
Add cryptographic algorithm scanning and CycloneDX 1.7 CBOM output #1656

Closed
CortezFrazierJr wants to merge 10 commits into fossas:master from CortezFrazierJr:feature/crypto-scanning


Conversation

@CortezFrazierJr


Summary

  • Add a Rust-based crypto detection engine (extlib/cryptoscan) that scans source code across 10 ecosystems (Python, Java, Go, Rust, Node.js, Ruby, C#/.NET, PHP, Swift, Elixir) for cryptographic algorithm usage via dependency analysis, import patterns, API calls, and config file scanning
  • Integrate crypto scan results into the fossa-cli analysis pipeline: results are converted to SourceUnit format and included in uploads alongside existing dependency analysis
  • Add --x-crypto-scan flag to enable scanning, --crypto-cbom-output <file> for local CycloneDX 1.7 CBOM export, and --crypto-fips-report for FIPS 140-3 compliance reporting
  • The cryptoscan binary is embedded in the fossa binary (same pattern as berkeleydb/millhone) — no separate distribution needed

What's included

Phase 1 — Rust Crypto Detection Engine (extlib/cryptoscan/)

  • Pattern-based detection using ~350+ regex rules across 10 ecosystems
  • CycloneDX 1.7 output with cryptographic-asset components, cryptoProperties, and provides dependencies
  • FIPS compliance classification (approved/deprecated/not-approved) with key size assessment
  • 56 passing integration tests with full test fixtures

Phase 2 — Haskell Integration

  • CryptoScan.Analyze — invokes embedded binary, parses JSON results
  • CryptoScan.SourceUnit — converts findings to FOSSA SourceUnit with crypto+<algorithm> locators
  • CryptoScan.Types — full FromJSON/ToJSON for all crypto types
  • Wired into Analyze.hs pipeline: crypto SourceUnit included in upload alongside dependency results

Phase 3 — CycloneDX 1.7 CBOM Output

  • --crypto-cbom-output <file> writes standards-compliant CycloneDX 1.7 JSON
  • Passes through Rust binary's --format cyclonedx output (complete BOM with components, dependencies, metadata)

Phase 4 — FIPS Compliance Reporting

  • --crypto-fips-report renders a color-coded compliance summary to stdout
  • Per-algorithm FIPS status with remediation suggestions (e.g., "Replace ChaCha20-Poly1305 → AES-256-GCM")
  • Key size warnings, quantum readiness assessment, compliance percentage
  • Integrated into existing ScanSummary output

Ecosystems supported

Ecosystem   Libraries detected
---------   ------------------
Python      cryptography, pycryptodome, hashlib, ssl
Java        JCA/JCE, BouncyCastle, Conscrypt
Go          crypto/*, x/crypto
Rust        ring, rust-crypto, openssl, rustls
Node.js     crypto (builtin), crypto-js, node-forge, jose
Ruby        OpenSSL, rbnacl, bcrypt-ruby
C#/.NET     System.Security.Cryptography, BouncyCastle
PHP         openssl/sodium extensions, phpseclib
Swift       CryptoKit, CommonCrypto
Elixir      :crypto, Comeonin (bcrypt/argon2), JOSE

Test plan

  • All 56 integration tests pass (cargo test -p cryptoscan)
  • Unit tests pass for SourceUnit conversion and FIPS report rendering
  • E2E validation: fossa analyze --x-crypto-scan --output produces valid JSON with crypto SourceUnit
  • E2E validation: --crypto-cbom-output /tmp/cbom.json writes valid CycloneDX 1.7
  • E2E validation: --crypto-fips-report renders compliance summary
  • CI build succeeds across all platforms (Linux, macOS Intel/ARM, Windows)
  • Tested against HashiCorp Vault (580 findings, 23 algorithms, 36 CycloneDX components)

🤖 Generated with Claude Code
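The three stages the description above lists (pattern-based detection of imports and API calls, FIPS classification with key-size assessment, and CycloneDX cryptographic-asset output) can be shown end to end in a few dozen lines. The following is an added illustration, not code from this PR or from the cryptoscan engine: the rule set, the FIPS status table, the key-size minimums, the sample Python and Go source files, and the `fips:*` property names in the BOM are all constructed here, and the CycloneDX component shape is a simplified approximation of the 1.7 `cryptographic-asset` / `cryptoProperties` layout rather than a validated document.

```python
"""Miniature crypto scanner: regex rules -> findings -> FIPS assessment -> CBOM.
Hypothetical illustration; not the PR's Rust engine or FOSSA's output format."""
import json
import re

# Constructed rule set: (ecosystem, pattern, algorithm). A real engine carries hundreds.
RULES = [
    ("python", re.compile(r"\bhashlib\.md5\b"), "MD5"),
    ("python", re.compile(r"\bhashlib\.sha1\b"), "SHA-1"),
    ("python", re.compile(r"\bhashlib\.sha256\b"), "SHA-256"),
    ("python", re.compile(r"\bAESGCM\b"), "AES-GCM"),
    ("python", re.compile(r"\bChaCha20Poly1305\b"), "ChaCha20-Poly1305"),
    ("python", re.compile(r"rsa\.generate_private_key\("), "RSA"),
    ("go", re.compile(r'"crypto/md5"'), "MD5"),
    ("go", re.compile(r'"crypto/aes"'), "AES"),
    ("go", re.compile(r'"golang\.org/x/crypto/chacha20poly1305"'), "ChaCha20-Poly1305"),
    ("go", re.compile(r"rsa\.GenerateKey\("), "RSA"),
]
# Key-size extraction (constructed for the two API shapes used in the samples below).
KEY_SIZE_RE = {"RSA": re.compile(r"key_size\s*=\s*(\d+)|GenerateKey\([^,]+,\s*(\d+)\)")}

# Constructed FIPS 140-3 status table (approved / deprecated / not-approved); an assumption.
FIPS_STATUS = {
    "AES": "approved", "AES-GCM": "approved", "SHA-256": "approved", "RSA": "approved",
    "SHA-1": "deprecated",           # no longer allowed for signature generation
    "MD5": "not-approved", "ChaCha20-Poly1305": "not-approved",
}
MIN_KEY_BITS = {"RSA": 2048}         # NIST SP 800-131A minimum modulus size
REMEDIATION = {
    "ChaCha20-Poly1305": "Replace ChaCha20-Poly1305 -> AES-256-GCM",
    "MD5": "Replace MD5 -> SHA-256", "SHA-1": "Replace SHA-1 -> SHA-256",
}

def scan(files):
    """files: {path: source text}. Returns one finding per (line, matching rule)."""
    findings = []
    for path, source in files.items():
        eco = "python" if path.endswith(".py") else "go" if path.endswith(".go") else None
        for lineno, line in enumerate(source.splitlines(), 1):
            for rule_eco, pattern, algo in RULES:
                if rule_eco != eco or not pattern.search(line):
                    continue
                bits = None
                m = KEY_SIZE_RE[algo].search(line) if algo in KEY_SIZE_RE else None
                if m:  # alternation: exactly one group is populated
                    bits = int(next(g for g in m.groups() if g))
                findings.append({"file": path, "line": lineno, "ecosystem": eco,
                                 "algorithm": algo, "key_bits": bits})
    return findings

def assess(finding):
    """Attach FIPS status, downgrading for undersized keys, plus remediation notes."""
    algo, bits = finding["algorithm"], finding["key_bits"]
    status, notes = FIPS_STATUS.get(algo, "unknown"), []
    if bits is not None and algo in MIN_KEY_BITS and bits < MIN_KEY_BITS[algo]:
        status = "not-approved"
        notes.append(f"{algo}-{bits} is below the {MIN_KEY_BITS[algo]}-bit minimum")
    if algo in REMEDIATION:
        notes.append(REMEDIATION[algo])
    return {**finding, "fips": status, "notes": notes}

def to_cbom(assessed):
    """Group findings by algorithm (and key size) into cryptographic-asset components."""
    comps = {}
    for f in assessed:
        name = f["algorithm"] if f["key_bits"] is None else f"{f['algorithm']}-{f['key_bits']}"
        comp = comps.setdefault(name, {
            "type": "cryptographic-asset", "bom-ref": f"crypto:{name}", "name": name,
            "cryptoProperties": {"assetType": "algorithm"},
            "properties": [{"name": "fips:status", "value": f["fips"]}],  # constructed names
            "evidence": {"occurrences": []},
        })
        comp["evidence"]["occurrences"].append({"location": f"{f['file']}:{f['line']}"})
    return {"bomFormat": "CycloneDX", "specVersion": "1.7", "version": 1,
            "components": list(comps.values())}

def run(files):
    """Full pipeline: returns (assessed findings, CBOM dict, compliance percentage)."""
    assessed = [assess(f) for f in scan(files)]
    approved = sum(1 for f in assessed if f["fips"] == "approved")
    pct = round(100.0 * approved / len(assessed), 1) if assessed else 100.0
    return assessed, to_cbom(assessed), pct

SAMPLE_FILES = {  # constructed source snippets, not from any real project
    "app/crypto_utils.py": "\n".join([
        "import hashlib",
        "from cryptography.hazmat.primitives.asymmetric import rsa",
        "from cryptography.hazmat.primitives.ciphers.aead import AESGCM, ChaCha20Poly1305",
        "digest = hashlib.md5(data).hexdigest()",
        "key = rsa.generate_private_key(public_exponent=65537, key_size=1024)",
    ]),
    "cmd/server/main.go": "\n".join([
        "import (", '\t"crypto/aes"', '\t"crypto/rsa"', ")",
        "priv, err := rsa.GenerateKey(rand.Reader, 4096)",
    ]),
}

if __name__ == "__main__":
    found, cbom, pct = run(SAMPLE_FILES)
    for f in found:
        print(f"{f['file']}:{f['line']} {f['algorithm']} [{f['fips']}] {'; '.join(f['notes'])}")
    print(f"FIPS compliance: {pct}%")
    print(json.dumps(cbom, indent=2))
```

Two findings from the same import line (AESGCM and ChaCha20Poly1305) show why rule matching has to run every rule against every line rather than stopping at the first hit, and the RSA entries show why a status table alone is not enough: RSA is an approved algorithm, but the 1024-bit key in the Python sample is classified not-approved while the 4096-bit Go key passes.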
