cobalt-sbom 0.1.0__tar.gz

cobalt_sbom-0.1.0/PKG-INFO

@@ -0,0 +1,113 @@
+Metadata-Version: 2.4
+Name: cobalt-sbom
+Version: 0.1.0
+Summary: Cryptographic Bill of Materials generator — CycloneDX 1.5, ML-DSA signed
+Author-email: QreativeLab / OMEGA <dominik@qreativelab.io>
+License: MIT
+Project-URL: Homepage, https://github.com/dom-omg/cobalt-sbom
+Project-URL: Repository, https://github.com/dom-omg/cobalt-sbom
+Keywords: cbom,sbom,pqc,cryptography,cyclonedx,quantum
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: Information Technology
+Classifier: Topic :: Security :: Cryptography
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+Requires-Dist: rich>=13.0
+Requires-Dist: requests>=2.31
+Requires-Dist: click>=8.1
+
+# COBALT SBOM
+
+**Cryptographic Bill of Materials generator — CycloneDX 1.6, ML-DSA-65 signed.**
+
+Scan any codebase in seconds. Find every cryptographic algorithm. Know your quantum exposure.
+
+## What it does
+
+- Detects 30+ crypto primitives across Python, TypeScript, JavaScript, Go, C/C++, Java, Rust
+- Outputs a signed **CycloneDX 1.6 CBOM** (Cryptographic Bill of Materials)
+- Scores your **quantum readiness (0-100)**
+- Flags broken algorithms (DES, MD5, RC4) and deprecated ones (SHA-1, TLS-1.0)
+- Integrates into CI/CD via GitHub Actions — gate PRs on quantum safety
+
+## Install
+
+```bash
+pip install cobalt-sbom
+```
+
+## Usage
+
+```bash
+# Scan a repo
+cobalt-sbom scan ./myrepo --output cbom.cdx.json
+
+# Scan + sign with ML-DSA-65 (via AXIOM)
+cobalt-sbom scan ./myrepo --output cbom.cdx.json --sign
+
+# CI mode — fail if quantum-unsafe algorithms present
+cobalt-sbom scan ./myrepo --ci
+
+# Fail if quantum readiness score below 80
+cobalt-sbom scan ./myrepo --fail-score 80
+
+# Display an existing CBOM
+cobalt-sbom show cbom.cdx.json
+```
+
+## GitHub Actions
+
+Add to `.github/workflows/cbom.yml`:
+
+```yaml
+- name: Install cobalt-sbom
+  run: pip install cobalt-sbom
+
+- name: Scan cryptographic assets
+  run: cobalt-sbom scan . --output cbom.cdx.json --sign --fail-score 60
+```
+
+## Output format
+
+CycloneDX 1.6 JSON — compatible with all CBOM/SBOM toolchains:
+
+```json
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "components": [
+    {
+      "type": "cryptographic-asset",
+      "name": "ML-DSA-65",
+      "cryptoProperties": {
+        "assetType": "algorithm",
+        "algorithmProperties": {
+          "primitive": "sign",
+          "nistQuantumSecurityLevel": 3,
+          "cryptoFunctions": ["sign", "verify"]
+        },
+        "quantumSafety": "quantum-safe"
+      }
+    }
+  ],
+  "summary": {
+    "quantum_readiness_score": 72,
+    "quantum_unsafe": 15,
+    "quantum_safe": 16,
+    "broken_algorithms": ["DES", "SHA-1"]
+  }
+}
+```
+
+## Why CBOM
+
+Governments (USA EO 14028, EU CRA, NIST IR 8547) are mandating cryptographic inventories. The CBOM Working Group (CycloneDX) is standardizing the format. **First movers own the toolchain.**
+
+---
+
+Built on [OMEGA](https://omega-sovereign.fly.dev) — sovereign intelligence stack.
+Signing powered by [AXIOM](https://axiom-trust.fly.dev) — ML-DSA-65 post-quantum certificates.

cobalt_sbom-0.1.0/README.md

@@ -0,0 +1,91 @@
+# COBALT SBOM
+
+**Cryptographic Bill of Materials generator — CycloneDX 1.6, ML-DSA-65 signed.**
+
+Scan any codebase in seconds. Find every cryptographic algorithm. Know your quantum exposure.
+
+## What it does
+
+- Detects 30+ crypto primitives across Python, TypeScript, JavaScript, Go, C/C++, Java, Rust
+- Outputs a signed **CycloneDX 1.6 CBOM** (Cryptographic Bill of Materials)
+- Scores your **quantum readiness (0-100)**
+- Flags broken algorithms (DES, MD5, RC4) and deprecated ones (SHA-1, TLS-1.0)
+- Integrates into CI/CD via GitHub Actions — gate PRs on quantum safety
+
+## Install
+
+```bash
+pip install cobalt-sbom
+```
+
+## Usage
+
+```bash
+# Scan a repo
+cobalt-sbom scan ./myrepo --output cbom.cdx.json
+
+# Scan + sign with ML-DSA-65 (via AXIOM)
+cobalt-sbom scan ./myrepo --output cbom.cdx.json --sign
+
+# CI mode — fail if quantum-unsafe algorithms present
+cobalt-sbom scan ./myrepo --ci
+
+# Fail if quantum readiness score below 80
+cobalt-sbom scan ./myrepo --fail-score 80
+
+# Display an existing CBOM
+cobalt-sbom show cbom.cdx.json
+```
+
+## GitHub Actions
+
+Add to `.github/workflows/cbom.yml`:
+
+```yaml
+- name: Install cobalt-sbom
+  run: pip install cobalt-sbom
+
+- name: Scan cryptographic assets
+  run: cobalt-sbom scan . --output cbom.cdx.json --sign --fail-score 60
+```
+
+## Output format
+
+CycloneDX 1.6 JSON — compatible with all CBOM/SBOM toolchains:
+
+```json
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "components": [
+    {
+      "type": "cryptographic-asset",
+      "name": "ML-DSA-65",
+      "cryptoProperties": {
+        "assetType": "algorithm",
+        "algorithmProperties": {
+          "primitive": "sign",
+          "nistQuantumSecurityLevel": 3,
+          "cryptoFunctions": ["sign", "verify"]
+        },
+        "quantumSafety": "quantum-safe"
+      }
+    }
+  ],
+  "summary": {
+    "quantum_readiness_score": 72,
+    "quantum_unsafe": 15,
+    "quantum_safe": 16,
+    "broken_algorithms": ["DES", "SHA-1"]
+  }
+}
+```
+
+## Why CBOM
+
+Governments (USA EO 14028, EU CRA, NIST IR 8547) are mandating cryptographic inventories. The CBOM Working Group (CycloneDX) is standardizing the format. **First movers own the toolchain.**
+
+---
+
+Built on [OMEGA](https://omega-sovereign.fly.dev) — sovereign intelligence stack.
+Signing powered by [AXIOM](https://axiom-trust.fly.dev) — ML-DSA-65 post-quantum certificates.

cobalt_sbom-0.1.0/cobalt_sbom/__init__.py

@@ -0,0 +1,2 @@
+"""COBALT SBOM — Cryptographic Bill of Materials generator."""
+__version__ = "0.1.0"

cobalt_sbom-0.1.0/cobalt_sbom/cli.py

@@ -0,0 +1,194 @@
+"""COBALT SBOM CLI."""
+
+from __future__ import annotations
+import json
+import sys
+from pathlib import Path
+
+import click
+from rich.console import Console
+from rich.table import Table
+from rich import box
+from rich.panel import Panel
+from rich.text import Text
+
+from .detectors import scan_repo, CryptoAsset
+from .cyclonedx import build_cbom
+from .signer import sign_cbom
+
+console = Console()
+
+QUANTUM_SAFE_ALGOS = {"ML-KEM", "ML-DSA", "FN-DSA", "SLH-DSA", "AES", "ChaCha20", "SHA-256", "SHA-384", "SHA-512", "SHA3-256", "SHA3-512", "HMAC-SHA256", "HMAC-SHA384", "HMAC-SHA512"}
+
+
+def _safety_color(safety: str) -> str:
+    return {"quantum-safe": "green", "quantum-unsafe": "red", "hybrid": "yellow"}.get(safety, "dim")
+
+
+@click.group()
+def main() -> None:
+    """COBALT SBOM — Cryptographic Bill of Materials generator."""
+
+
+@main.command()
+@click.argument("target", type=click.Path(exists=True, file_okay=False))
+@click.option("--output", "-o", default="cbom.cdx.json", help="Output file path")
+@click.option("--sign", is_flag=True, default=False, help="Sign with ML-DSA-65 via AXIOM")
+@click.option("--include-tests", is_flag=True, default=False, help="Include test files")
+@click.option("--ci", is_flag=True, default=False, help="CI mode: exit 1 if quantum-unsafe algorithms detected")
+@click.option("--fail-score", default=0, type=int, help="CI: fail if quantum readiness score below threshold (0-100)")
+@click.option("--json-only", is_flag=True, default=False, help="Suppress terminal output, write JSON only")
+def scan(
+    target: str,
+    output: str,
+    sign: bool,
+    include_tests: bool,
+    ci: bool,
+    fail_score: int,
+    json_only: bool,
+) -> None:
+    """Scan TARGET repo and generate a CycloneDX 1.6 CBOM."""
+    target_path = Path(target)
+    target = target_path  # type: ignore[assignment]
+    if not json_only:
+        console.print(Panel(
+            f"[bold cyan]COBALT SBOM[/bold cyan]  Cryptographic Bill of Materials\n"
+            f"Target: [cyan]{target.resolve()}[/cyan]",
+            box=box.ROUNDED,
+        ))
+
+    assets: list[CryptoAsset] = scan_repo(target, include_tests=include_tests)
+
+    if not json_only:
+        console.print(f"  Scanned: [bold]{len(list(target.rglob('*')))}[/bold] files — "
+                      f"[bold]{len(assets)}[/bold] crypto usages found\n")
+
+    signature = None
+    if sign:
+        if not json_only:
+            console.print("  Signing with ML-DSA-65 via AXIOM...", end=" ")
+        signature = sign_cbom({})
+        if not json_only:
+            console.print("[green]✓[/green]" if signature else "[yellow]⚠ AXIOM unreachable, unsigned[/yellow]")
+
+    cbom = build_cbom(assets, target, signature)
+    out_path = Path(output)
+    out_path.write_text(json.dumps(cbom, indent=2))
+
+    if not json_only:
+        _print_summary(cbom, assets)
+
+    if not json_only:
+        console.print(f"\n  Output: [cyan]{out_path.resolve()}[/cyan]")
+
+    score: int = cbom["summary"]["quantum_readiness_score"]
+
+    if ci:
+        unsafe_algos = cbom["summary"]["quantum_unsafe"]
+        if unsafe_algos > 0:
+            console.print(f"\n[red]CI FAIL[/red] — {unsafe_algos} quantum-unsafe algorithm(s) detected", err=True)
+            sys.exit(1)
+
+    if fail_score and score < fail_score:
+        console.print(f"\n[red]CI FAIL[/red] — quantum readiness score {score} < threshold {fail_score}", err=True)
+        sys.exit(1)
+
+
+@main.command()
+@click.argument("cbom_file", type=click.Path(exists=True))
+def show(cbom_file: str) -> None:
+    """Display a CBOM file in a human-readable table."""
+    cbom = json.loads(Path(cbom_file).read_text())
+    assets_raw = cbom.get("components", [])
+
+    table = Table(show_header=True, header_style="bold cyan", box=box.SIMPLE_HEAVY)
+    table.add_column("Algorithm", style="bold")
+    table.add_column("Type")
+    table.add_column("Primitive")
+    table.add_column("Library")
+    table.add_column("Quantum")
+    table.add_column("Bits")
+    table.add_column("NIST PQC Level")
+
+    for comp in assets_raw:
+        cp = comp.get("cryptoProperties", {})
+        ap = cp.get("algorithmProperties", {})
+        safety = cp.get("quantumSafety", "unknown")
+        color = _safety_color(safety)
+        table.add_row(
+            comp.get("name", ""),
+            cp.get("assetType", ""),
+            ap.get("primitive", ""),
+            ap.get("implementationPlatform", ""),
+            f"[{color}]{safety}[/{color}]",
+            str(ap.get("classicalSecurityLevel", "—")),
+            str(ap.get("nistQuantumSecurityLevel", "—")),
+        )
+
+    console.print(table)
+
+    summary = cbom.get("summary", {})
+    score = summary.get("quantum_readiness_score", 0)
+    score_color = "green" if score >= 80 else ("yellow" if score >= 50 else "red")
+    console.print(f"\nQuantum Readiness Score: [{score_color}]{score}/100[/{score_color}]")
+
+    broken = summary.get("broken_algorithms", [])
+    if broken:
+        console.print(f"[red]Broken algorithms (immediate risk):[/red] {', '.join(broken)}")
+
+    deprecated = summary.get("deprecated_algorithms", [])
+    if deprecated:
+        console.print(f"[yellow]Deprecated algorithms:[/yellow] {', '.join(deprecated)}")
+
+
+def _print_summary(cbom: dict, assets: list[CryptoAsset]) -> None:
+    summary = cbom["summary"]
+    score: int = summary["quantum_readiness_score"]
+    score_color = "green" if score >= 80 else ("yellow" if score >= 50 else "red")
+
+    table = Table(show_header=True, header_style="bold", box=box.SIMPLE_HEAVY)
+    table.add_column("Algorithm", style="bold")
+    table.add_column("Primitive")
+    table.add_column("Library")
+    table.add_column("Quantum Safety")
+    table.add_column("Classical Bits")
+    table.add_column("NIST PQC Level")
+    table.add_column("Occurrences")
+
+    from collections import Counter
+    counts: Counter[str] = Counter(a.name for a in assets)
+
+    seen: set[str] = set()
+    for a in assets:
+        if a.name in seen:
+            continue
+        seen.add(a.name)
+        color = _safety_color(a.quantum_safety)
+        table.add_row(
+            a.name,
+            a.primitive,
+            a.library,
+            f"[{color}]{a.quantum_safety}[/{color}]",
+            str(a.classical_bits) if a.classical_bits else "—",
+            str(a.nist_quantum_level) if a.nist_quantum_level else "—",
+            str(counts[a.name]),
+        )
+
+    console.print(table)
+
+    broken = summary.get("broken_algorithms", [])
+    deprecated = summary.get("deprecated_algorithms", [])
+
+    score_text = Text(f"  Quantum Readiness Score: {score}/100", style=f"bold {score_color}")
+    console.print(score_text)
+
+    if broken:
+        console.print(f"  [bold red]CRITICAL — Broken algorithms:[/bold red] {', '.join(broken)}")
+    if deprecated:
+        console.print(f"  [bold yellow]WARNING — Deprecated algorithms:[/bold yellow] {', '.join(deprecated)}")
+
+    console.print(
+        f"\n  Quantum-safe: [green]{summary['quantum_safe']}[/green]  "
+        f"Quantum-unsafe: [red]{summary['quantum_unsafe']}[/red]  "
+        f"Total unique: [bold]{summary['unique_algorithms']}[/bold]"
+    )

cobalt_sbom-0.1.0/cobalt_sbom/cyclonedx.py

@@ -0,0 +1,190 @@
+"""CycloneDX 1.5 CBOM serializer — spec-compliant."""
+
+from __future__ import annotations
+import json
+import uuid
+from collections import defaultdict
+from datetime import datetime, timezone
+from pathlib import Path
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+    from .detectors import CryptoAsset
+
+# CycloneDX 1.5 spec: cryptoFunctions valid values
+_CRYPTO_FUNCTIONS: dict[str, list[str]] = {
+    "ae":           ["encrypt", "decrypt"],
+    "hash":         ["digest"],
+    "ecc":          ["sign", "verify"],
+    "dsa":          ["sign", "verify"],
+    "rsa":          ["sign", "verify", "encrypt", "decrypt"],
+    "ecDH":         ["keyDerive"],
+    "ff-dh":        ["keyDerive"],
+    "post-quantum":  ["encapsulate", "decapsulate", "sign", "verify"],
+    "mac":          ["generate", "verify"],
+    "kdf":          ["derive"],
+    "drbg":         ["generate"],
+    "stream-cipher": ["encrypt", "decrypt"],
+    "other":        [],
+}
+
+# CycloneDX 1.5 spec valid values for executionEnvironment
+_EXEC_ENV = "software-plain-ram"
+
+
+def _aggregate(assets: list[CryptoAsset]) -> list[dict]:
+    """Group by algorithm name, aggregate all occurrences and libraries."""
+    groups: dict[str, dict] = {}
+
+    for a in assets:
+        key = a.name
+        if key not in groups:
+            groups[key] = {
+                "asset": a,
+                "occurrences": [],
+                "libraries": set(),
+            }
+        groups[key]["occurrences"].append({
+            "location": a.location,
+            "line": a.line,
+            "symbol": a.evidence[:100] if a.evidence else "",
+        })
+        if a.library and a.library != "unknown":
+            groups[key]["libraries"].add(a.library)
+
+    return list(groups.values())
+
+
+def _component(group: dict, idx: int) -> dict:
+    a: CryptoAsset = group["asset"]
+    occurrences: list[dict] = group["occurrences"]
+    libraries: set[str] = group["libraries"]
+
+    crypto_funcs = _CRYPTO_FUNCTIONS.get(a.primitive, [])
+    # Post-quantum: distinguish KEM vs signature by name
+    if a.primitive == "post-quantum":
+        name_up = a.name.upper()
+        if "KEM" in name_up or "KYBER" in name_up:
+            crypto_funcs = ["encapsulate", "decapsulate"]
+        else:
+            crypto_funcs = ["sign", "verify"]
+
+    algo: dict = {
+        "primitive": a.primitive,
+        "executionEnvironment": _EXEC_ENV,
+        "cryptoFunctions": crypto_funcs,
+    }
+
+    if a.param_set:
+        algo["parameterSetIdentifier"] = a.param_set
+    if a.curve:
+        algo["curve"] = a.curve
+    if a.mode:
+        algo["mode"] = a.mode
+    if a.classical_bits:
+        algo["classicalSecurityLevel"] = a.classical_bits
+    if a.nist_quantum_level:
+        algo["nistQuantumSecurityLevel"] = a.nist_quantum_level
+
+    crypto_props: dict = {
+        "assetType": a.asset_type,
+        "algorithmProperties": algo,
+    }
+    if a.oid:
+        crypto_props["oid"] = a.oid
+
+    # Custom properties: quantum safety + library (not in spec, use properties array)
+    props = [
+        {"name": "cobalt:quantumSafety", "value": a.quantum_safety},
+    ]
+    if libraries:
+        props.append({"name": "cobalt:library", "value": ", ".join(sorted(libraries))})
+    props.append({"name": "cobalt:occurrenceCount", "value": str(len(occurrences))})
+
+    comp: dict = {
+        "type": "cryptographic-asset",
+        "bom-ref": f"crypto-{idx}",
+        "name": a.name,
+        "cryptoProperties": crypto_props,
+        # CycloneDX 1.5 spec: occurrences go in evidence.occurrences
+        "evidence": {
+            "occurrences": occurrences,
+        },
+        "properties": props,
+    }
+
+    return comp
+
+
+def _metadata(root: Path) -> dict:
+    return {
+        "timestamp": datetime.now(timezone.utc).isoformat(),
+        "tools": [
+            {
+                "type": "application",
+                "vendor": "OMEGA / QreativeLab",
+                "name": "COBALT SBOM",
+                "version": "0.1.0",
+                "externalReferences": [
+                    {"type": "website", "url": "https://axiom-trust.fly.dev"},
+                ],
+            }
+        ],
+        "component": {
+            "type": "library",
+            "name": root.name,
+            "bom-ref": "root-component",
+        },
+    }
+
+
+def build_cbom(
+    assets: list[CryptoAsset],
+    root: Path,
+    signature: dict | None = None,
+) -> dict:
+    groups = _aggregate(assets)
+    serial = str(uuid.uuid4())
+
+    cbom: dict = {
+        "bomFormat": "CycloneDX",
+        "specVersion": "1.5",
+        "serialNumber": f"urn:uuid:{serial}",
+        "version": 1,
+        "metadata": _metadata(root),
+        "components": [_component(g, i) for i, g in enumerate(groups)],
+        "summary": _summary(assets),
+    }
+
+    if signature:
+        cbom["signature"] = signature
+
+    return cbom
+
+
+def _summary(assets: list[CryptoAsset]) -> dict:
+    unsafe = {a.name for a in assets if a.quantum_safety == "quantum-unsafe"}
+    safe = {a.name for a in assets if a.quantum_safety == "quantum-safe"}
+    unique_names = {a.name for a in assets}
+    broken = {a.name for a in assets if 0 < a.classical_bits < 112}
+    deprecated = {"MD5", "SHA-1", "DES", "RC4", "3DES", "TLS-1.0", "TLS-1.2"}
+
+    return {
+        "total_findings": len(assets),
+        "unique_algorithms": len(unique_names),
+        "quantum_unsafe": len(unsafe),
+        "quantum_safe": len(safe),
+        "broken_algorithms": sorted(broken),
+        "deprecated_algorithms": sorted(deprecated & unique_names),
+        "quantum_readiness_score": _readiness_score(assets),
+    }
+
+
+def _readiness_score(assets: list[CryptoAsset]) -> int:
+    if not assets:
+        return 100
+    total = len(assets)
+    unsafe = sum(1 for a in assets if a.quantum_safety == "quantum-unsafe")
+    broken = sum(1 for a in assets if 0 < a.classical_bits < 112)
+    score = max(0, 100 - int((unsafe / total) * 70) - int((broken / total) * 30))
+    return score

cobalt_sbom-0.1.0/cobalt_sbom/detectors.py

@@ -0,0 +1,390 @@
+"""Multi-language cryptographic asset detectors for CBOM generation."""
+
+from __future__ import annotations
+import re
+from dataclasses import dataclass, field
+from pathlib import Path
+from typing import Literal
+
+AssetType = Literal["algorithm", "protocol", "related-crypto-material", "certificate"]
+# CycloneDX 1.5 CBOM primitive values
+Primitive = Literal[
+    "ae", "dsa", "ecc", "ecDH", "ecMQV", "factoring", "ff-dh",
+    "hash", "integer-factorization", "kdf", "lattice", "mac",
+    "nestedEncryption", "other", "pke", "post-quantum", "rsa",
+    "stream-cipher", "xor", "drbg",
+]
+QuantumSafety = Literal["quantum-safe", "quantum-unsafe", "hybrid", "unknown"]
+
+NIST_QUANTUM_LEVELS: dict[str, int] = {
+    "ml-kem-512": 1, "kyber512": 1,
+    "ml-kem-768": 3, "kyber768": 3,
+    "ml-kem-1024": 5, "kyber1024": 5,
+    "ml-dsa-44": 2, "dilithium2": 2,
+    "ml-dsa-65": 3, "dilithium3": 3,
+    "ml-dsa-87": 5, "dilithium5": 5,
+    "slh-dsa-shake-128s": 1,
+    "slh-dsa-shake-192s": 3,
+    "slh-dsa-shake-256s": 5,
+    "sphincs+-shake-128s": 1,
+    "fn-dsa-512": 1, "falcon512": 1,
+    "fn-dsa-1024": 5, "falcon1024": 5,
+}
+
+CLASSICAL_SECURITY_BITS: dict[str, int] = {
+    "rsa-1024": 80, "rsa-2048": 112, "rsa-3072": 128, "rsa-4096": 140,
+    "ecdsa-p-256": 128, "ecdsa-p-384": 192, "ecdsa-p-521": 260,
+    "ecdsa-p256": 128, "ecdsa-p384": 192, "ecdsa-p521": 260,
+    "ecdsa-secp256k1": 128,
+    "ed25519": 128, "ed448": 224,
+    "ecdh-p-256": 128, "ecdh-p-384": 192, "ecdh-p-521": 260,
+    "ecdh-p256": 128, "ecdh-p384": 192,
+    "x25519": 128, "x448": 224,
+    "aes-128": 128, "aes-192": 192, "aes-256": 256,
+    "chacha20": 256, "chacha20-poly1305": 256,
+    "sha-1": 80, "sha-256": 128, "sha-384": 192, "sha-512": 256,
+    "sha3-256": 128, "sha3-512": 256,
+    "hmac-sha256": 128, "hmac-sha384": 192, "hmac-sha512": 256,
+    "3des": 112, "des": 56, "rc4": 0, "md5": 0,
+}
+
+
+@dataclass
+class CryptoAsset:
+    name: str
+    asset_type: AssetType
+    primitive: Primitive
+    location: str
+    line: int
+    library: str
+    mode: str = ""
+    curve: str = ""
+    param_set: str = ""
+    classical_bits: int = 0
+    nist_quantum_level: int = 0
+    quantum_safety: QuantumSafety = "unknown"
+    oid: str = ""
+    evidence: str = ""
+
+    def normalize_name(self) -> str:
+        return self.name.lower().replace("_", "-")
+
+
+ALGO_PATTERNS: list[dict] = [
+    # ── RSA ──────────────────────────────────────────────────────────────────
+    {"pattern": r"RSA[_\-]?(\d{3,4})|rsa\.generate\s*\(\s*(\d{3,4})|genrsa.*?(\d{3,4})|RSA\.generate\s*\((\d{3,4})",
+     "name_fn": lambda m: f"RSA-{m.group(1) or m.group(2) or m.group(3) or m.group(4)}",
+     "primitive": "rsa", "asset_type": "algorithm", "quantum_safety": "quantum-unsafe",
+     "oid": "1.2.840.113549.1.1.1"},
+
+    # ── ECDSA ─────────────────────────────────────────────────────────────────
+    {"pattern": r"(?:ECDSA|ecdsa)[_\-]?(P-?256|P-?384|P-?521|secp256k1|secp384r1|secp521r1)?|EC_KEY_new|ec\.generate_private_key\s*\(\s*(?:ec\.\s*)?(\w+)",
+     "name_fn": lambda m: f"ECDSA-{(m.group(1) or m.group(2) or 'P-256').upper()}",
+     "primitive": "ecc", "asset_type": "algorithm", "quantum_safety": "quantum-unsafe",
+     "oid": "1.2.840.10045.4.3.2"},
+
+    # ── ECDH ──────────────────────────────────────────────────────────────────
+    {"pattern": r"(?:ECDH|ecdh)[_\-]?(P-?256|P-?384|P-?521|X25519|X448)?|ec\.ECDH\(",
+     "name_fn": lambda m: f"ECDH-{(m.group(1) or 'P-256').upper()}",
+     "primitive": "ecDH", "asset_type": "algorithm", "quantum_safety": "quantum-unsafe",
+     "oid": "1.3.132.1.12"},
+
+    # ── Ed25519 / Ed448 ───────────────────────────────────────────────────────
+    {"pattern": r"Ed25519|ed25519|edwards25519|ed25519_dalek|ed25519-dalek",
+     "name_fn": lambda m: "Ed25519",
+     "primitive": "ecc", "asset_type": "algorithm", "quantum_safety": "quantum-unsafe",
+     "oid": "1.3.101.112"},
+
+    {"pattern": r"Ed448|ed448",
+     "name_fn": lambda m: "Ed448",
+     "primitive": "ecc", "asset_type": "algorithm", "quantum_safety": "quantum-unsafe",
+     "oid": "1.3.101.113"},
+
+    # ── X25519 / X448 ─────────────────────────────────────────────────────────
+    {"pattern": r"X25519|x25519|curve25519|Curve25519",
+     "name_fn": lambda m: "X25519",
+     "primitive": "ecDH", "asset_type": "algorithm", "quantum_safety": "quantum-unsafe",
+     "oid": "1.3.101.110"},
+
+    {"pattern": r"X448|x448",
+     "name_fn": lambda m: "X448",
+     "primitive": "ecDH", "asset_type": "algorithm", "quantum_safety": "quantum-unsafe",
+     "oid": "1.3.101.111"},
+
+    # ── AES ───────────────────────────────────────────────────────────────────
+    {"pattern": r"AES[_\-]?(128|192|256)?[_\-]?(GCM|CBC|CTR|CCM|SIV|ECB|CFB|OFB|XTS)?|AES\.new\(|EVP_aes_(\d+)_(\w+)|createCipheriv\(['\"]aes[_\-](\d+)[_\-](\w+)",
+     "name_fn": lambda m: f"AES-{m.group(1) or m.group(3) or m.group(5) or '256'}-{(m.group(2) or m.group(4) or m.group(6) or 'GCM').upper()}",
+     "primitive": "ae", "asset_type": "algorithm", "quantum_safety": "quantum-safe",
+     "oid": "2.16.840.1.101.3.4.1"},
+
+    # ── ChaCha20-Poly1305 ─────────────────────────────────────────────────────
+    {"pattern": r"ChaCha20[_\-]?Poly1305|chacha20[_\-]poly1305|chacha20_poly1305",
+     "name_fn": lambda m: "ChaCha20-Poly1305",
+     "primitive": "ae", "asset_type": "algorithm", "quantum_safety": "quantum-safe",
+     "oid": "1.2.840.113549.1.9.16.3.18"},
+
+    # ── SHA ───────────────────────────────────────────────────────────────────
+    {"pattern": r"SHA[_\-]?1\b|sha1\b|SHA1\b|hashlib\.sha1",
+     "name_fn": lambda m: "SHA-1",
+     "primitive": "hash", "asset_type": "algorithm", "quantum_safety": "quantum-unsafe",
+     "oid": "1.3.14.3.2.26"},
+
+    {"pattern": r"SHA[_\-]?256\b|sha256\b|SHA256\b|hashlib\.sha256|EVP_sha256",
+     "name_fn": lambda m: "SHA-256",
+     "primitive": "hash", "asset_type": "algorithm", "quantum_safety": "quantum-safe",
+     "oid": "2.16.840.1.101.3.4.2.1"},
+
+    {"pattern": r"SHA[_\-]?384\b|sha384\b|SHA384\b|hashlib\.sha384",
+     "name_fn": lambda m: "SHA-384",
+     "primitive": "hash", "asset_type": "algorithm", "quantum_safety": "quantum-safe",
+     "oid": "2.16.840.1.101.3.4.2.2"},
+
+    {"pattern": r"SHA[_\-]?512\b|sha512\b|SHA512\b|hashlib\.sha512",
+     "name_fn": lambda m: "SHA-512",
+     "primitive": "hash", "asset_type": "algorithm", "quantum_safety": "quantum-safe",
+     "oid": "2.16.840.1.101.3.4.2.3"},
+
+    {"pattern": r"SHA3[_\-]?256\b|sha3_256\b|SHA3_256\b|sha3[_\-]256",
+     "name_fn": lambda m: "SHA3-256",
+     "primitive": "hash", "asset_type": "algorithm", "quantum_safety": "quantum-safe",
+     "oid": "2.16.840.1.101.3.4.2.8"},
+
+    {"pattern": r"SHA3[_\-]?512\b|sha3_512\b|SHA3_512\b|sha3[_\-]512",
+     "name_fn": lambda m: "SHA3-512",
+     "primitive": "hash", "asset_type": "algorithm", "quantum_safety": "quantum-safe",
+     "oid": "2.16.840.1.101.3.4.2.10"},
+
+    {"pattern": r"\bMD5\b|hashlib\.md5\b|EVP_md5\b",
+     "name_fn": lambda m: "MD5",
+     "primitive": "hash", "asset_type": "algorithm", "quantum_safety": "quantum-unsafe",
+     "oid": "1.2.840.113549.2.5"},
+
+    # ── HMAC ──────────────────────────────────────────────────────────────────
+    {"pattern": r"HMAC[_\-]?SHA[_\-]?(256|384|512)|hmac\.new\(|createHmac\(['\"]sha(256|384|512)",
+     "name_fn": lambda m: f"HMAC-SHA{m.group(1) or m.group(2) or '256'}",
+     "primitive": "mac", "asset_type": "algorithm", "quantum_safety": "quantum-safe",
+     "oid": "1.2.840.113549.2.9"},
+
+    # ── 3DES / DES ────────────────────────────────────────────────────────────
+    {"pattern": r"3DES|TripleDES|DES3|des3\b|EVP_des_ede3",
+     "name_fn": lambda m: "3DES",
+     "primitive": "ae", "asset_type": "algorithm", "quantum_safety": "quantum-unsafe",
+     "oid": "1.2.840.113549.3.7"},
+
+    {"pattern": r"\bDES\b(?!3)|EVP_des_cbc\b",
+     "name_fn": lambda m: "DES",
+     "primitive": "ae", "asset_type": "algorithm", "quantum_safety": "quantum-unsafe",
+     "oid": "1.3.14.3.2.7"},
+
+    # ── RC4 ───────────────────────────────────────────────────────────────────
+    {"pattern": r"\bRC4\b|arcfour|EVP_rc4\b",
+     "name_fn": lambda m: "RC4",
+     "primitive": "stream-cipher", "asset_type": "algorithm", "quantum_safety": "quantum-unsafe",
+     "oid": "1.2.840.113549.3.4"},
+
+    # ── DH ────────────────────────────────────────────────────────────────────
+    {"pattern": r"\bDH\b|DHE\b|dh\.generate_parameters|EVP_PKEY_DH|DiffieHellman\(",
+     "name_fn": lambda m: "DH",
+     "primitive": "ff-dh", "asset_type": "algorithm", "quantum_safety": "quantum-unsafe",
+     "oid": "1.2.840.113549.1.3.1"},
+
+    # ── PQC: ML-KEM ───────────────────────────────────────────────────────────
+    {"pattern": r"ML[_\-]KEM[_\-]?(512|768|1024)?|Kyber(?:512|768|1024)?|kyber(?:512|768|1024)?|ml_kem|mlkem",
+     "name_fn": lambda m: f"ML-KEM-{m.group(1) or '768'}",
+     "primitive": "post-quantum", "asset_type": "algorithm", "quantum_safety": "quantum-safe",
+     "oid": "1.3.6.1.4.1.22554.5.6.1"},
+
+    # ── PQC: ML-DSA ───────────────────────────────────────────────────────────
+    {"pattern": r"ML[_\-]DSA[_\-]?(44|65|87)?|Dilithium(?:2|3|5)?|dilithium(?:2|3|5)?|ml_dsa|mldsa",
+     "name_fn": lambda m: f"ML-DSA-{m.group(1) or '65'}",
+     "primitive": "post-quantum", "asset_type": "algorithm", "quantum_safety": "quantum-safe",
+     "oid": "1.3.6.1.4.1.22554.5.6.2"},
+
+    # ── PQC: FN-DSA ───────────────────────────────────────────────────────────
+    {"pattern": r"FN[_\-]DSA[_\-]?(512|1024)?|Falcon(?:512|1024)?|falcon(?:512|1024)?|fn_dsa",
+     "name_fn": lambda m: f"FN-DSA-{m.group(1) or '512'}",
+     "primitive": "post-quantum", "asset_type": "algorithm", "quantum_safety": "quantum-safe",
+     "oid": "1.3.6.1.4.1.22554.5.6.3"},
+
+    # ── PQC: SLH-DSA ──────────────────────────────────────────────────────────
+    {"pattern": r"SLH[_\-]DSA|SPHINCS\+?|sphincs_plus|slh_dsa",
+     "name_fn": lambda m: "SLH-DSA-SHAKE-128s",
+     "primitive": "post-quantum", "asset_type": "algorithm", "quantum_safety": "quantum-safe",
+     "oid": "1.3.6.1.4.1.22554.5.6.4"},
+
+    # ── TLS ───────────────────────────────────────────────────────────────────
+    {"pattern": r"TLS[_\s]?1[_\.]?0\b|SSL[_\s]?3\b|TLSv1\b|SSLv3\b",
+     "name_fn": lambda m: "TLS-1.0",
+     "primitive": "other", "asset_type": "protocol", "quantum_safety": "quantum-unsafe",
+     "oid": ""},
+
+    {"pattern": r"TLS[_\s]?1[_\.]?2\b|TLSv1_2\b|TLS\.TLSv1_2",
+     "name_fn": lambda m: "TLS-1.2",
+     "primitive": "other", "asset_type": "protocol", "quantum_safety": "quantum-unsafe",
+     "oid": ""},
+
+    {"pattern": r"TLS[_\s]?1[_\.]?3\b|TLSv1_3\b|ssl\.PROTOCOL_TLS",
+     "name_fn": lambda m: "TLS-1.3",
+     "primitive": "other", "asset_type": "protocol", "quantum_safety": "quantum-unsafe",
+     "oid": ""},
+
+    # ── JWT ───────────────────────────────────────────────────────────────────
+    {"pattern": r"['\"]HS256['\"]|['\"]RS256['\"]|['\"]ES256['\"]|['\"]PS256['\"]|jwt\.sign\(|jwt\.verify\(|jose\.",
+     "name_fn": lambda m: f"JWT-{m.group(0).strip(chr(39)).strip(chr(34)) if m.group(0).startswith((chr(39), chr(34))) else 'RS256'}",
+     "primitive": "other", "asset_type": "protocol", "quantum_safety": "quantum-unsafe",
+     "oid": ""},
+
+    # ── KDF ───────────────────────────────────────────────────────────────────
+    {"pattern": r"PBKDF2|pbkdf2_hmac|bcrypt|argon2|scrypt",
+     "name_fn": lambda m: m.group(0).upper().replace("_HMAC", ""),
+     "primitive": "kdf", "asset_type": "algorithm", "quantum_safety": "quantum-safe",
+     "oid": "1.2.840.113549.1.5.12"},
+]
+
+LIBRARY_PATTERNS: list[tuple[re.Pattern, str]] = [
+    (re.compile(r"#include\s+[<\"]openssl/|import\s+openssl"), "openssl"),
+    (re.compile(r"from\s+cryptography|import\s+cryptography"), "cryptography-py"),
+    (re.compile(r"require\(['\"]crypto['\"]\)|from\s+['\"]crypto['\"]|import\s+crypto\s+from"), "node-crypto"),
+    (re.compile(r"['\"]jose['\"]|['\"]jsonwebtoken['\"]|node-jose"), "jose"),
+    (re.compile(r"#include\s+[<\"]wolfssl/|import\s+wolfssl"), "wolfssl"),
+    (re.compile(r"mbedtls/|psa/crypto"), "mbedtls"),
+    (re.compile(r"liboqs|oqs\."), "liboqs"),
+    (re.compile(r"use\s+ring::|extern\s+crate\s+ring"), "ring-rust"),
+    (re.compile(r"ed25519[_\-]dalek|p256::|rsa::"), "rust-crypto"),
+    (re.compile(r"BoringSSL|boringssl"), "boringssl"),
+    (re.compile(r"import\s+javax\.crypto|import\s+java\.security"), "java-jce"),
+    (re.compile(r"\"crypto/rsa\"|\"crypto/ecdsa\"|\"x/crypto"), "go-stdlib"),
+    (re.compile(r"tweetnacl|libsodium|sodium\.random"), "libsodium"),
+    (re.compile(r"org\.bouncycastle"), "bouncycastle"),
+    (re.compile(r"aws-lc|aws_lc"), "aws-lc"),
+    (re.compile(r"nss\.|mozilla.*nss"), "nss"),
+]
+
+LANG_EXTENSIONS: dict[str, list[str]] = {
+    "python":     [".py"],
+    "typescript": [".ts", ".tsx"],
+    "javascript": [".js", ".jsx", ".mjs", ".cjs"],
+    "go":         [".go"],
+    "c":          [".c", ".h"],
+    "cpp":        [".cpp", ".cc", ".cxx", ".hpp", ".hh"],
+    "java":       [".java"],
+    "rust":       [".rs"],
+    "kotlin":     [".kt"],
+    "swift":      [".swift"],
+}
+
+SKIP_DIRS: set[str] = {
+    "node_modules", ".git", ".next", "dist", "build", "__pycache__",
+    ".venv", "venv", "vendor", "target", ".cargo", "coverage",
+}
+
+
+def _detect_libraries(source: str) -> list[str]:
+    """Return all detected crypto libraries in a source file."""
+    found = [lib for pat, lib in LIBRARY_PATTERNS if pat.search(source)]
+    return found if found else []
+
+
+def _extract_curve(name: str) -> str:
+    n = name.upper()
+    if "P-256" in n or "P256" in n or "SECP256R1" in n: return "P-256"
+    if "P-384" in n or "P384" in n or "SECP384R1" in n: return "P-384"
+    if "P-521" in n or "P521" in n or "SECP521R1" in n: return "P-521"
+    if "SECP256K1" in n: return "secp256k1"
+    if "25519" in name: return "Curve25519"
+    if "448" in name: return "Curve448"
+    return ""
+
+
+def _extract_param_set(name: str) -> str:
+    """Extract key/parameter size from algorithm name."""
+    import re as _re
+    m = _re.search(r"[-_](\d{2,4})(?:[-_]|$)", name)
+    return m.group(1) if m else ""
+
+
+def _extract_mode(name: str) -> str:
+    n = name.upper()
+    for mode in ("GCM", "CBC", "CTR", "CCM", "SIV", "ECB", "CFB", "OFB", "XTS"):
+        if mode in n:
+            return mode.lower()
+    return ""
+
+
+def scan_file(path: Path) -> list[CryptoAsset]:
+    try:
+        source = path.read_text(encoding="utf-8", errors="ignore")
+    except (OSError, PermissionError):
+        return []
+
+    libraries = _detect_libraries(source)
+    primary_lib = libraries[0] if libraries else "unknown"
+    lines = source.splitlines()
+    assets: list[CryptoAsset] = []
+    seen: set[tuple[str, int]] = set()
+
+    for detector in ALGO_PATTERNS:
+        pat = re.compile(detector["pattern"], re.IGNORECASE | re.MULTILINE)
+        for m in pat.finditer(source):
+            try:
+                name = detector["name_fn"](m)
+            except (IndexError, AttributeError):
+                continue
+
+            line_no = source[: m.start()].count("\n") + 1
+            key = (name.lower(), line_no)
+            if key in seen:
+                continue
+            seen.add(key)
+
+            norm = name.lower().replace("_", "-")
+            # Try exact match, then prefix match for classical_bits
+            classical_bits = CLASSICAL_SECURITY_BITS.get(norm, 0)
+            if not classical_bits:
+                for prefix in ("aes-128", "aes-192", "aes-256"):
+                    if norm.startswith(prefix):
+                        classical_bits = CLASSICAL_SECURITY_BITS[prefix]
+                        break
+
+            nist_level = NIST_QUANTUM_LEVELS.get(norm, 0)
+            evidence = lines[line_no - 1].strip()[:120] if line_no <= len(lines) else ""
+
+            assets.append(CryptoAsset(
+                name=name,
+                asset_type=detector["asset_type"],
+                primitive=detector["primitive"],
+                location=str(path),
+                line=line_no,
+                library=primary_lib,
+                mode=_extract_mode(name),
+                curve=_extract_curve(name),
+                param_set=_extract_param_set(name),
+                classical_bits=classical_bits,
+                nist_quantum_level=nist_level,
+                quantum_safety=detector["quantum_safety"],
+                oid=detector.get("oid", ""),
+                evidence=evidence,
+            ))
+
+    return assets
+
+
+def scan_repo(root: Path, include_tests: bool = False) -> list[CryptoAsset]:
+    all_assets: list[CryptoAsset] = []
+    extensions = {ext for exts in LANG_EXTENSIONS.values() for ext in exts}
+
+    for file_path in root.rglob("*"):
+        if not file_path.is_file():
+            continue
+        if any(part in SKIP_DIRS for part in file_path.parts):
+            continue
+        if not include_tests and any(
+            p in ("test", "tests", "spec", "__tests__", "__test__") for p in file_path.parts
+        ):
+            continue
+        if file_path.suffix.lower() not in extensions:
+            continue
+
+        all_assets.extend(scan_file(file_path))
+
+    return all_assets

cobalt_sbom-0.1.0/cobalt_sbom/signer.py

@@ -0,0 +1,63 @@
+"""ML-DSA-65 signing via AXIOM API."""
+
+from __future__ import annotations
+import hashlib
+import json
+from typing import TYPE_CHECKING
+
+try:
+    import requests
+    HAS_REQUESTS = True
+except ImportError:
+    HAS_REQUESTS = False
+
+AXIOM_URL = "https://axiom-trust.fly.dev"
+
+
+def sign_cbom(cbom: dict) -> dict | None:
+    """Sign the CBOM payload via AXIOM ML-DSA-65 endpoint. Returns signature block or None."""
+    if not HAS_REQUESTS:
+        return None
+
+    # Sign the actual CBOM content, not an empty dict
+    cbom_without_sig = {k: v for k, v in cbom.items() if k != "signature"}
+    payload_bytes = json.dumps(cbom_without_sig, separators=(",", ":"), sort_keys=True).encode()
+    digest = hashlib.sha3_256(payload_bytes).hexdigest()
+
+    try:
+        resp = requests.post(
+            f"{AXIOM_URL}/api/sign",
+            json={"payload": digest, "algorithm": "ML-DSA-65"},
+            timeout=10,
+        )
+        if resp.status_code == 200:
+            data = resp.json()
+            return {
+                "algorithm": "ML-DSA-65",
+                "publicKey": data.get("publicKey", ""),
+                "value": data.get("signature", ""),
+                "digest": digest,
+                "certRef": data.get("certRef", ""),
+            }
+    except Exception:
+        pass
+    return None
+
+
+def verify_cbom(cbom: dict, signature_block: dict) -> bool:
+    if not HAS_REQUESTS:
+        return False
+    try:
+        resp = requests.post(
+            f"{AXIOM_URL}/api/verify",
+            json={
+                "digest": signature_block["digest"],
+                "signature": signature_block["value"],
+                "publicKey": signature_block["publicKey"],
+                "algorithm": "ML-DSA-65",
+            },
+            timeout=10,
+        )
+        return resp.status_code == 200 and resp.json().get("valid") is True
+    except Exception:
+        return False

cobalt_sbom-0.1.0/cobalt_sbom.egg-info/PKG-INFO

@@ -0,0 +1,113 @@
+Metadata-Version: 2.4
+Name: cobalt-sbom
+Version: 0.1.0
+Summary: Cryptographic Bill of Materials generator — CycloneDX 1.5, ML-DSA signed
+Author-email: QreativeLab / OMEGA <dominik@qreativelab.io>
+License: MIT
+Project-URL: Homepage, https://github.com/dom-omg/cobalt-sbom
+Project-URL: Repository, https://github.com/dom-omg/cobalt-sbom
+Keywords: cbom,sbom,pqc,cryptography,cyclonedx,quantum
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: Information Technology
+Classifier: Topic :: Security :: Cryptography
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+Requires-Dist: rich>=13.0
+Requires-Dist: requests>=2.31
+Requires-Dist: click>=8.1
+
+# COBALT SBOM
+
+**Cryptographic Bill of Materials generator — CycloneDX 1.6, ML-DSA-65 signed.**
+
+Scan any codebase in seconds. Find every cryptographic algorithm. Know your quantum exposure.
+
+## What it does
+
+- Detects 30+ crypto primitives across Python, TypeScript, JavaScript, Go, C/C++, Java, Rust
+- Outputs a signed **CycloneDX 1.6 CBOM** (Cryptographic Bill of Materials)
+- Scores your **quantum readiness (0-100)**
+- Flags broken algorithms (DES, MD5, RC4) and deprecated ones (SHA-1, TLS-1.0)
+- Integrates into CI/CD via GitHub Actions — gate PRs on quantum safety
+
+## Install
+
+```bash
+pip install cobalt-sbom
+```
+
+## Usage
+
+```bash
+# Scan a repo
+cobalt-sbom scan ./myrepo --output cbom.cdx.json
+
+# Scan + sign with ML-DSA-65 (via AXIOM)
+cobalt-sbom scan ./myrepo --output cbom.cdx.json --sign
+
+# CI mode — fail if quantum-unsafe algorithms present
+cobalt-sbom scan ./myrepo --ci
+
+# Fail if quantum readiness score below 80
+cobalt-sbom scan ./myrepo --fail-score 80
+
+# Display an existing CBOM
+cobalt-sbom show cbom.cdx.json
+```
+
+## GitHub Actions
+
+Add to `.github/workflows/cbom.yml`:
+
+```yaml
+- name: Install cobalt-sbom
+  run: pip install cobalt-sbom
+
+- name: Scan cryptographic assets
+  run: cobalt-sbom scan . --output cbom.cdx.json --sign --fail-score 60
+```
+
+## Output format
+
+CycloneDX 1.6 JSON — compatible with all CBOM/SBOM toolchains:
+
+```json
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "components": [
+    {
+      "type": "cryptographic-asset",
+      "name": "ML-DSA-65",
+      "cryptoProperties": {
+        "assetType": "algorithm",
+        "algorithmProperties": {
+          "primitive": "sign",
+          "nistQuantumSecurityLevel": 3,
+          "cryptoFunctions": ["sign", "verify"]
+        },
+        "quantumSafety": "quantum-safe"
+      }
+    }
+  ],
+  "summary": {
+    "quantum_readiness_score": 72,
+    "quantum_unsafe": 15,
+    "quantum_safe": 16,
+    "broken_algorithms": ["DES", "SHA-1"]
+  }
+}
+```
+
+## Why CBOM
+
+Governments (USA EO 14028, EU CRA, NIST IR 8547) are mandating cryptographic inventories. The CBOM Working Group (CycloneDX) is standardizing the format. **First movers own the toolchain.**
+
+---
+
+Built on [OMEGA](https://omega-sovereign.fly.dev) — sovereign intelligence stack.
+Signing powered by [AXIOM](https://axiom-trust.fly.dev) — ML-DSA-65 post-quantum certificates.

cobalt_sbom-0.1.0/cobalt_sbom.egg-info/SOURCES.txt

@@ -0,0 +1,13 @@
+README.md
+pyproject.toml
+cobalt_sbom/__init__.py
+cobalt_sbom/cli.py
+cobalt_sbom/cyclonedx.py
+cobalt_sbom/detectors.py
+cobalt_sbom/signer.py
+cobalt_sbom.egg-info/PKG-INFO
+cobalt_sbom.egg-info/SOURCES.txt
+cobalt_sbom.egg-info/dependency_links.txt
+cobalt_sbom.egg-info/entry_points.txt
+cobalt_sbom.egg-info/requires.txt
+cobalt_sbom.egg-info/top_level.txt

cobalt_sbom-0.1.0/cobalt_sbom.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

cobalt_sbom-0.1.0/cobalt_sbom.egg-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+cobalt-sbom = cobalt_sbom.cli:main

cobalt_sbom-0.1.0/cobalt_sbom.egg-info/requires.txt

@@ -0,0 +1,3 @@
+rich>=13.0
+requests>=2.31
+click>=8.1

cobalt_sbom-0.1.0/cobalt_sbom.egg-info/top_level.txt

@@ -0,0 +1 @@
+cobalt_sbom

cobalt_sbom-0.1.0/pyproject.toml

@@ -0,0 +1,38 @@
+[build-system]
+requires = ["setuptools>=68", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "cobalt-sbom"
+version = "0.1.0"
+description = "Cryptographic Bill of Materials generator — CycloneDX 1.5, ML-DSA signed"
+readme = "README.md"
+requires-python = ">=3.11"
+license = {text = "MIT"}
+authors = [{name = "QreativeLab / OMEGA", email = "dominik@qreativelab.io"}]
+keywords = ["cbom", "sbom", "pqc", "cryptography", "cyclonedx", "quantum"]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Intended Audience :: Developers",
+    "Intended Audience :: Information Technology",
+    "Topic :: Security :: Cryptography",
+    "License :: OSI Approved :: MIT License",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+]
+dependencies = [
+    "rich>=13.0",
+    "requests>=2.31",
+    "click>=8.1",
+]
+
+[project.urls]
+Homepage = "https://github.com/dom-omg/cobalt-sbom"
+Repository = "https://github.com/dom-omg/cobalt-sbom"
+
+[project.scripts]
+cobalt-sbom = "cobalt_sbom.cli:main"
+
+[tool.setuptools.packages.find]
+where = ["."]
+include = ["cobalt_sbom*"]

cobalt_sbom-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+