TrustSource has several ways to assess components or sources for cryptographic assets:
- Assess source code using ts-deepscan - this will identify algorithms using code assessments and compile the findings in a DeepScan result. These results may be added to your module or to the TrustSource component database.
- Request SCANOSS API for the crypto algorithms known to be part of the open source components identified by either ts-scan or SCANOSS workbench.
PLEASE NOTE: This will require an additional SCANOSS subscription.
- Assess a component using our DeepScan service. This requires the component manager role to initiate the scan. It can also be applied to all infrastructure components. The resulting knowledge is shared across all TrustSource users: if user A has assessed Keycloak, user B does not need to assess it again.
- As a Corporate or Enterprise customer, you may use the BulkScan feature to scan complete SBOMs for algorithms within any of their components. This adds data to the component information and can be used for public components as well as private code.
PLEASE NOTE: To assess private code repositories, you may need to configure TrustSource with access keys for repository access.
Once you have added algorithm assessment to your scanning, you will find the results in the SETTINGS > CRYPTO MANAGEMENT section of your module's details view.
In that screen you will see two sections:
- as detected
- as managed
TrustSource presents the list of identified algorithms in the as detected section. This section holds the algorithms as they were discovered during code scans; it is populated by the scans uploaded to TrustSource and cannot be modified. It shows you what has to be managed.
In the as managed section you may add further information about the algorithms and their application. For example, you may indicate whether a particular algorithm is actually used. This is a key setting for preventing alerts for algorithms that are not in use. You may also specify all the other data that goes into the CBOM.
PLEASE NOTE: As long as no usage information is given for a particular algorithm that TrustSource has identified, TrustSource will always assume that the algorithm is in use.
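The following is an added example illustrating the reconciliation described above; it is not TrustSource code and does not use the TrustSource API. It models the read-only "as detected" findings, the reviewer-supplied "as managed" usage information, the default rule that an identified algorithm without usage information counts as in use, and the resulting alert list and CBOM entries. The data model, the function names, the weak-algorithm policy and the sample findings are all constructed assumptions for illustration; the CBOM output is only loosely modelled on CycloneDX 1.6 cryptographic-asset components.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: findings as a code scan might report them.
# This corresponds to the read-only 'as detected' view in the text.
DETECTED: List[dict] = [
    {"algorithm": "AES-256-GCM", "file": "src/crypto/aead.c", "line": 42},
    {"algorithm": "MD5", "file": "src/legacy/checksum.c", "line": 17},
    {"algorithm": "RSA-2048", "file": "src/tls/handshake.c", "line": 88},
    {"algorithm": "MD5", "file": "tests/fixtures.c", "line": 5},
]

# Constructed sample: usage information a reviewer entered in the
# 'as managed' view. An algorithm absent here has no usage information.
MANAGED: Dict[str, dict] = {
    "MD5": {"in_use": False, "note": "only in a test fixture, not shipped"},
    "RSA-2048": {"in_use": True, "purpose": "TLS key exchange", "primitive": "pke"},
}

# Constructed policy: algorithms that raise an alert when they count as in use.
WEAK_ALGORITHMS = {"MD5", "SHA1", "DES", "RC4"}


@dataclass
class AlgorithmRecord:
    name: str
    locations: List[str] = field(default_factory=list)
    in_use: bool = True          # default assumption: detected means in use
    usage_known: bool = False    # True only once the managed view says so
    purpose: Optional[str] = None
    primitive: Optional[str] = None
    note: Optional[str] = None


def reconcile(detected: List[dict], managed: Dict[str, dict]) -> Dict[str, AlgorithmRecord]:
    """Merge scan findings with reviewer-supplied usage information.

    Every detected algorithm gets a record. If the managed view has no
    entry for it, the record keeps in_use=True (the default rule in the text).
    Managed entries for algorithms that were never detected are ignored
    (an assumption of this model, not documented TrustSource behaviour).
    """
    records: Dict[str, AlgorithmRecord] = {}
    for finding in detected:
        name = finding["algorithm"]
        rec = records.setdefault(name, AlgorithmRecord(name))
        rec.locations.append(f'{finding["file"]}:{finding["line"]}')
    for name, rec in records.items():
        info = managed.get(name)
        if info is None:
            continue
        rec.in_use = bool(info.get("in_use", True))
        rec.usage_known = "in_use" in info
        rec.purpose = info.get("purpose")
        rec.primitive = info.get("primitive")
        rec.note = info.get("note")
    return records


def alerts(records: Dict[str, AlgorithmRecord], weak=WEAK_ALGORITHMS) -> List[str]:
    """Weak algorithms that count as in use, i.e. what would raise an alert."""
    return sorted(n for n, r in records.items() if n in weak and r.in_use)


def needs_review(records: Dict[str, AlgorithmRecord]) -> List[str]:
    """Detected algorithms for which nobody has entered usage information yet."""
    return sorted(n for n, r in records.items() if not r.usage_known)


def to_cbom_components(records: Dict[str, AlgorithmRecord]) -> List[dict]:
    """Emit cryptographic-asset entries for every algorithm that counts as in use.

    Field names are loosely modelled on CycloneDX 1.6 and are an assumption
    made for this illustration.
    """
    out = []
    for name, r in sorted(records.items()):
        if not r.in_use:
            continue
        props: dict = {"assetType": "algorithm"}
        if r.primitive:
            props["algorithmProperties"] = {"primitive": r.primitive}
        out.append({
            "type": "cryptographic-asset",
            "name": name,
            "cryptoProperties": props,
            "evidence": {"occurrences": [{"location": loc} for loc in r.locations]},
        })
    return out


if __name__ == "__main__":
    recs = reconcile(DETECTED, MANAGED)
    print("alerts with managed data:   ", alerts(recs))
    print("alerts without managed data:", alerts(reconcile(DETECTED, {})))
    print("still needs review:         ", needs_review(recs))
    for comp in to_cbom_components(recs):
        print(comp["name"], "->", comp["evidence"]["occurrences"])
```

Run as a script, the two alert lines show the effect of the default rule: with no managed information at all, MD5 is alerted because it is assumed to be in use; once the reviewer has marked it as not in use, the alert disappears and MD5 is also left out of the CBOM entries. The `needs_review` list is what a practitioner would work through in the as managed section.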