This repository contains a fully functional Proof-of-Concept (PoC) static analysis pipeline developed for the LFX Mentorship: CBOMkit (Post-Quantum Cryptography Alliance).
The engine parses C/C++ source code into an Abstract Syntax Tree (AST) using Eclipse CDT, isolates cryptographic primitives, extracts metadata to generate a standardized Cryptographic Bill of Materials (CBOM) in CycloneDX format, and evaluates the output against an Open Policy Agent (OPA) policy to enforce Post-Quantum Cryptography (PQC) readiness.
Parsing C++ accurately for static analysis requires far more than a context-free grammar parser such as ANTLR4, because C++ code relies heavily on:

- macro expansions (`#define`)
- conditional compilation directives (`#ifdef`)
- header inclusions (`#include`)
- complex type resolution schemes

A standard ANTLR4 grammar typically fails on such code unless a custom preprocessor is implemented.
This engine leverages Eclipse CDT running in headless workspace mode. Eclipse CDT acts as a native C++ compiler frontend: it

- expands macros
- resolves type identifiers
- disambiguates grammar

Using CDT's `IASTTranslationUnit` with a structured `ASTVisitor`, the engine reliably flags cryptographic signatures such as `EVP_EncryptInit_ex` regardless of macro obfuscation or spacing variations. This mirrors enterprise compliance engines such as SonarCFamily.
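As an added illustration (not the repository's own `CppCryptoScanner.java`), the visitor below shows how a CDT `ASTVisitor` catches a call to `EVP_EncryptInit_ex` even when the call site is hidden behind a `#define` alias, because CDT expands the macro before the AST is built. The signature set, the inline fixture and the availability of the `org.eclipse.cdt.core` classes on the classpath are assumptions.

```java
import java.util.*;
import org.eclipse.cdt.core.dom.ast.*;
import org.eclipse.cdt.core.dom.ast.gnu.cpp.GPPLanguage;
import org.eclipse.cdt.core.model.ILanguage;
import org.eclipse.cdt.core.parser.*;

/** Walks a CDT AST and records every call to a known legacy crypto API. */
public class CryptoCallVisitor extends ASTVisitor {
    // Constructed sample signature set; the project keeps its mapping in a separate file.
    static final Set<String> LEGACY_APIS = Set.of("EVP_EncryptInit_ex");
    final List<String> findings = new ArrayList<>();

    CryptoCallVisitor() { shouldVisitExpressions = true; } // visit expression nodes only

    @Override
    public int visit(IASTExpression expr) {
        if (expr instanceof IASTFunctionCallExpression) {
            IASTExpression callee = ((IASTFunctionCallExpression) expr).getFunctionNameExpression();
            // The callee is a plain identifier; CDT has already expanded any macro alias.
            if (callee instanceof IASTIdExpression) {
                String name = ((IASTIdExpression) callee).getName().toString();
                IASTFileLocation loc = expr.getFileLocation();
                if (LEGACY_APIS.contains(name) && loc != null) {
                    findings.add(name + " in " + loc.getFileName()
                            + " at line " + loc.getStartingLineNumber());
                }
            }
        }
        return PROCESS_CONTINUE;
    }

    /** Parses a source buffer headlessly (no include resolution) into a translation unit. */
    static IASTTranslationUnit parse(String path, String code) throws Exception {
        return GPPLanguage.getDefault().getASTTranslationUnit(
                FileContent.create(path, code.toCharArray()), new ScannerInfo(),
                IncludeFileContentProvider.getEmptyFilesProvider(), null,
                ILanguage.OPTION_IS_SOURCE_UNIT, new DefaultLogService());
    }

    public static void main(String[] args) throws Exception {
        // Constructed fixture: the call site uses a macro alias, which a grep for the
        // API name would miss but the expanded AST still exposes.
        String src = "#define INIT_CTX EVP_EncryptInit_ex\n"
                + "int f(void* ctx) { return INIT_CTX(ctx, 0, 0, 0, 0); }\n";
        CryptoCallVisitor visitor = new CryptoCallVisitor();
        parse("test.cpp", src).accept(visitor);
        visitor.findings.forEach(System.out::println);
    }
}
```

Renaming the alias or adding whitespace around the call does not change the result, since matching happens on the expanded `IASTIdExpression` name rather than on source text.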
```text
[test.cpp]
    │
    ▼
[CppCryptoScanner.java]
    │
    ▼
[cbom_output.json]
    │
    ▼
[OPA]
    │
    ▼
[Policy Violation]
```
Pipeline components:

- Target C++ fixture simulating an application initializing an OpenSSL AES-256-CBC encryption context using `EVP_EncryptInit_ex`.
- Core Java scanner using Eclipse CDT to parse the C++ fixtures, register AST visitors, and extract the line number, file path and API signature of each match.
- Declarative Sonar-style signature mapping file targeting OpenSSL components.
- OPA validation script that analyzes the emitted CBOM and triggers alerts whenever non-quantum-resistant primitives appear.
Required tools:
- Java Development Kit (JDK) 11+
- Apache Maven 3.6+
- Open Policy Agent (OPA)
Install OPA quickly:

```sh
curl -L -o opa https://openpolicyagent.org/downloads/v0.64.1/opa_linux_amd64_static
chmod +x opa
sudo mv opa /usr/local/bin/
```

Run the demo:

```sh
chmod +x run_demo.sh
./run_demo.sh
```

The pipeline will:

- compile the scanner
- parse the C++ source
- generate the CBOM
- execute the OPA evaluation
Example terminal output showing:
- Maven build execution
- AST scan
- CycloneDX CBOM generation
- detected OpenSSL and Botan cryptographic APIs
Generated CBOM artifacts are validated against OPA policies enforcing PQC readiness and cryptographic compliance.
Example evaluation output when a legacy primitive is detected:

```json
{
  "result": [
    {
      "expressions": [
        {
          "value": {
            "allow": false,
            "violation": [
              "PQC AUDIT REQUIRED: Legacy cryptographic API 'EVP_EncryptInit_ex' detected in test.cpp at line 21."
            ]
          }
        }
      ]
    }
  ]
}
```

Example successful response:

```json
{
  "allow": true,
  "violation": []
}
```

This indicates no policy violations were triggered under the current policy rules.

To confirm structural AST analysis rather than string matching:
Open `test.cpp` and change `EVP_EncryptInit_ex` to `EVP_FakeFunction_ex`, then run:

```sh
./run_demo.sh
```

Expected result:

- the generated CBOM becomes empty
- the OPA policy passes
- compliance succeeds

This confirms true AST semantic analysis.
Charan Sai
Developed as a project-specific Proof-of-Concept demonstrating AST extraction capabilities for the Post-Quantum Cryptography Alliance (PQCA).