Cryptography Bills of Materials (CBOM)

A CBOM is a CycloneDX document that inventories the cryptographic assets — algorithms, key sizes, and primitives — discovered in a survey, classified by post-quantum readiness.

Every survey produces a per-survey CBOM. The most valuable view, though, is a combined CBOM that correlates an inventory survey and a runtime survey of the same artifact — showing not just what cryptography is present, but what actually runs.

Anchoring a runtime survey

An inventory survey records every jar, war, and ear it indexes, so it already knows which artifacts it covers. A runtime survey does not — instrumentation alone cannot tell which build artifact it is exercising. To make a runtime survey correlatable, anchor it to the artifact under test with --anchor, which hashes that artifact:

spice survey runtime my-app --anchor ./build/output/app.jar --jfr -- java -jar ./build/output/app.jar

The anchored artifact only needs to be one that an inventory survey has indexed (see below). Without --anchor, a runtime survey still produces its own CBOM, but it cannot be combined with an inventory survey.

Combined CBOMs

When a runtime survey is anchored to an artifact that an inventory survey also indexed, Spice Labs correlates the two by the artifact’s content hash and produces a combined CBOM. The combined view classifies each cryptographic asset by where it was seen:

  • Present — found in the artifact by the inventory survey.
  • Confirmed — present in the artifact and observed executing at runtime.
  • Runtime-only — observed at runtime but not found by the inventory survey.

Producing a combined CBOM

Run both surveys into the same project. The inventory survey indexes every jar, war, and ear in your build; anchor the runtime survey to one of them:

# 1. Inventory survey of the build (indexes every archive inside it)
spice survey inventory my-app ./build/output

# 2. Runtime survey anchored to one of those artifacts
spice survey runtime my-app --anchor ./build/output/app.jar --jfr -- java -jar ./build/output/app.jar

Correlation is by content hash, not by the <subject> label: the --anchor artifact only needs to be one the inventory survey indexed — the top-level artifact, or any jar, war, or ear nested inside it. The combined CBOM appears in the dashboard alongside the per-survey reports.

💡 What to anchor

Point --anchor at the specific artifact you are running. As long as that same artifact appears in an inventory survey of the project, the two surveys correlate into a combined CBOM.