Is the SonarCryptography plugin intended for CBOM, and who maintains it?

I’m evaluating Cryptography Bill of Materials (CBOM) concepts (CycloneDX) for organizational use.

SonarQube has the SonarCryptography plugin, which detects cryptographic usage such as algorithms, key sizes, modes, and insecure crypto patterns.

I would like to clarify a few points:

  1. Ownership / origin
    • Is the SonarCryptography plugin developed and maintained by SonarSource, or
    • Is it originated or backed by IBM research (since CBOM work is often associated with IBM and the CycloneDX CBOM initiative)?

  2. Intended usage
    • Is the plugin primarily meant for code quality / security detection, or
    • Is it considered suitable as a data source for CBOM generation?

  3. CBOM alignment
    • Can the findings from SonarCryptography reasonably be mapped to a CycloneDX CBOM, or
    • Is that outside the intended scope of the plugin?

Looking for clarification on the design intent and recommended usage, especially in CBOM discussions.

Hi,

Welcome to the community!

No. If it were, it would be under the SonarSource GitHub organization. And it would be compatible with current versions, neither of which it is.

I can’t tell you about the scope or intent of this plugin. I can only say - based on its readme - that you should look elsewhere for your needs since the plugin ended compatibility several years ago.

Note that we offer SCA and the ability to import/export SBOMs.

 
HTH,
Ann