Release notes
Detailed notes on the features, improvements, and fixes shipped in each PQC-MAT VECTOR release. For the full list of all changes see the changelog.
v0.3.0
June 2026
Web interface for scan submission, monitoring, and results review
A Flask-based web interface (tor/gui/app.py) introduces a browser-based
control panel for running VECTOR-Code and VECTOR-Network scans without touching the CLI.
The interface streams live terminal output during scanning and provides dedicated result
views for the risk report, CBOM explorer, and raw scanner output.
| View | Purpose |
|---|---|
| New scan — VECTOR-Code | Submit a source-code analysis request via local path or GitHub URL, with an optional application name. Supported and unsupported languages are listed inline. |
| New scan — VECTOR-Network | Submit a TLS or SSH network scan by selecting the protocol and entering a target hostname/IP and port. |
| Scan history | Browse past scans with status badges, scan type, target, and submission time. Navigate to any result from the list. |
| Live scan view | Real-time streaming of scanner output alongside scan metadata (ID, type, target, submitted timestamp, running status). |
GitHub URL support for VECTOR-Code
VECTOR-Code now accepts public GitHub repository URLs directly (e.g.,
https://github.com/owner/repo) in addition to local paths.
The repository is cloned automatically before analysis and the repository
name is used as the default application name when no --name
flag is provided.
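Because the web interface and CLI both take a repository URL and hand it to a clone step, only the documented https://github.com/owner/repo shape should reach git. The check below is an added example, not VECTOR's own code: parse_github_url and clone_plan are hypothetical names, and the owner/repo character rules are an assumption based on GitHub's naming limits.

```python
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Assumed naming rules: owner starts alphanumeric (max 39 chars); repo uses letters, digits, . _ -
_OWNER = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,38}")
_REPO = re.compile(r"[A-Za-z0-9._-]{1,100}")


def parse_github_url(url: str) -> Tuple[str, str]:
    """Return (owner, repo) for https://github.com/owner/repo, else raise ValueError."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("only https:// URLs are accepted")
    # Exact match on netloc rejects userinfo, ports and look-alike hosts
    if parts.netloc.lower() != "github.com":
        raise ValueError("host must be github.com")
    if parts.query or parts.fragment:
        raise ValueError("query strings and fragments are not accepted")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 2:
        raise ValueError("expected /owner/repo")
    owner, repo = segments
    if repo.endswith(".git"):
        repo = repo[:-4]
    if not _OWNER.fullmatch(owner) or not _REPO.fullmatch(repo) or repo in (".", ".."):
        raise ValueError("invalid owner or repository name")
    return owner, repo


def clone_plan(url: str, name: Optional[str] = None) -> dict:
    """Rebuild the URL from validated parts and default the app name to the repo name."""
    owner, repo = parse_github_url(url)
    canonical = f"https://github.com/{owner}/{repo}.git"
    return {
        "app_name": name or repo,
        # argv list for subprocess (no shell); "--" ends option parsing before the URL
        "argv": ["git", "clone", "--", canonical],
    }
```

The clone command is built from the validated owner and repo rather than from the submitted string, so nothing the user typed is passed to git verbatim.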
Dev Container host home mount
The Dev Container now mounts the host user’s home directory at
/mnt/host-home, enabling direct scanning of source code that lives
on the host machine without copying files into the container.
Multi-language unified risk report
When VECTOR-Code detects multiple supported languages in a repository, it now generates a single consolidated risk report covering all languages, in addition to the per-language CBOM files. Source code location tracking has been added so the report includes file paths and line numbers for each detected algorithm.
Streamlined quantum risk classifications
The VECTOR-Score risk classification model has been simplified from seven to
six categories. The quantum-weakened and post-quantum
categories have been merged into a single non-hybrid category,
reflecting cleaner alignment with NIST FIPS 203/204/205 terminology.
Documentation, specifications, and tests have been updated accordingly.
Enhanced algorithm risk catalog
The data-driven YAML algorithm risk catalog has been updated with improved regular expression patterns, increasing detection accuracy and reducing false classifications for edge-case algorithm name variants.
v0.2.0
May 2026
Unified vector CLI entry point
A single top-level vector command replaces the previous per-module
entry points. Three subcommands cover the full workflow:
vector code for static source analysis,
vector network for TLS/SSH network scanning, and
vector score for quantum risk classification of any CycloneDX CBOM.
The entry point is registered via [tool.poetry.scripts] in
pyproject.toml and is available immediately after poetry install.
| Subcommand | Purpose |
|---|---|
| `vector code <path> [--name <app>]` | Run CodeQL static analysis on a local path or GitHub URL and produce a CycloneDX CBOM. |
| `vector network --protocol tls\|ssh --target <host> --port <port>` | Enumerate cryptographic configurations of a live TLS or SSH endpoint and produce a CBOM. |
| `vector score --cbom <file.json>` | Classify each component in a CycloneDX CBOM by quantum risk posture and generate an annotated CBOM plus a Markdown risk report. |
Module restructuring to Python-valid package names
The source directories have been renamed to valid Python package names:
tor/VECTOR-Code/ → tor/vector_code/,
tor/VECTOR-Network/ → tor/vector_network/, and
tor/VECTOR-Score/ → tor/vector_score/.
Implicit relative imports have been fixed to use dotted relative form throughout
all modules. __init__.py files have been added to make all packages
importable.
Documentation update — CLI throughout
All user manual pages (start.md, vector-code.md,
vector-network.md, vector-score.md,
installation.md, troubleshooting.md) have been updated
to use vector CLI commands. README.md and
tor/README.md quick-start sections reflect the new entry point.
Architecture diagrams embedded in specs
The VECTOR-Code CBOM generation pipeline diagram has been embedded in ARC-002 (VECTOR-Code processing component) and the VECTOR-Network cryptography scanning diagram in ARC-004 (external analysis tool adapters), improving traceability between design artifacts and the visual architecture overview.
Cross-platform Dev Container fix
dev.Dockerfile has been made cross-platform: CodeQL CLI installation
is skipped on ARM-based hosts (non-x64 architectures) where the CodeQL binary is
not available. VECTOR-Network and VECTOR-Score continue to work on all platforms.
v0.1.0
May 2026
PQC-MAT VECTOR — first public release
The initial release of PQC-MAT delivers the VECTOR subsystem: a containerized toolchain for automated cryptographic inventory and quantum risk scoring. VECTOR combines static source code analysis, live network scanning, and a catalog-driven risk classifier into a single, unified workflow running inside a Docker Dev Container.
All tools operate on standardized CycloneDX 1.6 CBOM output, making results interoperable with any CycloneDX-compatible platform. The quantum risk catalog is aligned with NIST FIPS 203/204/205, BSI TR-02102, and ANSSI guidance.
VECTOR-Code — CodeQL static analysis for Python, C, and C++
Detects cryptographic API usage in source code via CodeQL queries from
Santandersecurityresearch.
Orchestrates language detection (cloc), database creation and
query execution (CodeQL CLI), and CBOM generation (cryptobom-forge)
into a single vector code <path> invocation.
A pre-loaded test project (pyca/cryptography)
is available at /home/vector/test-project/cryptography inside the container.
VECTOR-Network — TLS and SSH scanning with CBOM output
TLS scanning via testssl.sh enumerates protocol versions, full cipher suite offers, elliptic curves, DH groups, signature algorithms, certificate properties, and post-quantum / hybrid KEMs (ML-KEM-512/768/1024, X25519Kyber768Draft00, SecP256r1MLKEM768, X25519MLKEM768, SecP384r1MLKEM1024). SSH scanning via ZGrab2 records KEX, host key, cipher, and MAC algorithm offers, the negotiated suite, server banner, and host key fingerprint. Custom parsers convert raw scanner output to CycloneDX 1.6 CBOM format, with full cipher suite decomposition into individual algorithm components.
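To show what cipher suite decomposition into individual algorithm components looks like, the added example below (not VECTOR-Network's parser) splits IANA-style TLS suite names and emits CycloneDX 1.6 cryptographic-asset components. The function names and the bom-ref scheme are hypothetical, and only ECDHE/DHE and static RSA key exchange are handled.

```python
KEX = {"ECDHE", "DHE"}            # ephemeral key agreement
AUTH = {"RSA", "ECDSA", "DSS"}    # certificate signature algorithm

def decompose(suite):
    """Split an IANA TLS suite name into (algorithm, CycloneDX primitive) pairs."""
    if not suite.startswith("TLS_"):
        raise ValueError(f"not an IANA TLS suite name: {suite!r}")
    head, sep, rest = suite[4:].partition("_WITH_")
    if not sep:                   # TLS 1.3 names carry only AEAD + hash
        head, rest = "", suite[4:]
    cipher, _, digest = rest.rpartition("_")
    if not cipher:
        raise ValueError(f"cannot split cipher and hash: {suite!r}")
    digest = "SHA1" if digest == "SHA" else digest
    tokens = head.split("_") if head else []
    if len(tokens) == 2 and tokens[0] in KEX and tokens[1] in AUTH:
        parts = [(tokens[0], "key-agree"), (tokens[1], "signature")]
    elif tokens == ["RSA"]:       # static RSA key transport
        parts = [("RSA", "pke")]
    elif not tokens:
        parts = []
    else:
        raise ValueError(f"unsupported key exchange: {head!r}")
    aead = any(mode in cipher for mode in ("GCM", "CCM", "POLY1305"))
    kind = "ae" if aead else "block-cipher" if "CBC" in cipher else "unknown"
    parts.append((cipher.replace("_", "-"), kind))
    # AEAD suites name the PRF/HKDF hash; older suites name the HMAC hash
    parts.append((digest, "hash") if aead else (f"HMAC-{digest}", "mac"))
    return parts

def to_cbom(suites):
    """Build a minimal CycloneDX 1.6 CBOM with one component per distinct algorithm."""
    seen, components = set(), []
    for suite in suites:
        for name, primitive in decompose(suite):
            if (name, primitive) in seen:
                continue
            seen.add((name, primitive))
            components.append({
                "type": "cryptographic-asset",
                "bom-ref": f"crypto/{primitive}/{name.lower()}",  # constructed ref scheme
                "name": name,
                "cryptoProperties": {"assetType": "algorithm",
                                     "algorithmProperties": {"primitive": primitive}},
            })
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": components}

# Constructed sample of suites a TLS endpoint might offer
SAMPLE = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
          "TLS_RSA_WITH_AES_128_CBC_SHA"]
```

Deduplicating on the (name, primitive) pair keeps RSA used for signatures separate from RSA used for key transport, which matters for risk scoring because the two uses appear in different suites.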
VECTOR-Score — quantum risk classification
Accepts any CycloneDX 1.6 CBOM JSON and classifies each component against a data-driven YAML catalog covering algorithms from NIST FIPS 203/204/205, BSI TR-02102, and ANSSI. Components are assigned one of seven initial risk categories. Output is an annotated CBOM plus a Markdown risk report suitable for inclusion in PQC migration assessments.