Enterprise CBOM/QBOM platform: QBOM Discovery API, live vault connectors, exploitability engine, AI remediation, Armis + automotive compliance#1
Open
rajnishprecogs wants to merge 17 commits into
Conversation
… automotive compliance Adds the platform layer on top of the CBOM/QBOM engine (v2.0.0 -> 2.1.0): - QBOM Discovery API (`cbom serve`): pure-Node REST service — the Post-Quantum Repository. ECUs/pipelines register projects and request CBOMs/QBOMs on demand (source tarball, firmware ELF, certificate, live endpoint, or vault). Bearer auth, persistent JSON store (Postgres-swappable), fleet portfolio roll-up. - Live vault connectors (`cbom vault azure|aws|hashicorp`): metadata-only REST enumeration of Azure Key Vault, AWS KMS+ACM, HashiCorp Vault. SigV4 signing in pure node:crypto; zero SDK deps; key material never requested. Findings flow through the normal risk/PQC/CBOM pipeline. - Portfolio dashboard (`cbom portfolio`): CISO roll-up across all BOMs — quantum readiness heat map, harvest-now-decrypt-later register, expiring certs, compliance verdicts, scan-over-scan trends. Self-contained HTML + JSON. - Policy engine (`--policy`) + CI gate (`--fail-on-policy`) and webhooks (`--webhook`, JSON/Slack) for Jira/ServiceNow/SIEM. - Automotive compliance frameworks: UNECE R155 (CSMS) and ISO/SAE 21434. - AI executive summaries (`cbom summary`): offline deterministic narrative, or `--ai` Claude-written board summary (non-sensitive roll-up; offline fallback). - Armis integration (`cbom armis`): correlate crypto posture with the Armis asset inventory; bidirectional (pull devices, push crypto risk). - Developer docs: docs/API.md, docs/INTEGRATIONS.md. Tests: 28 -> 46 passing. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…ings that matter Adds the "so-what" layer on top of the flat findings inventory. Every scanner produces a severity; this scores which findings actually MATTER. - src/graph/exploitability.js: transparent, tunable weighted model — priority = intrinsic·0.45 + exposure·0.30 + longevity·0.15 + blast·0.10. Exposure = reachability heuristic (live network/vault/binary vs. static, and file-role: network-facing/entrypoint vs. test/vendored). Longevity = harvest- now-decrypt-later (Shor-vulnerable × long-lived data). Blast = shared-root fan-out (a weak library in 40 modules > a one-off). Each score carries a human-readable `reasons` array — never a black box. Same critical AES-128-ECB scores 72 (HIGH) in an auth handler vs 53 (MEDIUM) in a test fixture. - Asset graph: clusters findings by shared root (library/key/cert/algo family); connected-component view + ranked "fix these first" shortlist. - `cbom graph <dir|cbom.json>`: scan+score or score an existing CBOM post-hoc → interactive self-contained HTML graph + ranked JSON. - Wired into the engine so every `cbom scan`/netscan/vault/image computes it; persisted in the CBOM (cbom:exploitability per component, :actNow roll-up, schema-valid); surfaced in the QBOM Discovery API response, the executive summary, and available to the portfolio dashboard. - 53 tests passing (+7). Docs updated (README, FEATURES, docs/API.md). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…m fix` - src/agent/remediation.js: turns exploitability-ranked findings into concrete fixes. Tier 1 mechanical (deterministic, offline, no LLM): MD5/SHA-1->SHA-256, DES/3DES/RC4->AES-256-GCM, ECB->GCM, weak RSA re-key, legacy TLS/SSH config, hardcoded secret->vault reference. Tier 2 AI-assisted (BYOK Claude - customer's own key/endpoint keeps traffic in their tenant) for judgment fixes; offline- graceful (falls back to mechanical/manual, never throws). - `cbom fix <dir|cbom.json>` - plan remediations for the top-N exploitability findings; --ai for the BYOK judgment tier. 56 tests passing (+3). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…k for UI/UX - docs/TESTING.md: how to test the engine (CLI), the API server CBOM module (all 5 discovery probes, portfolio, autofix, SSE), and the WebApp section; end-to-end JLR demo script + use-case coverage matrix + troubleshooting. - docs/mockups/cbom-dashboard.html: faithful static mock of the CISO dashboard, multi-input discovery launcher, and asset/auto-fix views using the exact design tokens from the WebApp — UI/UX can copy styles/markup 1:1. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Verify the token via auth/token/lookup-self before mount discovery, so a bad/ expired/revoked token returns a clear auth error instead of silently falling back to default mounts and reporting an empty inventory. A valid-but-limited token (no sys/mounts) still works via the default-mount fallback. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Exact read-only credentials/permissions per provider (AWS IAM policy, Azure SP + RBAC roles, HashiCorp policy HCL), three ways to test (CLI/API/WebApp), demo-key recipe, and the security guarantees to state to JLR. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…ding + registry + migration simulator)
CBOM = what crypto you have; QBOM = what's quantum-vulnerable; PQR = the
migration authority JLR named as their third deliverable.
- data/pqc-registry.json: curated registry of NIST-standardized PQC algorithms
(ML-KEM/FIPS203, ML-DSA/FIPS204, SLH-DSA/FIPS205, LMS/XMSS/SP800-208), with
CNSA 2.0 flags, hybrids, and deadlines.
- data/migration-playbooks.json: per-family migration guidance (target, hybrid,
steps, effort, gotchas).
- src/pqr/index.js: readiness reading (index+grade+runway to 2035+HNDL),
playbook lookup, and a MIGRATION SIMULATOR ('migrate RSA → readiness 8→92')
with dependency-ordered waves and biggest-bang-per-family ranking.
- cbom pqr <path> + self-contained HTML report. 62 tests passing (+6).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
… exports to mockup v3.1
NIST-PQC rules matched on `f.algorithm`, but certificate/key findings expose the key algorithm as `publicKeyAlgorithm` and carry no `category`. As a result RSA/ECDSA certificates (pqcVulnerable=true) slipped past every rule and NIST PQC wrongly reported PASS on quantum-vulnerable certs. Add an `algoOf()` helper that reads `algorithm` or `publicKeyAlgorithm`, and treat `type === 'certificate'` as signature material in FIPS-204. Quantum- vulnerable certs/keys now correctly WARN; classical-only weaknesses (MD5) and PQC-safe certs are unaffected. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
probeSsh only handled connect/data/timeout/error. When pointed at a non-SSH service (e.g. an HTTPS server on 443) that accepts the TCP connection then closes it gracefully without sending an SSH banner, the socket inactivity timeout is cancelled and no handler fires, so the promise never resolves and the scan hangs indefinitely. Add a 'close' handler (resolves with error 'closed-without-ssh-banner' when no banner was seen) and a hard-deadline backstop timer. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
familyOf() only knew AES-128, so AES-256/AES-192, ChaCha20, SHA-512, SHA-3 fell through to "unknown" instead of quantum-safe, and a bare "EC" key type wasn't recognized as Shor-breakable. Add a QUANTUM_RESISTANT set + isQuantumSafe(), normalize cipher-mode suffixes (AES-256-GCM → AES-256), and map EC/ECC → ECDSA. qbom.quantumThreat()/isQuantumRelevant() now use isQuantumSafe, so per-finding quantum posture and the shor/grover/safe roll-ups are accurate. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Overview
Turns the v2.0.0 CBOM/QBOM engine into an enterprise Post-Quantum Repository platform for the JLR PoC — closing the feature gaps vs IBM Guardium Quantum Safe while adding differentiators (exploitability ranking, AI auto-fix, Armis) that IBM and AppviewX don't have. Everything is pure-Node, air-gap-friendly, zero-SDK, and emits standards CycloneDX 1.6.
3 commits, 38 files, +4,807 lines. 56 unit tests passing.
What's new
QBOM Discovery API (
cbom serve) — pure-Node REST service (the Post-Quantum Repository). ECUs/CI pipelines register a project and request CBOMs/QBOMs on demand via source tarball, firmware ELF, certificate, live endpoint, or vault. Bearer auth, persistent JSON store (Postgres-swappable), fleet portfolio roll-up.docs/API.md.Live vault connectors (
cbom vault azure|aws|hashicorp) — metadata-only REST enumeration of Azure Key Vault, AWS KMS+ACM, HashiCorp Vault. SigV4 signing implemented in purenode:crypto; zero SDK deps; key material never requested.Crypto asset graph + exploitability engine (
cbom graph) — the "which findings actually matter" layer nobody else has. Scores every finding by intrinsic severity × reachability/exposure × data longevity (HNDL) × blast radius, and clusters findings by shared root. The same critical AES-128-ECB scores 72 (HIGH) in an auth handler but 53 (MEDIUM) in a test fixture. Persisted in every CBOM (cbom:exploitability).AI crypto-remediation agent (
cbom fix) — turns the exploitability-ranked shortlist into concrete fixes. Tier 1 mechanical (deterministic, offline): MD5/SHA-1→SHA-256, DES/3DES/RC4→AES-256-GCM, ECB→GCM, weak RSA re-key, legacy TLS/SSH config, hardcoded secret→vault reference. Tier 2 AI-assisted via BYOK Claude (customer's own key/endpoint keeps LLM traffic in their tenant), offline-graceful.Portfolio / CISO dashboard (
cbom portfolio) — quantum-readiness heat map, harvest-now-decrypt-later register, expiring certs, compliance verdicts, scan-over-scan trends. Self-contained HTML + JSON.Policy engine + webhooks —
--policycustom YAML crypto policy with--fail-on-policyCI gate;--webhook(JSON/Slack) for Jira/ServiceNow/SIEM.Automotive compliance — UNECE R155 (CSMS) and ISO/SAE 21434 frameworks.
AI executive summaries (
cbom summary) — offline deterministic narrative, or--aiboard-ready Claude summary (non-sensitive roll-up only; offline fallback).Armis integration (
cbom armis) — correlate crypto posture with the Armis asset inventory (which tracked ECUs run quantum-vulnerable crypto), bidirectional.For reviewers
cbom validate).docs/API.md,docs/INTEGRATIONS.md. Tests:npm test(56 passing).@anthropic-ai/sdkis an optional dependency — keep it out of air-gapped installs.🤖 Generated with Claude Code