<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: oleg-vdv</title>
    <description>The latest articles on DEV Community by oleg-vdv (@olegvdv).</description>
    <link>https://dev.to/olegvdv</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4032907%2Fed5d89d5-8281-416d-9a0e-654571c8c30c.png</url>
      <title>DEV Community: oleg-vdv</title>
      <link>https://dev.to/olegvdv</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/olegvdv"/>
    <language>en</language>
    <item>
      <title>The post-quantum deadlines are closer than your roadmap thinks — so I built a CBOM scanner</title>
      <dc:creator>oleg-vdv</dc:creator>
      <pubDate>Fri, 17 Jul 2026 00:55:53 +0000</pubDate>
      <link>https://dev.to/olegvdv/the-post-quantum-deadlines-are-closer-than-your-roadmap-thinks-so-i-built-a-cbom-scanner-55l9</link>
      <guid>https://dev.to/olegvdv/the-post-quantum-deadlines-are-closer-than-your-roadmap-thinks-so-i-built-a-cbom-scanner-55l9</guid>
      <description>&lt;p&gt;Three regulatory clocks are already ticking:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;US:&lt;/strong&gt; EO 14412 / CNSA 2.0 requires post-quantum cryptography for new national-security acquisitions &lt;strong&gt;from 2027&lt;/strong&gt; — and explicitly names the "cryptographic bill of materials" (CBOM).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;UK:&lt;/strong&gt; NCSC wants full cryptographic discovery and a migration plan &lt;strong&gt;by 2028&lt;/strong&gt;.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;EU:&lt;/strong&gt; member states start transitioning &lt;strong&gt;from the end of 2026&lt;/strong&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Yet when an auditor asks the first, most basic question — &lt;em&gt;"where exactly does your codebase use RSA?"&lt;/em&gt; — almost nobody can answer. Not because it's hard conceptually, but because nobody ever had a reason to keep an inventory of their cryptography. Now there's a reason.&lt;/p&gt;

&lt;h2&gt;
  
  
  What "harvest now, decrypt later" actually means
&lt;/h2&gt;

&lt;p&gt;Even if a cryptographically relevant quantum computer is a decade away, traffic recorded &lt;strong&gt;today&lt;/strong&gt; can be decrypted &lt;strong&gt;then&lt;/strong&gt;. If your secrets have a shelf life of more than a few years (medical records, financial data, government contracts), classical key exchange is already a liability. That's the logic behind the deadlines — they don't wait for the quantum computer to exist.&lt;/p&gt;

&lt;h2&gt;
  
  
  One command, three artifacts
&lt;/h2&gt;

&lt;p&gt;I wanted the discovery step to cost one command instead of one consulting engagement:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;npx @proofbyte/pqc-radar scan &lt;span class="nb"&gt;.&lt;/span&gt; &lt;span class="nt"&gt;--cbom&lt;/span&gt; cbom.json &lt;span class="nt"&gt;--report&lt;/span&gt; report.md &lt;span class="nt"&gt;--sarif&lt;/span&gt; findings.sarif
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This walks the repository and flags quantum-vulnerable cryptography — RSA, ECC/ECDH, DH, DSA, Curve25519, legacy hashes, weak TLS configs — across Java, Python, JavaScript/TypeScript, Go, C#, Rust, Ruby, PHP, C/C++ and nginx/Apache configs. Out come three artifacts:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;&lt;code&gt;cbom.json&lt;/code&gt;&lt;/strong&gt; — a &lt;a href="https://cyclonedx.org/capabilities/cbom/" rel="noopener noreferrer"&gt;CycloneDX 1.6 CBOM&lt;/a&gt;: the machine-readable inventory the mandates ask for;&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;&lt;code&gt;report.md&lt;/code&gt;&lt;/strong&gt; — a human-readable report: every finding with file:line and its ML-KEM (FIPS 203) / ML-DSA (FIPS 204) migration target;&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;&lt;code&gt;findings.sarif&lt;/code&gt;&lt;/strong&gt; — SARIF 2.1.0, so findings land straight in GitHub code scanning.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;It's fast enough to live in CI: hashicorp/vault (4,827 files) scans in about 9 seconds; a weekly &lt;a href="https://github.com/oleg-vdv/proofbyte/blob/main/docs/CORPUS.md" rel="noopener noreferrer"&gt;corpus workflow&lt;/a&gt; re-scans five well-known OSS projects to catch regressions.&lt;/p&gt;

&lt;h2&gt;
  
  
  Checking live endpoints, not just code
&lt;/h2&gt;

&lt;p&gt;Code is half the story — the other half is what your servers actually negotiate:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;npx @proofbyte/pqc-radar scan-tls your-api.example.com github.com
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;One TLS handshake per host (no payload sent) reports the protocol, cipher, key-exchange group and certificate key — and whether the endpoint already speaks &lt;strong&gt;hybrid post-quantum key exchange&lt;/strong&gt; (X25519+ML-KEM-768). One honesty detail I'm proud of: when the local TLS stack can't &lt;em&gt;name&lt;/em&gt; the negotiated group (older OpenSSL builds can't name hybrid groups), the result is reported as &lt;strong&gt;inconclusive&lt;/strong&gt;, not as a finding. Unknown ≠ vulnerable.&lt;/p&gt;

&lt;h2&gt;
  
  
  What the v0 honestly can't do
&lt;/h2&gt;

&lt;p&gt;Detection is line-pattern based. That makes it fast, broad and dependency-free, but:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;it will miss dynamically constructed crypto calls;&lt;/li&gt;
&lt;li&gt;unusual code can false-positive;&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;absence of findings is not proof of absence&lt;/strong&gt; — the report says so explicitly.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A deep AST engine (integrating &lt;a href="https://pqca.org/projects/cbomkit/" rel="noopener noreferrer"&gt;PQCA CBOMkit&lt;/a&gt;, which covers Java and Python) is the next milestone. There's also a fun war story: the very first regression test caught the scanner's regexes matching &lt;em&gt;their own source code&lt;/em&gt; — the fix was masking pattern literals with character-class tricks (&lt;code&gt;RSA_generate_ke[y]&lt;/code&gt;), and a permanent guard test asserting the repo only ever flags its own fixtures.&lt;/p&gt;

&lt;h2&gt;
  
  
  Security posture
&lt;/h2&gt;

&lt;p&gt;This is a tool you're supposed to run on code you can't share, so: fully offline (the &lt;code&gt;scan&lt;/code&gt; command makes zero network calls), zero runtime dependencies, read-only, symlinks not followed. &lt;code&gt;scan-tls&lt;/code&gt; is the single network feature and touches only endpoints you name. It's MIT-licensed — &lt;a href="https://github.com/oleg-vdv/proofbyte" rel="noopener noreferrer"&gt;read the source&lt;/a&gt; rather than trusting this paragraph.&lt;/p&gt;

&lt;h2&gt;
  
  
  Try it
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;npx @proofbyte/pqc-radar scan &lt;span class="nb"&gt;.&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;GitHub: &lt;a href="https://github.com/oleg-vdv/proofbyte" rel="noopener noreferrer"&gt;https://github.com/oleg-vdv/proofbyte&lt;/a&gt; (issues and PRs welcome — especially new language patterns with fixtures)&lt;/li&gt;
&lt;li&gt;CI one-liner: &lt;code&gt;uses: oleg-vdv/proofbyte@v1&lt;/code&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;I'd genuinely like to hear from anyone whose org has already been asked for a CBOM — by whom, and what format they accepted.&lt;/p&gt;

</description>
      <category>security</category>
      <category>opensource</category>
      <category>node</category>
      <category>cryptography</category>
    </item>
  </channel>
</rss>
