Detect and report crypto modules


Gathering crypto modules being used in an application is a tedious and complex task. The challenge comes from multiple factors:

  • Crypto modules are sometimes not well known to the developers using them.
  • Crypto modules can be configured and used in many ways; sometimes the configuration decides which module is used in the first place.
  • Again depending on configuration, a module can be replaced by another at runtime, for example when a client connects without support for the configured module. Some systems then fall back to another module that may be less secure.

Having this information is essential in many ways, for example when we reach the post-quantum cryptography era. A complete inventory of our crypto modules will be needed to understand where we need to take action, and whether our architecture is still compliant with our standards.

The information reported will typically be used to create CBOMs (https://owasp.org/blog/2023/10/03/CycloneDX-Cryptography-CBOM).

Proposal

This is a feature where SAST and Dependency Scanning could overlap. Dependency Scanning could report modules that might be used because they are part of a dependency (which SAST will usually not catch). See the Moonshot section below.

On the other hand, SAST should be able to report precisely crypto modules when they are being referred to in the source code of the application.

Another way to gather this data could also be by leveraging DAST to fetch data about the modules used in the communication protocols.
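As an added illustration of the SAST side of this proposal and of the CBOM output mentioned above (example code written for this issue, not GitLab's analyzers), the following Python script walks the AST of application source, records every call into a known crypto library, resolves `hashlib.new(...)` only when the algorithm name is a literal (and otherwise reports it as unresolved, since configuration decides the module), flags weak algorithms, and shapes the result like CycloneDX 1.6 `cryptographic-asset` components. The call-to-algorithm mapping, the weak list, and the exact CBOM field names are assumptions to be checked against the published schema.

```python
"""Added example: a minimal SAST-style crypto-module inventory for Python
source, emitted as a CycloneDX-CBOM-shaped dict. Not GitLab code; the
library/algorithm mapping and the CBOM field names are assumptions."""
import ast
import json

# Constructed mapping from call sites to algorithm metadata (assumption).
# Key: dotted callable as written in source. Value: (name, primitive).
KNOWN_CALLS = {
    "hashlib.md5": ("MD5", "hash"),
    "hashlib.sha1": ("SHA-1", "hash"),
    "hashlib.sha256": ("SHA-256", "hash"),
    "hashlib.sha3_256": ("SHA3-256", "hash"),
    "AES.new": ("AES", "block-cipher"),
    "RSA.generate": ("RSA", "pke"),
}
# Algorithms a reviewer would want flagged in the inventory (assumption).
WEAK = {"MD5", "SHA-1"}
# hashlib.new("md5") picks the algorithm from a string at call time, so the
# configuration, not the call, decides the module. Resolve literal names.
HASHLIB_NEW_NAMES = {"md5": "MD5", "sha1": "SHA-1", "sha256": "SHA-256"}


def _dotted(node):
    """Return 'a.b.c' for an Attribute/Name chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_source(src, filename="<constructed>"):
    """Walk the AST and collect one finding per crypto call site."""
    findings = []
    for node in ast.walk(ast.parse(src, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        algo, primitive = None, None
        if name in KNOWN_CALLS:
            algo, primitive = KNOWN_CALLS[name]
        elif name == "hashlib.new":
            primitive = "hash"
            if node.args and isinstance(node.args[0], ast.Constant):
                algo = HASHLIB_NEW_NAMES.get(str(node.args[0].value).lower())
            else:
                # Name comes from a variable or config file: record the gap
                # instead of guessing, so the CBOM shows it needs follow-up.
                algo = "UNRESOLVED(hashlib.new)"
        if algo:
            findings.append({
                "algorithm": algo, "primitive": primitive,
                "file": filename, "line": node.lineno,
                "weak": algo in WEAK,
            })
    return findings


def to_cbom(findings):
    """Shape findings like CycloneDX 1.6 cryptographic-asset components
    (field names are an assumption; verify against the published schema)."""
    components, seen = [], set()
    for f in findings:
        key = (f["algorithm"], f["primitive"])
        if key in seen:
            continue
        seen.add(key)
        components.append({
            "type": "cryptographic-asset",
            "name": f["algorithm"],
            "cryptoProperties": {
                "assetType": "algorithm",
                "algorithmProperties": {"primitive": f["primitive"]},
            },
            "evidence": {"occurrences": [
                {"location": f"{g['file']}:{g['line']}"}
                for g in findings if (g["algorithm"], g["primitive"]) == key
            ]},
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.6",
            "components": components}


# Constructed sample application code, not taken from any real project.
SAMPLE = '''
import hashlib
from Crypto.Cipher import AES

def fingerprint(data, cfg):
    h = hashlib.new(cfg["digest"])       # algorithm chosen by configuration
    legacy = hashlib.md5(data)           # direct call to a weak hash
    cipher = AES.new(b"k" * 16, AES.MODE_GCM)
    return h, legacy, cipher
'''

if __name__ == "__main__":
    print(json.dumps(to_cbom(scan_source(SAMPLE, "app/fingerprint.py")), indent=2))
```

Running it on the constructed sample yields three components: an unresolved `hashlib.new`, MD5 flagged as weak, and AES. The unresolved entry is the interesting one for this issue: it is exactly the case where only the deployed configuration (or a DAST observation of the live protocol) can tell which module is actually in use, so a CBOM built from SAST alone should carry such gaps explicitly rather than drop them.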

Note: This issue is initially labeled group::composition analysis based on the above, but that could change in the future once we figure out the right group.

Moonshot

With dependencies stored in GitLab (as part of &7886), GitLab could decorate these packages with metadata on crypto modules.

Edited by 🤖 GitLab Bot 🤖