KORTHEXkorthex.flowence.cc

CBOM / CycloneDX

Cryptographic Bill of Materials (CBOM) Generator

Korthex generates a complete CBOM from source code, dependencies, binaries, TLS / PKI certificates, databases and git history: every cryptographic primitive with file:line evidence, severity, taint verdict, post-quantum readiness and compliance status - exported as CycloneDX, SARIF, JSON, PDF or .kxr. 100% on-premise.

What is a cryptographic bill of materials?

A cryptographic bill of materials (CBOM) is a machine-readable inventory of every cryptographic asset in a software system: algorithms, modes, key sizes, certificates, protocols, libraries, and the dependencies between them. CycloneDX 1.6, standardized as ECMA-424, defines the industry format. A CBOM is to cryptography what an SBOM is to dependencies: the inventory you need before you can migrate anything, and increasingly the artifact auditors ask for.

Regulation is catching up: PCI DSS 4.0 requirement 12.3.3 requires a documented inventory of cipher suites and protocols in use, and NIST, BSI and EU post-quantum migration guidance all name a cryptographic inventory as the mandatory first step.

What a useful CBOM must contain

  • Every primitive with algorithm, mode and key size: hashes (MD5, SHA-1, SHA-256, SHA-3), symmetric ciphers (DES, 3DES, RC4, Blowfish, AES with mode), asymmetric primitives (RSA, ECC, Diffie-Hellman, DSA)
  • File and line evidence for every entry, so each finding is directly actionable
  • A severity score and a taint-based verdict that separates reachable production usage from dead code and test fixtures
  • A post-quantum readiness bucket per finding
  • Compliance status against NIST FIPS 140-3, FIPS 203 / 204 / 205, BSI IT-Grundschutz, BSI TR-02102, PCI-DSS and ISO 27001
  • Certificates, TLS configurations and database encryption state - not just application code

How Korthex generates a CBOM

Five correlating engines (Scanner, Context, KorthexNN, plus the binary and TLS / PKI analyzers) read the codebase as one pass across 18 languages, including dependencies, binaries and git history. A typical scan of 50,000 to 500,000 lines completes in under two minutes and exports the CBOM as CycloneDX, SARIF, JSON, PDF or the native .kxr format.

Findings from code, configuration, TLS / PKI, databases and git history merge into cross-engine attack paths - one reachability-scored chain per issue instead of flat, file-local findings - so the CBOM shows not only that a weak primitive exists, but how it is actually reachable.

Open-source CBOM tools, and where Korthex differs

If you want a free, open-source starting point, IBM's CBOMkit is the reference toolset: it scans git repositories and container images, produces CycloneDX CBOMs, and ships a viewer and compliance checks. The CycloneDX project maintains the CBOM specification itself and general SBOM tooling around it.

Korthex is a commercial, fully on-premise scanner that differs in four ways: cross-engine detection (code, binaries, TLS, databases, git history - not source alone), taint-based false-positive filtering with a verdict per finding, a generated migration plan with impact simulation attached to every CBOM entry, and offensive verification that grades extracted cryptography by emulation against NIST Known-Answer Tests. Teams that outgrow inventory-only tooling typically move up when they need the migration plan and the proof.

From CBOM to crypto agility

Crypto agility is the ability to swap algorithms when standards change without breaking production. It rests on four building blocks: a current inventory (the CBOM), risk scoring, a migration path, and a CI/CD gate that keeps the inventory honest on every commit. Korthex ships all four - the CBOM is the foundation, the migration plan and the pipeline gate make it operational.

Frequently asked questions

Which formats does the Korthex CBOM export?

CycloneDX, SARIF, JSON, PDF, and the native .kxr format. The CBOM lists every cryptographic primitive with file path, line number, severity, taint verdict, post-quantum readiness and compliance status.

Is a CBOM required by regulation?

Increasingly, yes. PCI DSS 4.0 requirement 12.3.3 requires a documented inventory of cipher suites and protocols. NIST IR 8547, BSI guidance and the EU post-quantum roadmap all define a cryptographic inventory as the first migration step. A CBOM is the standard machine-readable way to satisfy these.

What is the difference between an SBOM and a CBOM?

An SBOM inventories software components and their versions. A CBOM inventories cryptographic assets - algorithms, keys, certificates, protocols - and their dependencies. They are complementary, and CycloneDX defines both.

Does CBOM generation work air-gapped?

Yes. Korthex runs 100% on-premise, including air-gapped operation. Source code never leaves your infrastructure.

Can I gate CI/CD on the CBOM?

Yes. The GitHub Actions step, GitLab CI template and generic CLI exit code fail the build above a configurable risk threshold - for example when new weak or quantum-vulnerable cryptography appears in a pull request.