Import / Export

The Import/Export page handles CycloneDX CBOM import and export, plus BOM-Link URN generation for cross-referencing with SBOMs.

[Figure: Import/Export page showing export options and imported CBOM list]


Export your entire crypto inventory (or a filtered subset) as a CycloneDX v1.6 CBOM JSON document.

The export produces a fully spec-compliant document:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:...",
  "version": 1,
  "metadata": {
    "timestamp": "2025-01-15T10:30:00Z",
    "tools": {
      "components": [{
        "type": "application",
        "name": "QCecuring CBOM",
        "version": "0.0.1"
      }]
    },
    "lifecycles": [{ "phase": "operations" }]
  },
  "components": [...],
  "dependencies": [...]
}

Each asset is exported as a component with full cryptoProperties:

For algorithms:

{
  "type": "cryptographic-asset",
  "bom-ref": "fingerprint-hash",
  "name": "AES-256-GCM",
  "cryptoProperties": {
    "assetType": "algorithm",
    "algorithmProperties": {
      "primitive": "ae",
      "algorithmFamily": "AES",
      "parameterSetIdentifier": "256",
      "mode": "gcm",
      "nistQuantumSecurityLevel": 5,
      "classicalSecurityLevel": 256,
      "executionEnvironment": "software-plain-ram",
      "certificationLevel": ["none"]
    },
    "oid": "2.16.840.1.101.3.4.1.46"
  }
}

For certificates:

{
  "type": "cryptographic-asset",
  "bom-ref": "fingerprint-hash",
  "name": "api.example.com TLS cert",
  "cryptoProperties": {
    "assetType": "certificate",
    "certificateProperties": {
      "subjectName": "CN=api.example.com",
      "issuerName": "CN=Let's Encrypt Authority X3",
      "notValidBefore": "2025-01-01",
      "notValidAfter": "2025-04-01",
      "certificateFormat": "X.509",
      "signatureAlgorithm": "SHA256withRSA",
      "fingerprint": { "alg": "SHA-256", "content": "abc123..." },
      "certificateExtensions": [
        { "commonExtensionName": "keyUsage", "commonExtensionValue": "digitalSignature" },
        { "commonExtensionName": "subjectAlternativeName", "commonExtensionValue": "api.example.com, www.example.com" }
      ]
    },
    "algorithmProperties": {
      "primitive": "pke",
      "algorithmFamily": "RSA",
      "parameterSetIdentifier": "2048"
    }
  }
}

For keys:

{
  "type": "cryptographic-asset",
  "bom-ref": "fingerprint-hash",
  "name": "RSA-2048 private key",
  "cryptoProperties": {
    "assetType": "related-crypto-material",
    "relatedCryptoMaterialProperties": {
      "type": "private-key",
      "id": "fingerprint-hash",
      "state": "active",
      "size": 2048,
      "algorithmRef": "RSA"
    },
    "algorithmProperties": {
      "primitive": "pke",
      "algorithmFamily": "RSA",
      "parameterSetIdentifier": "2048",
      "nistQuantumSecurityLevel": 0
    }
  }
}

Relationships between assets are exported as CycloneDX dependencies:

{
  "dependencies": [
    {
      "ref": "leaf-cert-fingerprint",
      "dependsOn": ["intermediate-ca-fingerprint"]
    },
    {
      "ref": "key-in-keystore-fingerprint",
      "dependsOn": ["keystore-fingerprint"]
    }
  ]
}

Export options:

  • Full export — All assets in the inventory
  • Filtered export — Only assets matching current filters (type, risk level, scanner)
  • Download — Save as .json file

Import external CycloneDX CBOM files to visualize and analyze third-party cryptographic inventories.

  1. Upload a CycloneDX JSON file
  2. CBOM parses components and dependencies
  3. View imported assets in a table
  4. Visualize relationships in a graph view

[Figure: Imported CBOM table view showing parsed components]

[Figure: Imported CBOM graph view showing component relationships]

Typical use cases for import:

  • Review a vendor’s CBOM for quantum risk
  • Validate a supplier’s cryptographic posture
  • Compare your CBOM against a partner’s
  • Audit third-party software dependencies

BOM-Link enables cross-referencing between CBOMs and SBOMs using URN identifiers.

Every exported CBOM gets a unique serial number that can be referenced:

urn:uuid:<serial-number>

Use BOM-Link URNs to connect your CBOM to an SBOM:

  1. Export your CBOM (note the serialNumber in the output)
  2. Reference the CBOM URN in your SBOM’s externalReferences
  3. Tools consuming the SBOM can resolve the URN to fetch the full CBOM

This enables supply chain transparency — an SBOM declares what software is present, and the linked CBOM declares what cryptography that software uses.
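
The linking steps above, as an added example that is not part of the QCecuring documentation or code: it derives the CycloneDX BOM-Link form (`urn:cdx:<serial>/<version>#<bom-ref>`) from an export's serialNumber and version, records it in an SBOM's externalReferences, and resolves it against locally held documents so a dangling link is detected. The function names and both sample documents are constructed for illustration.

```python
import re
import uuid
from urllib.parse import quote, unquote

# CycloneDX BOM-Link syntax: urn:cdx:<serial uuid>/<bom version>[#<bom-ref>]
BOM_LINK = re.compile(r"^urn:cdx:([0-9a-f-]{36})/([1-9][0-9]*)(?:#(.+))?$")


def bom_link(bom, bom_ref=None):
    """Derive a BOM-Link URN from a BOM's serialNumber and version."""
    serial = bom["serialNumber"]
    if not serial.startswith("urn:uuid:"):
        raise ValueError("serialNumber must be a urn:uuid: URN")
    serial_uuid = uuid.UUID(serial[len("urn:uuid:"):])  # raises on a malformed UUID
    link = f"urn:cdx:{serial_uuid}/{bom['version']}"
    return f"{link}#{quote(bom_ref, safe='')}" if bom_ref else link


def link_sbom_to_cbom(sbom, cbom):
    """Add an externalReferences entry of type "bom" that points at the CBOM."""
    ref = {"type": "bom", "url": bom_link(cbom)}
    refs = sbom.setdefault("externalReferences", [])
    if ref not in refs:  # keep the operation idempotent
        refs.append(ref)
    return sbom


def resolve(link, known_boms):
    """Resolve a BOM-Link against locally held BOMs; None means it dangles."""
    m = BOM_LINK.match(link)
    if not m:
        raise ValueError(f"not a BOM-Link URN: {link!r}")
    serial, version = m.group(1), int(m.group(2))
    ref = unquote(m.group(3)) if m.group(3) else None
    for bom in known_boms:
        if bom.get("serialNumber") == f"urn:uuid:{serial}" and bom.get("version") == version:
            if ref is None:
                return bom
            return next((c for c in bom.get("components", []) if c.get("bom-ref") == ref), None)
    return None


# Constructed sample documents (not real exports)
CBOM = {"bomFormat": "CycloneDX", "specVersion": "1.6",
        "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", "version": 1,
        "components": [{"type": "cryptographic-asset", "bom-ref": "fingerprint-hash",
                        "name": "AES-256-GCM"}]}
SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.6",
        "serialNumber": "urn:uuid:11111111-2222-4333-8444-555555555555", "version": 1}
```

Because the link carries the BOM version, a re-exported CBOM with a bumped version no longer matches an old link, which `resolve` reports as `None` instead of silently returning a different document.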