cbom-scan 0.1.0__py3-none-any.whl

cbom_scan/__init__.py

@@ -0,0 +1,3 @@
+"""cbom-scan — CycloneDX 1.7 CBOM generator for post-quantum compliance."""
+
+__version__ = "0.1.0"

cbom_scan/ai/roadmap_agent.py

@@ -0,0 +1,118 @@
+from __future__ import annotations
+
+import json
+import logging
+import re
+from dataclasses import dataclass
+
+from cbom_scan.models.cyclonedx import CycloneDXBom
+
+_log = logging.getLogger("cbom_scan.roadmap")
+
+_SYSTEM = """You are a post-quantum cryptography migration expert.
+Given a CycloneDX 1.7 CBOM (Cryptography Bill of Materials) from a real codebase,
+produce a prioritized migration roadmap.
+
+Return ONLY valid JSON (no markdown):
+{
+  "executive_summary": "2-sentence CISO-level summary",
+  "tasks": [
+    {
+      "rank": 1,
+      "algorithm": "RSA",
+      "location": "src/auth/jwt.py:34",
+      "why_first": "one sentence — why this is the highest priority",
+      "effort_days": 3.0,
+      "migration_diff": "# BEFORE\\nfrom Crypto.PublicKey import RSA\\nkey = RSA.generate(2048)\\n\\n# AFTER\\nfrom oqs import KeyEncapsulation\\nkem = KeyEncapsulation('ML-KEM-768')\\npub = kem.generate_keypair()",
+      "nist_replacement": "ML-KEM-768 (FIPS 203)"
+    }
+  ],
+  "total_effort_days": 5.5
+}
+
+Rules:
+- Rank by impact: signing keys first (break auth), then encryption, then hashing
+- Show top 5 tasks only
+- migration_diff must be actual code for the detected language (infer from file extension)
+- Be specific: use the exact file path and line number from the CBOM evidence"""
+
+
+@dataclass
+class MigrationTask:
+    rank:             int
+    algorithm:        str
+    location:         str
+    why_first:        str
+    effort_days:      float
+    migration_diff:   str
+    nist_replacement: str
+
+
+@dataclass
+class RoadmapResult:
+    executive_summary: str
+    tasks:             list[MigrationTask]
+    total_effort_days: float
+
+
+class RoadmapAgent:
+    """
+    Calls Claude with the CBOM JSON and returns a prioritized migration roadmap.
+    Returns None gracefully when api_key is missing or Claude call fails.
+    """
+
+    def __init__(self, api_key: str | None = None) -> None:
+        self._api_key = api_key
+
+    @property
+    def available(self) -> bool:
+        return bool(self._api_key)
+
+    def generate(self, bom: CycloneDXBom) -> RoadmapResult | None:
+        if not self.available:
+            return None
+        try:
+            import anthropic
+        except ImportError:
+            _log.warning("anthropic package not installed. Run: pip install cbom-scan[ai]")
+            return None
+
+        cbom_json = bom.to_json(indent=2)
+        prompt    = (
+            f"Here is the CBOM for a software project:\n\n```json\n{cbom_json}\n```\n\n"
+            "Produce the migration roadmap JSON."
+        )
+
+        try:
+            client   = anthropic.Anthropic(api_key=self._api_key)
+            message  = client.messages.create(
+                model      = "claude-sonnet-4-6",
+                max_tokens = 1500,
+                system     = _SYSTEM,
+                messages   = [{"role": "user", "content": prompt}],
+            )
+            raw = message.content[0].text
+            m   = re.search(r"\{.*\}", raw, re.DOTALL)
+            if not m:
+                return None
+            data  = json.loads(m.group(0))
+            tasks = [
+                MigrationTask(
+                    rank             = t.get("rank", i + 1),
+                    algorithm        = t.get("algorithm", ""),
+                    location         = t.get("location", ""),
+                    why_first        = t.get("why_first", ""),
+                    effort_days      = float(t.get("effort_days", 1.0)),
+                    migration_diff   = t.get("migration_diff", ""),
+                    nist_replacement = t.get("nist_replacement", ""),
+                )
+                for i, t in enumerate(data.get("tasks", [])[:5])
+            ]
+            return RoadmapResult(
+                executive_summary = data.get("executive_summary", ""),
+                tasks             = tasks,
+                total_effort_days = float(data.get("total_effort_days", 0.0)),
+            )
+        except Exception as exc:
+            _log.warning(f"RoadmapAgent failed: {exc}")
+            return None

cbom_scan/classifier/risk_classifier.py

@@ -0,0 +1,58 @@
+from __future__ import annotations
+
+from dataclasses import dataclass
+
+from cbom_scan.classifier.rules import NIST_RULES, RuleEntry
+from cbom_scan.models.finding import CryptoFinding
+
+
+@dataclass(frozen=True)
+class RiskProfile:
+    risk_label:                  str
+    nist_quantum_security_level: int
+    primitive:                   str
+    nist_replacement:            str
+    effort_days:                 float
+    crypto_functions:            list[str]
+    certification_level:         list[str]
+    parameter_set_identifier:    str
+
+
+_UNKNOWN_RULE: RuleEntry = {
+    "primitive":                   "unknown",
+    "nist_quantum_security_level":  0,
+    "nist_replacement":            "Review manually",
+    "effort_days":                  1.0,
+    "risk_label":                  "HIGH",
+    "crypto_functions":            [],
+    "certification_level":         ["none"],
+    "parameter_set_identifier":    "unknown",
+}
+
+
+class RiskClassifier:
+    """
+    Pure function classifier. No I/O, no state.
+    Maps a CryptoFinding to a RiskProfile using the NIST_RULES table.
+    """
+
+    def classify(self, finding: CryptoFinding) -> RiskProfile:
+        rule = NIST_RULES.get(finding.algorithm.upper(), _UNKNOWN_RULE)
+        return RiskProfile(
+            risk_label                  = rule["risk_label"],
+            nist_quantum_security_level = rule["nist_quantum_security_level"],
+            primitive                   = rule["primitive"],
+            nist_replacement            = rule["nist_replacement"],
+            effort_days                 = rule["effort_days"],
+            crypto_functions            = list(rule["crypto_functions"]),
+            certification_level         = list(rule["certification_level"]),
+            parameter_set_identifier    = rule["parameter_set_identifier"],
+        )
+
+    def classify_all(self, findings: list[CryptoFinding]) -> dict[str, RiskProfile]:
+        seen: dict[str, RiskProfile] = {}
+        for f in findings:
+            algo = f.algorithm.upper()
+            if algo not in seen:
+                seen[algo] = self.classify(f)
+        return seen

cbom_scan/classifier/rules.py

@@ -0,0 +1,121 @@
+"""
+NIST PQC status database.
+Source: NIST IR 8547 (2024), FIPS 203/204/205, NSA CNSA 2.0.
+
+nistQuantumSecurityLevel meanings:
+  0 = broken by quantum (Shor's algorithm) — RSA, ECC, DH, DSA
+  0 = classically weak — MD5, SHA-1
+  1 = acceptable short-term (classical only)
+  3 = 128-bit post-quantum security (Grover halves symmetric key strength)
+  5 = 192-bit post-quantum security
+  6 = 256-bit post-quantum security (max level)
+"""
+
+from __future__ import annotations
+from typing import TypedDict
+
+
+class RuleEntry(TypedDict):
+    primitive:                  str
+    nist_quantum_security_level: int
+    nist_replacement:           str
+    effort_days:                float
+    risk_label:                 str           # "CRITICAL" | "HIGH" | "MEDIUM" | "LOW"
+    crypto_functions:           list[str]
+    certification_level:        list[str]
+    parameter_set_identifier:   str
+
+
+NIST_RULES: dict[str, RuleEntry] = {
+    "RSA": {
+        "primitive":                   "pke",
+        "nist_quantum_security_level":  0,
+        "nist_replacement":            "ML-KEM-768 (FIPS 203) for KEM, ML-DSA-65 (FIPS 204) for signing",
+        "effort_days":                  3.0,
+        "risk_label":                  "CRITICAL",
+        "crypto_functions":            ["keygen", "encrypt", "decrypt", "sign", "verify"],
+        "certification_level":         ["none"],
+        "parameter_set_identifier":    "2048",
+    },
+    "ECDSA": {
+        "primitive":                   "signature",
+        "nist_quantum_security_level":  0,
+        "nist_replacement":            "ML-DSA-65 (FIPS 204) for signing, ML-KEM-768 (FIPS 203) for KEM",
+        "effort_days":                  2.5,
+        "risk_label":                  "CRITICAL",
+        "crypto_functions":            ["keygen", "sign", "verify"],
+        "certification_level":         ["none"],
+        "parameter_set_identifier":    "P-256",
+    },
+    "DH": {
+        "primitive":                   "pke",
+        "nist_quantum_security_level":  0,
+        "nist_replacement":            "ML-KEM-768 (FIPS 203)",
+        "effort_days":                  2.0,
+        "risk_label":                  "CRITICAL",
+        "crypto_functions":            ["keygen", "keyagreement"],
+        "certification_level":         ["none"],
+        "parameter_set_identifier":    "2048",
+    },
+    "DSA": {
+        "primitive":                   "signature",
+        "nist_quantum_security_level":  0,
+        "nist_replacement":            "ML-DSA-65 (FIPS 204)",
+        "effort_days":                  2.0,
+        "risk_label":                  "CRITICAL",
+        "crypto_functions":            ["keygen", "sign", "verify"],
+        "certification_level":         ["none"],
+        "parameter_set_identifier":    "2048",
+    },
+    "MD5": {
+        "primitive":                   "hash",
+        "nist_quantum_security_level":  0,
+        "nist_replacement":            "SHA-256 or SHA3-256",
+        "effort_days":                  0.5,
+        "risk_label":                  "HIGH",
+        "crypto_functions":            ["digest"],
+        "certification_level":         ["none"],
+        "parameter_set_identifier":    "128",
+    },
+    "SHA1": {
+        "primitive":                   "hash",
+        "nist_quantum_security_level":  0,
+        "nist_replacement":            "SHA-256 or SHA3-256",
+        "effort_days":                  0.5,
+        "risk_label":                  "HIGH",
+        "crypto_functions":            ["digest"],
+        "certification_level":         ["none"],
+        "parameter_set_identifier":    "160",
+    },
+    # Quantum-safe references (for completeness / future detection)
+    "AES-128": {
+        "primitive":                   "ae",
+        "nist_quantum_security_level":  1,
+        "nist_replacement":            "AES-256 recommended (Grover reduces to 64-bit security)",
+        "effort_days":                  1.0,
+        "risk_label":                  "MEDIUM",
+        "crypto_functions":            ["encrypt", "decrypt"],
+        "certification_level":         ["fips140-2"],
+        "parameter_set_identifier":    "128",
+    },
+    "AES-256": {
+        "primitive":                   "ae",
+        "nist_quantum_security_level":  3,
+        "nist_replacement":            "Retain — 128-bit post-quantum security",
+        "effort_days":                  0.0,
+        "risk_label":                  "LOW",
+        "crypto_functions":            ["encrypt", "decrypt"],
+        "certification_level":         ["fips140-2"],
+        "parameter_set_identifier":    "256",
+    },
+    "SHA-256": {
+        "primitive":                   "hash",
+        "nist_quantum_security_level":  3,
+        "nist_replacement":            "Retain — 128-bit post-quantum security",
+        "effort_days":                  0.0,
+        "risk_label":                  "LOW",
+        "crypto_functions":            ["digest"],
+        "certification_level":         ["fips180-4"],
+        "parameter_set_identifier":    "256",
+    },
+}

cbom_scan/cli.py

@@ -0,0 +1,259 @@
+"""
+cbom-scan CLI — CycloneDX 1.7 CBOM generator for post-quantum compliance.
+
+Usage:
+    cbom-scan scan ./src
+    cbom-scan scan ./src --output cbom.json --format json
+    cbom-scan scan ./src --format summary
+    cbom-scan scan ./src --format html --output report.html
+    cbom-scan scan ./src --ai-roadmap --key $ANTHROPIC_KEY
+    cbom-scan validate cbom.json
+"""
+
+from __future__ import annotations
+
+import os
+import sys
+from pathlib import Path
+
+import click
+
+from cbom_scan import __version__
+
+# Trigger scanner self-registration
+import cbom_scan.scanners  # noqa: F401
+
+from cbom_scan.ai.roadmap_agent import RoadmapAgent
+from cbom_scan.formatters.html_formatter import HtmlFormatter
+from cbom_scan.formatters.json_formatter import JsonFormatter
+from cbom_scan.formatters.sarif_formatter import SarifFormatter
+from cbom_scan.formatters.summary_formatter import SummaryFormatter
+from cbom_scan.generator.cbom_generator import CbomGenerator
+from cbom_scan.models.cyclonedx import CycloneDXBom
+from cbom_scan.models.finding import CryptoFinding
+from cbom_scan.scanners.base import ScannerRegistry
+
+_SKIP_DIRS = {
+    ".git", "node_modules", "__pycache__", ".mypy_cache",
+    ".pytest_cache", "venv", ".venv", "dist", "build", ".tox",
+}
+
+
+def _walk_files(path: Path, exclude: tuple[str, ...]) -> list[Path]:
+    files: list[Path] = []
+    if path.is_file():
+        return [path]
+    for p in path.rglob("*"):
+        if any(part in _SKIP_DIRS for part in p.parts):
+            continue
+        if any(p.match(pat) for pat in exclude):
+            continue
+        if p.is_file():
+            files.append(p)
+    return sorted(files)
+
+
+def _collect_findings(files: list[Path], source_dir: Path) -> list[CryptoFinding]:
+    all_findings: list[CryptoFinding] = []
+    registry = ScannerRegistry
+    for fp in files:
+        scanner = registry.get_scanner(str(fp))
+        if scanner is None:
+            continue
+        try:
+            source = fp.read_text(encoding="utf-8", errors="replace")
+            findings = scanner.scan(source, str(fp))
+            all_findings.extend(findings)
+        except Exception:
+            pass
+    return all_findings
+
+
+@click.group()
+@click.version_option(__version__, prog_name="cbom-scan")
+def cli() -> None:
+    """cbom-scan — Generate CycloneDX 1.7 CBOM for post-quantum compliance."""
+
+
+@cli.command("scan")
+@click.argument("path", default=".", type=click.Path(exists=True))
+@click.option("--output", "-o", default=None, help="Output file path (default: stdout)")
+@click.option(
+    "--format", "-f", "fmt",
+    type=click.Choice(["json", "html", "sarif", "summary"]),
+    default="json",
+    show_default=True,
+    help="Output format",
+)
+@click.option("--ai-roadmap", is_flag=True, default=False, help="Add Claude AI migration roadmap (paid)")
+@click.option("--key", default=None, envvar="ANTHROPIC_API_KEY", help="Anthropic API key for --ai-roadmap")
+@click.option("--exclude", multiple=True, help="Glob patterns to exclude (repeatable)")
+@click.option(
+    "--fail-on",
+    type=click.Choice(["findings", "critical", "never"]),
+    default="findings",
+    show_default=True,
+    help="Exit code policy",
+)
+@click.option("--min-confidence", default=0.5, type=float, show_default=True, help="Minimum ai_confidence (0–1)")
+def scan_cmd(
+    path: str,
+    output: str | None,
+    fmt: str,
+    ai_roadmap: bool,
+    key: str | None,
+    exclude: tuple[str, ...],
+    fail_on: str,
+    min_confidence: float,
+) -> None:
+    """Scan PATH for quantum-vulnerable cryptography and output a CycloneDX 1.7 CBOM."""
+    source_dir = Path(path).resolve()
+    files      = _walk_files(source_dir, exclude)
+
+    if not files:
+        click.echo("cbom-scan: No scannable files found.", err=True)
+        sys.exit(0)
+
+    findings = _collect_findings(files, source_dir)
+    findings = [f for f in findings if f.ai_confidence >= min_confidence]
+
+    generator = CbomGenerator()
+    bom       = generator.generate(findings, str(source_dir))
+
+    roadmap = None
+    if ai_roadmap:
+        agent   = RoadmapAgent(api_key=key or os.environ.get("ANTHROPIC_API_KEY"))
+        roadmap = agent.generate(bom)
+        if roadmap is None and ai_roadmap:
+            click.echo(
+                "cbom-scan: AI roadmap unavailable (set --key or ANTHROPIC_API_KEY, "
+                "install with pip install cbom-scan[ai]).",
+                err=True,
+            )
+
+    # Format output
+    if fmt == "json":
+        rendered = JsonFormatter().render(bom)
+        # Append roadmap as extra field if present (outside CycloneDX schema)
+        if roadmap is not None:
+            import json as _json
+            data = _json.loads(rendered)
+            data["x-cbom-scan-roadmap"] = {
+                "executive_summary": roadmap.executive_summary,
+                "total_effort_days": roadmap.total_effort_days,
+                "tasks": [
+                    {
+                        "rank":             t.rank,
+                        "algorithm":        t.algorithm,
+                        "location":         t.location,
+                        "why_first":        t.why_first,
+                        "effort_days":      t.effort_days,
+                        "nist_replacement": t.nist_replacement,
+                        "migration_diff":   t.migration_diff,
+                    }
+                    for t in roadmap.tasks
+                ],
+            }
+            rendered = _json.dumps(data, indent=2)
+    elif fmt == "html":
+        rendered = HtmlFormatter().render(bom)
+        if roadmap is not None:
+            # Inject roadmap section before </body>
+            roadmap_html = _roadmap_html(roadmap)
+            rendered = rendered.replace("</body>", f"{roadmap_html}\n</body>")
+    elif fmt == "sarif":
+        rendered = SarifFormatter().render(bom)
+    else:
+        rendered = SummaryFormatter().render(bom)
+        if roadmap is not None:
+            rendered += _roadmap_text(roadmap)
+
+    if output:
+        Path(output).write_text(rendered, encoding="utf-8")
+        click.echo(f"cbom-scan: Wrote {fmt.upper()} to {output}", err=True)
+    else:
+        click.echo(rendered)
+
+    # Exit code
+    if fail_on == "never":
+        sys.exit(0)
+    critical = bom.critical_count
+    if critical and fail_on in ("findings", "critical"):
+        sys.exit(2)
+    if bom.components and fail_on == "findings":
+        sys.exit(1)
+    sys.exit(0)
+
+
+@cli.command("validate")
+@click.argument("cbom_file", type=click.Path(exists=True))
+def validate_cmd(cbom_file: str) -> None:
+    """Validate an existing CBOM JSON file against the CycloneDX 1.7 schema."""
+    import json
+    from pydantic import ValidationError
+    try:
+        data = json.loads(Path(cbom_file).read_text(encoding="utf-8"))
+        CycloneDXBom.model_validate(data)
+        click.echo(f"VALID — {cbom_file} conforms to CycloneDX 1.7 CBOM schema.")
+        sys.exit(0)
+    except (json.JSONDecodeError, ValidationError) as exc:
+        click.echo(f"INVALID — {cbom_file}: {exc}", err=True)
+        sys.exit(1)
+
+
+@cli.command("report")
+@click.argument("cbom_file", type=click.Path(exists=True))
+@click.option(
+    "--format", "-f", "fmt",
+    type=click.Choice(["summary", "html", "sarif"]),
+    default="summary",
+)
+@click.option("--output", "-o", default=None, help="Output file path (default: stdout)")
+def report_cmd(cbom_file: str, fmt: str, output: str | None) -> None:
+    """Re-render an existing CBOM JSON in a different format."""
+    import json
+    data = json.loads(Path(cbom_file).read_text(encoding="utf-8"))
+    bom  = CycloneDXBom.model_validate(data)
+    if fmt == "html":
+        rendered = HtmlFormatter().render(bom)
+    elif fmt == "sarif":
+        rendered = SarifFormatter().render(bom)
+    else:
+        rendered = SummaryFormatter().render(bom)
+
+    if output:
+        Path(output).write_text(rendered, encoding="utf-8")
+        click.echo(f"Wrote {fmt.upper()} to {output}", err=True)
+    else:
+        click.echo(rendered)
+
+
+def _roadmap_text(roadmap) -> str:  # type: ignore[no-untyped-def]
+    lines = ["\n  AI Migration Roadmap\n  " + "─" * 40]
+    lines.append(f"\n  {roadmap.executive_summary}\n")
+    for t in roadmap.tasks:
+        lines.append(f"  [{t.rank}] {t.algorithm} @ {t.location}")
+        lines.append(f"      Why first: {t.why_first}")
+        lines.append(f"      Effort: {t.effort_days}d  →  {t.nist_replacement}")
+    lines.append(f"\n  Total migration effort: {roadmap.total_effort_days} engineer-days\n")
+    return "\n".join(lines)
+
+
+def _roadmap_html(roadmap) -> str:  # type: ignore[no-untyped-def]
+    tasks_html = ""
+    for t in roadmap.tasks:
+        diff_escaped = t.migration_diff.replace("<", "&lt;").replace(">", "&gt;")
+        tasks_html += f"""
+<div style="border:1px solid #e2e8f0;border-radius:8px;padding:14px;margin-bottom:12px">
+  <div style="font-weight:700;margin-bottom:4px">[{t.rank}] {t.algorithm} &rarr; {t.nist_replacement}</div>
+  <div style="color:#64748b;font-size:.85rem;margin-bottom:6px">{t.location} &bull; {t.effort_days}d</div>
+  <div style="font-size:.85rem;margin-bottom:8px">{t.why_first}</div>
+  <pre style="background:#f8fafc;padding:10px;border-radius:6px;font-size:.8rem;overflow-x:auto">{diff_escaped}</pre>
+</div>"""
+    return f"""
+<div class="card" style="margin-top:20px">
+  <h2 style="font-size:1.1rem;margin:0 0 8px">AI Migration Roadmap</h2>
+  <p style="color:#475569;font-size:.88rem;margin:0 0 16px">{roadmap.executive_summary}</p>
+  {tasks_html}
+  <div style="color:#64748b;font-size:.82rem">Total effort: {roadmap.total_effort_days} engineer-days</div>
+</div>"""

cbom_scan/formatters/html_formatter.py

@@ -0,0 +1,89 @@
+from __future__ import annotations
+
+from cbom_scan.models.cyclonedx import CycloneDXBom
+
+_RISK_COLOR = {0: "#dc2626", 1: "#d97706", 2: "#ca8a04", 3: "#16a34a", 5: "#059669", 6: "#059669"}
+_RISK_LABEL = {0: "CRITICAL", 1: "HIGH", 2: "MEDIUM", 3: "ACCEPTABLE", 5: "GOOD", 6: "SAFE"}
+
+_CSS = """
+body{font-family:system-ui,sans-serif;background:#f8fafc;color:#0f172a;margin:0;padding:24px}
+h1{font-size:1.4rem;font-weight:700;margin:0 0 4px}
+.meta{color:#64748b;font-size:.85rem;margin-bottom:24px}
+.card{background:#fff;border:1px solid #e2e8f0;border-radius:10px;padding:20px;margin-bottom:16px}
+.badge{display:inline-block;padding:2px 8px;border-radius:6px;font-size:.78rem;font-weight:700;color:#fff}
+table{width:100%;border-collapse:collapse;font-size:.88rem}
+th{text-align:left;padding:8px 10px;background:#f1f5f9;color:#475569;font-weight:600;border-bottom:2px solid #e2e8f0}
+td{padding:8px 10px;border-bottom:1px solid #f1f5f9;vertical-align:top}
+.algo{font-weight:700;font-family:monospace}
+.loc{font-family:monospace;font-size:.82rem;color:#64748b}
+.repl{color:#059669;font-size:.82rem}
+.summary-bar{display:flex;gap:20px;margin-bottom:20px}
+.stat{background:#fff;border:1px solid #e2e8f0;border-radius:8px;padding:12px 18px;min-width:100px}
+.stat-val{font-size:1.6rem;font-weight:800}
+.stat-lbl{font-size:.78rem;color:#64748b;text-transform:uppercase;letter-spacing:.06em}
+"""
+
+
+class HtmlFormatter:
+    """Self-contained HTML report — no CDN, no JS, no external fonts."""
+
+    def render(self, bom: CycloneDXBom) -> str:
+        total    = len(bom.components)
+        critical = bom.critical_count
+        safe     = total - critical
+
+        rows = ""
+        for comp in sorted(bom.components, key=lambda x: x.cryptoProperties.nistQuantumSecurityLevel):
+            level = comp.cryptoProperties.nistQuantumSecurityLevel
+            color = _RISK_COLOR.get(level, "#94a3b8")
+            label = _RISK_LABEL.get(level, "UNKNOWN")
+            props = comp.cryptoProperties.algorithmProperties
+            repl  = comp.cryptoProperties.algorithmProperties
+            locs  = "".join(
+                f'<div class="loc">{o.location}:{o.line}</div>'
+                for o in comp.evidence.occurrences
+            )
+            rows += f"""<tr>
+  <td class="algo">{comp.name}</td>
+  <td><span class="badge" style="background:{color}">{label}</span></td>
+  <td>{level}</td>
+  <td>{locs}</td>
+</tr>"""
+
+        return f"""<!DOCTYPE html>
+<html lang="en">
+<head><meta charset="UTF-8"><title>CBOM Scan Report</title>
+<style>{_CSS}</style></head>
+<body>
+<h1>CBOM Scan Report</h1>
+<div class="meta">
+  CycloneDX 1.7 &nbsp;|&nbsp; {bom.metadata.timestamp} &nbsp;|&nbsp;
+  <code style="font-size:.8rem">{bom.serialNumber}</code>
+</div>
+
+<div class="summary-bar">
+  <div class="stat">
+    <div class="stat-val" style="color:#dc2626">{critical}</div>
+    <div class="stat-lbl">Quantum-Broken</div>
+  </div>
+  <div class="stat">
+    <div class="stat-val">{total}</div>
+    <div class="stat-lbl">Total Assets</div>
+  </div>
+  <div class="stat">
+    <div class="stat-val" style="color:#059669">{safe}</div>
+    <div class="stat-lbl">Acceptable</div>
+  </div>
+</div>
+
+<div class="card">
+  <table>
+    <thead><tr><th>Algorithm</th><th>Risk</th><th>NIST Level</th><th>Locations</th></tr></thead>
+    <tbody>{rows}</tbody>
+  </table>
+</div>
+
+{'<div class="card" style="border-color:#fca5a5"><strong style="color:#dc2626">ACTION REQUIRED</strong> — ' + str(critical) + ' quantum-broken cryptographic asset(s) detected. Migrate to ML-KEM-768 (FIPS 203), ML-DSA-65 (FIPS 204), or SLH-DSA (FIPS 205) before 2030 NIST mandate.</div>' if critical else ''}
+
+<div style="color:#94a3b8;font-size:.78rem;margin-top:24px">Generated by cbom-scan 0.1.0 — CycloneDX 1.7 CBOM</div>
+</body></html>"""

cbom_scan/formatters/json_formatter.py

@@ -0,0 +1,8 @@
+from __future__ import annotations
+
+from cbom_scan.models.cyclonedx import CycloneDXBom
+
+
+class JsonFormatter:
+    def render(self, bom: CycloneDXBom) -> str:
+        return bom.to_json(indent=2)