This issue is to collect and track the use cases from the CycloneDX CBOM WG. Big thanks to all WG contributors for the feedback and the use cases!
[x] Discovering weak algorithms
-> by querying cryptoProperties/algorithmProperties/classicalSecurityLevel
[x] Quantum unsafe algorithms
-> by querying cryptoProperties/algorithmProperties/nistQuantumSecurityLevel
[x] Certifications
[x] FIPS 140-2 / 140-3
[x] Common Criteria
-> captured in cryptoProperties/algorithmProperties/certificationLevel
[ ] check how to leverage CycloneDX Attestation framework
[x] Configuration - Algorithm supported but (not) configured or enabled
-> difference with dependencyType “used”/“implemented”
[ ] Vulnerability in implementation vs algorithm
[x] Algorithms supported on a given service
[x] Standardized way to represent and query for certificate and key expiry
-> certificates: certificateProperties/notValidAfter
-> keys: keyProperties/expirationDate
[x] Standardized way to represent and query expiry for any or token, or other asset
-> for other relatedCryptoMaterials (e.g. metadata for token, password, etc): add a property
[ ] Inventory of which tokens are in-use from which sources with which permissions etc.
-> tokens captured in relatedCryptoMaterialProperties/token
(todo: research authn/authz specification Steve “discovered” a while back)
[x] information on the CAs
-> certificate chain up to root CA can be added to cryptoProperties/certificateProperties, linked via “issuerName”
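As an added example (not CycloneDX project code, and not part of the issue above), the script below runs the ticked use cases as queries over a CBOM: weak algorithms via classicalSecurityLevel, quantum-unsafe ones via nistQuantumSecurityLevel, certification via certificationLevel, certificate/key/token expiry, and the CA chain walked through issuerName. SAMPLE_CBOM is constructed data, and its field paths follow the ones listed in the issue rather than a released schema: "assetType": "key" with keyProperties/expirationDate and the component-level "expirationDate" property for other related crypto material are assumptions taken from the list above.

```python
# Added example: query a CycloneDX CBOM for the WG use cases. SAMPLE_CBOM is
# constructed data following the field paths listed in the issue (assumed,
# not a released schema).
from datetime import datetime, timezone

NOW = datetime(2024, 12, 20, tzinfo=timezone.utc)   # constructed reference time


def asset(ref, name, crypto, **extra):
    """Build one cryptographic-asset component."""
    return {"type": "cryptographic-asset", "bom-ref": ref, "name": name,
            "cryptoProperties": crypto, **extra}


def algorithm(ref, name, **props):
    return asset(ref, name, {"assetType": "algorithm", "algorithmProperties": props})


def certificate(ref, subject, issuer, not_after):
    return asset(ref, subject, {"assetType": "certificate", "certificateProperties": {
        "subjectName": subject, "issuerName": issuer, "notValidAfter": not_after}})


SAMPLE_CBOM = {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
    algorithm("alg:rsa-1024", "RSA-1024", primitive="pke",
              classicalSecurityLevel=80, nistQuantumSecurityLevel=0),
    algorithm("alg:rsa-2048", "RSA-2048", primitive="pke", classicalSecurityLevel=112,
              nistQuantumSecurityLevel=0, certificationLevel=["fips140-2-l1"]),
    algorithm("alg:aes-256-gcm", "AES-256-GCM", primitive="ae", classicalSecurityLevel=256,
              nistQuantumSecurityLevel=5, certificationLevel=["fips140-3-l1"]),
    # No quantum level asserted: must be reported as unknown, not as safe.
    algorithm("alg:sha-256", "SHA-256", primitive="hash", classicalSecurityLevel=128),
    certificate("cert:leaf", "CN=api.example.com", "CN=Example Issuing CA", "2025-01-15T00:00:00Z"),
    certificate("cert:issuing", "CN=Example Issuing CA", "CN=Example Root CA", "2030-01-01T00:00:00Z"),
    certificate("cert:root", "CN=Example Root CA", "CN=Example Root CA", "2040-01-01T00:00:00Z"),
    # assetType "key" / keyProperties: assumed from the issue's draft paths.
    asset("key:api-signing", "api-signing-key",
          {"assetType": "key", "keyProperties": {"expirationDate": "2025-01-01T00:00:00Z"}}),
    # Other related crypto material carries expiry as a named property (assumed, per the issue).
    asset("token:ci-deploy", "ci-deploy-token",
          {"assetType": "related-crypto-material", "relatedCryptoMaterialProperties": {"type": "token"}},
          properties=[{"name": "expirationDate", "value": "2025-06-01T00:00:00Z"}]),
]}


def _crypto(bom):
    for c in bom.get("components", []):
        if "cryptoProperties" in c:
            yield c, c["cryptoProperties"]


def weak_algorithms(bom, min_bits=128):
    """Algorithms below the classical policy floor; an unasserted level is flagged as well."""
    return sorted(c["name"] for c, cp in _crypto(bom) if "algorithmProperties" in cp
                  and cp["algorithmProperties"].get("classicalSecurityLevel", 0) < min_bits)


def quantum_unsafe(bom):
    """nistQuantumSecurityLevel 0 means no quantum security; a missing level is unknown, not safe."""
    unsafe, unknown = [], []
    for c, cp in _crypto(bom):
        if "algorithmProperties" not in cp:
            continue
        level = cp["algorithmProperties"].get("nistQuantumSecurityLevel")
        (unknown if level is None else unsafe if level == 0 else []).append(c["name"])
    return sorted(unsafe), sorted(unknown)


def certified(bom, prefix="fips140"):
    """Algorithms carrying a certificationLevel entry with the given prefix (e.g. fips140, cc)."""
    return sorted(c["name"] for c, cp in _crypto(bom) if any(
        lvl.startswith(prefix) for lvl in cp.get("algorithmProperties", {}).get("certificationLevel", [])))


def _expiry(component, cp):
    """Expiry timestamp per asset kind, following the paths given in the issue."""
    if "certificateProperties" in cp:
        return "certificate", cp["certificateProperties"].get("notValidAfter")
    if "keyProperties" in cp:
        return "key", cp["keyProperties"].get("expirationDate")
    for p in component.get("properties", []):
        if p.get("name") == "expirationDate":
            return cp.get("relatedCryptoMaterialProperties", {}).get("type", "material"), p.get("value")
    return None, None


def expiring(bom, now, within_days=30):
    """(days_left, name, kind) for assets expiring within the window; already expired ones are negative."""
    hits = []
    for c, cp in _crypto(bom):
        kind, ts = _expiry(c, cp)
        if ts is not None:
            days = (datetime.fromisoformat(ts.replace("Z", "+00:00")) - now).days
            if days <= within_days:
                hits.append((days, c["name"], kind))
    return sorted(hits)


def chain_to_root(bom, bom_ref):
    """Walk issuerName from a leaf to the self-signed root; None marks an issuer missing from the BOM."""
    by_subject = {cp["certificateProperties"]["subjectName"]: cp["certificateProperties"]
                  for _, cp in _crypto(bom) if "certificateProperties" in cp}
    cert = next(cp["certificateProperties"] for c, cp in _crypto(bom) if c["bom-ref"] == bom_ref)
    chain = [cert["subjectName"]]
    while cert is not None and cert["issuerName"] != cert["subjectName"]:
        cert = by_subject.get(cert["issuerName"])
        chain.append(cert["subjectName"] if cert else None)
    return chain


if __name__ == "__main__":
    print(weak_algorithms(SAMPLE_CBOM), quantum_unsafe(SAMPLE_CBOM), certified(SAMPLE_CBOM))
    print(expiring(SAMPLE_CBOM, NOW), chain_to_root(SAMPLE_CBOM, "cert:leaf"))
```

The one design point worth noting is that absence is never read as strength: an algorithm with no nistQuantumSecurityLevel goes into the unknown bucket, and an algorithm with no classicalSecurityLevel is flagged, so a CBOM that omits a field cannot silently pass a policy query.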