The CBOMkit library implements commonly used functions such as indexing and scanning source code for cryptographic assets. Currently we support the programming languages Java and Python. For each supported language there is an indexer and a scanner. The indexer walks a given directory tree (e.g., a cloned GitHub repo) and identifies the project modules to be scanned. A project module consists of a set of source files that provide some common functionality and that may be published as an individual software package. The scanner scans the identified project modules and produces a scan result object that contains the resulting CBOM and some scanning statistics.
The accuracy of the Java scanner depends on the availability of build artifacts such as dependency jars and compiled class files. Scanning source code only (no classes, no jars) is disabled by default as it provides the least accurate results. Source-only scanning can be enabled via JavaScannerService.setBuildRequired(false). Class files can be provided via JavaScannerService.addJavaClassDir(String dir), which takes a comma-separated list of directory glob patterns. Jars can be set via JavaScannerService.addJavaDependencyJar(String jar), which accepts a comma-separated list of glob patterns pointing to either directories or .jar/.zip files.
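As an added example (not part of CBOMkit itself), the helper below wires a checkout into the three configuration calls named above so that the least accurate mode, source-only scanning, is only chosen when no build artifacts are actually present, and that choice is logged. It assumes `setBuildRequired`, `addJavaClassDir` and `addJavaDependencyJar` are instance methods on an already-constructed `JavaScannerService` (the page does not show how the service is created or how a scan is started, so both are left out); the `JavaScanConfig` class, the `BuildArtifacts` record and the `classes` directory-name heuristic are this example's own assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;

/** Example-only helper: picks the most accurate JavaScannerService mode a checkout supports. */
public class JavaScanConfig {

    /** Build artifacts discovered under a checkout (assumed shape, not a CBOMkit type). */
    public record BuildArtifacts(List<Path> classDirs, List<Path> jars) {
        boolean isEmpty() {
            return classDirs.isEmpty() && jars.isEmpty();
        }
    }

    /**
     * Walk the checkout and collect compiled-class directories and dependency archives.
     * Heuristic: a directory whose last element is "classes" (Maven target/classes,
     * Gradle build/classes) counts as a class dir; any .jar/.zip file counts as a jar.
     */
    public static BuildArtifacts findBuildArtifacts(Path root) throws IOException {
        List<Path> classDirs = new ArrayList<>();
        List<Path> jars = new ArrayList<>();
        try (Stream<Path> walk = Files.walk(root)) {
            walk.forEach(p -> {
                if (Files.isDirectory(p) && p.endsWith("classes")) {
                    classDirs.add(p);
                } else if (Files.isRegularFile(p)) {
                    String name = p.getFileName().toString();
                    if (name.endsWith(".jar") || name.endsWith(".zip")) {
                        jars.add(p);
                    }
                }
            });
        }
        return new BuildArtifacts(classDirs, jars);
    }

    /**
     * Join concrete paths into the comma-separated glob list the setters accept.
     * A literal path is a valid (single-match) glob; paths containing a comma would be
     * split by the setter, so they are rejected here rather than silently misread.
     */
    static String commaSeparated(List<Path> paths) {
        for (Path p : paths) {
            if (p.toString().contains(",")) {
                throw new IllegalArgumentException("path contains a comma and cannot be listed: " + p);
            }
        }
        return paths.stream().map(Path::toString).collect(Collectors.joining(","));
    }

    /**
     * Configure the scanner for the given checkout. Source-only scanning is enabled only
     * when nothing better exists, and that downgrade is recorded so the CBOM consumer
     * knows the result came from the least accurate mode.
     */
    public static void configure(JavaScannerService scanner, Path root) throws IOException {
        BuildArtifacts found = findBuildArtifacts(root);
        if (found.isEmpty()) {
            System.err.println("WARN: no class files or jars under " + root
                    + "; enabling source-only scan (least accurate results)");
            scanner.setBuildRequired(false);   // explicit opt-in, off by default
            return;
        }
        if (!found.classDirs().isEmpty()) {
            scanner.addJavaClassDir(commaSeparated(found.classDirs()));
        }
        if (!found.jars().isEmpty()) {
            scanner.addJavaDependencyJar(commaSeparated(found.jars()));
        }
    }
}
```

Call `JavaScanConfig.configure(service, Path.of("/path/to/checkout"))` after constructing the service and before starting the scan. Keeping `setBuildRequired(false)` behind the empty-artifacts check means a CI job that forgot to run the build fails loudly (the default, build-required behaviour) unless the fallback is deliberately taken, and the warning line in the job log tells a reviewer which CBOMs came from source-only scans.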