Skip to content
QCecuring

Architecture

Architecture

Section titled “Architecture”

CBOM is a three-tier system: distributed Sensors discover cryptographic assets, a central API ingests and analyzes them, and an Angular UI provides visualization and management.

System Overview

Section titled “System Overview”
┌─────────────────────────────────────────────────────────────┐
│                     UI (Angular 21 + Tailwind)               │
│  Dashboard │ Inventory │ Sensors │ Relationships │ ...       │
└────────────────────────────┬────────────────────────────────┘
                             │ HTTP (port 4200 dev / embedded prod)
┌────────────────────────────▼────────────────────────────────┐
│                     API (Spring Boot, port 9090)             │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐      │
│  │  Ingestion   │  │  Quantum     │  │  CycloneDX   │      │
│  │  Service     │  │  Risk Engine │  │  Export       │      │
│  └──────────────┘  └──────────────┘  └──────────────┘      │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐      │
│  │ Relationship │  │ Attestation  │  │  Scheduler   │      │
│  │  Linker      │  │  Service     │  │  Service     │      │
│  └──────────────┘  └──────────────┘  └──────────────┘      │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐      │
│  │   Alert      │  │  BOM-Link    │  │  Settings    │      │
│  │  Service     │  │  Service     │  │  Service     │      │
│  └──────────────┘  └──────────────┘  └──────────────┘      │
└────────────────────────────┬────────────────────────────────┘
                             
┌────────────────────────────▼────────────────────────────────┐
│                    MongoDB (crypto_assets collection)        │
└─────────────────────────────────────────────────────────────┘


         ▲ REST push (API key auth)
         
┌────────┴────────────────────────────────────────────────────┐
│                    Sensor (Spring Boot CLI)                  │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐      │
│  │   HTTPS      │  │  Filesystem  │  │   Java       │      │
│  │  Endpoint    │  │  Scanner     │  │  Keystore    │      │
│  └──────────────┘  └──────────────┘  └──────────────┘      │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐      │
│  │  SSH Key     │  │  Windows     │  │  Source      │      │
│  │  Scanner     │  │  CertStore   │  │  Code        │      │
│  └──────────────┘  └──────────────┘  └──────────────┘      │
│  ┌──────────────┐  ┌──────────────┐                        │
│  │   Binary     │  │    AWS       │                        │
│  │  Scanner     │  │  Scanner     │                        │
│  └──────────────┘  └──────────────┘                        │
│  ┌──────────────┐                                          │
│  │  Active Dir  │                                          │
│  │  Scanner     │                                          │
│  └──────────────┘                                          │
└─────────────────────────────────────────────────────────────┘
         
         ▼ Scans local infrastructure
   [Endpoints, Files, Keystores, Cloud, AD]

Components

Section titled “Components”

Sensor (Java Spring Boot)

Section titled “Sensor (Java Spring Boot)”

The sensor is a standalone CLI application that runs near the infrastructure it scans.

  • Deployment: java -jar cbom-sensor.jar --config=path/to/config.yml
  • Mode: Non-web (spring.main.web-application-type: none)
  • Communication: Pushes discovered assets to the API via REST with API key authentication
  • Dual-use: Also importable as a library by the API for embedded scanning

Each sensor config file specifies:

  • Scanner type (e.g., https-endpoint, filesystem, aws)
  • API URL and API key
  • Scanner-specific configuration
scanner: https-endpoint
apiUrl: http://localhost:9090
apiKey: your-api-key-here
config:
  endpoints:
    - api.example.com:443
  timeoutMs: 10000

The sensor computes a SHA-256 fingerprint for each discovered asset, enabling content-based deduplication on the API side.

API (Java Spring Boot, port 9090)

Section titled “API (Java Spring Boot, port 9090)”

The central service handling all business logic:

ServiceResponsibility
AssetIngestionServiceReceives assets from sensors, deduplicates by fingerprint, stores in MongoDB
QuantumRiskServiceClassifies every asset’s quantum vulnerability (CRITICAL/HIGH/MEDIUM/LOW/NONE)
RelationshipLinkerServiceBuilds relationships between assets (issuer chains, keystore containment, key associations)
CycloneDxExportServiceGenerates CycloneDX v1.6 JSON with full spec compliance
BomLinkServiceGenerates BOM-Link URNs for cross-referencing with SBOMs
AttestationServiceEvaluates assets against compliance policy templates
AlertServiceManages alert rules and email notifications
SchedulerServiceManages scan schedules (cron-based)
SettingsServicePlatform configuration (crypto definitions, SMTP, etc.)

Authentication: JWT-based for UI users, API key for sensors.

Production mode: Serves the Angular UI as embedded static resources from the same JAR (single-artifact deployment).

UI (Angular 21, Tailwind CSS)

Section titled “UI (Angular 21, Tailwind CSS)”

Single-page application with these pages:

  • Dashboard — Risk summary, asset counts, scan activity
  • Inventory — Searchable asset table with filters
  • Sensors — Registered sensors, scan runs, scanner assignments
  • Alerts — Alert rules and scheduled scans
  • Relationships — Interactive SVG relationship graph
  • Compliance — Policy evaluation and attestation management
  • Import/Export — CycloneDX import/export, BOM-Link
  • Users — User management (admin/viewer roles)
  • Settings — YAML config editor with CodeMirror, crypto definitions catalog

Development: Runs on port 4200 with proxy to API at 9090.
Production: Built into the API JAR as static resources.

Database (MongoDB)

Section titled “Database (MongoDB)”

Single database (cbom) with primary collection:

  • crypto_assets — All discovered cryptographic material, discriminated by assetType

Key indexes:

  • fingerprint (unique) — Content-based deduplication
  • assetType — Fast filtering by type
  • quantumRiskLevel — Risk-based queries

Data Flow

Section titled “Data Flow”
  1. Sensor executes scan — Connects to target (endpoint, filesystem, cloud API, etc.)
  2. Sensor extracts crypto material — Parses certificates, keys, algorithms, protocols
  3. Sensor computes fingerprint — SHA-256 of intrinsic content for deduplication
  4. Sensor pushes to APIPOST /api/ingest with API key header
  5. API deduplicates — Upserts by fingerprint, merges location data
  6. API classifies riskQuantumRiskService assigns quantum risk level
  7. API links relationshipsRelationshipLinkerService connects related assets
  8. UI displays results — Dashboard, inventory, relationship graph

Deployment Models

Section titled “Deployment Models”

Development

Section titled “Development”
Sensor (CLI) → API (port 9090) ← UI (port 4200, proxied)
                    
              MongoDB (localhost:27017)

Production (Single JAR)

Section titled “Production (Single JAR)”
Sensor (CLI) → API+UI (port 9090, embedded Angular)
                    
              MongoDB (replica set)

The production profile (--spring.profiles.active=prod) enables:

  • Embedded UI serving via AngularRoutingFilter
  • CORS disabled (same-origin)
  • Response compression
  • Static resource caching (1 year max-age)

Security

Section titled “Security”
  • Sensor → API: API key authentication over HTTPS
  • UI → API: JWT tokens (24h expiration by default)
  • User roles: Admin (full access) and Viewer (read-only)
  • Secrets: JWT secret, MongoDB credentials, SMTP password via environment variables
  • No key material stored in plaintext: Only metadata and fingerprints
Section titled “Related”