The CBOMKit pipeline is designed to generate a Cryptographic Bill of Materials (CBOM) for a repository and its dependencies. It works by:
- Running the SonarCryptography plugin to identify cryptographic assets in the project repository.
- Getting a list of the project dependencies by generating a Software Bill of Materials (SBOM) using cdxgen.
- Scanning project dependencies with the SonarCryptography plugin.
- Storing all resulting CBOMs in the CBOMKit database.
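The dependency stages above (SBOM from cdxgen, a per-dependency scan, the collected CBOMs), as an added example in Python that is not CBOMKit's or the SonarCryptography plugin's code. It reads a cdxgen-style CycloneDX SBOM, separates dependencies into those the pipeline can scan (Maven coordinates with a resolved version), those whose version did not resolve, and those in ecosystems outside the supported list (both cases the limitations below warn about), and summarises the cryptographic-asset components of a resulting CBOM. The SBOM and CBOM documents are constructed inline; the CycloneDX 1.6 field names for cryptographic assets (`cryptographic-asset`, `cryptoProperties`, `assetType`, `algorithmProperties.primitive`) are given as I know the specification and should be checked against the CBOMs your CBOMKit instance actually produces.

```python
"""Helpers for the dependency half of a CBOM pipeline: read a cdxgen-style
CycloneDX SBOM, decide which dependencies a Maven-only scan can cover, and
summarise the cryptographic-asset components of a resulting CBOM.

Added example, not CBOMKit code. Both documents below are constructed; the
CycloneDX 1.6 crypto field names are an assumption to verify against real output.
"""
import json
from collections import Counter
from urllib.parse import unquote

# Constructed SBOM: one resolvable Maven dependency, one Maven dependency whose
# version could not be resolved, and one npm package the pipeline cannot scan.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "bcprov-jdk18on", "version": "1.78",
         "purl": "pkg:maven/org.bouncycastle/bcprov-jdk18on@1.78?type=jar"},
        {"type": "library", "name": "internal-crypto-utils",
         "purl": "pkg:maven/com.example/internal-crypto-utils"},
        {"type": "library", "name": "node-forge", "version": "1.3.1",
         "purl": "pkg:npm/node-forge@1.3.1"},
    ],
})

# Constructed CBOM in the CycloneDX 1.6 layout as assumed above.
SAMPLE_CBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [
        {"type": "cryptographic-asset", "name": "AES-128-GCM",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "ae", "parameterSetIdentifier": "128"}}},
        {"type": "cryptographic-asset", "name": "RSA-2048",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "pke", "parameterSetIdentifier": "2048"}}},
        {"type": "cryptographic-asset", "name": "SHA-256",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "hash"}}},
    ],
})


def parse_purl(purl):
    """Split a package URL (pkg:type/namespace/name@version?q=v#subpath) into its parts."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    rest = purl[4:].lstrip("/")
    rest, _, _subpath = rest.partition("#")   # subpath is irrelevant for scanning
    rest, _, query = rest.partition("?")      # qualifiers come after the version
    path, _, version = rest.partition("@")
    parts = [unquote(p) for p in path.split("/") if p]
    ptype, name = parts[0], parts[-1]
    namespace = "/".join(parts[1:-1]) or None
    qualifiers = dict(kv.split("=", 1) for kv in query.split("&") if kv)
    return {"type": ptype, "namespace": namespace, "name": name,
            "version": unquote(version) or None, "qualifiers": qualifiers}


def split_dependencies(sbom_json, scannable_types=("maven",)):
    """Return (scannable, unresolved, unsupported) for the components of an SBOM.

    scannable:   purl type in scannable_types and a resolved version (parsed dicts)
    unresolved:  Maven purl with no version, or a component with no purl at all
    unsupported: purl type the scan cannot handle (e.g. npm for a Maven-only scan)
    """
    sbom = json.loads(sbom_json)
    scannable, unresolved, unsupported = [], [], []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            unresolved.append(comp.get("name", "?"))
            continue
        p = parse_purl(purl)
        if p["type"] not in scannable_types:
            unsupported.append(purl)
        elif p["version"] is None:
            unresolved.append(purl)
        else:
            scannable.append(p)
    return scannable, unresolved, unsupported


def maven_coordinates(dep):
    """groupId:artifactId:version string a per-dependency scan step would iterate over."""
    return f"{dep['namespace']}:{dep['name']}:{dep['version']}"


def summarize_cbom(cbom_json):
    """Count cryptographic-asset components by assetType and, for algorithms, by primitive."""
    cbom = json.loads(cbom_json)
    by_type, by_primitive, names = Counter(), Counter(), []
    for comp in cbom.get("components", []):
        if comp.get("type") != "cryptographic-asset":
            continue
        props = comp.get("cryptoProperties", {})
        asset_type = props.get("assetType", "unknown")
        by_type[asset_type] += 1
        if asset_type == "algorithm":
            by_primitive[props.get("algorithmProperties", {}).get("primitive", "unknown")] += 1
        names.append(comp.get("name", "?"))
    return {"by_asset_type": dict(by_type), "by_primitive": dict(by_primitive), "names": names}


if __name__ == "__main__":
    scannable, unresolved, unsupported = split_dependencies(SAMPLE_SBOM)
    print("scan:", [maven_coordinates(d) for d in scannable])
    print("unresolved:", unresolved, "unsupported:", unsupported)
    print(summarize_cbom(SAMPLE_CBOM))
```

Treat a non-empty `unresolved` list as a pipeline warning rather than a failure, since the page notes that unresolved dependencies are expected; the `unsupported` list tells you which parts of the dependency tree the resulting CBOM will not cover.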
This pipeline was tested on Azure DevOps (with this version of CBOMKit) and can be integrated into existing workflows. To set it up:
- Clone the Mastercard client-encryption-java repository (the example project used here) into your Azure DevOps repository.
- Create a new Azure DevOps pipeline and copy the content of the pipeline.yml file into it.
- Install SonarQube.
- Install the SonarCryptography plugin.
- Create a project in SonarQube.
- Note the project key, project name, and project token.
- Update the script and replace `<your-project-key>` and `<your-project-name>` with your values.
- Create a service connection using the IP/URL of your SonarQube instance and your project token.
- Note the service connection name.
- Update the script and replace `<your-service-connection-name>` with your connection name.
- Add the SonarCryptography ruleset to your SonarQube project.
- Deploy CBOMKit.
- Update your script and replace `<your-CBOMKit-IP>` with your CBOMKit server IP/URL.
The pipeline is experimental and has certain known limitations:
- Not all dependencies may be resolved (due to limitations of the third-party service used by the SonarCryptography plugin).
- Only languages and libraries on CBOMKit's list of supported languages and libraries produce a CBOM. For Java projects, only Maven builds are currently scannable.
- Scans for large repositories may fail; increase RAM/CPU for the CBOMKit instance if needed.
- The CBOMKit Docker container may run out of disk space; clean leftover artifacts regularly.
- If using a VPN, import the VPN certificates into the Java Trust Store of the CBOMKit Docker container; otherwise the scanner's TLS connections through the VPN fail certificate validation.
