Fix: enrich asset collections (#344)

* Fix: enrich asset collections

Signed-off-by: san-zrl <san@zurich.ibm.com>

* improved protocol encodings: fixed empty ref for TLS dependecies; added cryptoRefArray to protocols; added IPSec protocol object

Signed-off-by: san-zrl <san@zurich.ibm.com>

* replaced deprecated code

Signed-off-by: san-zrl <san@zurich.ibm.com>

* added IKE protocol type to mapper API

Signed-off-by: san-zrl <san@zurich.ibm.com>

---------

Signed-off-by: san-zrl <san@zurich.ibm.com>

Author: san-zrl

enricher/src/main/java/com/ibm/enricher/Enricher.java

@@ -20,6 +20,7 @@
 package com.ibm.enricher;
 
 import com.ibm.enricher.algorithm.AESEnricher;
+import com.ibm.enricher.algorithm.AbstractAssetCollectionEnricher;
 import com.ibm.enricher.algorithm.DESEnricher;
 import com.ibm.enricher.algorithm.DHEnricher;
 import com.ibm.enricher.algorithm.DSAEnricher;
@@ -94,7 +95,8 @@ private static INode enrichTree(@Nonnull INode node) {
                     new SignatureEnricher(),
                     new TagOrDigestEnricher(),
                     new KEMEnricher(),
-                    new SecretKeyEnricher());
+                    new SecretKeyEnricher(),
+                    new AbstractAssetCollectionEnricher());
 
     /**
      * Enriches the given node with additional information.

enricher/src/main/java/com/ibm/enricher/algorithm/AbstractAssetCollectionEnricher.java

@@ -0,0 +1,39 @@
+/*
+ * Sonar Cryptography Plugin
+ * Copyright (C) 2024 PQCA
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to you under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.ibm.enricher.algorithm;
+
+import com.ibm.enricher.Enricher;
+import com.ibm.enricher.IEnricher;
+import com.ibm.mapper.model.INode;
+import com.ibm.mapper.model.collections.AbstractAssetCollection;
+import java.util.ArrayList;
+import javax.annotation.Nonnull;
+
+public class AbstractAssetCollectionEnricher implements IEnricher {
+
+    @Nonnull
+    @Override
+    public INode enrich(@Nonnull INode node) {
+        if (node instanceof AbstractAssetCollection<? extends INode> aac) {
+            Enricher.enrich(new ArrayList<INode>(aac.getCollection()));
+        }
+        return node;
+    }
+}

mapper/src/main/java/com/ibm/mapper/model/protocol/IKE.java

@@ -0,0 +1,37 @@
+/*
+ * Sonar Cryptography Plugin
+ * Copyright (C) 2024 PQCA
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to you under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.ibm.mapper.model.protocol;
+
+import com.ibm.mapper.model.Protocol;
+import com.ibm.mapper.model.Version;
+import com.ibm.mapper.utils.DetectionLocation;
+import javax.annotation.Nonnull;
+
+public final class IKE extends Protocol {
+
+    public IKE(@Nonnull DetectionLocation detectionLocation) {
+        super(new Protocol("IKE", detectionLocation), IKE.class);
+    }
+
+    public IKE(@Nonnull Version version) {
+        super(new Protocol("IKE" + version.asString(), version.getDetectionContext()), IKE.class);
+        this.put(version);
+    }
+}

mapper/src/main/java/com/ibm/mapper/model/protocol/IPSec.java

@@ -0,0 +1,31 @@
+/*
+ * Sonar Cryptography Plugin
+ * Copyright (C) 2024 PQCA
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to you under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.ibm.mapper.model.protocol;
+
+import com.ibm.mapper.model.Protocol;
+import com.ibm.mapper.utils.DetectionLocation;
+import javax.annotation.Nonnull;
+
+public final class IPSec extends Protocol {
+
+    public IPSec(@Nonnull DetectionLocation detectionLocation) {
+        super(new Protocol("IPSec", detectionLocation), IPSec.class);
+    }
+}

output/src/main/java/com/ibm/output/cyclondx/CBOMOutputFile.java

@@ -87,6 +87,7 @@
 import org.cyclonedx.model.Metadata;
 import org.cyclonedx.model.OrganizationalEntity;
 import org.cyclonedx.model.Service;
+import org.cyclonedx.model.component.crypto.CryptoRef;
 import org.cyclonedx.model.component.evidence.Occurrence;
 import org.cyclonedx.model.metadata.ToolInformation;
 import org.slf4j.Logger;
@@ -201,6 +202,14 @@ private void createProtocolComponent(@Nullable String parentBomRef, @Nonnull Pro
             return;
         }
         addComponentAndDependencies(protocol, optionalId.get(), parentBomRef, node);
+
+        Dependency protocolDependency = dependencies.get(protocol.getBomRef());
+        if (protocolDependency != null) {
+            CryptoRef cryptoRef = new CryptoRef();
+            cryptoRef.setRef(
+                    protocolDependency.getDependencies().stream().map(Dependency::getRef).toList());
+            protocol.getCryptoProperties().getProtocolProperties().setCryptoRefArray(cryptoRef);
+        }
     }
 
     private void createCipherSuiteComponent(

output/src/main/java/com/ibm/output/cyclondx/builder/ProtocolComponentBuilder.java

@@ -25,6 +25,8 @@
 import com.ibm.mapper.model.Identifier;
 import com.ibm.mapper.model.Protocol;
 import com.ibm.mapper.model.collections.CipherSuiteCollection;
+import com.ibm.mapper.model.protocol.IKE;
+import com.ibm.mapper.model.protocol.IPSec;
 import com.ibm.mapper.model.protocol.TLS;
 import java.util.ArrayList;
 import java.util.List;
@@ -49,6 +51,7 @@ public class ProtocolComponentBuilder implements IProtocolComponentBuilder {
     protected ProtocolComponentBuilder(
             @Nonnull BiFunction<String, Algorithm, String> algorithmComponentBuilder) {
         this.component = new Component();
+        this.component.setBomRef(UUID.randomUUID().toString());
         this.cryptoProperties = new CryptoProperties();
         this.protocolProperties = new ProtocolProperties();
         this.algorithmComponentBuilder = algorithmComponentBuilder;
@@ -95,6 +98,10 @@ public IProtocolComponentBuilder type(@Nullable Protocol type) {
 
         if (type instanceof TLS) {
             protocolProperties.setType(ProtocolType.TLS);
+        } else if (type instanceof IPSec) {
+            protocolProperties.setType(ProtocolType.IPSEC);
+        } else if (type instanceof IKE) {
+            protocolProperties.setType(ProtocolType.IKE);
         } else {
             protocolProperties.setType(ProtocolType.OTHER);
         }
@@ -140,7 +147,7 @@ public IProtocolComponentBuilder cipherSuites(@Nullable INode node) {
                                         if (asset instanceof Algorithm algorithm) {
                                             final String ref =
                                                     this.algorithmComponentBuilder.apply(
-                                                            "", algorithm);
+                                                            component.getBomRef(), algorithm);
                                             algorithmRefs.add(ref);
                                         }
                                     }
@@ -189,7 +196,6 @@ public Component build() {
 
         this.component.setType(Component.Type.CRYPTOGRAPHIC_ASSET);
         this.component.setCryptoProperties(this.cryptoProperties);
-        this.component.setBomRef(UUID.randomUUID().toString());
 
         return this.component;
     }

output/src/test/java/com/ibm/output/cyclonedx/ProtocolTest.java

@@ -29,11 +29,13 @@
 import com.ibm.mapper.model.algorithms.AES;
 import com.ibm.mapper.model.algorithms.DH;
 import com.ibm.mapper.model.algorithms.DSA;
+import com.ibm.mapper.model.algorithms.RSA;
 import com.ibm.mapper.model.algorithms.SHA2;
 import com.ibm.mapper.model.collections.AssetCollection;
 import com.ibm.mapper.model.collections.CipherSuiteCollection;
 import com.ibm.mapper.model.collections.IdentifierCollection;
 import com.ibm.mapper.model.mode.CBC;
+import com.ibm.mapper.model.protocol.IPSec;
 import com.ibm.mapper.model.protocol.TLS;
 import java.util.List;
 import org.cyclonedx.model.Component;
@@ -223,6 +225,8 @@ void protocolWithCipherSuite() {
                             assertThat(protocolProperties.getVersion()).isEqualTo("1.3");
                             assertThat(protocolProperties.getCipherSuites()).isNotNull();
                             assertThat(protocolProperties.getCipherSuites()).hasSize(1);
+                            assertThat(protocolProperties.getCryptoRefArray()).isNotNull();
+                            assertThat(protocolProperties.getCryptoRefArray().getRef()).hasSize(3);
 
                             final org.cyclonedx.model.component.crypto.CipherSuite cipherSuite =
                                     protocolProperties.getCipherSuites().get(0);
@@ -235,4 +239,37 @@ void protocolWithCipherSuite() {
                     }
                 });
     }
+
+    @Test
+    void protocolOther() {
+        this.assertsNode(
+                () -> {
+                    final IPSec ipsec = new IPSec(detectionLocation);
+                    ipsec.put(new AES(128, new CBC(detectionLocation), detectionLocation));
+                    ipsec.put(new RSA(detectionLocation));
+                    return ipsec;
+                },
+                bom -> {
+                    assertThat(bom.getComponents()).hasSize(3);
+                    assertThat(bom.getComponents().stream().map(Component::getName))
+                            .contains("AES128-CBC", "RSA", "IPSec");
+
+                    for (Component component : bom.getComponents()) {
+                        asserts(component.getEvidence());
+                        assertThat(component.getCryptoProperties()).isNotNull();
+                        final CryptoProperties cryptoProperties = component.getCryptoProperties();
+                        if (cryptoProperties.getAssetType().equals(AssetType.PROTOCOL)) {
+                            assertThat(component.getName()).isEqualTo("IPSec");
+                            assertThat(cryptoProperties.getProtocolProperties()).isNotNull();
+                            final ProtocolProperties protocolProperties =
+                                    cryptoProperties.getProtocolProperties();
+                            assertThat(protocolProperties.getType()).isEqualTo(ProtocolType.IPSEC);
+                            assertThat(protocolProperties.getVersion()).isNull();
+                            assertThat(protocolProperties.getCipherSuites()).isNull();
+                            assertThat(protocolProperties.getCryptoRefArray()).isNotNull();
+                            assertThat(protocolProperties.getCryptoRefArray().getRef()).hasSize(2);
+                        }
+                    }
+                });
+    }
 }

sonar-cryptography-plugin/src/main/java/com/ibm/plugin/Configuration.java

@@ -22,7 +22,7 @@
 import java.util.List;
 import javax.annotation.Nonnull;
 import org.sonar.api.config.PropertyDefinition;
-import org.sonar.api.resources.Qualifiers;
+import org.sonar.api.config.PropertyDefinition.ConfigScope;
 
 public final class Configuration {
 
@@ -31,7 +31,7 @@ private Configuration() {}
     public static @Nonnull List<PropertyDefinition> getPropertyDefinitions() {
         return List.of(
                 PropertyDefinition.builder(Constants.CBOM_OUTPUT_NAME)
-                        .onQualifiers(Qualifiers.PROJECT)
+                        .onConfigScopes(ConfigScope.PROJECT)
                         .subCategory(Constants.SUB_CATEGORY_GENERAL)
                         .name("CBOM filename")
                         .description("Filename for the generated CBOM")