Use cases from CycloneDX CBOM WG

[bhess]

This issue is to collect and track the use cases from the CycloneDX CBOM WG. Big thanks to all WG contributors for the feedback and the use cases!

• [x] Discovering weak algorithms -> by querying cryptoProperties/algorithmProperties/classicalSecurityLevel

• [x] Quantium unsafe algorithms -> by querying cryptoProperties/algorithmProperties/nistQuantumSecurityLevel

• [x] Certifications

  • [x] FIPS 140-2 / 140-3
  • [x] Common Criteria -> captured in cryptoProperties/algorithmProperties/certificationLevel
  • [ ] check how to leverage CycloneDX Attestation framework

• [x] Configuration - Algorithm supported but (not) configured or enabled -> difference with dependencyType “used”/implemented”

• [ ] Vulnerability in implementation vs algorithm

• [x] Algorithms supported on a given service

• [x] Standardized way to represent and query for certificate and key expiry -> certificates: certificateProperties/notValidAfter -> keys: keyProperties/expirationDate

• [x] Standardized way to represent and query expiry for any or token, or other asset -> for other relatedCryptoMaterials (e.g. metadata for token, password, etc): add a property

• [ ] Inventory of which tokens are in-use from which sources with which permissions etc. -> tokens captured in relatedCryptoMaterialProperties/token (todo: research authn/authz specification Steve “discovered” a while back

• [x] information on the CAs -> certificate chain up to root CA can be added to cryptoProperties/certificateProperties, linked via “issuerName”

[bhess]

Closing with the upstream to CycloneDX 1.6.