
CBOM

AQtive Guard supports uploading Cryptographic Bill of Materials (CBOM) files in JSON format for analysis and inventory. CBOM provides a comprehensive inventory of an application’s cryptographic objects and dependencies to expand your cryptographic and IT asset inventory in AQtive Guard.

Prerequisites

  • A valid Cryptographic Bill of Materials (CBOM) JSON file. AQtive Guard supports the following formats:
    • CycloneDX version 1.4 - AQtive Guard validated this version with output from CryptoBOM Forge by Santander.
    • CycloneDX version 1.6 - AQtive Guard validated this version with output from IBM's cryptography plugin for SonarQube.

Tip

The OWASP CycloneDX Tool Center lists numerous tools capable of generating CycloneDX 1.4 or 1.6 files. While some of these tools may produce compatible outputs, they aren’t formally tested or supported by AQtive Guard, and functionality cannot be guaranteed.

Upload a CBOM file

To upload a CBOM file, follow these steps:

  1. Navigate to Data Sources from the main menu, then select Upload in the CBOM panel.
  2. Enter the following metadata to provide attributes for the CBOM data in AQtive Guard:

    • Application Name - The name of the application or codebase the CBOM describes, typically the root name of the codebase.
    • Language - The programming language of the application, as reported in the CBOM or by the tool that scanned the application.

    Note

    Make sure the metadata is entered correctly before you upload the JSON file. It’s used to identify the CBOM data in the associated AQtive Guard tables.

  3. To upload the CBOM JSON file, either:

    • Click in the target area and select the file from your local system.
    • Drag and drop the file into the target upload area.

    The data will begin uploading automatically.

CBOM data

AQtive Guard ingests and analyzes the following data directly from a CBOM file. The field names below are written in snake_case; CycloneDX 1.6 itself spells the same primitives and material types with hyphens (block-cipher, stream-cipher, private-key). AQG is short for AQtive Guard.

  • component.cryptographic-asset - a cryptographic-asset component, carrying the reference to the source code where the cryptographic primitive is found.
  • related_crypto_material (private_key, secret_key) - key material of type private_key or secret_key. This data maps to a Key object in AQG.
  • primitive.block_cipher and primitive.ae (authenticated encryption) - block cipher and authenticated-encryption algorithms such as AES, DES, DES_EDE_3KEY, CAST5, and CHACHA20POLY1305. This data maps to a CipherOperation/SymmetricCipher object in AQG.
  • primitive.stream_cipher - stream cipher algorithms such as RC4, SALSA20, and CHACHA20. This data maps to a CipherOperation/SymmetricCipher object in AQG.
  • primitive.PKE (public-key encryption) - public-key algorithms such as RSA, DSA, DH, EC, ECDH, and ECDSA. This data maps to a CipherOperation/AsymmetricCipher object in AQG.
  • primitive.KDF (key derivation function) - KDF algorithms such as PBKDF2, HMAC, and SCRYPT. This data maps to a Derivation type in AQG.
  • primitive.MAC - MAC algorithms such as HMAC, MD2, MD5, SHA1, SHA224, SHA256, SHA384, SHA512, KECCAK variants, SHA3 variants, SHAKE variants, SM3, POLY1305, BLAKE2B, BLAKE2S, and SCRYPT. This data maps to a MacOperation object in AQG.
  • primitive.hash - hash algorithms such as HMAC, MD2, MD5, SHA1, SHA224, SHA256, SHA384, SHA512, KECCAK variants, SHA3 variants, SHAKE variants, SM3, POLY1305, BLAKE2B, BLAKE2S, and SCRYPT. This data maps to a DigestOperation object in AQG.
  • primitive.signature - signature algorithms such as RSA, DSA, DH, ECDSA, ECDH, EDDSA, ED25519, and ED448. This data maps to a SignatureOperation object in AQG.

The mapping is keyed on the primitive value the generating tool emitted, not on the algorithm name, which is why the lists above overlap: HMAC, SCRYPT, and the SHA family appear under KDF, MAC, and hash. An HMAC reported as primitive.mac becomes a MacOperation, while the same HMAC reported as primitive.hash becomes a DigestOperation, so check how your scanner assigns primitives if the resulting inventory looks misclassified. Other CycloneDX asset types, such as certificates and protocols, have no mapping listed here.
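A pre-upload check covering both the Prerequisites above (bomFormat CycloneDX, specVersion 1.4 or 1.6) and the mapping in this section. This is an added example, not AQtive Guard's or CycloneDX's code: the object names are copied from the list above, the sample CBOM is constructed, the treatment of CycloneDX 1.6 kebab-case names (block-cipher, private-key) as equivalent to the snake_case names on this page is an assumption, and asset types the page does not list (certificates, protocols) are reported as having no documented mapping rather than assumed to be dropped.

```python
"""Pre-upload check for a CycloneDX CBOM destined for AQtive Guard.

Added example, not AQtive Guard code: it checks what the Prerequisites
section requires (bomFormat CycloneDX, specVersion 1.4 or 1.6) and applies
the primitive -> object mapping from the "CBOM data" section. Object names
are copied from the page; AQtive Guard's internal model is not reproduced.
"""
import json, sys
from collections import Counter

SUPPORTED_SPEC_VERSIONS = {"1.4", "1.6"}

# primitive (normalised to snake_case) -> AQtive Guard object, as documented.
PRIMITIVE_TO_OBJECT = {
    "block_cipher": "CipherOperation/SymmetricCipher",
    "ae": "CipherOperation/SymmetricCipher",
    "stream_cipher": "CipherOperation/SymmetricCipher",
    "pke": "CipherOperation/AsymmetricCipher",
    "kdf": "Derivation",
    "mac": "MacOperation",
    "hash": "DigestOperation",
    "signature": "SignatureOperation",
}
KEY_MATERIAL_TYPES = {"private_key", "secret_key"}  # documented as -> Key


def norm_key(value):
    # CycloneDX 1.6 spells these kebab-case ('block-cipher'); the page uses
    # snake_case. Assumption: both spellings denote the same value.
    return str(value).strip().lower().replace("-", "_")


def validate_header(bom):
    """Return a list of problems; empty means format and version are acceptable."""
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append(f"bomFormat is {bom.get('bomFormat')!r}, expected 'CycloneDX'")
    if str(bom.get("specVersion")) not in SUPPORTED_SPEC_VERSIONS:
        problems.append(f"specVersion {bom.get('specVersion')!r} is not 1.4 or 1.6")
    if not isinstance(bom.get("components"), list):
        problems.append("'components' is missing or not a list")
    return problems


def classify(component):
    """Documented AQtive Guard object for one component, or None if the page lists none."""
    if component.get("type") != "cryptographic-asset":
        return None
    props = component.get("cryptoProperties", {})
    asset_type = norm_key(props.get("assetType", ""))
    if asset_type == "algorithm":
        primitive = norm_key(props.get("algorithmProperties", {}).get("primitive", ""))
        return PRIMITIVE_TO_OBJECT.get(primitive)
    if asset_type == "related_crypto_material":
        material = norm_key(props.get("relatedCryptoMaterialProperties", {}).get("type", ""))
        return "Key" if material in KEY_MATERIAL_TYPES else None
    return None  # certificates, protocols, public keys, kem, xof, ...


def summarize(bom):
    """Return (Counter object->count, [(name, location)] for unmapped components)."""
    counts, unmapped = Counter(), []
    for comp in bom.get("components", []):
        target = classify(comp)
        if target is None:
            occurrences = comp.get("evidence", {}).get("occurrences") or [{}]
            unmapped.append((comp.get("name"), occurrences[0].get("location")))
        else:
            counts[target] += 1
    return counts, unmapped


def make_asset(name, asset_type, location, **props):
    """Minimal CycloneDX 1.6 cryptographic-asset component (constructed sample)."""
    return {"type": "cryptographic-asset", "name": name,
            "cryptoProperties": {"assetType": asset_type, **props},
            "evidence": {"occurrences": [{"location": location}]}}


# Constructed sample CBOM, not the output of any real scanner.
SAMPLE_CBOM = {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
    make_asset("AES-256-GCM", "algorithm", "src/vault.py", algorithmProperties={"primitive": "ae", "mode": "gcm"}),
    make_asset("RSA-2048", "algorithm", "src/keys.py", algorithmProperties={"primitive": "pke"}),
    make_asset("SHA-256", "algorithm", "src/digest.py", algorithmProperties={"primitive": "hash"}),
    make_asset("HMAC-SHA256", "algorithm", "src/auth.py", algorithmProperties={"primitive": "mac"}),
    make_asset("PBKDF2", "algorithm", "src/auth.py", algorithmProperties={"primitive": "kdf"}),
    make_asset("server-key", "related-crypto-material", "config/tls.pem",
               relatedCryptoMaterialProperties={"type": "private-key"}),
    make_asset("server-cert", "certificate", "config/tls.pem", certificateProperties={"subjectName": "CN=example"}),
    make_asset("TLSv1.3", "protocol", "src/net.py", protocolProperties={"type": "tls"}),
]}

if __name__ == "__main__":
    bom = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_CBOM
    for problem in validate_header(bom):
        print("REJECT:", problem)
    counts, unmapped = summarize(bom)
    for obj, n in sorted(counts.items()):
        print(f"{n:3d}  {obj}")
    for name, location in unmapped:
        print(f"no documented mapping: {name} ({location})")
```

Run it with the path to your CBOM as the only argument; with no argument it runs against the embedded sample. Anything listed under "no documented mapping" is worth comparing against the AQtive Guard inventory after the upload, since this page does not say what happens to those components.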