IBM Quantum Safe Explorer overview
IBM Quantum Safe™ Explorer simplifies the discovery and management of cryptographic vulnerabilities by performing source code scanning to identify cryptographically relevant artifacts that may be vulnerable to quantum attacks. IBM Quantum Safe Explorer also generates a cryptographic inventory in a variety of formats, including a Cryptography Bill of Materials (CBOM), an extension to the software supply chain that provides a standard way of detailing the cryptographic components used within a software system, including the algorithms, libraries, key sizes, and their dependencies on other components.
Visit the IBM Quantum Safe website for more details on IBM Quantum Safe technology.
Prerequisites
Prerequisites for Explorer scan
Components | Requirements |
---|---|
Operating system | • macOS Sonoma (Ventura on Intel, M1, or higher) • Windows 11 |
System requirement | A minimum of 16 GB RAM; 32 GB RAM is recommended. |
Browser compatibility | • Firefox • Chrome • Safari • Windows Edge (all versions) |
Oracle JDK | Oracle JDK 17.0.0 or OpenJDK 17.0.0 or higher. If the Java application to be scanned is compiled on a higher JDK version, it is recommended to run Quantum Safe Explorer on that same version. |
JAVA | The JAVA_HOME environment variable must be set to the installation directory of the required JDK version, and your PATH environment variable must include $JAVA_HOME/bin. For example, see "Installing the JDK software and setting JAVA_HOME" (Windows only) or "Set JAVA_HOME variable" (Windows and Mac). |
Visual Studio Code | Visual Studio Code 1.77 or higher |
Note: Before you install the latest version of IBM Quantum Safe Explorer, if you have IBM Quantum Safe Explorer 1.x.x installed, uninstall it and delete the qs-explorer folder in your home directory (Macintosh HD/Users/<username> on Mac and C:\Users\<username> on Windows). If this folder is not deleted, the installation of the latest version of IBM Quantum Safe Explorer will fail.
Prerequisites for Portfolio View
Components | Requirements |
---|---|
Operating system | • Windows Server 2022 Standard • Red Hat Enterprise Linux (RHEL) 9 |
System memory and CPU | 64 GB RAM, 16 vCPU |
Software | • Node.js v16 • PostgreSQL 16.0 or higher • IBM Cognos Analytics 12.0.4 |
Enable disk-level encryption
Encryption protects your data by restricting access to only authorized users in your organization. To protect the data generated by IBM Quantum Safe Explorer, you can enable disk-level encryption.
For more information about disk-level encryption for Windows devices, refer to the Microsoft support website.
For more information about disk-level encryption for macOS devices, refer to the Apple support website.
Languages and cryptography libraries supported
IBM Quantum Safe Explorer supports scanning of source code written in Java, C++, Python, Dart, and Go. The supported cryptographic libraries for each language are shown in the following table:
Language | Supported libraries | Supported scans |
---|---|---|
C and C++ | • Crypto++ • GSKit-crypto • liboqs • OpenSSL | API discovery |
C# | • .NET Cryptography | API discovery |
Dart | • Cryptography | API discovery |
Go | • crypto (standard and supplementary) • hash | API discovery |
Java | • Bouncy Castle 1.77 • Java Cryptography Architecture (JCA) • Nimbus JOSE + JWT 10.2 • Apache Commons Codec 1.18.0 | API discovery and Cryptography analysis |
Python | • Crypto (PyCryptodome distribution) • cryptography • hashlib | API discovery |
Click the links below for more information on the HashiCorp Vault APIs of the following Java libraries for the secret engines Key Value, PKI and Transit:
Click the link below for more information on the java.security.KeyStore APIs, which represent the storage facility for cryptographic keys and certificates.
Note: All functions of the supported libraries are discovered except those in the following modules, which do not relate to the use of cryptographic algorithms:
Crypto (PyCryptodome distribution):
- https://www.pycryptodome.org/src/util/util
- https://www.pycryptodome.org/src/random/random
- https://www.pycryptodome.org/src/io/pem
Cryptography:
- https://cryptography.io/en/latest/x509/
- https://cryptography.io/en/latest/hazmat/primitives/constant-time/
- https://cryptography.io/en/latest/hazmat/primitives/asymmetric/utils/
- https://cryptography.io/en/latest/hazmat/primitives/asymmetric/serialization/
- https://cryptography.io/en/latest/hazmat/primitives/twofactor/
- https://cryptography.io/en/latest/random-numbers
Features
IBM Quantum Safe Explorer offers a number of features that are available to all supported languages. The scanning of Java code offers several additional features. The available features are shown in the following table:
Feature | API discovery | Cryptography analysis |
---|---|---|
Source code can be scanned to rapidly locate cryptographic artifacts. | ✓ | ✓ |
Applications written in commonly used development languages and cryptography libraries can be scanned. | ✓ | ✓ |
Cryptographic APIs (libraries, methods, and functions) are discovered during scanning. | ✓ | ✓ |
Code can be scanned using an interactive user interface delivered as an IDE plug-in. | ✓ | ✓ |
Code can be scanned using a stand-alone CLI. | ✓ | ✓ |
Code can be scanned using the API. | ✓ | ✓ |
Scanning generates cryptographic inventory reports in a variety of formats, including a Cryptography Bill of Materials (CBOM), .CSV files, and Findings.JSON. | ✓ | ✓ |
At-risk cryptography can be remediated, and code enhancements can be verified by rescanning. | ✓ | ✓ |
Cryptographic patterns of use can be identified; for example, JCA's getInstance(), init(), and doFinal() methods. | ✓ | |
Cryptographic parameters that are passed as variables, such as algorithm, key, mode, and padding, can be traced. | ✓ | |
Hardcoded cryptographic parameters can be identified; for example, hardcoded passwords and keys. | ✓ | |
Over twenty different vulnerabilities can be identified, including quantum vulnerabilities. | ✓ | |
Opportunities to improve crypto-agility can be identified. | ✓ | |
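To make the API-discovery rows above concrete, the following Python script is an added illustration (not IBM Quantum Safe Explorer's code) of what such a pass does over a constructed Java snippet: it finds JCA getInstance() calls, resolves an algorithm passed through a String constant, flags hardcoded key material, and marks public-key primitives that a large quantum computer would break. The regexes, the one-level constant propagation and the QUANTUM_VULNERABLE set are simplifications of my own.

```python
"""Toy API-discovery pass over Java source; an added illustration, not Explorer's code."""
import re

# Constructed Java snippet standing in for a file that would be scanned.
SAMPLE_JAVA = '''
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.security.KeyPairGenerator;

public class Demo {
    static final String ALGO = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    byte[] key = "0123456789abcdef".getBytes();          // hardcoded key material
    void run() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        Cipher c = Cipher.getInstance(ALGO);              // algorithm passed via a variable
        Cipher s = Cipher.getInstance("AES/GCM/NoPadding");
        s.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
    }
}
'''

# Public-key primitives whose security rests on factoring or discrete logs,
# which Shor's algorithm breaks on a sufficiently large quantum computer (my own list).
QUANTUM_VULNERABLE = {"RSA", "EC", "ECDSA", "ECDH", "DH", "DSA", "DIFFIEHELLMAN"}

GET_INSTANCE = re.compile(r"(\w+)\.getInstance\(\s*([^)]*?)\s*\)")
STRING_CONST = re.compile(r'String\s+(\w+)\s*=\s*"([^"]*)"')
HARDCODED_KEY = re.compile(r'"([^"]+)"\.getBytes\(\)')

def scan(src):
    """Return (inventory, findings): inventory lists each discovered JCA
    getInstance() call; findings lists the issues a reviewer should look at."""
    consts = dict(STRING_CONST.findall(src))  # one-level constant propagation
    inventory, findings = [], []
    for api, arg in GET_INSTANCE.findall(src):
        literal = arg.strip('"') if arg.startswith('"') else consts.get(arg)
        if literal is None:  # value only known at run time; flag for manual review
            findings.append(f"{api}.getInstance({arg}): algorithm not resolvable statically")
            continue
        inventory.append({"api": api, "algorithm": literal})
        algo = literal.split("/")[0].upper()  # transformation prefix, e.g. RSA of RSA/ECB/...
        if algo in QUANTUM_VULNERABLE:
            findings.append(f"{api}.getInstance({literal!r}): quantum-vulnerable primitive {algo}")
    for key in HARDCODED_KEY.findall(src):
        findings.append(f"hardcoded key material ({len(key)} bytes)")
    return inventory, findings
```

Running `scan(SAMPLE_JAVA)` yields a three-entry inventory (RSA, the RSA/OAEP transformation resolved from ALGO, and AES/GCM) plus three findings: two quantum-vulnerable RSA uses and one hardcoded 16-byte key.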
Specifications for IBM Quantum Safe Explorer
Java code import statements with wildcards are now supported by Explorer on Mac, Windows, and the CLI. However, for accurate results it is recommended to use code without wildcard imports.
Known issues
- Scanning of large .jar files on Mac, Windows, and the CLI requires a fast CPU and high RAM capacity, as resource consumption is high when scanning .jar files.
- If there are unsupported languages in the codebase, errors or exceptions may be thrown during scanning. In most cases these files will be skipped, and the scan will continue for the remaining files.