Generate CBOM with the Xygeni CLI

A Cryptographic Bill of Materials (CBOM) is a structured inventory of every cryptographic asset — algorithm, protocol, certificate, and key material — found in your project's source code. Xygeni produces CycloneDX 1.6 CBOM JSON using the inventory --cbom command.

What the CBOM covers

Xygeni scans source code across 8 languages and emits four types of cryptographic assets:

Asset type        Examples
Algorithm         AES-256-GCM, SHA-256, RSA-3072, Ed25519, MD5 (weak), DES (weak)
Protocol          TLS 1.3, TLS 1.2
Certificate       PEM/DER files, X.509 certificate references
Related material  PBKDF2 key derivation, key wrapping, IV/salt references

Supported languages: Java, Kotlin, JavaScript/TypeScript, Python, Go, C#, PHP, Swift.

Running a CBOM scan

Use the inventory command with the --cbom flag and specify the output file path:

xygeni inventory --cbom cbom-output.json

To scan a specific directory:

xygeni inventory --dir /path/to/project --cbom cbom-output.json

The --cbom flag implies CycloneDX 1.6 format automatically. No --sbom-format is required.

Generating SBOM and CBOM together

--cbom is independent from --sbom / --sbom-format: a single inventory invocation can emit both an SBOM and a CBOM, each to its own file, in one pass over the project. This is the recommended way to produce both artifacts in CI — the scanner walks the codebase once and the two reports are guaranteed to describe the same revision.

This produces:

  • sbom.json — the dependency SBOM in the format selected by --sbom-format (cyclonedx or spdx).

  • cbom.json — the Cryptographic BOM, always CycloneDX 1.6.

Notes:

  • --sbom and --sbom-format must always be used together. --cbom may be used with or without them.

  • The two outputs are written to separate files; do not point --sbom and --cbom at the same path.

  • When --sbom-format is cyclonedx, the SBOM and CBOM share the CycloneDX schema family but are distinct documents (one describes components/dependencies, the other describes cryptographic assets).

Understanding the output

The output is a CycloneDX 1.6 JSON file. Each cryptographic asset appears as a cryptographic-asset component with:

  • cryptoProperties.assetType — algorithm, certificate, related-crypto-material, or protocol

  • cryptoProperties.algorithmProperties — primitive, mode, parameterSetIdentifier (key size)

  • evidence.occurrences — the exact source file and line number of every usage

Assets are deduplicated: if AES-256-GCM is used in ten files, the CBOM carries one component with ten occurrences. This mirrors the IBM cbomkit convention.

Example output snippet

Weak and broken algorithms

The CBOM is an inventory, not a policy gate. Weak algorithms (MD5, DES, RSA-1024, SHA-1) are included alongside strong ones. Use Xygeni's SAST scanner or policy rules to flag weak crypto as findings — the CBOM data feeds those rules automatically.
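The following is an added example, not Xygeni's code, showing how a CI step can consume the output layout described above (cryptographic-asset components with cryptoProperties and evidence.occurrences) and turn the inventory into a policy gate for the weak algorithms this section names. The embedded CBOM is a constructed document: its asset names, file paths and line numbers are invented, and the policy (the broken-algorithm list and the 2048-bit RSA floor) is an assumption, not a Xygeni rule.

```python
"""Gate a CI build on the contents of a CycloneDX 1.6 CBOM (added example)."""
from __future__ import annotations

import json
import sys

# Constructed CBOM in the shape of `inventory --cbom` output; all values are invented.
SAMPLE_CBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "cryptographic-asset", "name": "AES-256-GCM",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "ae", "mode": "gcm",
                                                      "parameterSetIdentifier": "256"}},
         "evidence": {"occurrences": [{"location": "src/vault/Sealer.java", "line": 42},
                                      {"location": "src/vault/Unsealer.java", "line": 17}]}},
        {"type": "cryptographic-asset", "name": "MD5",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "hash",
                                                      "parameterSetIdentifier": "128"}},
         # Deduplicated asset: one component, one occurrence per call site.
         "evidence": {"occurrences": [{"location": "src/legacy/Checksum.java", "line": 9},
                                      {"location": "src/legacy/Checksum.java", "line": 31},
                                      {"location": "src/api/ETag.java", "line": 58}]}},
        {"type": "cryptographic-asset", "name": "RSA-1024",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "pke",
                                                      "parameterSetIdentifier": "1024"}},
         "evidence": {"occurrences": [{"location": "src/license/Verifier.java", "line": 120}]}},
        {"type": "cryptographic-asset", "name": "TLS 1.2",
         "cryptoProperties": {"assetType": "protocol",
                              "protocolProperties": {"type": "tls", "version": "1.2"}},
         "evidence": {"occurrences": [{"location": "src/net/Client.java", "line": 5}]}},
    ],
})

# Assumed policy: algorithms the page calls weak, plus a key-size floor for RSA.
BROKEN_ALGORITHMS = {"MD5", "SHA-1", "DES"}
MIN_RSA_BITS = 2048


def crypto_assets(cbom: dict) -> list[dict]:
    """All cryptographic-asset components of a CycloneDX 1.6 document."""
    return [c for c in cbom.get("components", []) if c.get("type") == "cryptographic-asset"]


def occurrences(component: dict) -> list[str]:
    """'file:line' for every usage recorded under evidence.occurrences."""
    occs = component.get("evidence", {}).get("occurrences", [])
    return [f"{o.get('location', '?')}:{o.get('line', '?')}" for o in occs]


def weakness(component: dict) -> str | None:
    """Reason the asset violates the policy, or None if it passes."""
    props = component.get("cryptoProperties", {})
    if props.get("assetType") != "algorithm":
        return None  # certificates, protocols and key material are not judged here
    name = component.get("name", "").upper()
    if name in BROKEN_ALGORITHMS:
        return f"{name} is a broken algorithm"
    if name.startswith("RSA"):
        bits = props.get("algorithmProperties", {}).get("parameterSetIdentifier", "")
        if bits.isdigit() and int(bits) < MIN_RSA_BITS:
            return f"RSA-{bits} is below the {MIN_RSA_BITS}-bit minimum"
    return None


def weak_findings(cbom_text: str) -> list[dict]:
    """Every policy violation in a CBOM, with the call sites that introduce it."""
    cbom = json.loads(cbom_text)
    findings = []
    for component in crypto_assets(cbom):
        reason = weakness(component)
        if reason:
            findings.append({"name": component["name"], "reason": reason,
                             "occurrences": occurrences(component)})
    return findings


def main(path: str | None = None) -> int:
    """Print each finding with its source locations; exit 1 so CI fails the build."""
    text = open(path, encoding="utf-8").read() if path else SAMPLE_CBOM
    findings = weak_findings(text)
    for finding in findings:
        print(f"{finding['name']}: {finding['reason']}")
        for site in finding["occurrences"]:
            print(f"    {site}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it with the path of a real cbom-output.json as the first argument; without one it evaluates the constructed sample. Only algorithm assets are judged, so a protocol or certificate entry never trips the gate; the deduplicated occurrence list is what lets the report point at every call site of a single weak asset.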

CI/CD integration

Add CBOM generation to any CI/CD pipeline by calling the scanner as a build step:

To produce both an SBOM and a CBOM in the same job (one scan, two artifacts):
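As an added example (not Xygeni's own snippet), the Python CI helper below builds and runs the single inventory pass that writes both reports, using only the flags documented on this page (--dir, --sbom, --sbom-format, --cbom) and enforcing the notes in "Generating SBOM and CBOM together": --sbom and --sbom-format go together, the format is cyclonedx or spdx, and the two outputs never share a path. It assumes --sbom takes an output file path in the same way the examples above show for --cbom.

```python
"""One `xygeni inventory` pass that emits SBOM and CBOM (added example)."""
from __future__ import annotations

import shutil
import subprocess
from pathlib import Path

SBOM_FORMATS = {"cyclonedx", "spdx"}


def flag_error(cbom: str, sbom: str | None, sbom_format: str | None) -> str | None:
    """The rule the flag combination violates, or None when it is valid."""
    if (sbom is None) != (sbom_format is None):
        return "--sbom and --sbom-format must be used together"
    if sbom_format is not None and sbom_format not in SBOM_FORMATS:
        return f"--sbom-format must be one of {sorted(SBOM_FORMATS)}"
    if sbom is not None and Path(sbom).resolve() == Path(cbom).resolve():
        return "--sbom and --cbom must not point at the same file"
    return None


def inventory_command(project_dir: str, cbom: str, sbom: str | None = None,
                      sbom_format: str | None = None) -> list[str]:
    """argv for one scan that writes a CBOM and, optionally, an SBOM."""
    error = flag_error(cbom, sbom, sbom_format)
    if error:
        raise ValueError(error)
    # --cbom implies CycloneDX 1.6; no format flag is needed for it.
    argv = ["xygeni", "inventory", "--dir", project_dir, "--cbom", cbom]
    if sbom is not None:
        argv += ["--sbom", sbom, "--sbom-format", sbom_format]
    return argv


def run_inventory(project_dir: str, cbom: str, sbom: str | None = None,
                  sbom_format: str | None = None) -> list[str]:
    """Run the scan and return the report paths that should now exist."""
    argv = inventory_command(project_dir, cbom, sbom, sbom_format)
    if shutil.which(argv[0]) is None:
        raise FileNotFoundError("xygeni CLI is not on PATH")
    subprocess.run(argv, check=True)  # a non-zero exit fails the CI step
    return [p for p in (sbom, cbom) if p]


if __name__ == "__main__":
    # Prints the command a CI job would run for the current checkout.
    print(" ".join(inventory_command(".", "cbom.json", "sbom.json", "cyclonedx")))
```

Because both reports come from one invocation, they describe the same revision of the checkout; archive them together as build artifacts.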
