CipherIQ/cbom-explorer

A lightweight, web-based visualizer for inspecting and navigating Cryptographic Bills of Materials (CBOMs) in CycloneDX JSON format.

CBOM Explorer

A lightweight, web-based visualizer for inspecting and navigating Cryptographic Bills of Materials (CBOMs) generated by the cbom-generator tool.

Overview

CBOM Explorer transforms raw JSON or CycloneDX-format CBOMs into an intuitive graphical interface that helps security engineers, compliance teams, and auditors understand the cryptographic posture of a system at a glance.

Whether you’re assessing PQC readiness, tracking the usage of deprecated algorithms, or validating cryptographic dependencies across embedded devices and cloud workloads, cbom-explorer provides a clear, interactive view of your cryptographic asset graph.

Full CipherIQ Documentation

Read the full CipherIQ documentation website.

License

This project is dual-licensed:

Open Source License (GPL-3.0-or-later)

cbom-generator is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

See LICENSE for the full license text.

Commercial License

For organizations that cannot comply with the GPL-3.0 license terms (for example, if you want to integrate cbom-generator into proprietary software without releasing your source code), we offer commercial licenses.

Commercial licenses include:

  • Freedom from GPL copyleft requirements
  • Priority support
  • Custom feature development (optional)

For pricing and terms, contact: sales@cipheriq.io

Features

  • Interactive Graph Visualization: Explore cryptographic assets, libraries, certificates, keys, protocols, and applications with dependency mapping.

  • PQC-Readiness Overlay: View assets by PQC status (e.g., DEPRECATED, TRANSITIONAL, SAFE) based on NIST IR 8413 categories.

  • Certificate & Key Inspector: Click on certificates to reveal OIDs, key sizes, signature algorithms, expiration dates, and trust paths.

  • Algorithm Breakdown: Quickly identify where weak or legacy cryptography (SHA-1, 3DES, RSA-1024, etc.) exists in a system.

  • Full CycloneDX 1.6/1.7 CBOM Support: Load and explore CBOMs generated in standard CycloneDX JSON formats.

  • Search & Filtering: Find components by name, type, algorithm, PQC status, or cryptographic purpose.

  • Supports Large CBOMs: Efficient rendering for complex systems with hundreds or thousands of cryptographic components.

Quick Start

  1. Generate a CBOM:

    cbom-generator /etc/ssl/certs -o cbom.json --format cyclonedx \
        --cyclonedx-spec 1.7
  2. Open the visualizer:

    xdg-open tools/visualizer/cbom-viz.html  # Linux
    open tools/visualizer/cbom-viz.html       # macOS
  3. Upload your CBOM file using the "Choose File" button

Features

Six Dashboard Views

  1. Dashboard - PQC readiness score, risk level, break year timeline
  2. Certificates - Expiration heatmap, expiring soon list
  3. Algorithms - Distribution by type, RSA key sizes, top algorithms
  4. Timeline - PQC migration milestones and waves
  5. Explorer - Search, filter, paginate, and export components
  6. Summary - Executive overview with actionable recommendations

Key Capabilities

  • Zero external dependencies - Single HTML file, works offline
  • Privacy-first - All processing in browser, no data sent externally
  • Export functionality - Filter and export subsets as JSON
  • Executive summary export - Generate text reports for stakeholders
  • Responsive design - Works on desktop, tablet, and mobile

Supported CBOM Formats

  • CycloneDX 1.6
  • CycloneDX 1.7

Browser Compatibility

  • Chrome/Edge 90+
  • Firefox 88+
  • Safari 14+

Test Files

Test files are provided in samples/:

  • ubuntu-cbom.json - Large realistic Ubuntu CBOM

Usage Tips

Filtering Components

  1. Use the search box to find by name or bom-ref
  2. Use the type dropdown to filter by asset type
  3. Export filtered results as a new CBOM

Understanding PQC Status

  • SAFE (green) - Resistant to quantum attacks (e.g., ML-KEM, ML-DSA, SLH-DSA)

  • TRANSITIONAL (yellow) - Hybrid approach combining classical + quantum-safe algorithms

  • UNSAFE (red) - Vulnerable to quantum attacks, needs migration (e.g., RSA, ECDSA, DH)

  • DEPRECATED (red) - Weak by classical standards, should be replaced immediately (e.g., MD5, SHA-1, DES)

  • UNKNOWN (red) - Algorithm not recognized or assessment not possible

Break Year Estimates

Based on NIST IR 8413 and NSA CNSA 2.0 guidance:

  • 2030 - RSA-1024, small ECC curves
  • 2035 - RSA-2048, standard ECC
  • 2040 - RSA-3072
  • 2045 - RSA-4096
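The following is an added example and not cbom-explorer's own code. It shows, in the same vanilla JavaScript the visualizer is written in, how the three pieces above fit together: the bomFormat check from the Troubleshooting section, the Explorer's name/bom-ref/type filtering with JSON export, the five PQC status labels, and the break-year table. The sample CBOM is constructed, and the algorithm-name matching tables, the ECC "small curve" threshold (224 bits or less) and the readiness percentage formula are assumptions made for this illustration, not the project's own rules.

```javascript
// Added example, not cbom-explorer's own code: a minimal CycloneDX CBOM loader
// that applies the README's PQC status categories and break-year table to
// "cryptographic-asset" components, then filters and exports a subset the way
// the Explorer view does. Name tables, ECC threshold and readiness formula are assumptions.

// Constructed sample CBOM in CycloneDX 1.6 shape (not real generator output).
const SAMPLE_CBOM = {
  bomFormat: "CycloneDX",
  specVersion: "1.6",
  components: [
    { type: "cryptographic-asset", name: "ML-KEM-768", "bom-ref": "alg:ml-kem-768",
      cryptoProperties: { assetType: "algorithm", algorithmProperties: { primitive: "kem", nistQuantumSecurityLevel: 3 } } },
    { type: "cryptographic-asset", name: "RSA-2048", "bom-ref": "alg:rsa-2048",
      cryptoProperties: { assetType: "algorithm", algorithmProperties: { primitive: "pke", parameterSetIdentifier: "2048" } } },
    { type: "cryptographic-asset", name: "X25519MLKEM768", "bom-ref": "alg:x25519-mlkem768",
      cryptoProperties: { assetType: "algorithm", algorithmProperties: { primitive: "kem" } } },
    { type: "cryptographic-asset", name: "SHA-1", "bom-ref": "alg:sha1",
      cryptoProperties: { assetType: "algorithm", algorithmProperties: { primitive: "hash" } } },
    { type: "cryptographic-asset", name: "MYSTERY-42", "bom-ref": "alg:mystery",
      cryptoProperties: { assetType: "algorithm" } },
    { type: "library", name: "openssl", version: "3.0.13", "bom-ref": "lib:openssl" },
  ],
};

// Name fragments used to recognise algorithm families (assumed; matched on upper-cased names).
const PQ_TOKENS = ["ML-KEM", "MLKEM", "ML-DSA", "MLDSA", "SLH-DSA", "SLHDSA"];
const CLASSICAL_TOKENS = ["RSA", "ECDSA", "ECDH", "X25519", "ED25519", "DH", "DSA"];
const DEPRECATED_RE = /^(MD5|SHA-?1|3?DES|RC4)\b/;

// The "Invalid JSON" check from Troubleshooting: parse, then require bomFormat "CycloneDX".
function loadCbom(jsonText) {
  const doc = JSON.parse(jsonText);                        // throws on malformed JSON
  if (doc.bomFormat !== "CycloneDX") {
    throw new Error(`bomFormat must be "CycloneDX", got ${JSON.stringify(doc.bomFormat)}`);
  }
  if (!Array.isArray(doc.components)) doc.components = [];
  return doc;
}

// Map an algorithm name to one of the five PQC status labels.
function classifyPqcStatus(name) {
  const upper = name.toUpperCase();
  if (DEPRECATED_RE.test(upper)) return "DEPRECATED";
  const hasPq = PQ_TOKENS.some((t) => upper.includes(t));
  // Strip PQ tokens first so "ML-DSA" is not also counted as classical "DSA".
  const remainder = PQ_TOKENS.reduce((s, t) => s.split(t).join(""), upper);
  const hasClassical = CLASSICAL_TOKENS.some((t) => remainder.includes(t));
  if (hasPq && hasClassical) return "TRANSITIONAL";        // hybrid classical + PQ
  if (hasPq) return "SAFE";
  if (hasClassical) return "UNSAFE";
  return "UNKNOWN";
}

// Apply the README's break-year table to a quantum-vulnerable (UNSAFE) asset.
function estimateBreakYear(component) {
  if (classifyPqcStatus(component.name) !== "UNSAFE") return null;
  const name = component.name.toUpperCase();
  const props = component.cryptoProperties?.algorithmProperties || {};
  if (/RSA|^DH\b|^DSA\b/.test(name)) {                     // modulus-size bound families
    const bits = Number(props.parameterSetIdentifier) || Number((name.match(/(\d{4})/) || [])[1]);
    if (!bits) return null;                                  // key size unknown
    if (bits <= 1024) return 2030;
    if (bits <= 2048) return 2035;
    if (bits <= 3072) return 2040;
    return 2045;
  }
  // ECC: curves of 224 bits or less count as "small" (assumed threshold).
  const curveBits = Number(((props.curve || name).match(/(\d{3})/) || [])[1]) || 256;
  return curveBits <= 224 ? 2030 : 2035;
}

// Explorer-style filtering by name / bom-ref substring and by cryptoProperties.assetType.
function filterComponents(cbom, { query = "", assetType = "" } = {}) {
  const q = query.toLowerCase();
  return cbom.components.filter((c) => {
    const text = `${c.name} ${c["bom-ref"] || ""}`.toLowerCase();
    return (!q || text.includes(q)) && (!assetType || c.cryptoProperties?.assetType === assetType);
  });
}

// Export a filtered subset as a new, still-loadable CycloneDX document.
function exportSubset(cbom, components) {
  return JSON.stringify({ bomFormat: cbom.bomFormat, specVersion: cbom.specVersion, components }, null, 2);
}

// Dashboard-style summary: status counts, readiness share and the earliest break year.
function summarize(cbom) {
  const counts = { SAFE: 0, TRANSITIONAL: 0, UNSAFE: 0, DEPRECATED: 0, UNKNOWN: 0 };
  let earliestBreakYear = null;
  const assets = cbom.components.filter((c) => c.type === "cryptographic-asset");
  for (const c of assets) {
    counts[classifyPqcStatus(c.name)] += 1;
    const year = estimateBreakYear(c);
    if (year !== null && (earliestBreakYear === null || year < earliestBreakYear)) earliestBreakYear = year;
  }
  // Assumed formula: share of cryptographic assets that are already quantum-safe.
  const readinessPercent = assets.length ? Math.round((100 * counts.SAFE) / assets.length) : 0;
  return { counts, readinessPercent, earliestBreakYear };
}

// Stand-alone run over the constructed sample.
const demoCbom = loadCbom(JSON.stringify(SAMPLE_CBOM));
console.log(summarize(demoCbom));
console.log(exportSubset(demoCbom, filterComponents(demoCbom, { query: "rsa" })));
```

Run it with `node` to see the summary (one asset per status, 20% readiness, earliest break year 2035 from RSA-2048) and the exported one-component subset. Stripping the post-quantum tokens before looking for classical ones is the detail that keeps a hybrid such as X25519MLKEM768 in TRANSITIONAL while ML-DSA stays SAFE; a naive substring match on "DSA" would mark every ML-DSA asset as quantum-vulnerable.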

Troubleshooting

"Invalid JSON" Error

Ensure the file parses as valid JSON:

cat your-cbom.json | jq .

Then check that the top-level bomFormat field is "CycloneDX".

Charts Not Rendering

  1. Open browser console (F12)
  2. Check for JavaScript errors
  3. Ensure the CBOM has the expected data (components, properties)

Slow Performance

For CBOMs with 1000+ components:

  • Use filters to reduce the displayed set
  • The Explorer uses pagination (20 items per page)

Certificates Show "Expiry: N/A"

This indicates the asset is a CSR or key file, not a certificate with an expiration date. The label shows:

  • N/A (CSR) - Certificate Signing Request
  • N/A (Key) - Private key file
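As an added example, not cbom-explorer's own code, the block below derives the Certificates view's expiry label and heatmap bucket from CycloneDX 1.6 certificate components. The README does not say how cbom-generator marks CSRs and key files, so this code treats a "related-crypto-material" asset of type "private-key" as a key file and a certificate with no notValidAfter as a CSR; both rules, the bucket thresholds (30 and 90 days), the fixed "now" and the sample components are assumptions constructed for the illustration.

```javascript
// Added example, not cbom-explorer's own code: expiry labels and heatmap buckets
// for CycloneDX 1.6 certificate components. CSR/key detection rules, bucket
// thresholds and the fixed reference date are assumptions.

// Constructed sample components (not real generator output).
const SAMPLE_COMPONENTS = [
  { type: "cryptographic-asset", name: "web.example.test", "bom-ref": "cert:web",
    cryptoProperties: { assetType: "certificate", certificateProperties: {
      subjectName: "CN=web.example.test", notValidBefore: "2025-01-01T00:00:00Z",
      notValidAfter: "2025-07-01T00:00:00Z", signatureAlgorithmRef: "alg:sha256-rsa" } } },
  { type: "cryptographic-asset", name: "expired.example.test", "bom-ref": "cert:old",
    cryptoProperties: { assetType: "certificate", certificateProperties: {
      subjectName: "CN=expired.example.test", notValidAfter: "2025-01-01T00:00:00Z" } } },
  { type: "cryptographic-asset", name: "pending.csr", "bom-ref": "cert:csr",
    cryptoProperties: { assetType: "certificate", certificateProperties: { subjectName: "CN=pending.example.test" } } },
  { type: "cryptographic-asset", name: "server.key", "bom-ref": "key:server",
    cryptoProperties: { assetType: "related-crypto-material", relatedCryptoMaterialProperties: { type: "private-key" } } },
  { type: "cryptographic-asset", name: "RSA-2048", "bom-ref": "alg:rsa-2048",
    cryptoProperties: { assetType: "algorithm" } },
];

// Fixed reference date so results are reproducible (constructed).
const NOW = new Date("2025-06-01T00:00:00Z");
const MS_PER_DAY = 86_400_000;

// Returns { label, daysLeft, bucket } for certificate-view assets, or null for
// assets the Certificates view does not display (algorithms, libraries, ...).
function expiryLabel(component, now = NOW) {
  const cp = component.cryptoProperties || {};
  if (cp.assetType === "related-crypto-material" && cp.relatedCryptoMaterialProperties?.type === "private-key") {
    return { label: "Expiry: N/A (Key)", daysLeft: null, bucket: "n/a" };   // private key file
  }
  if (cp.assetType !== "certificate") return null;
  const after = cp.certificateProperties?.notValidAfter;
  if (!after) return { label: "Expiry: N/A (CSR)", daysLeft: null, bucket: "n/a" };  // no validity period
  const end = new Date(after);
  if (Number.isNaN(end.getTime())) {
    return { label: "Expiry: N/A (invalid date)", daysLeft: null, bucket: "n/a" };  // malformed timestamp
  }
  const daysLeft = Math.floor((end - now) / MS_PER_DAY);
  const bucket = daysLeft < 0 ? "expired" : daysLeft <= 30 ? "critical" : daysLeft <= 90 ? "warning" : "ok";
  return { label: `Expiry: ${after.slice(0, 10)} (${daysLeft} days)`, daysLeft, bucket };
}

// Heatmap input: how many certificate-view assets fall into each bucket.
function certificateHeatmap(components, now = NOW) {
  const buckets = { expired: 0, critical: 0, warning: 0, ok: 0, "n/a": 0 };
  for (const c of components) {
    const r = expiryLabel(c, now);
    if (r) buckets[r.bucket] += 1;
  }
  return buckets;
}

// "Expiring soon" list: unexpired certificates ending within withinDays, soonest first.
function expiringSoon(components, withinDays = 90, now = NOW) {
  return components
    .map((c) => ({ name: c.name, ...expiryLabel(c, now) }))
    .filter((r) => typeof r.daysLeft === "number" && r.daysLeft >= 0 && r.daysLeft <= withinDays)
    .sort((a, b) => a.daysLeft - b.daysLeft)
    .map((r) => r.name);
}

// Stand-alone run over the constructed sample.
for (const c of SAMPLE_COMPONENTS) console.log(c.name, expiryLabel(c));
console.log(certificateHeatmap(SAMPLE_COMPONENTS), expiringSoon(SAMPLE_COMPONENTS));
```

The point of the "n/a" bucket is that a CSR or key file is not a finding: it must not be counted as expired, which is what a naive `new Date(undefined)` comparison would do, and an unparseable timestamp is surfaced as its own label rather than silently dropped.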

Architecture

The visualizer uses vanilla JavaScript with ES6 classes:

  • CBOMParser - Parse and query CBOM data
  • SVGChart - Render pie and bar charts
  • PQCDashboard - Main dashboard view
  • CertificateHeatmap - Certificate expiration tracking
  • AlgorithmAnalysis - Algorithm distribution charts
  • MigrationTimeline - PQC migration planning
  • CBOMExplorer - Component search and export
  • ExecutiveSummary - Stakeholder summary

Copyright (c) 2025 Graziano Labs Corp.
