SBOM & CBOM Guide
Software Bill of Materials (SBOM)
Supported Ecosystems
| Ecosystem | Lockfile | PURL Prefix |
|---|---|---|
| Rust | Cargo.lock | pkg:cargo/ |
| npm | package-lock.json | pkg:npm/ |
| npm (Yarn) | yarn.lock | pkg:npm/ |
| Python (Poetry) | poetry.lock | pkg:pypi/ |
| Python (Pipenv) | Pipfile.lock | pkg:pypi/ |
| Go | go.sum | pkg:golang/ |
| PHP | composer.lock | pkg:composer/ |
| .NET | packages.lock.json | pkg:nuget/ |
| Ruby | Gemfile.lock | pkg:gem/ |
Output Format
CycloneDX 1.6 JSON. Each component includes:

```json
{
  "type": "library",
  "name": "serde",
  "version": "1.0.200",
  "purl": "pkg:cargo/serde@1.0.200",
  "licenses": [{ "license": { "id": "MIT OR Apache-2.0" } }],
  "hashes": [{ "alg": "SHA-256", "content": "abc..." }],
  "properties": [{ "name": "ecosystem", "value": "cargo" }]
}
```

SBOM Diff
Compare two SBOMs to track changes between versions:

```
SbomDiff {
    added:   [Component]                                      // new dependencies
    removed: [Component]                                      // removed dependencies
    updated: [{ name, ecosystem, old_version, new_version }]  // version changes
}
```

Vulnerability Enrichment
When enabled, the scanner queries OSV.dev for known CVEs:

```sh
fleet scan --path . --sbom   # Enrichment via pipeline config
```

Results include severity classification:
| CVSS Score | Severity |
|---|---|
| >= 9.0 | Critical |
| 7.0 - 8.9 | High |
| 4.0 - 6.9 | Medium |
| < 4.0 | Low |
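The SBOM diff structure and the CVSS severity bands above, worked through in Python as an added illustration (this is not the fleet tool's own code). It derives the ecosystem from the PURL type, falling back to the `ecosystem` property shown in the output format, and runs on two constructed SBOM fragments.

```python
"""Diff two CycloneDX 1.6 SBOMs and band CVSS scores into severities."""

def ecosystem_of(component):
    """Ecosystem from the PURL type (pkg:cargo/serde@1.0.200 -> cargo), falling
    back to the 'ecosystem' property the scanner emits when no PURL is set."""
    purl = component.get("purl", "")
    if purl.startswith("pkg:"):
        return purl[4:].split("/", 1)[0]
    props = {p.get("name"): p.get("value") for p in component.get("properties", [])}
    return props.get("ecosystem", "unknown")

def index_components(sbom):
    """Map (ecosystem, name) -> component for every library component."""
    return {(ecosystem_of(c), c["name"]): c
            for c in sbom.get("components", []) if c.get("type") == "library"}

def diff_sboms(old_sbom, new_sbom):
    """Return the SbomDiff shape: added/removed components, updated versions."""
    old, new = index_components(old_sbom), index_components(new_sbom)
    added = [new[k] for k in sorted(new.keys() - old.keys())]
    removed = [old[k] for k in sorted(old.keys() - new.keys())]
    updated = []
    for eco, name in sorted(old.keys() & new.keys()):
        ov, nv = old[(eco, name)].get("version"), new[(eco, name)].get("version")
        if ov != nv:
            updated.append({"name": name, "ecosystem": eco,
                            "old_version": ov, "new_version": nv})
    return {"added": added, "removed": removed, "updated": updated}

def classify_severity(cvss):
    """CVSS base score -> severity band from the enrichment table."""
    for floor, band in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium")):
        if cvss >= floor:
            return band
    return "Low"

def lib(name, version, purl):
    """Minimal CycloneDX library component (constructed sample data)."""
    return {"type": "library", "name": name, "version": version, "purl": purl}

# Constructed SBOM fragments: serde bumped, lodash dropped, left-pad added.
OLD_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
    lib("serde", "1.0.200", "pkg:cargo/serde@1.0.200"),
    lib("openssl", "0.10.60", "pkg:cargo/openssl@0.10.60"),
    lib("lodash", "4.17.20", "pkg:npm/lodash@4.17.20")]}
NEW_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
    lib("serde", "1.0.210", "pkg:cargo/serde@1.0.210"),
    lib("openssl", "0.10.60", "pkg:cargo/openssl@0.10.60"),
    lib("left-pad", "1.3.0", "pkg:npm/left-pad@1.3.0")]}
```

Keying on (ecosystem, name) keeps a package that exists under both `pkg:npm/` and `pkg:pypi/` separate; a lockfile that pins several versions of one npm package collapses to the last one indexed, so a production diff would key on the full PURL instead.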
Cryptographic Bill of Materials (CBOM)
What It Detects
30 crypto rules across 6 categories:
| Category | Examples |
|---|---|
| Hash | MD5, SHA-1, SHA-256, SHA-384, SHA-512, SHA-3, BLAKE2, BLAKE3 |
| Symmetric cipher | AES-128, AES-256, AES-GCM, ChaCha20-Poly1305, DES, 3DES, RC4 |
| Asymmetric | RSA, ECDSA, Ed25519, X25519 |
| Key derivation | Argon2, bcrypt, scrypt, PBKDF2 |
| Protocol | TLS 1.3, TLS 1.2, TLS 1.0/1.1, SSLv2/v3 |
| PRNG | (detected via crypto detector, not CBOM) |
Compliance Classification
Each detected primitive is classified:
| Status | Meaning | Action |
|---|---|---|
| Approved | Meets current standards | None required |
| Deprecated | Weakened but not immediately broken | Migration recommended |
| Prohibited | Known broken, must not be used | Remediation required |
Prohibited Algorithms
| Algorithm | Why | Replace With |
|---|---|---|
| MD5 | Collision attacks since 2004 | SHA-256+ |
| DES | 56-bit key, trivially brute-forced | AES-128+ |
| RC4 | Multiple biases, broken in TLS | AES-GCM or ChaCha20 |
| SSLv2/v3 | Fundamentally broken (POODLE, etc.) | TLS 1.2+ |
Deprecated Algorithms
| Algorithm | Why | Replace With |
|---|---|---|
| SHA-1 | Collision attacks demonstrated (SHAttered) | SHA-256+ |
| 3DES | Meet-in-the-middle, Sweet32 attack | AES-128+ |
| TLS 1.0/1.1 | Known weaknesses, deprecated by IETF | TLS 1.2+ |
CBOM Output
CycloneDX 1.6 with type: cryptographic-asset:

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "components": [
    {
      "type": "cryptographic-asset",
      "name": "SHA-256",
      "properties": [
        { "name": "category", "value": "hash" },
        { "name": "compliance", "value": "approved" },
        { "name": "key-length", "value": "256" },
        { "name": "usage-context", "value": "hashing" },
        { "name": "source-file", "value": "src/auth.rs" },
        { "name": "source-line", "value": "42" }
      ]
    }
  ]
}
```

CBOM Summary

```json
{
  "total": 314,
  "approved": 301,
  "deprecated": 6,
  "prohibited": 7,
  "by_category": {
    "hash": 120,
    "symmetric-cipher": 45,
    "asymmetric-algorithm": 30,
    "key-derivation": 15,
    "protocol": 20
  }
}
```

Usage Context Detection
The scanner infers usage context from surrounding code:
| Context | Detected By |
|---|---|
| password-hashing | Near password, passwd keywords |
| transport-security | Near tls, ssl, https keywords |
| digital-signature | Near sign, verify keywords |
| encryption | Near encrypt, decrypt, cipher keywords |
| hashing | Near hash, digest, hmac, sha keywords |
| key-management | Near key, kdf, derive keywords |
| authentication | Near token, jwt keywords |
| general | No specific context detected |
CRA Relevance
SBOM and CBOM address multiple CRA Annex I requirements:
| Requirement Area | SBOM/CBOM Role |
|---|---|
| I.2(a) — No known exploitable vulnerabilities | SBOM + vulnerability enrichment |
| I.3(a) — Protect confidentiality | CBOM verifies crypto strength |
| I.3(d) — Protect stored data | CBOM checks encryption at rest |
| II.1 — Identify vulnerabilities | SBOM enables CVE tracking |
| II.3 — Effective remediation | SBOM diff tracks dependency updates |
| Section 2(3) — Secure updates | SBOM tracks update dependencies |