IBM is donating its CBOM toolset to the Linux Foundation
Our world relies on digital systems, and cryptography plays a key role in engineering trust and safety into those systems. With new risks emerging and potentially leading to significant security breaches, our methods of encryption and data management must be continuously improved to keep up with evolving threats.
An important aspect of digital security is related to documenting the cryptographic elements of a system or software — something that is standardized through the use of a cryptographic bill of materials (or CBOM). By collecting and representing cryptographic assets, such as algorithms, keys, certificates, protocols, and their configurations, a CBOM helps organizations understand how and where cryptography is applied in their systems, and whether those implementations meet current and future security standards.
The security group at IBM Research Europe–Zurich has significantly contributed to the CycloneDX CBOM standard. In 2024, IBM open-sourced CBOMkit, a toolset developed by the group to actively manage cryptographic assets within projects. It offers inventory generation, visualization, analysis and storage, empowering both developers and the open-source community.
Since then, the group has been working to improve the adoption of the standard. The researchers have developed a set of tools to support the generation and analysis of CBOMs, and recently chose to donate the software to the Post-Quantum Cryptography Alliance (PQCA), a project of the Linux Foundation.
The tool suite transferred to the PQCA comprises several services:
- Sonar-cryptography, a plugin for the SonarQube server that analyzes Java and Python source code, outputting a CBOM object featuring all the identified cryptographic assets as well as the location of these findings.
- CBOMkit, a service for cloning GitHub repositories that scans the source code for cryptographic assets and generates the corresponding CBOM object. It provides a front-end for viewing the analysis results, as well as a server for interfacing with Sonar-cryptography and a database for storing the CBOMs.
- CBOMkit-action, a GitHub action available on the GitHub Marketplace that identifies all the project modules contained within a GitHub repository, scans the corresponding source code and produces a CBOM object per project module. It also generates a consolidated CBOM file that contains all cryptographic findings for the entire repository.
- CBOMkit-theia, a tool for analyzing container images (either Docker or OCI) by scanning the image file system and identifying cryptographic assets in certificates, secrets, and security configurations. The findings can be merged with source-code CBOM objects representing the cryptography used in image dependencies, providing a comprehensive view of the cryptographic posture of the container image.
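To illustrate what the merge described above produces, here is an added example (not code from this post or from the CBOMkit project): it merges a constructed source-code CBOM with a constructed container-image CBOM, keyed on bom-ref, keeps every evidence location of an asset seen in both, and lists algorithms with no quantum security. Field names follow the CycloneDX 1.6 cryptographic-asset schema (assetType, algorithmProperties, nistQuantumSecurityLevel, evidence.occurrences); that schema use, the sample assets and the file paths are assumptions, not taken from the post.

```python
import json

# Constructed sample of a source-code scan. Field names follow CycloneDX
# 1.6 cryptographic-asset components (assumed, not this page's own output).
SOURCE_CBOM = json.loads("""{"specVersion": "1.6", "components": [
 {"type": "cryptographic-asset", "name": "RSA-2048", "bom-ref": "alg:rsa-2048",
  "cryptoProperties": {"assetType": "algorithm", "algorithmProperties":
   {"primitive": "signature", "nistQuantumSecurityLevel": 0}},
  "evidence": {"occurrences": [{"location": "src/Signer.java", "line": 42}]}},
 {"type": "cryptographic-asset", "name": "AES-256-GCM", "bom-ref": "alg:aes-256-gcm",
  "cryptoProperties": {"assetType": "algorithm", "algorithmProperties":
   {"primitive": "ae", "nistQuantumSecurityLevel": 5}}}]}""")

# Constructed sample of a container-image scan of the same service.
IMAGE_CBOM = json.loads("""{"specVersion": "1.6", "components": [
 {"type": "cryptographic-asset", "name": "RSA-2048", "bom-ref": "alg:rsa-2048",
  "cryptoProperties": {"assetType": "algorithm", "algorithmProperties":
   {"primitive": "signature", "nistQuantumSecurityLevel": 0}},
  "evidence": {"occurrences": [{"location": "/etc/ssl/certs/server.pem"}]}},
 {"type": "cryptographic-asset", "name": "server.pem", "bom-ref": "cert:server",
  "cryptoProperties": {"assetType": "certificate", "certificateProperties":
   {"signatureAlgorithmRef": "alg:rsa-2048"}}}]}""")

def merge_cboms(*boms):
    """Union of components keyed by bom-ref; an asset found in several
    inputs keeps every evidence occurrence. Inputs are not mutated."""
    merged = {}
    for bom in boms:
        for comp in bom.get("components", []):
            ref = comp.get("bom-ref") or comp["name"]
            if ref not in merged:
                merged[ref] = json.loads(json.dumps(comp))  # deep copy
                continue
            occ = merged[ref].setdefault("evidence", {}).setdefault("occurrences", [])
            occ.extend(comp.get("evidence", {}).get("occurrences", []))
    return {"specVersion": "1.6", "components": list(merged.values())}

def quantum_vulnerable(bom):
    """Algorithm names with nistQuantumSecurityLevel 0 or absent (absent = unreviewed, so reported)."""
    names = []
    for comp in bom["components"]:
        props = comp.get("cryptoProperties", {})
        if props.get("assetType") != "algorithm":
            continue
        if not props.get("algorithmProperties", {}).get("nistQuantumSecurityLevel"):
            names.append(comp["name"])
    return sorted(names)

if __name__ == "__main__":
    merged = merge_cboms(SOURCE_CBOM, IMAGE_CBOM)
    print(len(merged["components"]), "assets; quantum-vulnerable:", quantum_vulnerable(merged))
```

In the merged output RSA-2048 appears once but carries both its source-file and its certificate location, which is the cross-layer view the post describes.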
The team at IBM sees the donation of these tools to the Linux Foundation as an important step in adopting CBOM and solidifying cryptographic standards. In an era where trust and transparency in technology are more important than ever, this effort is representative of a collaborative commitment to make our digital landscape increasingly safer.