CBOM Output Format

Cryptographic Bill of Materials — CycloneDX 1.6 Native

Overview

The CBOM (Cryptographic Bill of Materials) format follows the CycloneDX 1.6 specification, which introduced native first-class CBOM support. It provides a comprehensive inventory of all cryptographic assets discovered during scanning and validates against the official CycloneDX 1.6 JSON schema.

Standards Compliance

  • CycloneDX 1.6 (native CBOM support)
  • Validated with official CycloneDX CLI
  • Compatible with OWASP Dependency-Track
  • Cryptographically random UUID v4 serial numbers

Usage

.\certscanner-windows-amd64.exe -host example.com `
  -outputformat cbom `
  -output compliance.cbom.json

CBOM Schema Structure

Required Top-Level Fields

| Field        | Type    | Description                      | Example        |
|--------------|---------|----------------------------------|----------------|
| bomFormat    | String  | Must be "CycloneDX"              | "CycloneDX"    |
| specVersion  | String  | CycloneDX specification version  | "1.6"          |
| serialNumber | String  | Cryptographically random UUID v4 | "urn:uuid:..." |
| version      | Integer | BOM version number               | 1              |
| metadata     | Object  | Scan metadata and tool info      | See below      |
| components   | Array   | All cryptographic components     | See below      |
| services     | Array   | Network services discovered      | Optional       |

CycloneDX 1.6 tools format: metadata.tools is an object containing a components array — not a bare array as in earlier spec versions. The generating tool is represented as a component with type: "application".

Component Types

| Component Type      | Asset Type              | Description                                          |
|---------------------|-------------------------|------------------------------------------------------|
| cryptographic-asset | algorithm               | TLS cipher suites and crypto algorithms              |
| cryptographic-asset | certificate             | X.509 certificates (network, filesystem, keystore)   |
| cryptographic-asset | related-crypto-material | SSH host keys and other key material                 |
| cryptographic-asset | protocol                | IPSec tunnels and network protocol configurations    |
| library             | (none)                  | Cryptographic libraries in process memory            |
| file                | (none)                  | Outlook archives and keystore files                  |
| application         | (none)                  | VPN clients and running applications with crypto context |

These four assetType values (algorithm, certificate, protocol, related-crypto-material) are the complete set defined by the CycloneDX 1.6 schema; any other value fails schema validation.

Crypto Properties Schema

| Property Type                   | Key Fields                                                                                                                | Use Case                        |
|---------------------------------|---------------------------------------------------------------------------------------------------------------------------|---------------------------------|
| algorithmProperties             | primitive, parameterSetIdentifier, curve, executionEnvironment, mode, padding, classicalSecurityLevel, nistQuantumSecurityLevel | Cipher suites, crypto algorithms |
| certificateProperties           | subjectName, issuerName, notValidBefore, notValidAfter, certificateFormat, certificateExtension                           | X.509 certificates              |
| protocolProperties              | type, version, cipherSuites, ikev2TransformTypes, cryptoRefArray                                                          | TLS/SSH/IPSec protocols         |
| relatedCryptoMaterialProperties | type, algorithmRef, size, format, state, creationDate, activationDate, expirationDate, securedBy                          | SSH keys, crypto key material   |

Complete Schema Reference

algorithmProperties

primitive: Fundamental cryptographic operation (e.g., "cipher-suite", "encryption", "hash", "signature")
parameterSetIdentifier: Specific algorithm name (e.g., "TLS_AES_256_GCM_SHA384", "RSA-2048")
curve: Elliptic curve name (e.g., "secp256r1", "curve25519")
executionEnvironment: Where algorithm runs (e.g., "tls-connection", "software", "hardware")
implementationPlatform: Platform details (e.g., "OpenSSL 3.0", "Windows CNG")
certificationLevel: Certification standards (e.g., ["FIPS 140-2 Level 1"])
mode: Block cipher mode (e.g., "CBC", "GCM", "CTR")
padding: Padding scheme (e.g., "PKCS7", "OAEP")
cryptoFunctions: Supported functions (e.g., ["encrypt", "decrypt", "sign"])
classicalSecurityLevel: Bits of classical security (e.g., 128, 256)
nistQuantumSecurityLevel: NIST PQC security level 1–5

certificateProperties

subjectName: Certificate subject DN (e.g., "CN=example.com,O=Example Corp")
issuerName: Certificate issuer DN
notValidBefore: Validity start date (RFC3339 format)
notValidAfter: Validity end date (RFC3339 format)
signatureAlgorithmRef: bom-ref to the signature algorithm component
subjectPublicKeyRef: bom-ref to the public key component
certificateFormat: Format standard (e.g., "X.509", "PGP")
certificateExtension: File encoding (e.g., "DER/PEM", "P7B", "PFX")

protocolProperties

type: Protocol enum — one of tls, ssh, ipsec, ike, sstp, wpa (lowercase, schema-enforced)
version: Protocol version (e.g., "1.3", "2.0")
cipherSuites: Array of cipher suite objects — each has name, optional algorithms (bom-refs), optional identifiers
ikev2TransformTypes: IKEv2 algorithm bom-refs grouped by transform — encr (encryption), integ (integrity), prf (pseudo-random), dh (key exchange groups)
cryptoRefArray: Array of bom-refs to algorithm components used by this protocol

The schema sets additionalProperties: false — fields like supportedDHGroups, supportedEncryptions, supportedHashes, or ikevVersion will fail validation.

relatedCryptoMaterialProperties

type: Material type enum — e.g., "public-key", "private-key", "secret-key", "password", "token", "digest"
id: Unique identifier for the material
algorithmRef: bom-ref to the algorithm component describing this key's algorithm (not a string name — a reference)
size: Key size in bits (e.g., 2048, 256, 4096)
format: Key format (e.g., "SSH", "PEM", "DER", "JWK")
state: Key lifecycle state enum — "pre-activation", "active", "suspended", "deactivated", "compromised", "destroyed"
creationDate: When key was created (RFC3339)
activationDate: When key became active (RFC3339)
expirationDate: When key expires (RFC3339)
value: Key material value (when safe to include)
securedBy: Object with mechanism and optional algorithmRef fields — not a plain string

Note: the SSH key type string (e.g., "ssh-ed25519") is not a bom-ref and should be stored in a custom property, not in algorithmRef.
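The two reference rules above (algorithmRef is a bom-ref, securedBy is an object) are easy to get wrong when a scanner only has the raw SSH key type string in hand. The following Go program is an added example, not code from the certscanner project: it turns one observed host key into two linked components, an algorithm component and a related-crypto-material component whose algorithmRef points at the algorithm's bom-ref, while the raw type string goes into the ssh:key-type custom property as the page prescribes. The key-type-to-algorithm table, the bom-ref naming scheme and the struct definitions are assumptions made for this example; the fingerprint is a constructed placeholder.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal CycloneDX 1.6 shapes for this example (assumed; not the project's types).
type AlgorithmProperties struct {
	Primitive              string `json:"primitive"`
	ParameterSetIdentifier string `json:"parameterSetIdentifier,omitempty"`
	Curve                  string `json:"curve,omitempty"`
	ExecutionEnvironment   string `json:"executionEnvironment,omitempty"`
}

// securedBy, when present, is an object with mechanism and optional algorithmRef,
// never a plain string (not used for a public host key, shown for completeness).
type SecuredBy struct {
	Mechanism    string `json:"mechanism"`
	AlgorithmRef string `json:"algorithmRef,omitempty"`
}

type RelatedCryptoMaterialProperties struct {
	Type         string     `json:"type"`
	AlgorithmRef string     `json:"algorithmRef,omitempty"` // a bom-ref, not "ssh-ed25519"
	Size         int        `json:"size,omitempty"`
	Format       string     `json:"format,omitempty"`
	State        string     `json:"state,omitempty"`
	SecuredBy    *SecuredBy `json:"securedBy,omitempty"`
}

type CryptoProperties struct {
	AssetType                       string                           `json:"assetType"`
	AlgorithmProperties             *AlgorithmProperties             `json:"algorithmProperties,omitempty"`
	RelatedCryptoMaterialProperties *RelatedCryptoMaterialProperties `json:"relatedCryptoMaterialProperties,omitempty"`
}

type Property struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}

type Component struct {
	Type             string            `json:"type"`
	BOMRef           string            `json:"bom-ref"`
	Name             string            `json:"name"`
	CryptoProperties *CryptoProperties `json:"cryptoProperties,omitempty"`
	Properties       []Property        `json:"properties,omitempty"`
}

// sshAlgorithm describes the algorithm component implied by an SSH key type.
// Assumed mapping for illustration; an RSA key's size comes from the observed key.
type sshAlgorithm struct {
	primitive, paramSet, curve string
	size                       int
}

var sshAlgorithms = map[string]sshAlgorithm{
	"ssh-ed25519":         {"signature", "Ed25519", "curve25519", 256},
	"ecdsa-sha2-nistp256": {"signature", "ECDSA", "secp256r1", 256},
	"ecdsa-sha2-nistp384": {"signature", "ECDSA", "secp384r1", 384},
	"ssh-rsa":             {"signature", "RSA", "", 0},
}

// SSHHostKeyComponents returns the algorithm component and the key component for one
// observed host key; the key's algorithmRef is the algorithm component's bom-ref.
func SSHHostKeyComponents(host string, port int, keyType string, rsaBits int, fingerprint string) (Component, Component, error) {
	alg, ok := sshAlgorithms[keyType]
	if !ok {
		return Component{}, Component{}, fmt.Errorf("unknown SSH key type %q", keyType)
	}
	size := alg.size
	if size == 0 {
		size = rsaBits
	}
	algRef := "algorithm:ssh:" + keyType // one shared algorithm component per key type (assumed scheme)
	algo := Component{
		Type: "cryptographic-asset", BOMRef: algRef, Name: alg.paramSet,
		CryptoProperties: &CryptoProperties{AssetType: "algorithm", AlgorithmProperties: &AlgorithmProperties{
			Primitive: alg.primitive, ParameterSetIdentifier: alg.paramSet, Curve: alg.curve, ExecutionEnvironment: "software"}},
	}
	key := Component{
		Type: "cryptographic-asset", BOMRef: fmt.Sprintf("ssh:%s:%d:%s", host, port, keyType),
		Name: "SSH Host Key (" + keyType + ")",
		CryptoProperties: &CryptoProperties{AssetType: "related-crypto-material",
			RelatedCryptoMaterialProperties: &RelatedCryptoMaterialProperties{
				Type: "public-key", AlgorithmRef: algRef, Size: size, Format: "SSH", State: "active"}},
		Properties: []Property{{"ssh:key-type", keyType}, {"ssh:fingerprint-sha256", fingerprint}},
	}
	return algo, key, nil
}

func main() {
	// Constructed input: a fictional host and placeholder fingerprint.
	algo, key, err := SSHHostKeyComponents("example.com", 22, "ssh-ed25519", 0, "SHA256:constructed-placeholder")
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent([]Component{algo, key}, "", "  ")
	fmt.Println(string(out))
}
```

Because the algorithm bom-ref is derived from the key type only, every host using ssh-ed25519 shares a single algorithm component, which is what makes a later "which hosts still rely on algorithm X" query a simple reference lookup rather than a string match.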

Custom Properties Reference

Cipher Suite Properties

cipher:openssl-name
cipher:key-length
cipher:is-preferred
cipher:negotiated-group
cipher:intel:security_level

Certificate Custom Properties

cert:serial-number
cert:signature-algorithm
cert:public-key-algorithm
cert:public-key-size
cert:is-self-signed
cert:is-ca
cert:source-file
cert:keystore-path
cert:keystore-type
cert:alias
cert:has-private-key
cert:key-usage
cert:ext-key-usage

SSH Host Key Properties

ssh:key-type — algorithm string (e.g., "ssh-ed25519")
ssh:fingerprint-sha256
ssh:banner

VPN Client Properties

application:vendor
application:install-path
application:config-path
application:active
application:status
detection:method
detection:confidence
pqc:is-ready
pqc:quantum-resistance
pqc:migration-status
pqc:supported-algorithms
process:pid

IPSec Tunnel Properties

ipsec:implementation
ipsec:status
ipsec:active
ipsec:local-subnet
ipsec:remote-subnet
ipsec:encryption-algorithm
ipsec:integrity-algorithm
ipsec:dh-group
detection:method
detection:confidence

Keystore Properties

file:path
file:size
file:owner
file:permissions
file:last-modified
keystore:type
keystore:cert-count
keystore:accessible
keystore:requires-auth
keystore:error

Crypto Library Properties

library:path
library:crypto-type
library:product-name
library:company-name
library:crypto-features
process:pid
process:name
vulnerability:is-vulnerable
vulnerability:risk-level
vulnerability:risk-reason
vulnerability:cve-list
vulnerability:fixed-in-version

Sample CBOM Output

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:4a3f9c2d-1b7e-4f08-82a1-9e0c3d5f6a7b",
  "version": 1,
  "metadata": {
    "timestamp": "2026-05-10T09:00:17-04:00",
    "tools": {
      "components": [
        {
          "type": "application",
          "name": "TYCHON Quantum Crypto Manager",
          "version": "1.1.97",
          "properties": [
            { "name": "vendor", "value": "Tychon LLC" }
          ]
        }
      ]
    },
    "properties": [
      { "name": "scan:type",      "value": "remote" },
      { "name": "scan:target",    "value": "example.com:443" },
      { "name": "observer:hostname", "value": "scanner-host" }
    ]
  },
  "components": [
    {
      "type": "cryptographic-asset",
      "bom-ref": "cipher:example.com:443:TLS_AES_256_GCM_SHA384",
      "name": "TLS_AES_256_GCM_SHA384",
      "version": "TLSv1.3",
      "description": "TLS cipher suite TLS_AES_256_GCM_SHA384 on example.com:443",
      "cryptoProperties": {
        "assetType": "algorithm",
        "algorithmProperties": {
          "primitive": "cipher-suite",
          "parameterSetIdentifier": "TLS_AES_256_GCM_SHA384",
          "executionEnvironment": "tls-connection"
        }
      },
      "properties": [
        { "name": "cipher:key-length",  "value": "256" },
        { "name": "cipher:is-preferred","value": "true" }
      ]
    },
    {
      "type": "cryptographic-asset",
      "bom-ref": "cert:example.com:443:123456789012345678901234567890",
      "name": "example.com",
      "description": "X.509 certificate for example.com:443",
      "hashes": [
        { "alg": "SHA-256", "content": "ab:cd:ef:12:34:56:78:90:..." }
      ],
      "cryptoProperties": {
        "assetType": "certificate",
        "certificateProperties": {
          "subjectName": "CN=example.com,O=Example Corp,C=US",
          "issuerName": "CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US",
          "notValidBefore": "2024-03-01T00:00:00Z",
          "notValidAfter": "2025-03-01T23:59:59Z",
          "certificateFormat": "X.509",
          "certificateExtension": "DER/PEM"
        }
      },
      "properties": [
        { "name": "cert:serial-number",       "value": "123456789012345678901234567890" },
        { "name": "cert:signature-algorithm", "value": "SHA256-RSA" },
        { "name": "cert:public-key-algorithm","value": "RSA" },
        { "name": "cert:public-key-size",     "value": "2048" }
      ]
    },
    {
      "type": "cryptographic-asset",
      "bom-ref": "ssh:example.com:22:ssh-ed25519",
      "name": "SSH Host Key (ssh-ed25519)",
      "description": "SSH host key for example.com:22",
      "cryptoProperties": {
        "assetType": "related-crypto-material",
        "relatedCryptoMaterialProperties": {
          "type": "public-key",
          "format": "SSH",
          "size": 256
        }
      },
      "properties": [
        { "name": "ssh:key-type",          "value": "ssh-ed25519" },
        { "name": "ssh:fingerprint-sha256","value": "SHA256:abc123..." }
      ]
    },
    {
      "type": "cryptographic-asset",
      "bom-ref": "ipsec-tunnel:VPN-HQ",
      "name": "VPN-HQ",
      "version": "IKEv2",
      "description": "IPSec tunnel configuration: VPN-HQ",
      "cryptoProperties": {
        "assetType": "protocol",
        "protocolProperties": {
          "type": "ipsec",
          "version": "IKEv2",
          "ikev2TransformTypes": {
            "encr":  ["AES-256-GCM"],
            "integ": ["SHA256"],
            "dh":    ["group19"]
          }
        }
      },
      "properties": [
        { "name": "ipsec:implementation", "value": "strongSwan" },
        { "name": "pqc:is-ready",         "value": "false" }
      ]
    },
    {
      "type": "application",
      "bom-ref": "vpn-client:Cloudflare-WARP:2024.6.415",
      "name": "Cloudflare WARP",
      "version": "2024.6.415",
      "description": "VPN client application: Cloudflare WARP",
      "properties": [
        { "name": "application:vendor",          "value": "Cloudflare Inc." },
        { "name": "application:active",          "value": "true" },
        { "name": "pqc:is-ready",               "value": "true" },
        { "name": "pqc:supported-algorithms",   "value": "Kyber768,X25519Kyber768Draft00" }
      ]
    }
  ],
  "services": [
    {
      "bom-ref": "service:example.com:443",
      "name": "example.com:443",
      "description": "Network service on example.com port 443",
      "endpoints": ["example.com:443"],
      "properties": [
        { "name": "port",     "value": "443" },
        { "name": "status",   "value": "open" },
        { "name": "protocol", "value": "TLS" }
      ]
    }
  ]
}

Cryptographic Asset Types

Cipher Suite Components

Each negotiated TLS cipher suite becomes a cryptographic-asset component

Asset Type: algorithm
Properties: primitive="cipher-suite", parameterSetIdentifier=cipher name
Custom Properties: openssl-name, key-length, is-preferred, intel data

Certificate Components

X.509 certificates from network connections, filesystem, and keystores

Asset Type: certificate
Properties: subjectName, issuerName, validity periods
Hashes: SHA-256 certificate fingerprints

SSH Host Key Components

SSH host keys discovered during network scanning

Asset Type: related-crypto-material
Properties: type="public-key", format="SSH", size=bits
Custom Properties: ssh:key-type (algorithm string), ssh:fingerprint-sha256, ssh:banner

Cryptographic Library Components

Crypto libraries discovered in process memory

Component Type: library
Properties: path, crypto-type, product-name, company-name
Process Context: PID, process name
Note: bom-ref includes PID + name + path hash to prevent collisions when the same library appears under multiple paths in a process

VPN Client Components

VPN client applications with PQC readiness assessments

Component Type: application
Properties: client-name, vendor, version, install-path
PQC Assessment: pqc:is-ready, pqc:quantum-resistance, pqc:supported-algorithms

IPSec Tunnel Components

IPSec tunnel configurations — uses CycloneDX 1.6 ikev2TransformTypes for algorithm grouping

Asset Type: protocol
Protocol type enum: "ipsec" (lowercase, schema-enforced)
IKEv2 algorithms: encr / integ / prf / dh arrays in ikev2TransformTypes
Custom Properties: local-subnet, remote-subnet, implementation, pqc assessment

Keystore Certificate Components

Certificates from PKCS12, JKS, Windows Certificate Store, and macOS Keychain

Asset Type: certificate
Properties: subjectName, issuerName, validity, certificateFormat
Custom Properties: keystore-path, keystore-type, alias, has-private-key
Note: bom-ref includes keystore path + serial + subject to handle shared serial numbers across keychain entries

Keystore File Components

Keystore files and certificate containers discovered on the filesystem

Component Type: file
Properties: keystore-type, cert-count, accessible, requires-auth
File Properties: path, size, owner, permissions, last-modified

Use Cases & Integration

Compliance & Governance

  • Regulatory Compliance: NIST, FIPS, Common Criteria
  • Audit Trails: Complete cryptographic asset inventory
  • Risk Assessment: Identify weak or deprecated crypto
  • Supply Chain Security: Track crypto dependencies

Tool Integration

  • OWASP Dependency-Track: Direct CBOM import
  • Asset Management: Track crypto inventory changes
  • Policy Engines: Validate crypto policy compliance
  • Reporting Tools: Generate compliance reports

Example Workflows

# Generate quarterly compliance report
.\certscanner-windows-amd64.exe -host production-systems.txt -cipherscan `
  -tags "Q4-2025,compliance-audit" `
  -outputformat cbom -output Q4-crypto-inventory.cbom.json

# Continuous compliance monitoring
.\certscanner-windows-amd64.exe -mode local -scanfilesystem -scanmemory `
  -outputformat cbom -output daily-crypto-inventory.cbom.json

# Validate with CycloneDX CLI
cyclonedx validate --input-file daily-crypto-inventory.cbom.json `
  --input-format json --input-version v1_6

Metadata Properties Reference

TYCHON Quantum Crypto Manager includes comprehensive metadata in the metadata.properties array:

Scan Metadata Properties

| Property Name  | Description              | Example Value            |
|----------------|--------------------------|--------------------------|
| scan:type      | Type of scan performed   | "remote", "local"        |
| scan:target    | Target hostname or IP    | "example.com:443"        |
| scan:timestamp | When scan was performed  | "2026-05-10T14:30:00Z"   |
| scan:tags      | User-defined tags        | "production,compliance"  |

Observer System Properties

| Property Name              | Description            | Example Value             |
|----------------------------|------------------------|---------------------------|
| observer:hostname          | Scanner hostname       | "scanner-01.example.com"  |
| observer:os                | Operating system       | "windows"                 |
| observer:platform          | Platform architecture  | "amd64"                   |
| observer:version           | OS version             | "10.0.19045"              |
| observer:fips_mode_enabled | FIPS mode status       | "true", "false"           |
| observer:organization      | Organization name      | "ACME Corporation"        |

Quantum Readiness Properties

| Property Name             | Description              | Example Value                      |
|---------------------------|--------------------------|------------------------------------|
| quantum:assessment_id     | Unique assessment ID     | "qa_abc123..."                     |
| quantum:fips_mode_enabled | System FIPS mode         | "true", "false"                    |
| quantum:overall_score     | Total readiness score    | "75"                               |
| quantum:max_score         | Maximum possible score   | "100"                              |
| quantum:readiness_status  | Overall readiness level  | "ready", "partial", "not_ready"    |
| quantum:ready_timeline    | Expected timeline        | "2025", "2026-2027", "2028+"       |

Schema Validation

CycloneDX CLI (recommended)

The official open-source CycloneDX CLI validates output against the published 1.6 JSON schema. A zero exit code confirms full compliance.

# Install (macOS / Linux)
brew install cyclonedx/cyclonedx/cyclonedx-cli

# Validate
cyclonedx validate --input-file compliance.cbom.json \
  --input-format json --input-version v1_6

OWASP Dependency-Track

Full end-to-end import test using the reference CBOM consumer. Run locally with Docker Compose:

curl -LO https://dependencytrack.org/docker-compose.yml
docker compose up -d
# then import via the web UI at http://localhost:8080

Automated Go Test Suite

The project ships a CI-ready test suite in evidence/cbom/ using the official github.com/CycloneDX/cyclonedx-go library:

go test ./evidence/cbom/... -v

Tests cover: specVersion, tools object format, valid assetType enums, bom-ref uniqueness, and round-trip decode.
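The checks listed above, together with the schema rules called out earlier on this page (the four assetType values, the lowercase protocol type enum, the additionalProperties: false rejection of fields such as supportedDHGroups, and securedBy being an object), can be expressed as a standard-library Go linter that a CI job runs before handing a file to the CycloneDX CLI. The program below is an added example and is not the project's evidence/cbom/ test suite; it uses only encoding/json, so it has no dependency on cyclonedx-go. The two embedded CBOM documents are constructed for the example: one is clean, the other breaks several rules at once so the findings list can be read as a checklist.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Enumerations taken from this page's description of the CycloneDX 1.6 schema.
var assetTypes = map[string]bool{"algorithm": true, "certificate": true, "protocol": true, "related-crypto-material": true}
var protocolTypes = map[string]bool{"tls": true, "ssh": true, "ipsec": true, "iike": false, "ike": true, "sstp": true, "wpa": true}
var forbiddenProtocolFields = []string{"supportedDHGroups", "supportedEncryptions", "supportedHashes", "ikevVersion"}

// UUID v4: version nibble 4, variant nibble 8..b.
var uuidV4 = regexp.MustCompile(`(?i)^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$`)

// LintCBOM decodes raw JSON (the round-trip check) and returns one finding per violated rule.
// An empty slice means the document passed every structural check implemented here.
func LintCBOM(raw []byte) ([]string, error) {
	var bom map[string]any
	if err := json.Unmarshal(raw, &bom); err != nil {
		return nil, fmt.Errorf("round-trip decode failed: %w", err)
	}
	var findings []string
	if bom["bomFormat"] != "CycloneDX" {
		findings = append(findings, `bomFormat must be "CycloneDX"`)
	}
	if bom["specVersion"] != "1.6" {
		findings = append(findings, `specVersion must be "1.6"`)
	}
	if s, _ := bom["serialNumber"].(string); !uuidV4.MatchString(s) {
		findings = append(findings, "serialNumber is not a urn:uuid UUID v4")
	}
	// 1.6 rule: metadata.tools is an object holding a components array, not a bare array.
	meta, _ := bom["metadata"].(map[string]any)
	switch tools := meta["tools"].(type) {
	case map[string]any:
		if _, ok := tools["components"].([]any); !ok {
			findings = append(findings, "metadata.tools.components missing")
		}
	case []any:
		findings = append(findings, "metadata.tools is a bare array (pre-1.6 format)")
	default:
		findings = append(findings, "metadata.tools missing")
	}
	comps, _ := bom["components"].([]any)
	seen := map[string]bool{}
	for i, c := range comps {
		comp, _ := c.(map[string]any)
		ref, _ := comp["bom-ref"].(string)
		if ref == "" {
			findings = append(findings, fmt.Sprintf("components[%d]: missing bom-ref", i))
		} else if seen[ref] {
			findings = append(findings, "duplicate bom-ref "+ref)
		}
		seen[ref] = true
		cp, hasCP := comp["cryptoProperties"].(map[string]any)
		if comp["type"] == "cryptographic-asset" && !hasCP {
			findings = append(findings, ref+": cryptographic-asset without cryptoProperties")
		}
		if !hasCP {
			continue // library, file and application components carry no cryptoProperties
		}
		if at, _ := cp["assetType"].(string); !assetTypes[at] {
			findings = append(findings, fmt.Sprintf("%s: invalid assetType %q", ref, at))
		}
		if pp, ok := cp["protocolProperties"].(map[string]any); ok {
			if pt, _ := pp["type"].(string); !protocolTypes[pt] {
				findings = append(findings, fmt.Sprintf("%s: invalid protocol type %q (lowercase enum)", ref, pt))
			}
			for _, f := range forbiddenProtocolFields {
				if _, bad := pp[f]; bad {
					findings = append(findings, ref+": protocolProperties."+f+" is not in the schema")
				}
			}
		}
		if rp, ok := cp["relatedCryptoMaterialProperties"].(map[string]any); ok {
			if _, isStr := rp["securedBy"].(string); isStr {
				findings = append(findings, ref+": securedBy must be an object, not a string")
			}
		}
	}
	return findings, nil
}

// Constructed documents for the example (not scanner output).
const constructedGoodCBOM = `{
  "bomFormat": "CycloneDX", "specVersion": "1.6",
  "serialNumber": "urn:uuid:4a3f9c2d-1b7e-4f08-82a1-9e0c3d5f6a7b", "version": 1,
  "metadata": { "tools": { "components": [ { "type": "application", "name": "scanner" } ] } },
  "components": [
    { "type": "cryptographic-asset", "bom-ref": "ssh:host.example:22:ssh-ed25519", "name": "k",
      "cryptoProperties": { "assetType": "related-crypto-material",
        "relatedCryptoMaterialProperties": { "type": "public-key", "size": 256 } } } ] }`

const constructedBadCBOM = `{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "serialNumber": "urn:uuid:not-a-uuid", "version": 1,
  "metadata": { "tools": [ { "name": "old-style-tool" } ] },
  "components": [
    { "type": "cryptographic-asset", "bom-ref": "a", "name": "x",
      "cryptoProperties": { "assetType": "key" } },
    { "type": "cryptographic-asset", "bom-ref": "a", "name": "y",
      "cryptoProperties": { "assetType": "protocol",
        "protocolProperties": { "type": "IPSec", "supportedDHGroups": ["group19"] } } } ] }`

func main() {
	findings, err := LintCBOM([]byte(constructedBadCBOM))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println("FAIL:", f)
	}
}
```

Running the checker on the bad document reports seven findings: the specVersion, the serial number, the pre-1.6 tools array, the unknown assetType, the duplicate bom-ref, the capitalised protocol type and the supportedDHGroups field. None of these is caught by a JSON parser alone, which is why a structural pass like this belongs in front of the schema validation step rather than after it.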