IBM / sonar-cryptography

This repository contains a SonarQube Plugin that detects cryptographic assets in source code and generates CBOM.
Apache License 2.0
23 stars 4 forks

Cryptography-related dependencies are not represented correctly #66

Open n1ckl0sk0rtge opened 3 months ago

n1ckl0sk0rtge commented 3 months ago

If cryptographic values are interdependent, the “internal” cryptographic references should be used to define these relationships.

Example:

If a key depends on an algorithm, use the cryptoRef field in the relatedCryptoMaterialsProperties to reference the algorithm.

n1ckl0sk0rtge commented 1 month ago

At the moment, this topic is on hold. In the current version of CBOM, there is no option to reference algorithms from other algorithms. This is necessary for many scenarios (a signature algorithm uses a digest algorithm). As this reference cannot be expressed via the algorithm properties and for reasons of conciseness, we present all dependencies in the Dependencies section.
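To make the approach in the last comment concrete, here is an added example (not code from this repository or the plugin's output) of a minimal CBOM in which a signature algorithm component depends on a digest algorithm component through the top-level dependencies section, together with small helpers that resolve the transitive dependencies of a component and flag dependency entries whose refs do not resolve to any declared bom-ref. The field names follow my understanding of the CycloneDX 1.6 schema (type "cryptographic-asset", cryptoProperties.assetType, algorithmProperties.primitive) and the bom-ref values are constructed for this example.

```python
"""Constructed CBOM fragment: algorithm-to-algorithm dependency expressed in the
top-level "dependencies" array rather than inside algorithmProperties.
Field names follow my reading of CycloneDX 1.6; bom-ref values are made up."""
import json

CBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "components": [
        {
            "type": "cryptographic-asset",
            "bom-ref": "crypto/algorithm/rsa-sha256@1",  # constructed bom-ref
            "name": "RSA-SHA256",
            "cryptoProperties": {
                "assetType": "algorithm",
                "algorithmProperties": {
                    "primitive": "signature",
                    "parameterSetIdentifier": "2048",
                },
            },
        },
        {
            "type": "cryptographic-asset",
            "bom-ref": "crypto/algorithm/sha256@1",  # constructed bom-ref
            "name": "SHA256",
            "cryptoProperties": {
                "assetType": "algorithm",
                "algorithmProperties": {"primitive": "hash"},
            },
        },
    ],
    # The signature algorithm uses the digest; since algorithmProperties has no
    # algorithm->algorithm reference, the relationship lives here.
    "dependencies": [
        {"ref": "crypto/algorithm/rsa-sha256@1",
         "dependsOn": ["crypto/algorithm/sha256@1"]},
        {"ref": "crypto/algorithm/sha256@1", "dependsOn": []},
    ],
}


def dependency_graph(bom):
    """Map each bom-ref to the list of bom-refs it depends on."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}


def transitive_dependencies(bom, ref):
    """All refs reachable from `ref` via the dependencies section (cycle-safe)."""
    graph = dependency_graph(bom)
    seen, stack = [], list(graph.get(ref, []))
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.append(cur)
        stack.extend(graph.get(cur, []))
    return seen


def dangling_refs(bom):
    """Refs used in the dependencies section that no component declares."""
    declared = {c.get("bom-ref") for c in bom.get("components", [])}
    used = set()
    for d in bom.get("dependencies", []):
        used.add(d["ref"])
        used.update(d.get("dependsOn", []))
    return sorted(used - declared)


def algorithm_name(bom, ref):
    """Look up the human-readable name of a component by bom-ref."""
    for c in bom.get("components", []):
        if c.get("bom-ref") == ref:
            return c.get("name")
    return None


if __name__ == "__main__":
    print(json.dumps(CBOM, indent=2))
    deps = transitive_dependencies(CBOM, "crypto/algorithm/rsa-sha256@1")
    print("RSA-SHA256 depends on:", [algorithm_name(CBOM, r) for r in deps])
    print("dangling refs:", dangling_refs(CBOM))
```

The dangling-ref check is the one worth keeping around when a tool emits relationships this way: a consumer that walks the dependencies array silently loses the link between the signature and its digest if either bom-ref is misspelled or the component is dropped from the components list.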