{
  "metadata": {
    "title": "CryptoServe Census - March 2026 Scan Summary",
    "version": "2026-03",
    "collectedAt": "2026-03-18T00:00:00.000Z",
    "methodology": "Automated analysis of 11 package ecosystem dependency manifests for cryptographic library usage, classification into weak/modern/PQC tiers, and cross-referencing with NVD CVE and GitHub Advisory databases.",
    "contact": "https://github.com/ecolibria/crypto-serve/issues",
    "license": "CC-BY-4.0",
    "citation": "CryptoServe Census, March 2026. https://census.cryptoserve.dev"
  },
  "scanScope": {
    "totalPackagesAnalyzed": 2809479,
    "packagesWithCrypto": 108145,
    "ecosystems": [
      "npm", "pypi", "go", "maven", "crates.io",
      "packagist", "nuget", "rubygems", "hex", "pub.dev", "cocoapods"
    ],
    "ecosystemCount": 11,
    "catalogSize": 357,
    "catalogDescription": "357 cryptographic libraries manually classified into weak/modern/PQC tiers with algorithm mappings, CVE references, and recommended replacements.",
    "scanMethod": "Dependency manifest analysis (package.json, requirements.txt, go.mod, pom.xml, Cargo.toml, etc.). Does NOT scan source code. Direct dependencies only, not transitive."
  },
  "results": {
    "totalMonthlyDownloads": 5109511121,
    "weakDownloads": 1011798698,
    "modernDownloads": 4095187364,
    "pqcDownloads": 2525059,
    "weakPercentage": 19.8,
    "modernPercentage": 80.1,
    "pqcPercentage": 0.05,
    "weakToPqcRatio": 401,
    "packageLevelBreakdown": {
      "weakPackages": 21332,
      "weakPercentageOfCrypto": 19.7,
      "modernPackages": 86625,
      "modernPercentageOfCrypto": 80.1,
      "pqcPackages": 188,
      "pqcPercentageOfCrypto": 0.17,
      "pqcByEcosystem": {
        "npm": 43,
        "pypi": 18,
        "go": 17,
        "crates.io": 109,
        "nuget": 1
      }
    }
  },
  "vulnerabilities": {
    "source": "NIST NVD REST API v2.0 (CWE queries), GitHub Advisory Database REST API",
    "totalCryptoCves": 761,
    "cveBreakdown": {
      "CWE-327": { "description": "Use of a Broken or Risky Cryptographic Algorithm", "count": 419 },
      "CWE-326": { "description": "Inadequate Encryption Strength", "count": 339 },
      "CWE-328": { "description": "Use of Weak Hash", "count": 3 }
    },
    "totalAdvisories": 87,
    "advisorySeverity": {
      "critical": 12,
      "high": 31,
      "medium": 28,
      "low": 16
    },
    "advisoryNote": "Advisory count from GitHub Advisory Database filtered for crypto-related CWEs (CWE-310 hierarchy). Limited to 20 pages of results; older advisories may be excluded."
  },
  "tierClassification": {
    "weak": "Deprecated, broken, or unmaintained cryptographic implementations. Includes MD5, SHA-1, DES, RC4, Blowfish, and libraries with known CVEs in cryptographic operations.",
    "modern": "Current-generation, maintained implementations using algorithms approved by NIST SP 800-131A Rev 2. Includes AES-GCM, ChaCha20-Poly1305, Ed25519, X25519, SHA-256+, bcrypt, Argon2.",
    "pqc": "Post-quantum cryptographic implementations based on NIST FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA)."
  },
  "reproducibility": {
    "dataCollectionMethod": "CryptoServe scanner queries each ecosystem registry API for download counts of 357 cataloged packages. Package-level analysis fetches dependency manifests from registry APIs and cross-references against the catalog.",
    "registryAPIs": {
      "npm": "https://api.npmjs.org/downloads/point/last-month/{package}",
      "pypi": "https://pypistats.org/api/packages/{package}/recent",
      "crates.io": "https://crates.io/api/v1/crates/{crate}",
      "nuget": "https://api.nuget.org/v3-flatcontainer/{package}/index.json",
      "rubygems": "https://rubygems.org/api/v1/gems/{gem}.json",
      "hex": "https://hex.pm/api/packages/{package}",
      "pub.dev": "https://pub.dev/api/packages/{package}/score",
      "go": "Estimated from GitHub stars (no download API available)",
      "maven": "Estimated from version count (no public download API available)",
      "cocoapods": "No public download statistics available"
    },
    "cveSource": "https://services.nvd.nist.gov/rest/json/cves/2.0?cweId={CWE-ID}",
    "advisorySource": "https://api.github.com/advisories?per_page=100",
    "nistReferences": {
      "IR-8547": "https://csrc.nist.gov/pubs/ir/8547/ipd",
      "FIPS-203": "https://csrc.nist.gov/pubs/fips/203/final",
      "FIPS-204": "https://csrc.nist.gov/pubs/fips/204/final",
      "FIPS-205": "https://csrc.nist.gov/pubs/fips/205/final"
    },
    "scanDate": "2026-03-18",
    "nextScanPlanned": "2026-04-18"
  },
  "limitations": [
    "Package analysis checks dependency manifests only, not source code. Direct dependencies only, not transitive.",
    "Download counts include CI/CD pipelines and transitive dependency resolution; they overstate direct application usage.",
    "Go and Maven download counts are estimates (no public download APIs exist for these ecosystems).",
    "CocoaPods has no public download statistics; counts reflect lifetime totals converted to monthly rates.",
    "Package-level analysis identifies packages that depend on cryptographic libraries, not whether applications use the weak functionality.",
    "The 357-library catalog is manually curated and may not cover all cryptographic packages in each ecosystem.",
    "This is the first census measurement. Historical trend data shown on the dashboard is estimated from a single data point, not measured over time.",
    "GitHub Advisory data is limited to 20 pages (2,000 advisories); older crypto advisories may be excluded from the count."
  ]
}