.org) | [Issues](https://github.com/csnp/qramm-cryptodeps/issues) | [Twitter](https://twitter.com/caborgsec)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcsnp%2Fqramm-cryptodeps","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcsnp%2Fqramm-cryptodeps","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcsnp%2Fqramm-cryptodeps/lists"}