Introduction
This release formally announces cdxgen support for the CycloneDX 1.6 specification. To recap, the features below are part of the 10.3.x release.
Cryptography Bill of Materials (CBOM) support
Quantum-based threats and "harvest now, decrypt later" attacks are closer than we think. A precise inventory of all cryptographic libraries and assets (keys, secrets, algorithms) in use across an organization gives us an early start.
cdxgen now includes a brand new command called cbom to generate a Cryptography Bill of Materials (CBOM) document. This is supported for Java projects at launch and is powered by atom.
cbom -t java
Crypto properties
cdxgen can identify a range of crypto properties such as algorithm names and their Object IDs (OIDs). It can also identify the package that provides the implementation for each detected algorithm, and it adds both occurrence and call-stack evidence to the CBOM document to help locate them.
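As an added illustration (not code from cdxgen itself) of how a consumer can use those properties, the following script reads a CBOM in CycloneDX 1.6 JSON, lists each algorithm with its OID, the package that provides it (via dependencies[].provides) and its source locations from the occurrence evidence, and flags algorithms whose NIST quantum security level is 0. The CBOM content is a constructed sample; field names follow the CycloneDX 1.6 schema.

```python
import json

# Constructed sample CBOM (CycloneDX 1.6 JSON); not real cdxgen output.
SAMPLE_CBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "components": [
        {"type": "cryptographic-asset", "name": "RSA-2048",
         "bom-ref": "crypto/algorithm/RSA-2048@1.2.840.113549.1.1.1",
         "cryptoProperties": {"assetType": "algorithm", "oid": "1.2.840.113549.1.1.1",
                              "algorithmProperties": {"primitive": "pke", "cryptoFunctions": ["keygen", "encrypt"],
                                                      "nistQuantumSecurityLevel": 0}},
         "evidence": {"occurrences": [{"location": "src/main/java/app/Crypto.java", "line": 42}]}},
        {"type": "cryptographic-asset", "name": "AES-256-GCM",
         "bom-ref": "crypto/algorithm/AES-256-GCM@2.16.840.1.101.3.4.1.46",
         "cryptoProperties": {"assetType": "algorithm", "oid": "2.16.840.1.101.3.4.1.46",
                              "algorithmProperties": {"primitive": "ae", "mode": "gcm",
                                                      "nistQuantumSecurityLevel": 3}},
         "evidence": {"occurrences": [{"location": "src/main/java/app/Crypto.java", "line": 77}]}},
        {"type": "library", "name": "bcprov-jdk18on",
         "bom-ref": "pkg:maven/org.bouncycastle/bcprov-jdk18on@1.78"},
    ],
    "dependencies": [
        {"ref": "pkg:maven/org.bouncycastle/bcprov-jdk18on@1.78",
         "provides": ["crypto/algorithm/RSA-2048@1.2.840.113549.1.1.1",
                      "crypto/algorithm/AES-256-GCM@2.16.840.1.101.3.4.1.46"]},
    ],
})


def inventory(cbom_json: str, max_quantum_level: int = 0) -> list:
    """One row per algorithm asset: name, OID, providing packages, source locations,
    and whether its nistQuantumSecurityLevel is at or below max_quantum_level."""
    bom = json.loads(cbom_json)
    # Invert dependencies[].provides so each crypto asset maps to the packages providing it.
    providers = {}
    for dep in bom.get("dependencies", []):
        for ref in dep.get("provides", []):
            providers.setdefault(ref, []).append(dep["ref"])
    rows = []
    for comp in bom.get("components", []):
        props = comp.get("cryptoProperties") or {}
        if comp.get("type") != "cryptographic-asset" or props.get("assetType") != "algorithm":
            continue
        level = props.get("algorithmProperties", {}).get("nistQuantumSecurityLevel")
        occurrences = comp.get("evidence", {}).get("occurrences", [])
        rows.append({
            "name": comp["name"],
            "oid": props.get("oid"),
            "providers": providers.get(comp["bom-ref"], []),
            "locations": [f"{o.get('location')}:{o.get('line')}" for o in occurrences],
            "quantum_weak": level is not None and level <= max_quantum_level,
        })
    return rows
```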
Detailed formulation
cdxgen can identify a range of platform components used to compile, build, test, and deploy applications. It can now also identify crypto libraries that might be statically linked into those applications.
One more thing
cdxgen can now include components from the git tree and construct an OmniBOR Artifact Dependency Graph for git projects.
This feature is currently part of the --include-formulation argument, although it could become a dedicated command in a future release.
Full Changelog: v10.2.6...v10.3.5