Skip to content

Enterprise CBOM/QBOM platform: QBOM Discovery API, live vault connectors, exploitability engine, AI remediation, Armis + automotive compliance#1

Open
rajnishprecogs wants to merge 17 commits into
mainfrom
feat/pqr-api-vault-ai-armis
Open

Enterprise CBOM/QBOM platform: QBOM Discovery API, live vault connectors, exploitability engine, AI remediation, Armis + automotive compliance#1
rajnishprecogs wants to merge 17 commits into
mainfrom
feat/pqr-api-vault-ai-armis

Conversation

@rajnishprecogs

Copy link
Copy Markdown

Overview

Turns the v2.0.0 CBOM/QBOM engine into an enterprise Post-Quantum Repository platform for the JLR PoC — closing the feature gaps vs IBM Guardium Quantum Safe while adding differentiators (exploitability ranking, AI auto-fix, Armis) that IBM and AppviewX don't have. Everything is pure-Node, air-gap-friendly, zero-SDK, and emits standards CycloneDX 1.6.

3 commits, 38 files, +4,807 lines. 56 unit tests passing.

What's new

QBOM Discovery API (cbom serve) — pure-Node REST service (the Post-Quantum Repository). ECUs/CI pipelines register a project and request CBOMs/QBOMs on demand via source tarball, firmware ELF, certificate, live endpoint, or vault. Bearer auth, persistent JSON store (Postgres-swappable), fleet portfolio roll-up. docs/API.md.

Live vault connectors (cbom vault azure|aws|hashicorp) — metadata-only REST enumeration of Azure Key Vault, AWS KMS+ACM, HashiCorp Vault. SigV4 signing implemented in pure node:crypto; zero SDK deps; key material never requested.

Crypto asset graph + exploitability engine (cbom graph) — the "which findings actually matter" layer nobody else has. Scores every finding by intrinsic severity × reachability/exposure × data longevity (HNDL) × blast radius, and clusters findings by shared root. The same critical AES-128-ECB scores 72 (HIGH) in an auth handler but 53 (MEDIUM) in a test fixture. Persisted in every CBOM (cbom:exploitability).

AI crypto-remediation agent (cbom fix) — turns the exploitability-ranked shortlist into concrete fixes. Tier 1 mechanical (deterministic, offline): MD5/SHA-1→SHA-256, DES/3DES/RC4→AES-256-GCM, ECB→GCM, weak RSA re-key, legacy TLS/SSH config, hardcoded secret→vault reference. Tier 2 AI-assisted via BYOK Claude (customer's own key/endpoint keeps LLM traffic in their tenant), offline-graceful.

Portfolio / CISO dashboard (cbom portfolio) — quantum-readiness heat map, harvest-now-decrypt-later register, expiring certs, compliance verdicts, scan-over-scan trends. Self-contained HTML + JSON.

Policy engine + webhooks--policy custom YAML crypto policy with --fail-on-policy CI gate; --webhook (JSON/Slack) for Jira/ServiceNow/SIEM.

Automotive compliance — UNECE R155 (CSMS) and ISO/SAE 21434 frameworks.

AI executive summaries (cbom summary) — offline deterministic narrative, or --ai board-ready Claude summary (non-sensitive roll-up only; offline fallback).

Armis integration (cbom armis) — correlate crypto posture with the Armis asset inventory (which tracked ECUs run quantum-vulnerable crypto), bidirectional.

For reviewers

  • Everything degrades gracefully offline — AI and cloud connectors are opt-in and never fail a scan.
  • CBOM/QBOM output validated against the official CycloneDX 1.6 schema (cbom validate).
  • Developer docs: docs/API.md, docs/INTEGRATIONS.md. Tests: npm test (56 passing).
  • @anthropic-ai/sdk is an optional dependency — keep it out of air-gapped installs.

🤖 Generated with Claude Code

rajnishprecogs and others added 17 commits July 6, 2026 01:13
… automotive compliance

Adds the platform layer on top of the CBOM/QBOM engine (v2.0.0 -> 2.1.0):

- QBOM Discovery API (`cbom serve`): pure-Node REST service — the Post-Quantum
  Repository. ECUs/pipelines register projects and request CBOMs/QBOMs on demand
  (source tarball, firmware ELF, certificate, live endpoint, or vault). Bearer
  auth, persistent JSON store (Postgres-swappable), fleet portfolio roll-up.
- Live vault connectors (`cbom vault azure|aws|hashicorp`): metadata-only REST
  enumeration of Azure Key Vault, AWS KMS+ACM, HashiCorp Vault. SigV4 signing in
  pure node:crypto; zero SDK deps; key material never requested. Findings flow
  through the normal risk/PQC/CBOM pipeline.
- Portfolio dashboard (`cbom portfolio`): CISO roll-up across all BOMs — quantum
  readiness heat map, harvest-now-decrypt-later register, expiring certs,
  compliance verdicts, scan-over-scan trends. Self-contained HTML + JSON.
- Policy engine (`--policy`) + CI gate (`--fail-on-policy`) and webhooks
  (`--webhook`, JSON/Slack) for Jira/ServiceNow/SIEM.
- Automotive compliance frameworks: UNECE R155 (CSMS) and ISO/SAE 21434.
- AI executive summaries (`cbom summary`): offline deterministic narrative, or
  `--ai` Claude-written board summary (non-sensitive roll-up; offline fallback).
- Armis integration (`cbom armis`): correlate crypto posture with the Armis
  asset inventory; bidirectional (pull devices, push crypto risk).
- Developer docs: docs/API.md, docs/INTEGRATIONS.md. Tests: 28 -> 46 passing.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…ings that matter

Adds the "so-what" layer on top of the flat findings inventory. Every scanner
produces a severity; this scores which findings actually MATTER.

- src/graph/exploitability.js: transparent, tunable weighted model —
  priority = intrinsic·0.45 + exposure·0.30 + longevity·0.15 + blast·0.10.
  Exposure = reachability heuristic (live network/vault/binary vs. static, and
  file-role: network-facing/entrypoint vs. test/vendored). Longevity = harvest-
  now-decrypt-later (Shor-vulnerable × long-lived data). Blast = shared-root
  fan-out (a weak library in 40 modules > a one-off). Each score carries a
  human-readable `reasons` array — never a black box. Same critical AES-128-ECB
  scores 72 (HIGH) in an auth handler vs 53 (MEDIUM) in a test fixture.
- Asset graph: clusters findings by shared root (library/key/cert/algo family);
  connected-component view + ranked "fix these first" shortlist.
- `cbom graph <dir|cbom.json>`: scan+score or score an existing CBOM post-hoc →
  interactive self-contained HTML graph + ranked JSON.
- Wired into the engine so every `cbom scan`/netscan/vault/image computes it;
  persisted in the CBOM (cbom:exploitability per component, :actNow roll-up,
  schema-valid); surfaced in the QBOM Discovery API response, the executive
  summary, and available to the portfolio dashboard.
- 53 tests passing (+7). Docs updated (README, FEATURES, docs/API.md).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…m fix`

- src/agent/remediation.js: turns exploitability-ranked findings into concrete
  fixes. Tier 1 mechanical (deterministic, offline, no LLM): MD5/SHA-1->SHA-256,
  DES/3DES/RC4->AES-256-GCM, ECB->GCM, weak RSA re-key, legacy TLS/SSH config,
  hardcoded secret->vault reference. Tier 2 AI-assisted (BYOK Claude - customer's
  own key/endpoint keeps traffic in their tenant) for judgment fixes; offline-
  graceful (falls back to mechanical/manual, never throws).
- `cbom fix <dir|cbom.json>` - plan remediations for the top-N exploitability
  findings; --ai for the BYOK judgment tier. 56 tests passing (+3).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…k for UI/UX

- docs/TESTING.md: how to test the engine (CLI), the API server CBOM module
  (all 5 discovery probes, portfolio, autofix, SSE), and the WebApp section;
  end-to-end JLR demo script + use-case coverage matrix + troubleshooting.
- docs/mockups/cbom-dashboard.html: faithful static mock of the CISO dashboard,
  multi-input discovery launcher, and asset/auto-fix views using the exact
  design tokens from the WebApp — UI/UX can copy styles/markup 1:1.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Verify the token via auth/token/lookup-self before mount discovery, so a bad/
expired/revoked token returns a clear auth error instead of silently falling
back to default mounts and reporting an empty inventory. A valid-but-limited
token (no sys/mounts) still works via the default-mount fallback.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Exact read-only credentials/permissions per provider (AWS IAM policy, Azure SP
+ RBAC roles, HashiCorp policy HCL), three ways to test (CLI/API/WebApp),
demo-key recipe, and the security guarantees to state to JLR.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…ding + registry + migration simulator)

CBOM = what crypto you have; QBOM = what's quantum-vulnerable; PQR = the
migration authority JLR named as their third deliverable.

- data/pqc-registry.json: curated registry of NIST-standardized PQC algorithms
  (ML-KEM/FIPS203, ML-DSA/FIPS204, SLH-DSA/FIPS205, LMS/XMSS/SP800-208), with
  CNSA 2.0 flags, hybrids, and deadlines.
- data/migration-playbooks.json: per-family migration guidance (target, hybrid,
  steps, effort, gotchas).
- src/pqr/index.js: readiness reading (index+grade+runway to 2035+HNDL),
  playbook lookup, and a MIGRATION SIMULATOR ('migrate RSA → readiness 8→92')
  with dependency-ordered waves and biggest-bang-per-family ranking.
- cbom pqr <path> + self-contained HTML report. 62 tests passing (+6).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
NIST-PQC rules matched on `f.algorithm`, but certificate/key findings expose
the key algorithm as `publicKeyAlgorithm` and carry no `category`. As a result
RSA/ECDSA certificates (pqcVulnerable=true) slipped past every rule and NIST PQC
wrongly reported PASS on quantum-vulnerable certs.

Add an `algoOf()` helper that reads `algorithm` or `publicKeyAlgorithm`, and
treat `type === 'certificate'` as signature material in FIPS-204. Quantum-
vulnerable certs/keys now correctly WARN; classical-only weaknesses (MD5) and
PQC-safe certs are unaffected.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
probeSsh only handled connect/data/timeout/error. When pointed at a non-SSH
service (e.g. an HTTPS server on 443) that accepts the TCP connection then
closes it gracefully without sending an SSH banner, the socket inactivity
timeout is cancelled and no handler fires, so the promise never resolves and
the scan hangs indefinitely.

Add a 'close' handler (resolves with error 'closed-without-ssh-banner' when no
banner was seen) and a hard-deadline backstop timer.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
familyOf() only knew AES-128, so AES-256/AES-192, ChaCha20, SHA-512, SHA-3 fell
through to "unknown" instead of quantum-safe, and a bare "EC" key type wasn't
recognized as Shor-breakable. Add a QUANTUM_RESISTANT set + isQuantumSafe(),
normalize cipher-mode suffixes (AES-256-GCM → AES-256), and map EC/ECC → ECDSA.
qbom.quantumThreat()/isQuantumRelevant() now use isQuantumSafe, so per-finding
quantum posture and the shor/grover/safe roll-ups are accurate.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants