Metadata-Version: 2.4
Name: cobalt-sbom
Version: 0.5.0
Summary: Cryptographic Bill of Materials generator — CycloneDX 1.6, binary scanning, PCAP network scanner, hardware boundary report, ML-DSA signed
Author-email: QreativeLab / OMEGA <dominik@qreativelab.io>
License: MIT
Project-URL: Homepage, https://github.com/dom-omg/cobalt-sbom
Project-URL: Repository, https://github.com/dom-omg/cobalt-sbom
Keywords: cbom,sbom,pqc,cryptography,cyclonedx,quantum
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: Information Technology
Classifier: Topic :: Security :: Cryptography
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Requires-Python: >=3.11
Description-Content-Type: text/markdown
Requires-Dist: rich>=13.0
Requires-Dist: requests>=2.31
Requires-Dist: click>=8.1
Requires-Dist: dpkt>=1.9.8

# COBALT SBOM

**Cryptographic Bill of Materials generator — CycloneDX 1.6, ML-DSA-65 signed.**

Scan any codebase in seconds. Find every cryptographic algorithm. Know your quantum exposure.

## What it does

- Detects 30+ crypto primitives across Python, TypeScript, JavaScript, Go, C/C++, Java, Rust
- **Scans compiled binaries** (ELF, PE, dylib) — OpenSSL, wolfSSL, mbedTLS, liboqs symbol detection
- Outputs a signed **CycloneDX 1.6 CBOM** (Cryptographic Bill of Materials)
- Scores your **quantum readiness (0-100)**
- Flags classically broken algorithms (DES, MD5, RC4) and deprecated algorithms and protocol versions (SHA-1, TLS 1.0)
- Integrates into CI/CD via GitHub Actions — gate PRs on quantum safety

## Install

```bash
pip install cobalt-sbom
```

## Usage

```bash
# Scan a repo (source + binaries)
cobalt-sbom scan ./myrepo --output cbom.cdx.json

# Scan + sign the CBOM with ML-DSA-65 (signing is delegated to the AXIOM service)
cobalt-sbom scan ./myrepo --output cbom.cdx.json --sign

# CI mode — fail if quantum-unsafe algorithms present
cobalt-sbom scan ./myrepo --ci

# Fail if quantum readiness score below 80
cobalt-sbom scan ./myrepo --fail-score 80

# Source only, skip binaries
cobalt-sbom scan ./myrepo --no-binaries

# Display an existing CBOM
cobalt-sbom show cbom.cdx.json
```
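The `--ci` and `--fail-score` gates above run inside the scanner. The same checks can be re-applied by whoever consumes the CBOM, which matters because a summary block is only as trustworthy as the pipeline that wrote it. The following is an added example, not cobalt-sbom's own code: it recomputes the counts from the component list, fails the build when the producer's `summary` disagrees with the components, and warns about root keys that the CycloneDX 1.6 JSON schema disallows. The property values `quantum-safe`/`quantum-unsafe`, the scoring rule (share of assets that are quantum-safe) and the sample document are assumptions, not taken from the project.

```python
"""Consumer-side gate for a cobalt-sbom style CycloneDX 1.6 CBOM.

Added example, not cobalt-sbom's own code. It recomputes the readiness
numbers from the component list instead of trusting the producer's
`summary` block, and reports root keys that bom-1.6.schema.json does not
allow (the schema sets additionalProperties: false at the root).

Assumptions (the page does not document them): the per-component property
`cobalt:quantumSafety` takes the values "quantum-safe" / "quantum-unsafe",
and the readiness score is the percentage of assets that are quantum-safe.
"""
import json

# Root properties permitted by the official CycloneDX 1.6 JSON schema.
CYCLONEDX_16_ROOT_KEYS = {
    "$schema", "bomFormat", "specVersion", "serialNumber", "version", "metadata",
    "components", "services", "externalReferences", "dependencies", "compositions",
    "vulnerabilities", "annotations", "formulation", "declarations", "definitions",
    "properties", "signature",
}


def _asset(name, safety):
    return {
        "type": "cryptographic-asset",
        "name": name,
        "cryptoProperties": {"assetType": "algorithm"},
        "properties": [{"name": "cobalt:quantumSafety", "value": safety}],
    }


# Constructed input modelled on the README's example: two quantum-safe assets,
# one quantum-unsafe asset, and a summary that matches them (2 of 3 -> 67).
SAMPLE_CBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        _asset("ML-DSA-65", "quantum-safe"),
        _asset("AES-256-GCM", "quantum-safe"),
        _asset("RSA-2048", "quantum-unsafe"),
    ],
    "summary": {"quantum_readiness_score": 67, "quantum_safe": 2, "quantum_unsafe": 1},
}, indent=2)


def safety_of(component):
    for prop in component.get("properties", []):
        if prop.get("name") == "cobalt:quantumSafety":
            return prop.get("value")
    return "unknown"


def recompute_summary(bom):
    """Derive the summary numbers from the components, ignoring any self-reported ones."""
    assets = [c for c in bom.get("components", []) if c.get("type") == "cryptographic-asset"]
    safe = sum(1 for c in assets if safety_of(c) == "quantum-safe")
    unsafe = sum(1 for c in assets if safety_of(c) == "quantum-unsafe")
    score = round(100 * safe / (safe + unsafe)) if safe + unsafe else 0
    return {"quantum_safe": safe, "quantum_unsafe": unsafe, "quantum_readiness_score": score}


def non_schema_root_keys(bom):
    return sorted(set(bom) - CYCLONEDX_16_ROOT_KEYS)


def gate(cbom_text, fail_score=80, ci=False):
    """Return (failures, warnings); the build should fail when failures is non-empty."""
    bom = json.loads(cbom_text)
    failures, warnings = [], []
    if bom.get("bomFormat") != "CycloneDX" or bom.get("specVersion") != "1.6":
        failures.append("not a CycloneDX 1.6 document")
        return failures, warnings
    extra = non_schema_root_keys(bom)
    if extra:
        warnings.append(f"non-schema root keys, strip before strict validation: {extra}")
    actual = recompute_summary(bom)
    # A summary that disagrees with the components is a tampered or buggy artifact.
    for key, claimed in bom.get("summary", {}).items():
        if key in actual and claimed != actual[key]:
            failures.append(f"summary.{key}={claimed} but components give {actual[key]}")
    if ci and actual["quantum_unsafe"]:
        failures.append(f"{actual['quantum_unsafe']} quantum-unsafe asset(s) present")
    if actual["quantum_readiness_score"] < fail_score:
        failures.append(f"readiness {actual['quantum_readiness_score']} < {fail_score}")
    return failures, warnings


if __name__ == "__main__":
    failures, warnings = gate(SAMPLE_CBOM, fail_score=60)
    print("warnings:", warnings)
    print("FAIL" if failures else "PASS", failures)
```

The sample passes at `--fail-score 60` with a warning about the `summary` key, fails at 80, fails in `ci` mode because RSA-2048 is present, and fails outright if the summary score is edited without touching the components.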

## GitHub Actions

Add to `.github/workflows/cbom.yml`. The package needs Python 3.11 or newer, so pin the interpreter instead of relying on whatever the runner image ships:

```yaml
on: [push, pull_request]
jobs:
  cbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with: { python-version: "3.12" }
      - name: Install cobalt-sbom
        run: pip install cobalt-sbom
      - name: Scan cryptographic assets
        run: cobalt-sbom scan . --output cbom.cdx.json --sign --fail-score 60
```

## Output format

CycloneDX 1.6 JSON, validated against the official schema and consumable by any tooling that understands CycloneDX 1.6. One caveat for strict consumers: the top-level `summary` block in the example below is a cobalt-sbom extension, not part of the CycloneDX 1.6 schema (which sets `additionalProperties: false` at the document root), so a strict validator will reject a document that carries it. Gate on the namespaced `cobalt:` properties of each component, or strip `summary` before handing the file to another tool:

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "components": [
    {
      "type": "cryptographic-asset",
      "name": "ML-DSA-65",
      "cryptoProperties": {
        "assetType": "algorithm",
        "algorithmProperties": {
          "primitive": "signature",
          "nistQuantumSecurityLevel": 3,
          "cryptoFunctions": ["sign", "verify"]
        }
      },
      "evidence": {
        "occurrences": [
          { "location": "src/auth.py", "line": 42 }
        ]
      },
      "properties": [
        { "name": "cobalt:quantumSafety", "value": "quantum-safe" }
      ]
    }
  ],
  "summary": {
    "quantum_readiness_score": 72,
    "quantum_unsafe": 15,
    "quantum_safe": 16,
    "broken_algorithms": ["DES", "SHA-1"]
  }
}
```
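To show the mechanics behind the feature list and the document above (identifier matching in source, symbol-name matching in binaries, a 0-100 score, and CycloneDX 1.6 `cryptographic-asset` components with `evidence.occurrences`), here is a small scanner in the same spirit. It is an added example, not cobalt-sbom's code: the detection regexes, the sample files, the scoring rule, the `cobalt:classicalStatus` property name and the decision to put the summary under `metadata.properties` (so the file stays valid under the official schema, which forbids unknown root keys) are all the editor's assumptions.

```python
"""Minimal crypto-asset scanner that emits a CycloneDX 1.6 CBOM.

Added example, not cobalt-sbom's own code. Assumptions: the detection
regexes below, the scoring rule (share of distinct detected assets that are
quantum-safe), the `cobalt:` property names, and putting the summary under
metadata.properties rather than a root `summary` key so the output stays
valid under bom-1.6.schema.json.
"""
import json
import re

# canonical name: (CycloneDX primitive, quantum safety, classical status, detection regex)
ALGORITHMS = {
    "ML-DSA-65":   ("signature",     "quantum-safe",   "ok",         r"ML[-_]?DSA[-_]?65|ml_dsa_65|dilithium3"),
    "ML-KEM-768":  ("kem",           "quantum-safe",   "ok",         r"ML[-_]?KEM[-_]?768|ml_kem_768|kyber768"),
    "AES-256-GCM": ("ae",            "quantum-safe",   "ok",         r"AES[-_]?256[-_]?GCM|aes_256_gcm"),
    "SHA-256":     ("hash",          "quantum-safe",   "ok",         r"SHA[-_]?256|sha256"),
    "RSA":         ("pke",           "quantum-unsafe", "ok",         r"\bRSA\b|rsa\.|EVP_PKEY_RSA"),
    "ECDSA":       ("signature",     "quantum-unsafe", "ok",         r"\bECDSA\b|ecdsa\.|EC_KEY_"),
    "SHA-1":       ("hash",          "quantum-unsafe", "deprecated", r"SHA[-_]?1\b|sha1\(|SHA1_Init"),
    "MD5":         ("hash",          "quantum-unsafe", "broken",     r"\bMD5\b|hashlib\.md5|MD5_Init"),
    "DES":         ("block-cipher",  "quantum-unsafe", "broken",     r"\bDES\b|EVP_des_|des\.New"),
    "RC4":         ("stream-cipher", "quantum-unsafe", "broken",     r"\bRC4\b|EVP_rc4|rc4\."),
}
PATTERNS = {name: re.compile(spec[3]) for name, spec in ALGORITHMS.items()}

# Constructed inputs standing in for a checkout and a built shared library.
SAMPLE_SOURCES = {
    "src/auth.py": (
        "import hashlib\n"
        "from pqc import ML_DSA_65\n"
        "\n"
        "def fingerprint(data):\n"
        "    return hashlib.md5(data).hexdigest()\n"
    ),
    "pkg/tls.go": (
        "package tls\n"
        "import \"crypto/ecdsa\"\n"
        "const Suite = \"TLS_AES_256_GCM_SHA384\"\n"
        "func newKey() { _ = ecdsa.GenerateKey }\n"
    ),
    "legacy/crypt.c": (
        "#include <openssl/des.h>\n"
        "void f(void) { EVP_des_ecb(); SHA1_Init(NULL); }\n"
    ),
}
SAMPLE_BINARIES = {
    "build/libauth.so": b"\x7fELF\x02\x01\x01" + b"\x00" * 9
        + b"EVP_des_ecb\x00MD5_Init\x00EVP_aes_256_gcm\x00OQS_SIG_ml_dsa_65\x00memcpy\x00",
}


def scan_source(path, text, findings):
    """Line-by-line identifier matching; each hit becomes a 1.6 occurrence with a line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.setdefault(name, []).append({"location": path, "line": lineno})


def scan_binary(path, data, findings):
    """strings(1)-style: printable runs of 4+ bytes, matched as symbol names (EVP_des_ecb, ...)."""
    for raw in re.findall(rb"[\x20-\x7e]{4,}", data):
        sym = raw.decode("ascii")
        for name, pattern in PATTERNS.items():
            if pattern.search(sym):
                findings.setdefault(name, []).append({"location": path, "symbol": sym})


def scan_tree(sources, binaries):
    findings = {}
    for path, text in sources.items():
        scan_source(path, text, findings)
    for path, data in binaries.items():
        scan_binary(path, data, findings)
    return findings


def readiness(findings):
    """Assumed rule: percentage of distinct detected assets that are quantum-safe."""
    safe = sum(1 for n in findings if ALGORITHMS[n][1] == "quantum-safe")
    unsafe = len(findings) - safe
    score = round(100 * safe / len(findings)) if findings else 100
    return safe, unsafe, score


def build_cbom(findings):
    safe, unsafe, score = readiness(findings)
    broken = sorted(n for n in findings if ALGORITHMS[n][2] == "broken")
    components = []
    for name in sorted(findings):
        primitive, safety, status, _ = ALGORITHMS[name]
        components.append({
            "type": "cryptographic-asset",
            "name": name,
            "cryptoProperties": {"assetType": "algorithm",
                                 "algorithmProperties": {"primitive": primitive}},
            "evidence": {"occurrences": findings[name]},
            "properties": [{"name": "cobalt:quantumSafety", "value": safety},
                           {"name": "cobalt:classicalStatus", "value": status}],
        })
    # Summary lives under metadata.properties: the root of a 1.6 document admits no extra keys.
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
        "metadata": {"properties": [
            {"name": "cobalt:quantumReadinessScore", "value": str(score)},
            {"name": "cobalt:quantumSafe", "value": str(safe)},
            {"name": "cobalt:quantumUnsafe", "value": str(unsafe)},
            {"name": "cobalt:brokenAlgorithms", "value": ",".join(broken)},
        ]},
        "components": components,
    }


if __name__ == "__main__":
    print(json.dumps(build_cbom(scan_tree(SAMPLE_SOURCES, SAMPLE_BINARIES)), indent=2))
```

Run it directly to print the generated document. Source hits carry `line` and binary hits carry `symbol`; both are legal 1.6 occurrence fields, so a downstream tool can pivot from a finding straight to the offending file or the linked library.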

## Why CBOM

Cryptographic inventories are becoming a compliance requirement: US Executive Order 14028 made SBOMs a federal procurement requirement, the EU Cyber Resilience Act requires manufacturers to document and track the components they ship, and NIST IR 8547 sets the timeline for deprecating quantum-vulnerable algorithms. The CycloneDX CBOM Working Group is standardizing the format. **First movers own the toolchain.**

---

Built on [OMEGA](https://omega-sovereign.fly.dev) — sovereign intelligence stack.
Signing powered by [AXIOM](https://axiom-trust.fly.dev) — ML-DSA-65 post-quantum certificates.
