1 TOR SRSs SRS-TOR
System-level requirements for the TOR subsystem.
1.1 Persist output artifacts in predictable locations SRS-001
VECTOR SHALL write generated source-analysis and network-analysis artifacts to predictable output files and directories under the local workspace.
Rationale
The current implementation writes databases, SARIF results, raw scan results, and CBOM files to the filesystem for later inspection and reuse.
Acceptance criteria
- VECTOR-Code creates and uses dedicated output directories for databases, results, and CBOM files.
- VECTOR-Network writes raw scan files and generated CBOM files to named local JSON files.
- Output paths remain inspectable after process completion.
Parent links: MRS-010 Produce open, reusable output artifacts
Child links: TCS-001 Verify persisted output locations for VECTOR-Code artifacts
| Attribute | Value |
|---|---|
| release | Alpha |
| type | F |
| importance | 4 |
| urgency | 4 |
| vm | T |
1.2 Detect supported source languages from the target project SRS-002
VECTOR-Code SHALL run a language-detection step against the supplied project path and SHALL continue only when at least one supported language is detected above the configured threshold.
Rationale
The implemented source-analysis pipeline depends on a supported-language set before CodeQL databases can be created.
Acceptance criteria
- The input path is checked for existence, directory type, and read permission before analysis starts.
- Language detection is derived from
cloc --jsonoutput. - The current supported languages are Python, C, and C++.
Parent links: MRS-004 Support source-code analysis for current target languages
Child links: TCS-002 Verify supported language detection
| Attribute | Value |
|---|---|
| release | Alpha |
| type | F |
| importance | 5 |
| urgency | 4 |
| vm | T |
1.3 Create CodeQL databases through the external CLI SRS-003
VECTOR-Code SHALL invoke the external CodeQL CLI to create one analysis database per detected CodeQL language.
Rationale
The current implementation uses external CodeQL tooling to prepare the source tree for cryptographic inventory queries.
Acceptance criteria
- Duplicate source languages that map to the same CodeQL language do not create redundant databases.
- Database creation uses
--build-mode=none. - Failed database creation for one language does not fabricate a successful result for that language.
Parent links: MRS-008 Orchestrate open-source analysis tooling
Child links: TCS-003 Verify CodeQL database creation
| Attribute | Value |
|---|---|
| release | Alpha |
| type | F |
| importance | 4 |
| urgency | 4 |
| vm | T |
1.4 Run cryptographic inventory queries on created databases SRS-004
VECTOR-Code SHALL run cryptographic inventory queries against each created CodeQL database and SHALL collect the resulting SARIF artifacts.
Rationale
Source-code inventory requires a query phase that transforms prepared databases into inspectable findings.
Acceptance criteria
- Each created CodeQL database is checked against a configured query path for its CodeQL language.
- Successful query execution produces a SARIF output file for that language.
- Missing query paths or failed query execution do not silently report successful findings.
Parent links: MRS-001 Inventory cryptography across code and network surfaces
Child links: TCS-004 Verify SARIF generation from CodeQL queries
| Attribute | Value |
|---|---|
| release | Alpha |
| type | F |
| importance | 5 |
| urgency | 5 |
| vm | T |
1.5 Convert source-analysis findings into CBOM artifacts SRS-005
VECTOR-Code SHALL convert generated SARIF files into CBOM JSON artifacts using the configured application name.
Rationale
The implemented pipeline currently ends with SARIF-to-CBOM conversion, which makes the inventory consumable by downstream tooling.
Acceptance criteria
- Every valid SARIF file is eligible for CBOM generation.
- Failed conversion for one SARIF file does not report that file as a generated CBOM artifact.
- Generated CBOM files are named from the SARIF artifact stem.
Parent links: MRS-003 Produce standardized CBOM artifacts
Child links: TCS-005 Verify SARIF-to-CBOM conversion
| Attribute | Value |
|---|---|
| release | Alpha |
| type | F |
| importance | 5 |
| urgency | 4 |
| vm | T |
1.6 Scan TLS-enabled services by target and port SRS-006
VECTOR-Network SHALL accept a target and port for TLS assessment and SHALL invoke the configured TLS scanner to produce a raw JSON result file.
Rationale
The implemented TLS workflow is target-and-port driven and depends on persisted raw output before conversion.
Acceptance criteria
- TLS assessment validates that the target is non-empty and the port is within the supported range.
- Existing conflicting output files are removed before a new TLS scan starts.
- A successful scan produces a non-empty JSON result file.
Parent links: MRS-005 Support TLS service assessment
Child links: TCS-006 Verify raw TLS scan output generation
| Attribute | Value |
|---|---|
| release | Alpha |
| type | F |
| importance | 5 |
| urgency | 4 |
| vm | T |
1.7 Model TLS findings with classical, hybrid, and PQ-aware decomposition SRS-007
VECTOR-Network SHALL convert TLS scan results into a CBOM representation that preserves decomposed cryptographic algorithms, including supported hybrid or post-quantum-related entries.
Rationale
The implemented TLS conversion logic decomposes cipher suites, curves, and hybrid constructions into explicit inventory components.
Acceptance criteria
- TLS conversion reads structured JSON scan input and produces a CBOM JSON document.
- Cipher-suite decomposition captures key exchange, authentication, encryption, and hashing elements when present.
- Hybrid or PQ-related curve identifiers are represented when they are present in the mapped input data.
Parent links: MRS-002 Recognize post-quantum and hybrid algorithms
Child links: TCS-007 Verify TLS CBOM decomposition
| Attribute | Value |
|---|---|
| release | Alpha |
| type | F |
| importance | 5 |
| urgency | 4 |
| vm | T |
1.8 Scan SSH-enabled services by target and port SRS-008
VECTOR-Network SHALL accept a target and port for SSH assessment and SHALL invoke the configured SSH scanner to produce a raw JSON result file.
Rationale
The implemented SSH workflow depends on a persisted scan result that is later parsed into inventory components.
Acceptance criteria
- SSH assessment validates that the target is non-empty and the port is within the supported range.
- A successful SSH scan produces a non-empty JSON result file.
- The generated raw SSH output is suitable for later CBOM conversion.
Parent links: MRS-006 Support SSH service assessment
Child links: TCS-008 Verify raw SSH scan output generation
| Attribute | Value |
|---|---|
| release | Alpha |
| type | F |
| importance | 5 |
| urgency | 4 |
| vm | T |
1.9 Provide a ready-to-use Linux execution environment SRS-009
VECTOR SHALL rely on a Linux workspace that provides access to its expected local tool paths and writable output locations for both source-analysis and network-analysis workflows.
Rationale
The current implementation hard-codes several command-line tools and output locations, making runtime assumptions part of the operational contract.
Acceptance criteria
- VECTOR-Code creates its expected output directories before analysis steps start.
- VECTOR-Network checks that required converter scripts and scanner paths exist before conversion or scan processing continues.
- Runtime assumptions are explicit enough to verify in a controlled environment.
Parent links: MRS-007 Run in a reproducible Linux-based environment
Child links: TCS-009 Verify Linux runtime assumptions and tool-path checks
| Attribute | Value |
|---|---|
| release | Alpha |
| type | F |
| importance | 4 |
| urgency | 4 |
| vm | T |
1.10 Fail safely for invalid inputs, missing tools, and incomplete outputs SRS-010
VECTOR SHALL stop or constrain execution safely when required inputs are invalid, mandatory tools are unavailable, or expected result files are missing or empty.
Rationale
The implemented workflows already perform defensive checks around targets, ports, filesystem state, scanner presence, and generated outputs.
Acceptance criteria
- Invalid ports and empty targets are rejected before scanner invocation.
- Missing required tools or scripts terminate the affected workflow with an explicit error.
- Missing or empty result files do not proceed to CBOM conversion as if analysis succeeded.
Parent links: MRS-009 Preserve non-invasive assessment behavior
Child links: TCS-010 Verify safe failure behavior
| Attribute | Value |
|---|---|
| release | Alpha |
| type | F |
| importance | 5 |
| urgency | 4 |
| vm | T |
1.11 Classify cryptographic algorithms in a CBOM by quantum risk SRS-011
VECTOR SHALL accept a CycloneDX CBOM JSON file as input and classify each algorithm component according to its quantum risk level, using a data-driven catalog that encodes normative guidance from NIST, BSI TR-02102, and ANSSI.
Rationale
The classification step decouples the scoring logic from the inventory tools, allowing any CBOM produced by VECTOR-Code or VECTOR-Network (or any third-party tool producing a compliant CycloneDX CBOM) to be scored. A data-driven catalog (YAML) ensures the classification rules can be updated as standards evolve without modifying source code.
Acceptance criteria
- Given a CBOM containing RSA, ECDH, or DH algorithm components, the scorer assigns the
quantum-vulnerableclassification to each. - Given a CBOM containing ML-KEM or ML-DSA components, the scorer assigns the
non-hybridclassification to each. - Given a CBOM containing AES-256 or SHA-256 components, the scorer assigns the
quantum-safeclassification. - Given an unrecognized algorithm name, the scorer assigns the
unknownclassification. - Only components with
cryptoProperties.assetTypeequal toalgorithmare scored; protocol, certificate, and related-crypto-material components are left unmodified.
Parent links: MRS-011 Assess quantum risk of discovered cryptographic assets
Child links: TCS-011 Verify quantum risk classification
| Attribute | Value |
|---|---|
| release | Alpha |
| type | F |
| importance | 5 |
| urgency | 5 |
| vm | T |
1.12 Produce a CBOM annotated with quantum risk properties SRS-012
VECTOR SHALL produce an annotated copy of the input CBOM in which each scored algorithm component carries additional pqcmat:-namespaced properties recording its risk classification, risk score, rationale, recommended migration target, and normative reference.
Rationale
Embedding the risk classification directly into the CBOM document allows downstream tools and workflows to consume the scored output using standard CycloneDX tooling. The pqcmat: namespace prefix prevents collisions with other CycloneDX tool annotations. The original CBOM structure and all existing fields are preserved.
Acceptance criteria
- The annotated CBOM is valid JSON and retains all fields from the input CBOM.
- Each scored algorithm component contains a
propertiesarray entry withname: "pqcmat:risk-classification"and a non-emptyvalue. - Each scored algorithm component contains a
propertiesarray entry withname: "pqcmat:risk-score"with value one ofhigh,medium,low, ornone. - Each scored algorithm component contains a
propertiesarray entry withname: "pqcmat:recommended-migration". - The annotated CBOM
metadata.propertiesarray contains apqcmat:scored-atentry recording the scoring timestamp.
Parent links: MRS-011 Assess quantum risk of discovered cryptographic assets
Child links: TCS-012 Verify that annotated CBOM contains 'pqcmat' risk properties
| Attribute | Value |
|---|---|
| release | Alpha |
| type | F |
| importance | 5 |
| urgency | 5 |
| vm | T |
1.13 Produce a Markdown risk report grouped by classification SRS-013
VECTOR SHALL produce a Markdown report summarizing the quantum-threat risk findings from a scored CBOM, grouping algorithm findings by risk classification and including a count summary table, per-finding details (algorithm name, primitive, key size, rationale, migration target), and a normative references section.
Rationale
While the annotated CBOM is the machine-readable output, security and engineering teams require a human-readable artefact that can be reviewed without CBOM tooling. Grouping findings by risk level allows reviewers to prioritize remediation efforts.
Acceptance criteria
- The report is a valid Markdown document with a header identifying the scored target and timestamp.
- The report contains a summary table with columns: risk classification and algorithm count.
- The report contains at least one section per non-empty risk classification present in the scored CBOM.
- Each per-classification section contains a table listing: algorithm name, primitive type, key size (if applicable), rationale, and recommended migration target.
- The report contains a normative references section listing all standards cited.
Parent links: MRS-011 Assess quantum risk of discovered cryptographic assets
Child links: TCS-014 Verify Markdown risk report structure and source locations
| Attribute | Value |
|---|---|
| release | Alpha |
| type | F |
| importance | 4 |
| urgency | 4 |
| vm | T |
1.14 Produce a single unified CBOM for multi-language projects SRS-014
VECTOR-Code SHALL merge the per-language CBOM files generated during a single run into one unified CBOM artifact that represents the complete cryptographic inventory of the analyzed project, regardless of how many programming languages were detected.
Rationale
To provide a centralized input for risk reporting (VECTOR-Score) and a single information source for downstream consumers — CBOMkit and manual reviewers – to obtain a complete picture of the project's cryptographic posture when a project contains multiple supported languages (e.g., Python and C++).
The per-language SARIF files and CodeQL databases are retained as intermediate artifacts for traceability.
Acceptance criteria
- A single CBOM file with suffix
-cbom.jsonis written to theoutput/cbom/directory at the end of every VECTOR-Code run, regardless of the number of languages detected. - The unified CBOM contains all algorithm, certificate, related-crypto-material, and protocol components from every per-language CBOM produced during the same run.
- Each component in the unified CBOM retains its
evidence.occurrencesentries, including the source file path and line number from the original per-language CBOM. - When only one language is detected, the unified CBOM is produced in the same way; behaviour is identical to the current single-language output.
- Individual per-language CBOM files (e.g.,
crypto-python-cbom.json) are no longer written as final output; the unified file is the sole CBOM artifact.
Parent links: MRS-003 Produce standardized CBOM artifacts
Child links: TCS-013 Verify creation of unified CBOM
| Attribute | Value |
|---|---|
| release | Alpha |
| type | Functional (F) |
| importance | 3 |
| urgency | 2 |
| vm | T |
1.15 Show source locations of VECTOR-Code output in risk report SRS-015
For every cryptographic algorithm identified during a vector code scan, VECTOR-Score SHALL include the file path and line number of the source where it was found, in the Markdown risk report.
Rationale
Displaying the exact file path and line number of each cryptographic API call in the risk report provides developers with a convenient and readable index and allows them to navigate directly to the code lines without having to search in the raw CBOM file. This information is already recorded in the evidence.occurrences entries of the CBOM file generated by VECTOR-Code.
Acceptance criteria
- For each algorithm in the CBOM file that has at least one
evidence.occurrencesentry, the risk report table row includes the source file path and the first associated line number. - When multiple
evidence.occurrencesentries exist for a single component, all distinct file-path/line-number pairs are listed. - For algorithm findings that have no
evidence.occurrences(e.g., from VECTOR-Network CBOMs), the location column is left blank or marked as not applicable; no error is raised.
Parent links: MRS-011 Assess quantum risk of discovered cryptographic assets
Child links: TCS-014 Verify Markdown risk report structure and source locations
| Attribute | Value |
|---|---|
| release | Alpha |
| type | Functional (F) |
| importance | 4 |
| urgency | 3 |
| vm | T |
1.16 Accept a GitHub repository URL as a source analysis target SRS-016
VECTOR-Code SHALL accept a GitHub repository URL in place of a local directory path, clone the repository into a temporary workspace inside the container, and proceed with the standard source-analysis pipeline against the cloned content.
Rationale
Analysts frequently work from public or internally hosted GitHub repositories without maintaining a local checkout. Requiring a manual git clone before running VECTOR-Code adds friction. Supporting a URL directly makes the workflow consistent with how repository-level scanning is done in other security tooling and reduces setup steps for ad-hoc assessments.
Acceptance criteria
vector codeaccepts ahttps://github.com/<owner>/<repo>URL as thepathargument in addition to local filesystem paths.- When a GitHub URL is supplied, the tool clones the repository into a temporary directory before analysis and removes it after the pipeline completes.
- The
--nameargument, if omitted, defaults to the repository name extracted from the URL (e.g.,cryptographyfromhttps://github.com/pyca/cryptography). - Clone failures (network error, repository not found, authentication required) terminate the run with an explicit error message and exit code
1; no partial output is written. - The standard language-detection, CodeQL database creation, query execution, and CBOM generation steps run unchanged against the cloned content.
- Private repositories that require authentication are out of scope for this requirement; an attempt to clone such a repository results in an explicit authentication-failure error rather than silent failure.
Parent links: MRS-004 Support source-code analysis for current target languages
| Attribute | Value |
|---|---|
| release | Alpha |
| type | Functional (F) |
| importance | 3 |
| urgency | 3 |
| vm | T |
1.17 Provide a web-based interface for running scans and visualizing results SRS-017
VECTOR SHALL expose a web-based user interface that allows non-technical users to submit source-code analysis and network scan requests, monitor their progress, and review risk findings without using the CLI.
Rationale
The current CLI-only interaction model requires familiarity with the Dev Container environment, command-line arguments, and raw JSON or Markdown output. A web interface lowers the barrier to adoption.
Acceptance criteria
Deployment and access
- The web interface is served from within the VECTOR container and is accessible from the host browser at a documented local port without additional configuration.
- The interface does not require user authentication for the initial release; single-user local deployment is assumed.
Navigation structure
The interface is organized into four top-level sections reachable from a persistent navigation bar:
| Section | Purpose |
|---|---|
| New scan | Submit a VECTOR-Code or VECTOR-Network scan |
| Scan history | List of all past and in-progress scans with status |
| Results | Risk report and CBOM viewer for a selected scan |
Scan submission — VECTOR-Code
The New scan page presents a VECTOR-Code form with the following fields:
| Field | Type | Required | Notes |
|---|---|---|---|
| Source | File/text input | Yes | Accepts a local filesystem path (e.g. /mnt/host-home/myproject) or a https://github.com/ URL (per SRS-016) |
| Application name | Text input | No | Passed as --name; defaults to the repository name when a GitHub URL is entered |
Scan submission — VECTOR-Network
The New scan page also presents a VECTOR-Network form with the following fields:
| Field | Type | Required | Notes |
|---|---|---|---|
| Protocol | Dropdown | Yes | Options: TLS, SSH |
| Target | Text input | Yes | Domain name or IP address |
| Port | Number input | Yes | Pre-filled with 443 when TLS is selected, 22 when SSH is selected; editable |
On submission, the form validates that the target is non-empty, that the port is an integer between 1 and 65535, and that the protocol is one of the two supported values before sending the request to the API.
Scan progress monitoring
- After submission, the user is navigated automatically to a scan detail page for the new job.
- The scan detail page displays the current status and refreshes without a full page reload (polling or server-sent events are acceptable).
- The elapsed time since submission is displayed and updated in real time.
- If a scan fails, the detail page displays the error message returned by the CLI and an exit code.
Scan history
The Scan history page lists all scans that have been submitted in the current session, showing:
- Scan type (Code / Network)
- Target (path, URL, or
host:port) - Application name or scan identifier
- Submission timestamp
- Status
Each row links to the scan detail page for that job. Completed rows also link directly to the Results page for that job.
Results viewer
The Results page for a completed scan presents findings in three tabs:
Risk report tab
- The Markdown risk report produced by VECTOR-Score is rendered as HTML.
- The summary classification table (counts by risk level) is shown at the top with colour-coded risk badges: red for
HIGH, orange forMEDIUM, blue forLOW, green forNONE. - Each per-classification section is collapsible; sections for
quantum-vulnerableandclassically-deprecatedare expanded by default. - For VECTOR-Code results, each finding row that contains source location data (
detectionContext) shows the file path and line number as a non-interactive inline code label. - The report is downloadable as a
.mdfile via a Download report button.
CBOM explorer tab
- The annotated CBOM JSON (output of VECTOR-Score) is displayed as a structured, collapsible tree, not as raw JSON text.
- The explorer is filterable by classification value using a dropdown so the user can isolate, for example, all
quantum-vulnerablecomponents. - Each algorithm component node shows: variant name, primitive type, key size (if present), mode (if present), risk classification badge.
- The full annotated CBOM JSON is downloadable via a Download CBOM button.
Raw scan output tab
- For VECTOR-Network scans, the raw scanner output file (
_tls_scan.jsonor_ssh_scan.json) is displayed as collapsible JSON and is downloadable. - For VECTOR-Code scans, the CBOM results file is displayed as collapsible JSON and is downloadable.
General UI requirements
- All user-facing error messages state what went wrong and what the user can do next; raw stack traces are not shown in the interface (they are written to a server log only).
- The interface remains responsive during long-running scans; submitting a new scan while one is in progress is permitted.
Parent links: MRS-012 Provide a browser-accessible interface
| Attribute | Value |
|---|---|
| release | Alpha |
| type | Functional (F) |
| importance | 3 |
| urgency | 4 |
| vm | T |
1.18 Support standalone container deployment SRS-018
VECTOR SHALL be deployable as a standalone Docker container that can be invoked from the command line or from a CI/CD pipeline without requiring VS Code or the Dev Containers extension.
Rationale
The current deployment model is tightly coupled to VS Code Dev Containers, which requires an interactive development environment on the analyst's machine. Embedding VECTOR into automated pipelines (GitLab CI, GitHub Actions, Jenkins) is not possible under this model because pipeline runners do not run VS Code. A standalone container image that exposes the vector CLI as its entry point enables automated, unattended scanning as part of a repository's security workflow.
Acceptance criteria
- A Docker image is buildable from the project repository without the VS Code Dev Containers extension or any VS Code-specific configuration.
- The image entry point is the
vectorCLI; standarddocker runinvocations (e.g.,docker run --rm vector-image vector code /src --name my-app) execute without additional setup. - Source code to be analyzed can be mounted into the container via a Docker volume (e.g.,
-v $(pwd):/src) without requiring file copies into the image at build time. - Output artifacts are written to a mountable output directory so that results are accessible on the host after the container exits.
Parent links: MRS-007 Run in a reproducible Linux-based environment
| Attribute | Value |
|---|---|
| release | Alpha |
| type | Functional (F) |
| importance | 3 |
| urgency | 2 |
| vm | T |