cbom-scan 0.1.0__tar.gz

cbom_scan-0.1.0/.gitignore

@@ -0,0 +1,16 @@
+__pycache__/
+*.pyc
+*.pyo
+.coverage
+.pytest_cache/
+.mypy_cache/
+.ruff_cache/
+dist/
+build/
+*.egg-info/
+.venv/
+venv/
+htmlcov/
+*.log
+cbom.json
+report.html

cbom_scan-0.1.0/PKG-INFO

@@ -0,0 +1,54 @@
+Metadata-Version: 2.4
+Name: cbom-scan
+Version: 0.1.0
+Summary: CycloneDX 1.7 Cryptography Bill of Materials (CBOM) scanner for post-quantum compliance
+Project-URL: Homepage, https://github.com/cbom-scan/cbom-scan
+Project-URL: Issues, https://github.com/cbom-scan/cbom-scan/issues
+Author-email: Ganesh Netha <ganeshchilupuri99@gmail.com>
+License: Apache-2.0
+Keywords: cbom,compliance,cryptography,cyclonedx,nist,post-quantum,pqc,security
+Classifier: Development Status :: 3 - Alpha
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Quality Assurance
+Requires-Python: >=3.11
+Requires-Dist: click>=8.1
+Requires-Dist: pydantic>=2.7
+Provides-Extra: ai
+Requires-Dist: anthropic>=0.40; extra == 'ai'
+Provides-Extra: dev
+Requires-Dist: anthropic>=0.40; extra == 'dev'
+Requires-Dist: pytest-cov>=5.0; extra == 'dev'
+Requires-Dist: pytest>=8.0; extra == 'dev'
+Requires-Dist: ruff>=0.4; extra == 'dev'
+Requires-Dist: tree-sitter-javascript>=0.23; extra == 'dev'
+Requires-Dist: tree-sitter-typescript>=0.23; extra == 'dev'
+Requires-Dist: tree-sitter>=0.23; extra == 'dev'
+Provides-Extra: full
+Requires-Dist: anthropic>=0.40; extra == 'full'
+Requires-Dist: tree-sitter-javascript>=0.23; extra == 'full'
+Requires-Dist: tree-sitter-typescript>=0.23; extra == 'full'
+Requires-Dist: tree-sitter>=0.23; extra == 'full'
+Provides-Extra: js
+Requires-Dist: tree-sitter-javascript>=0.23; extra == 'js'
+Requires-Dist: tree-sitter-typescript>=0.23; extra == 'js'
+Requires-Dist: tree-sitter>=0.23; extra == 'js'
+Description-Content-Type: text/markdown
+
+# cbom-scan
+
+Generate a CycloneDX 1.7 Cryptography Bill of Materials (CBOM) for post-quantum compliance.
+
+```bash
+pip install cbom-scan
+cbom-scan scan ./src
+cbom-scan scan ./src --format summary
+cbom-scan scan ./src --ai-roadmap --key $ANTHROPIC_API_KEY
+```
+
+Detects quantum-vulnerable cryptography (RSA, ECDSA, DH, DSA, MD5, SHA-1) across Python, JavaScript, TypeScript, Java, Go, and dependency manifests. Outputs valid CycloneDX 1.7 CBOM JSON — the compliance artifact required by EU CRA, DORA, and NIST guidance.

cbom_scan-0.1.0/README.md

@@ -0,0 +1,12 @@
+# cbom-scan
+
+Generate a CycloneDX 1.7 Cryptography Bill of Materials (CBOM) for post-quantum compliance.
+
+```bash
+pip install cbom-scan
+cbom-scan scan ./src
+cbom-scan scan ./src --format summary
+cbom-scan scan ./src --ai-roadmap --key $ANTHROPIC_API_KEY
+```
+
+Detects quantum-vulnerable cryptography (RSA, ECDSA, DH, DSA, MD5, SHA-1) across Python, JavaScript, TypeScript, Java, Go, and dependency manifests. Outputs valid CycloneDX 1.7 CBOM JSON — the compliance artifact required by EU CRA, DORA, and NIST guidance.

cbom_scan-0.1.0/pyproject.toml

@@ -0,0 +1,66 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[project]
+name = "cbom-scan"
+version = "0.1.0"
+description = "CycloneDX 1.7 Cryptography Bill of Materials (CBOM) scanner for post-quantum compliance"
+readme = "README.md"
+license = { text = "Apache-2.0" }
+requires-python = ">=3.11"
+authors = [{ name = "Ganesh Netha", email = "ganeshchilupuri99@gmail.com" }]
+keywords = ["security", "cryptography", "post-quantum", "cyclonedx", "cbom", "nist", "pqc", "compliance"]
+classifiers = [
+    "Development Status :: 3 - Alpha",
+    "Environment :: Console",
+    "Intended Audience :: Developers",
+    "Topic :: Security",
+    "Topic :: Software Development :: Quality Assurance",
+    "License :: OSI Approved :: Apache Software License",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+]
+dependencies = [
+    "click>=8.1",
+    "pydantic>=2.7",
+]
+
+[project.optional-dependencies]
+js = [
+    "tree-sitter>=0.23",
+    "tree-sitter-javascript>=0.23",
+    "tree-sitter-typescript>=0.23",
+]
+ai = [
+    "anthropic>=0.40",
+]
+full = ["cbom-scan[js,ai]"]
+dev = [
+    "cbom-scan[full]",
+    "pytest>=8.0",
+    "pytest-cov>=5.0",
+    "ruff>=0.4",
+]
+
+[project.scripts]
+cbom-scan = "cbom_scan.cli:cli"
+
+[project.urls]
+Homepage = "https://github.com/cbom-scan/cbom-scan"
+Issues = "https://github.com/cbom-scan/cbom-scan/issues"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/cbom_scan"]
+
+[tool.ruff]
+target-version = "py311"
+line-length = 100
+
+[tool.ruff.lint]
+select = ["E", "F", "I", "UP", "B"]
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+addopts = "--cov=cbom_scan --cov-report=term-missing -q"

cbom_scan-0.1.0/src/cbom_scan/__init__.py

@@ -0,0 +1,3 @@
+"""cbom-scan — CycloneDX 1.7 CBOM generator for post-quantum compliance."""
+
+__version__ = "0.1.0"

cbom_scan-0.1.0/src/cbom_scan/ai/roadmap_agent.py

@@ -0,0 +1,118 @@
+from __future__ import annotations
+
+import json
+import logging
+import re
+from dataclasses import dataclass
+
+from cbom_scan.models.cyclonedx import CycloneDXBom
+
+_log = logging.getLogger("cbom_scan.roadmap")
+
+_SYSTEM = """You are a post-quantum cryptography migration expert.
+Given a CycloneDX 1.7 CBOM (Cryptography Bill of Materials) from a real codebase,
+produce a prioritized migration roadmap.
+
+Return ONLY valid JSON (no markdown):
+{
+  "executive_summary": "2-sentence CISO-level summary",
+  "tasks": [
+    {
+      "rank": 1,
+      "algorithm": "RSA",
+      "location": "src/auth/jwt.py:34",
+      "why_first": "one sentence — why this is the highest priority",
+      "effort_days": 3.0,
+      "migration_diff": "# BEFORE\\nfrom Crypto.PublicKey import RSA\\nkey = RSA.generate(2048)\\n\\n# AFTER\\nfrom oqs import KeyEncapsulation\\nkem = KeyEncapsulation('ML-KEM-768')\\npub = kem.generate_keypair()",
+      "nist_replacement": "ML-KEM-768 (FIPS 203)"
+    }
+  ],
+  "total_effort_days": 5.5
+}
+
+Rules:
+- Rank by impact: signing keys first (break auth), then encryption, then hashing
+- Show top 5 tasks only
+- migration_diff must be actual code for the detected language (infer from file extension)
+- Be specific: use the exact file path and line number from the CBOM evidence"""
+
+
+@dataclass
+class MigrationTask:
+    rank:             int
+    algorithm:        str
+    location:         str
+    why_first:        str
+    effort_days:      float
+    migration_diff:   str
+    nist_replacement: str
+
+
+@dataclass
+class RoadmapResult:
+    executive_summary: str
+    tasks:             list[MigrationTask]
+    total_effort_days: float
+
+
+class RoadmapAgent:
+    """
+    Calls Claude with the CBOM JSON and returns a prioritized migration roadmap.
+    Returns None gracefully when api_key is missing or Claude call fails.
+    """
+
+    def __init__(self, api_key: str | None = None) -> None:
+        self._api_key = api_key
+
+    @property
+    def available(self) -> bool:
+        return bool(self._api_key)
+
+    def generate(self, bom: CycloneDXBom) -> RoadmapResult | None:
+        if not self.available:
+            return None
+        try:
+            import anthropic
+        except ImportError:
+            _log.warning("anthropic package not installed. Run: pip install cbom-scan[ai]")
+            return None
+
+        cbom_json = bom.to_json(indent=2)
+        prompt    = (
+            f"Here is the CBOM for a software project:\n\n```json\n{cbom_json}\n```\n\n"
+            "Produce the migration roadmap JSON."
+        )
+
+        try:
+            client   = anthropic.Anthropic(api_key=self._api_key)
+            message  = client.messages.create(
+                model      = "claude-sonnet-4-6",
+                max_tokens = 1500,
+                system     = _SYSTEM,
+                messages   = [{"role": "user", "content": prompt}],
+            )
+            raw = message.content[0].text
+            m   = re.search(r"\{.*\}", raw, re.DOTALL)
+            if not m:
+                return None
+            data  = json.loads(m.group(0))
+            tasks = [
+                MigrationTask(
+                    rank             = t.get("rank", i + 1),
+                    algorithm        = t.get("algorithm", ""),
+                    location         = t.get("location", ""),
+                    why_first        = t.get("why_first", ""),
+                    effort_days      = float(t.get("effort_days", 1.0)),
+                    migration_diff   = t.get("migration_diff", ""),
+                    nist_replacement = t.get("nist_replacement", ""),
+                )
+                for i, t in enumerate(data.get("tasks", [])[:5])
+            ]
+            return RoadmapResult(
+                executive_summary = data.get("executive_summary", ""),
+                tasks             = tasks,
+                total_effort_days = float(data.get("total_effort_days", 0.0)),
+            )
+        except Exception as exc:
+            _log.warning(f"RoadmapAgent failed: {exc}")
+            return None

cbom_scan-0.1.0/src/cbom_scan/classifier/risk_classifier.py

@@ -0,0 +1,58 @@
+from __future__ import annotations
+
+from dataclasses import dataclass
+
+from cbom_scan.classifier.rules import NIST_RULES, RuleEntry
+from cbom_scan.models.finding import CryptoFinding
+
+
+@dataclass(frozen=True)
+class RiskProfile:
+    risk_label:                  str
+    nist_quantum_security_level: int
+    primitive:                   str
+    nist_replacement:            str
+    effort_days:                 float
+    crypto_functions:            list[str]
+    certification_level:         list[str]
+    parameter_set_identifier:    str
+
+
+_UNKNOWN_RULE: RuleEntry = {
+    "primitive":                   "unknown",
+    "nist_quantum_security_level":  0,
+    "nist_replacement":            "Review manually",
+    "effort_days":                  1.0,
+    "risk_label":                  "HIGH",
+    "crypto_functions":            [],
+    "certification_level":         ["none"],
+    "parameter_set_identifier":    "unknown",
+}
+
+
+class RiskClassifier:
+    """
+    Pure function classifier. No I/O, no state.
+    Maps a CryptoFinding to a RiskProfile using the NIST_RULES table.
+    """
+
+    def classify(self, finding: CryptoFinding) -> RiskProfile:
+        rule = NIST_RULES.get(finding.algorithm.upper(), _UNKNOWN_RULE)
+        return RiskProfile(
+            risk_label                  = rule["risk_label"],
+            nist_quantum_security_level = rule["nist_quantum_security_level"],
+            primitive                   = rule["primitive"],
+            nist_replacement            = rule["nist_replacement"],
+            effort_days                 = rule["effort_days"],
+            crypto_functions            = list(rule["crypto_functions"]),
+            certification_level         = list(rule["certification_level"]),
+            parameter_set_identifier    = rule["parameter_set_identifier"],
+        )
+
+    def classify_all(self, findings: list[CryptoFinding]) -> dict[str, RiskProfile]:
+        seen: dict[str, RiskProfile] = {}
+        for f in findings:
+            algo = f.algorithm.upper()
+            if algo not in seen:
+                seen[algo] = self.classify(f)
+        return seen

cbom_scan-0.1.0/src/cbom_scan/classifier/rules.py

@@ -0,0 +1,121 @@
+"""
+NIST PQC status database.
+Source: NIST IR 8547 (2024), FIPS 203/204/205, NSA CNSA 2.0.
+
+nistQuantumSecurityLevel meanings:
+  0 = broken by quantum (Shor's algorithm) — RSA, ECC, DH, DSA
+  0 = classically weak — MD5, SHA-1
+  1 = acceptable short-term (classical only)
+  3 = 128-bit post-quantum security (Grover halves symmetric key strength)
+  5 = 192-bit post-quantum security
+  6 = 256-bit post-quantum security (max level)
+"""
+
+from __future__ import annotations
+from typing import TypedDict
+
+
+class RuleEntry(TypedDict):
+    primitive:                  str
+    nist_quantum_security_level: int
+    nist_replacement:           str
+    effort_days:                float
+    risk_label:                 str           # "CRITICAL" | "HIGH" | "MEDIUM" | "LOW"
+    crypto_functions:           list[str]
+    certification_level:        list[str]
+    parameter_set_identifier:   str
+
+
+NIST_RULES: dict[str, RuleEntry] = {
+    "RSA": {
+        "primitive":                   "pke",
+        "nist_quantum_security_level":  0,
+        "nist_replacement":            "ML-KEM-768 (FIPS 203) for KEM, ML-DSA-65 (FIPS 204) for signing",
+        "effort_days":                  3.0,
+        "risk_label":                  "CRITICAL",
+        "crypto_functions":            ["keygen", "encrypt", "decrypt", "sign", "verify"],
+        "certification_level":         ["none"],
+        "parameter_set_identifier":    "2048",
+    },
+    "ECDSA": {
+        "primitive":                   "signature",
+        "nist_quantum_security_level":  0,
+        "nist_replacement":            "ML-DSA-65 (FIPS 204) for signing, ML-KEM-768 (FIPS 203) for KEM",
+        "effort_days":                  2.5,
+        "risk_label":                  "CRITICAL",
+        "crypto_functions":            ["keygen", "sign", "verify"],
+        "certification_level":         ["none"],
+        "parameter_set_identifier":    "P-256",
+    },
+    "DH": {
+        "primitive":                   "pke",
+        "nist_quantum_security_level":  0,
+        "nist_replacement":            "ML-KEM-768 (FIPS 203)",
+        "effort_days":                  2.0,
+        "risk_label":                  "CRITICAL",
+        "crypto_functions":            ["keygen", "keyagreement"],
+        "certification_level":         ["none"],
+        "parameter_set_identifier":    "2048",
+    },
+    "DSA": {
+        "primitive":                   "signature",
+        "nist_quantum_security_level":  0,
+        "nist_replacement":            "ML-DSA-65 (FIPS 204)",
+        "effort_days":                  2.0,
+        "risk_label":                  "CRITICAL",
+        "crypto_functions":            ["keygen", "sign", "verify"],
+        "certification_level":         ["none"],
+        "parameter_set_identifier":    "2048",
+    },
+    "MD5": {
+        "primitive":                   "hash",
+        "nist_quantum_security_level":  0,
+        "nist_replacement":            "SHA-256 or SHA3-256",
+        "effort_days":                  0.5,
+        "risk_label":                  "HIGH",
+        "crypto_functions":            ["digest"],
+        "certification_level":         ["none"],
+        "parameter_set_identifier":    "128",
+    },
+    "SHA1": {
+        "primitive":                   "hash",
+        "nist_quantum_security_level":  0,
+        "nist_replacement":            "SHA-256 or SHA3-256",
+        "effort_days":                  0.5,
+        "risk_label":                  "HIGH",
+        "crypto_functions":            ["digest"],
+        "certification_level":         ["none"],
+        "parameter_set_identifier":    "160",
+    },
+    # Quantum-safe references (for completeness / future detection)
+    "AES-128": {
+        "primitive":                   "ae",
+        "nist_quantum_security_level":  1,
+        "nist_replacement":            "AES-256 recommended (Grover reduces to 64-bit security)",
+        "effort_days":                  1.0,
+        "risk_label":                  "MEDIUM",
+        "crypto_functions":            ["encrypt", "decrypt"],
+        "certification_level":         ["fips140-2"],
+        "parameter_set_identifier":    "128",
+    },
+    "AES-256": {
+        "primitive":                   "ae",
+        "nist_quantum_security_level":  3,
+        "nist_replacement":            "Retain — 128-bit post-quantum security",
+        "effort_days":                  0.0,
+        "risk_label":                  "LOW",
+        "crypto_functions":            ["encrypt", "decrypt"],
+        "certification_level":         ["fips140-2"],
+        "parameter_set_identifier":    "256",
+    },
+    "SHA-256": {
+        "primitive":                   "hash",
+        "nist_quantum_security_level":  3,
+        "nist_replacement":            "Retain — 128-bit post-quantum security",
+        "effort_days":                  0.0,
+        "risk_label":                  "LOW",
+        "crypto_functions":            ["digest"],
+        "certification_level":         ["fips180-4"],
+        "parameter_set_identifier":    "256",
+    },
+}