GitHunt
CB

cbomkit/sonar-cryptography

This repository contains a SonarQube Plugin that detects cryptographic assets in source code and generates CBOM.

cbomcbom-toolcbomkitcrypto-scannercryptographic-inventorycryptographycryptography-bompost-quantumpost-quantum-cryptographyquantum-safesbomsbom-toolsonarsonarqube

Sonar Cryptography Plugin (CBOMkit-hyperion)

License
Current Release

This repository contains a SonarQube Plugin that detects cryptographic assets
in source code and generates CBOM.
It is part of the CBOMKit toolset.

Table of Contents

Version compatibility

Plugin Version SonarQube Version
1.3.7 and up SonarQube 9.9 (LTS) and up
1.3.2 and 1.3.6 SonarQube 9.8 (LTS) up to 10.8
1.2.0 to 1.3.1 SonarQube 9.8 (LTS) up to 10.4

Supported languages and libraries

Language Cryptographic Library Coverage
Java JCA 100%
BouncyCastle (light-weight API) 100%1
Python pyca/cryptography 100%
Go crypto (standard library) 100%2
golang.org/x/crypto Partial3

Note

The plugin is designed in a modular way so that it can be extended to support additional languages and recognition rules to support more libraries.

Installation

Note

To run the plugin, you need a running SonarQube instance with one of the supported
versions. If you don't have one but want to try the plugin, you can use the
included Docker Compose to set up a development environment. See
here for instructions.

Copy the plugin (the JAR file from the latest releases)
to $SONARQUBE_HOME/extensions/plugins and restart
SonarQube (more).

Using

The plugin provides new inventory rules (Cbomkit Cryptography Repository) regarding the use of cryptography for
the supported languages.
If you enable these rules, a source code scan creates a cryptographic inventory by creating a
CBOM with all cryptographic assets and writing
a cbom.json to the scan directory.

Add Cryptography Rules to your Quality Profile

This plugin incorporates rules specifically focused on cryptography.

To generate a Cryptography Bill of Materials (CBOM), it is mandatory to activate at
least one of these cryptography-related rules.

Activate Rules Crypto Rules

As of the current version, the plugin contains one single rule for creating a cryptographic inventory.
Future updates may introduce additional rules to expand functionality.

Scan Source Code

Now you can follow the SonarQube documentation
to start your first scan.

Visualizing your CBOM

Once you have scanned your source code with the plugin, and obtained a cbom.json file, you can use CBOMkit service to know more about it.
It provides you with general insights about the cryptography used in your source code and its compliance with post-quantum safety.
It also allows you to explore precisely each cryptography asset and its detailed specification, and displays where it appears in your code.

Example Output

The plugin generates a cbom.json file in CycloneDX CBOM format. Here's an example showing detected cryptographic assets:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "metadata": {
    "timestamp": "2026-01-20T10:58:39Z",
    "tools": {
      "services": [
        {
          "name": "CBOMkit",
          "provider": { "name": "PQCA" }
        }
      ]
    }
  },
  "components": [
    {
      "name": "SHA256",
      "type": "cryptographic-asset",
      "bom-ref": "0f4f522b-ef99-43b7-9f98-6e83b3b233ca",
      "evidence": {
        "occurrences": [
          {
            "line": 51,
            "location": "src/main/java/com/example/EncryptionConfig.java",
            "additionalContext": "java.security.MessageDigest#getInstance"
          }
        ]
      },
      "cryptoProperties": {
        "oid": "2.16.840.1.101.3.4.2.1",
        "assetType": "algorithm",
        "algorithmProperties": {
          "primitive": "hash",
          "cryptoFunctions": ["digest"],
          "parameterSetIdentifier": "256"
        }
      }
    },
    {
      "name": "AES128-GCM",
      "type": "cryptographic-asset",
      "bom-ref": "e006c3f1-912a-4de5-8399-79bf0f350cb9",
      "evidence": {
        "occurrences": [
          {
            "line": 29,
            "location": "src/main/java/com/example/aes/AESGCM.java",
            "additionalContext": "javax.crypto.Cipher#getInstance"
          }
        ]
      },
      "cryptoProperties": {
        "oid": "2.16.840.1.101.3.4.1",
        "assetType": "algorithm",
        "algorithmProperties": {
          "mode": "gcm",
          "primitive": "ae",
          "cryptoFunctions": ["decrypt"],
          "parameterSetIdentifier": "128"
        }
      }
    },
    {
      "name": "RSA-OAEP",
      "type": "cryptographic-asset",
      "bom-ref": "ff238e09-dd3d-44c4-ad49-34350f1d9cc7",
      "cryptoProperties": {
        "oid": "1.2.840.113549.1.1.7",
        "assetType": "algorithm",
        "algorithmProperties": {
          "mode": "ecb",
          "padding": "oaep",
          "primitive": "pke",
          "parameterSetIdentifier": "2048"
        }
      }
    }
  ],
  "dependencies": [
    {
      "ref": "secret-key-ref",
      "dependsOn": ["AES128-ref"]
    }
  ]
}

The CBOM includes:

  • Algorithms: Hash functions, ciphers, key exchange mechanisms with their parameters
  • Keys and secrets: Private keys, secret keys, and other cryptographic materials
  • Evidence: Source file locations where each asset was detected
  • Dependencies: Relationships between cryptographic assets (e.g., a secret key depending on an algorithm)

Build

# Build with tests
mvn clean package

# Build without tests (faster)
mvn clean package -DskipTests

# Build specific module
mvn clean package -pl java

# Format code (Google Java Format, AOSP style)
mvn spotless:apply

# Check formatting
mvn spotless:check
Adding packages to sonar-go-to-slang (Go support)

Go cryptographic detection relies on sonar-go-to-slang for type resolution. The default binary includes common packages, but some cryptographic packages may require you to rebuild it with additional package export data.

When is this needed?

If you see "undefined: <identifier>" errors during type checking for packages like crypto/hmac, crypto/elliptic, or crypto/ecdsa, you need to add the missing package export data.

Steps to add a package

  1. Generate the package export data file (.o file):
//go:build ignore

package main

import (
    "fmt"
    "go/importer"
    "go/token"
    "os"
    "golang.org/x/tools/go/gcexportdata"
)

func main() {
    fset := token.NewFileSet()
    imp := importer.ForCompiler(fset, "gc", nil)
    pkg, err := imp.Import("crypto/hmac")  // <-- target package
    if err != nil {
        fmt.Fprintf(os.Stderr, "Error importing package: %v\n", err)
        os.Exit(1)
    }
    file, err := os.Create("packages/crypto_hmac.o")  // <-- output file
    if err != nil {
        fmt.Fprintf(os.Stderr, "Error creating file: %v\n", err)
        os.Exit(1)
    }
    defer file.Close()
    // CRITICAL: Pass nil for fset, NOT the fset used for import
    if err := gcexportdata.Write(file, nil, pkg); err != nil {
        fmt.Fprintf(os.Stderr, "Error writing export data: %v\n", err)
        os.Exit(1)
    }
    fmt.Printf("Successfully created package export data for %s\n", pkg.Path())
}

Run with go run gen_package.go, then delete the script.

CRITICAL: The gcexportdata.Write call must pass nil for the fset parameter. Passing the same fset used for import will embed absolute file paths, causing runtime errors.

  1. Check for dependencies: Some packages depend on types from other packages. Common dependencies:
Package May require
crypto/hmac hash
crypto/cipher io
crypto/* (most) io, hash
  1. Add mapping entry to mapping_generated.go in alphabetical order:
"crypto/hmac": "crypto_hmac.o",
  1. Rebuild the binary: ./make.sh build

File naming convention

Package Path Export Data File
crypto/hmac crypto_hmac.o
crypto/elliptic crypto_elliptic.o
golang.org/x/crypto/bcrypt x_crypto_bcrypt.o

Help and troubleshooting

If you encounter difficulties or unexpected results while installing the plugin with SonarQube, or when trying to scan a repository, please check out our guide Testing your configuration and troubleshooting to run our plugin with step-by-step instructions.

Contribution Guidelines

If you'd like to contribute to Sonar Cryptography Plugin, please take a look at our
contribution guidelines. By participating, you are expected to uphold our code of conduct.

We use GitHub issues for tracking requests and bugs. For questions
start a discussion using GitHub Discussions.

License

Apache License 2.0

Footnotes

  1. We only cover the BouncyCastle light-weight API according to this specification

  2. All packages under crypto are covered except crypto/x509

  3. Covers golang.org/x/crypto/hkdf, golang.org/x/crypto/pbkdf2, and golang.org/x/crypto/sha3

Languages

Java98.7%Python0.9%Go0.3%HTML0.0%Shell0.0%

Contributors

DEN1HUSARY
Apache License 2.0
Created June 10, 2024
Updated March 10, 2026
cbomkit/sonar-cryptography | GitHunt