{
  "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.7",
  "version": 1,
  "metadata": {
    "timestamp": "2026-06-19T00:00:00Z",
    "component": {
      "type": "application",
      "name": "Webhook Lab",
      "version": "0.1.0",
      "description": "Open-source Stripe webhook testing tool (lab.sutyr.com). This CBOM documents the cryptographic posture of the application: the application-level webhook signing it performs, plus the platform-managed transport layer.",
      "licenses": [{ "license": { "id": "Apache-2.0" } }],
      "externalReferences": [
        { "type": "website", "url": "https://lab.sutyr.com" },
        { "type": "vcs", "url": "https://github.com/sutyr/webhook-lab" }
      ]
    },
    "authors": [{ "name": "Sutyr Inc." }]
  },
  "components": [
    {
      "type": "cryptographic-asset",
      "name": "HMAC-SHA256",
      "bom-ref": "crypto/algorithm/hmac-sha256",
      "description": "Application-level webhook signing. Computes an HMAC-SHA256 tag over `${timestamp}.${payload}`, keyed with the signing secret used verbatim, and emits it in the Stripe-compatible Stripe-Signature header (t=<timestamp>,v1=<hex>), matching stripe.webhooks.constructEvent. Verification uses a constant-time comparison (Node crypto timingSafeEqual).",
      "cryptoProperties": {
        "assetType": "algorithm",
        "algorithmProperties": {
          "primitive": "mac",
          "parameterSetIdentifier": "256",
          "executionEnvironment": "software-plain-ram",
          "implementationPlatform": "generic",
          "cryptoFunctions": ["tag", "verify"],
          "nistQuantumSecurityLevel": 0
        },
        "oid": "1.2.840.113549.2.9"
      }
    },
    {
      "type": "cryptographic-asset",
      "name": "SHA-256",
      "bom-ref": "crypto/algorithm/sha-256",
      "description": "Hash function underlying the HMAC webhook signature.",
      "cryptoProperties": {
        "assetType": "algorithm",
        "algorithmProperties": {
          "primitive": "hash",
          "parameterSetIdentifier": "256",
          "executionEnvironment": "software-plain-ram",
          "implementationPlatform": "generic",
          "cryptoFunctions": ["digest"],
          "nistQuantumSecurityLevel": 0
        },
        "oid": "2.16.840.1.101.3.4.2.1"
      }
    },
    {
      "type": "cryptographic-asset",
      "name": "TLS 1.3",
      "bom-ref": "crypto/protocol/tls-1.3",
      "description": "Transport encryption for lab.sutyr.com, provided by the platform edge (Vercel / Cloudflare). Not implemented by the application.",
      "cryptoProperties": {
        "assetType": "protocol",
        "protocolProperties": {
          "type": "tls",
          "version": "1.3",
          "cipherSuites": [
            { "name": "TLS_AES_128_GCM_SHA256" }
          ]
        }
      }
    },
    {
      "type": "cryptographic-asset",
      "name": "X25519MLKEM768",
      "bom-ref": "crypto/algorithm/x25519mlkem768",
      "description": "Hybrid post-quantum key agreement (classical X25519 + ML-KEM-768) negotiated at the platform edge for TLS 1.3 with clients that offer this group. Inherited from the hosting platform, not implemented by the application.",
      "cryptoProperties": {
        "assetType": "algorithm",
        "algorithmProperties": {
          "primitive": "kem",
          "executionEnvironment": "software-plain-ram",
          "implementationPlatform": "generic",
          "cryptoFunctions": ["keygen", "encapsulate", "decapsulate"],
          "nistQuantumSecurityLevel": 3
        }
      }
    },
    {
      "type": "cryptographic-asset",
      "name": "AES-128-GCM",
      "bom-ref": "crypto/algorithm/aes-128-gcm",
      "description": "AEAD cipher of TLS_AES_128_GCM_SHA256, the negotiated TLS 1.3 cipher suite at the platform edge. Provided by the hosting platform, not implemented by the application.",
      "cryptoProperties": {
        "assetType": "algorithm",
        "algorithmProperties": {
          "primitive": "ae",
          "parameterSetIdentifier": "128",
          "executionEnvironment": "software-plain-ram",
          "implementationPlatform": "generic",
          "cryptoFunctions": ["encrypt", "decrypt"],
          "nistQuantumSecurityLevel": 1
        },
        "oid": "2.16.840.1.101.3.4.1.6"
      }
    }
  ]
}
