Cryptography Bills of Materials (CBOM)
A CBOM is a CycloneDX document that inventories the cryptographic assets — algorithms, key sizes, and primitives — discovered in a survey, classified by post-quantum readiness.
Every survey produces a per-survey CBOM. The most valuable view, though, is a combined CBOM that correlates an inventory survey and a runtime survey of the same artifact — showing not just what cryptography is present, but what actually runs.
Anchoring a runtime survey
An inventory survey records every jar, war, and ear it indexes, so it already knows which artifacts it covers. A runtime survey does not — instrumentation alone cannot tell which build artifact it is exercising. To make a runtime survey correlatable, anchor it to the artifact under test with --anchor, which hashes that artifact:
spice survey runtime my-app --anchor ./build/output/app.jar --jfr -- java -jar ./build/output/app.jar
The anchored artifact only needs to be one that an inventory survey has indexed (see below). Without --anchor, a runtime survey still produces its own CBOM, but it cannot be combined with an inventory survey.
Combined CBOMs
When a runtime survey is anchored to an artifact that an inventory survey also indexed, Spice Labs correlates the two by the artifact’s content hash and produces a combined CBOM. The combined view classifies each cryptographic asset by where it was seen:
- Present — found in the artifact by the inventory survey.
- Confirmed — present in the artifact and observed executing at runtime.
- Runtime-only — observed at runtime but not found by the inventory survey.
Producing a combined CBOM
Run both surveys into the same project. The inventory survey indexes every jar, war, and ear in your build; anchor the runtime survey to one of them:
# 1. Inventory survey of the build (indexes every archive inside it)
spice survey inventory my-app ./build/output
# 2. Runtime survey anchored to one of those artifacts
spice survey runtime my-app --anchor ./build/output/app.jar --jfr -- java -jar ./build/output/app.jar
Correlation is by content hash, not by the <subject> label: the --anchor artifact only needs to be one the inventory survey indexed — the top-level artifact, or any jar, war, or ear nested inside it. The combined CBOM appears in the dashboard alongside the per-survey reports.
Point --anchor at the specific artifact you are running. As long as that same artifact appears
in an inventory survey of the project, the two surveys correlate into a combined CBOM.