{ "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:5e06805c005c87a5208ce9391e212008", "version": 1, "metadata": { "timestamp": "2026-07-12T21:31:02.565966+00:00", "component": { "type": "application", "name": "pqcrypta-discovery", "version": "1.0.3", "description": "PQCrypta Discovery Agent \u2014 the scanner's own Cryptographic Bill of Materials" }, "tools": [ { "vendor": "PQCrypta", "name": "agent-self-cbom", "version": "1.0" } ], "properties": [ { "name": "pqcrypta:transport-crypto", "value": "classical (TLS 1.2/1.3 via rustls) \u2014 quantum-vulnerable, standard for HTTPS today" }, { "name": "pqcrypta:release-signing", "value": "hybrid \u2014 Ed25519 (classical) + ML-DSA-65 (NIST FIPS 204, post-quantum)" }, { "name": "pqcrypta:note", "value": "This CBOM honestly documents the cryptography the scanner itself uses. Its transport is standard classical TLS; its release supply-chain signatures are hybrid classical+PQC." } ] }, "components": [ { "type": "library", "bom-ref": "lib:rustls@0.23.41", "name": "rustls", "version": "0.23.41", "description": "TLS 1.2/1.3 stack used for HTTPS to the API, live-TLS endpoint scanning, and appliance management APIs", "purl": "pkg:cargo/rustls@0.23.41" }, { "type": "library", "bom-ref": "lib:ring@0.17.14", "name": "ring", "version": "0.17.14", "description": "Low-level crypto backend for rustls (AEAD, ECDH, signatures, digests)", "purl": "pkg:cargo/ring@0.17.14" }, { "type": "library", "bom-ref": "lib:rustls-webpki@0.103.13", "name": "rustls-webpki", "version": "0.103.13", "description": "X.509 path validation for TLS", "purl": "pkg:cargo/rustls-webpki@0.103.13" }, { "type": "library", "bom-ref": "lib:x509-parser@0.18.1", "name": "x509-parser", "version": "0.18.1", "description": "Certificate parsing/inspection of discovered assets", "purl": "pkg:cargo/x509-parser@0.18.1" }, { "type": "library", "bom-ref": "lib:sha2@0.11.0", "name": "sha2", "version": "0.11.0", "description": "SHA-256 asset fingerprinting", "purl": "pkg:cargo/sha2@0.11.0" }, { "type": "library", "bom-ref": "lib:sha1@0.11.0", "name": "sha1", "version": "0.11.0", "description": "SHA-1 parsing/identification of legacy material (not used for security)", "purl": "pkg:cargo/sha1@0.11.0" }, { "type": "library", "bom-ref": "lib:rsa@0.9.10", "name": "rsa", "version": "0.9.10", "description": "RSA key parsing/identification", "purl": "pkg:cargo/rsa@0.9.10" }, { "type": "library", "bom-ref": "lib:aes-gcm@0.11.0", "name": "aes-gcm", "version": "0.11.0", "description": "AES-GCM (transitive)", "purl": "pkg:cargo/aes-gcm@0.11.0" }, { "type": "library", "bom-ref": "lib:hmac@0.13.0", "name": "hmac", "version": "0.13.0", "description": "HMAC (transitive, KDF/TLS)", "purl": "pkg:cargo/hmac@0.13.0" }, { "type": "library", "bom-ref": "lib:hkdf@0.12.4", "name": "hkdf", "version": "0.12.4", "description": "HKDF key derivation (TLS)", "purl": "pkg:cargo/hkdf@0.12.4" }, { "type": "cryptographic-asset", "bom-ref": "algo:X25519", "name": "X25519", "description": "TLS key exchange (classical, quantum-vulnerable)", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { "primitive": "key-agreement", "cryptoFunctions": [ "keygen" ] } } }, { "type": "cryptographic-asset", "bom-ref": "algo:ECDHE-P256/P384", "name": "ECDHE-P256/P384", "description": "TLS key exchange fallback (classical)", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { "primitive": "key-agreement", "cryptoFunctions": [ "keygen" ] } } }, { "type": "cryptographic-asset", "bom-ref": "algo:AES-256-GCM", "name": "AES-256-GCM", "description": "TLS record encryption", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { "primitive": "ae", "cryptoFunctions": [ "ae" ] } } }, { "type": "cryptographic-asset", "bom-ref": "algo:ChaCha20-Poly1305", "name": "ChaCha20-Poly1305", "description": "TLS record encryption", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { "primitive": "ae", "cryptoFunctions": [ "ae" ] } } }, { "type": "cryptographic-asset", "bom-ref": "algo:ECDSA-P256/P384", "name": "ECDSA-P256/P384", "description": "TLS certificate signatures (verify)", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { "primitive": "signature", "cryptoFunctions": [ "signature" ] } } }, { "type": "cryptographic-asset", "bom-ref": "algo:RSA-PKCS1/PSS", "name": "RSA-PKCS1/PSS", "description": "TLS certificate signatures (verify)", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { "primitive": "signature", "cryptoFunctions": [ "signature" ] } } }, { "type": "cryptographic-asset", "bom-ref": "algo:SHA-256", "name": "SHA-256", "description": "TLS + asset fingerprinting", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { "primitive": "hash", "cryptoFunctions": [ "hash" ] } } }, { "type": "cryptographic-asset", "bom-ref": "algo:SHA-384", "name": "SHA-384", "description": "TLS", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { "primitive": "hash", "cryptoFunctions": [ "hash" ] } } } ] }