PQCA Project
CBOMkit
GitHub Repo
Description
This mentorship project combines both hands-on development and exploratory research.
CBOMkit currently supports cryptographic detection and analysis for the Java, Python, and Go ecosystems. However, a significant portion of production systems is written in other languages such as C/C++ (used especially in systems programming, embedded environments, and high-performance applications), and that code relies heavily on crypto libraries such as OpenSSL.
On the development side, the mentee will extend CBOMkit to support C/C++, with a primary focus on detecting usage of OpenSSL APIs and the cryptographic primitives they expose. This includes adding C/C++ language support, designing the detection logic in sonar-cryptography, integrating it into CBOMkit's architecture, developing test cases, and validating the result against real-world C/C++ projects to ensure practical applicability and robustness.
Additionally, the mentee will write and test further policies using CBOMkit's existing Open Policy Agent (OPA) integration.
On the research side, the mentee will analyze additional cryptographic libraries in the C/C++ ecosystem such as wolfSSL, libsodium, BoringSSL, and Botan, and will explore language support for Rust and its associated cryptographic libraries. The goal is to evaluate their feasibility for future integration into CBOMkit.
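To make the development goal above concrete, here is an added illustrative example (written for this page, not code from CBOMkit or sonar-cryptography, whose detection rules are implemented in Java and are far richer). It scans a constructed C snippet for a handful of OpenSSL EVP calls, resolves the algorithm where it is statically knowable, and emits a minimal CycloneDX-style list of cryptographic assets. The constructor table, the sample source, and the `unresolved` field in the report are assumptions made for this example; the point it demonstrates is one a real C/C++ detector must handle: `EVP_aes_128_cbc()` names its algorithm at compile time, `EVP_get_cipherbyname("AES-256-GCM")` can be resolved from a string literal, and `EVP_get_cipherbyname(user_alg)` cannot be resolved statically and must be reported as unknown rather than silently dropped.

```python
"""Toy OpenSSL usage detector for C source (illustration only, not project code)."""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample translation unit; not taken from any real project.
SAMPLE_C = """\
#include <openssl/evp.h>

int encrypt_block(unsigned char *key, unsigned char *iv, const char *user_alg)
{
    EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
    EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv);   /* algorithm fixed at compile time */
    const EVP_MD *md = EVP_sha256();
    const EVP_CIPHER *gcm = EVP_get_cipherbyname("AES-256-GCM");  /* literal name: resolvable */
    const EVP_CIPHER *dyn = EVP_get_cipherbyname(user_alg);       /* runtime value: not resolvable */
    return 0;
}
"""

# Assumed lookup table: EVP constructor -> (primitive, algorithm, mode, key size).
CONSTRUCTORS = {
    "EVP_aes_128_cbc": ("block-cipher", "AES", "CBC", 128),
    "EVP_aes_256_gcm": ("ae", "AES", "GCM", 256),
    "EVP_des_ede3_cbc": ("block-cipher", "3DES", "CBC", 168),
    "EVP_sha256": ("hash", "SHA-256", None, None),
    "EVP_md5": ("hash", "MD5", None, None),
}

# Names accepted by EVP_get_cipherbyname / EVP_get_digestbyname, mapped onto the same tuples.
BY_NAME = {
    "AES-128-CBC": CONSTRUCTORS["EVP_aes_128_cbc"],
    "AES-256-GCM": CONSTRUCTORS["EVP_aes_256_gcm"],
    "DES-EDE3-CBC": CONSTRUCTORS["EVP_des_ede3_cbc"],
    "SHA256": CONSTRUCTORS["EVP_sha256"],
    "MD5": CONSTRUCTORS["EVP_md5"],
}

# Matches an EVP_* call whose argument list contains no nested parentheses; nested
# calls such as EVP_aes_128_cbc() inside EVP_EncryptInit_ex(...) are found on their own.
CALL_RE = re.compile(r"\b(EVP_[A-Za-z0-9_]+)\s*\(([^()]*)\)")
STRING_RE = re.compile(r'^\s*"([^"]*)"\s*$')
UNRESOLVED = (None, None, None, None)


@dataclass(frozen=True)
class Finding:
    line: int
    call: str
    primitive: Optional[str]   # None when the algorithm cannot be determined statically
    algorithm: Optional[str]
    mode: Optional[str]
    key_size: Optional[int]


def detect_openssl(source: str) -> list:
    """Return one Finding per recognised EVP constructor or by-name lookup, in source order."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        code = text.split("/*", 1)[0]  # ignore trailing block comments on the same line
        for m in CALL_RE.finditer(code):
            name, arg = m.group(1), m.group(2)
            if name in CONSTRUCTORS:
                findings.append(Finding(lineno, name, *CONSTRUCTORS[name]))
            elif name in ("EVP_get_cipherbyname", "EVP_get_digestbyname"):
                lit = STRING_RE.match(arg)
                props = BY_NAME.get(lit.group(1)) if lit else None
                findings.append(Finding(lineno, name, *(props or UNRESOLVED)))
    return findings


def to_cbom(findings: list) -> dict:
    """Emit a minimal CycloneDX-style component list. 'unresolved' is not a CycloneDX field;
    it is added here so the report never silently claims coverage it does not have."""
    components, unresolved = [], []
    for f in findings:
        if f.algorithm is None:
            unresolved.append({"line": f.line, "call": f.call})
            continue
        props = {"primitive": f.primitive}
        if f.mode:
            props["mode"] = f.mode.lower()
        if f.key_size:
            props["parameterSetIdentifier"] = str(f.key_size)
        components.append({
            "type": "cryptographic-asset",
            "name": f.algorithm,
            "evidence": {"occurrences": [{"line": f.line}]},
            "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": props},
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.6",
            "components": components, "unresolved": unresolved}


if __name__ == "__main__":
    print(json.dumps(to_cbom(detect_openssl(SAMPLE_C)), indent=2))
```

A real implementation works on a parsed AST rather than regular expressions, follows the `EVP_CIPHER *` value from its definition to the `EVP_EncryptInit_ex` call that consumes it, and distinguishes a library that is merely linked from one whose algorithms are actually invoked. The test suite called for in the deliverables is what keeps those resolution rules honest: every rule needs a positive case, a negative case, and a case such as the runtime-named cipher above that must surface as unresolved.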
Learning Objectives
- Understand analysis techniques for detecting cryptographic usage
- Gain hands-on experience with cryptographic libraries such as OpenSSL in C/C++
- Learn how to extend and contribute to a production-grade open-source security tool
- Develop skills in designing test cases and validating tools on real-world codebases
- Learn how policy-based security analysis works using Open Policy Agent (OPA)
- Conduct technical research and evaluate cryptographic libraries and programming languages for integration
Expected Outcome and Deliverables
- C/C++ language support integrated into sonar-cryptography
- OpenSSL detection module with meaningful coverage
- Integration of the new language support with CBOMkit
- Test suite for validating detection accuracy
- Validation report using real-world C/C++ projects
- Research document comparing additional libraries (wolfSSL, libsodium, BoringSSL, Botan) and an additional language (Rust with its cryptographic libraries) for integration feasibility
- Blog post(s) or technical documentation describing implementation and findings
- Evaluation of additional policies through the OPA integration
Recommended Skills
- Proficiency in Java with a good understanding of C/C++
- Experience with OpenSSL and general cryptographic APIs
- Good understanding of cryptographic concepts (encryption, hashing, key exchange)
- Experience with static analysis or code parsing (preferred but not mandatory)
- Familiarity with Open Policy Agent
- Familiarity with Git and open-source contribution workflows
Mentor(s) Names and Contact Info
Name: Aditya Koranga
Email: adityakoranga2004@gmail.com
Github: @AdityaKoranga
Additional Information