PyPI - cbomscanner - Versions diffs - 0.2.0__py3-none-any.whl - Mend

cbomscanner 0.2.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

cbomscanner/__init__.py +3 -0
cbomscanner/ai/__init__.py +0 -0
cbomscanner/ai/roadmap_agent.py +118 -0
cbomscanner/classifier/__init__.py +0 -0
cbomscanner/classifier/risk_classifier.py +58 -0
cbomscanner/classifier/rules.py +121 -0
cbomscanner/cli.py +259 -0
cbomscanner/formatters/__init__.py +0 -0
cbomscanner/formatters/html_formatter.py +89 -0
cbomscanner/formatters/json_formatter.py +8 -0
cbomscanner/formatters/sarif_formatter.py +57 -0
cbomscanner/formatters/summary_formatter.py +64 -0
cbomscanner/generator/__init__.py +0 -0
cbomscanner/generator/cbom_generator.py +103 -0
cbomscanner/models/__init__.py +0 -0
cbomscanner/models/cyclonedx.py +98 -0
cbomscanner/models/finding.py +40 -0
cbomscanner/scanners/__init__.py +11 -0
cbomscanner/scanners/base.py +51 -0
cbomscanner/scanners/go_scanner.py +64 -0
cbomscanner/scanners/java_scanner.py +62 -0
cbomscanner/scanners/javascript_scanner.py +165 -0
cbomscanner/scanners/manifest_scanner.py +100 -0
cbomscanner/scanners/python_scanner.py +121 -0
cbomscanner-0.2.0.dist-info/METADATA +54 -0
cbomscanner-0.2.0.dist-info/RECORD +28 -0
cbomscanner-0.2.0.dist-info/WHEEL +4 -0
cbomscanner-0.2.0.dist-info/entry_points.txt +2 -0

cbomscanner/__init__.py ADDED Viewed

@@ -0,0 +1,3 @@
+"""cbom-scan — CycloneDX 1.7 CBOM generator for post-quantum compliance."""
+__version__ = "0.1.0"

cbomscanner/ai/__init__.py ADDED Viewed

File without changes

cbomscanner/ai/roadmap_agent.py ADDED Viewed

@@ -0,0 +1,118 @@
+from __future__ import annotations
+import json
+import logging
+import re
+from dataclasses import dataclass
+from cbomscanner.models.cyclonedx import CycloneDXBom
+_log = logging.getLogger("cbomscanner.roadmap")
+_SYSTEM = """You are a post-quantum cryptography migration expert.
+Given a CycloneDX 1.7 CBOM (Cryptography Bill of Materials) from a real codebase,
+produce a prioritized migration roadmap.
+Return ONLY valid JSON (no markdown):
+{
+  "executive_summary": "2-sentence CISO-level summary",
+  "tasks": [
+    {
+      "rank": 1,
+      "algorithm": "RSA",
+      "location": "src/auth/jwt.py:34",
+      "why_first": "one sentence — why this is the highest priority",
+      "effort_days": 3.0,
+      "migration_diff": "# BEFORE\\nfrom Crypto.PublicKey import RSA\\nkey = RSA.generate(2048)\\n\\n# AFTER\\nfrom oqs import KeyEncapsulation\\nkem = KeyEncapsulation('ML-KEM-768')\\npub = kem.generate_keypair()",
+      "nist_replacement": "ML-KEM-768 (FIPS 203)"
+    }
+  ],
+  "total_effort_days": 5.5
+}
+Rules:
+- Rank by impact: signing keys first (break auth), then encryption, then hashing
+- Show top 5 tasks only
+- migration_diff must be actual code for the detected language (infer from file extension)
+- Be specific: use the exact file path and line number from the CBOM evidence"""
+@dataclass
+class MigrationTask:
+    rank:             int
+    algorithm:        str
+    location:         str
+    why_first:        str
+    effort_days:      float
+    migration_diff:   str
+    nist_replacement: str
+@dataclass
+class RoadmapResult:
+    executive_summary: str
+    tasks:             list[MigrationTask]
+    total_effort_days: float
+class RoadmapAgent:
+    """
+    Calls Claude with the CBOM JSON and returns a prioritized migration roadmap.
+    Returns None gracefully when api_key is missing or Claude call fails.
+    """
+    def __init__(self, api_key: str | None = None) -> None:
+        self._api_key = api_key
+    @property
+    def available(self) -> bool:
+        return bool(self._api_key)
+    def generate(self, bom: CycloneDXBom) -> RoadmapResult | None:
+        if not self.available:
+            return None
+        try:
+            import anthropic
+        except ImportError:
+            _log.warning("anthropic package not installed. Run: pip install cbom-scan[ai]")
+            return None
+        cbom_json = bom.to_json(indent=2)
+        prompt    = (
+            f"Here is the CBOM for a software project:\n\n```json\n{cbom_json}\n```\n\n"
+            "Produce the migration roadmap JSON."
+        )
+        try:
+            client   = anthropic.Anthropic(api_key=self._api_key)
+            message  = client.messages.create(
+                model      = "claude-sonnet-4-6",
+                max_tokens = 1500,
+                system     = _SYSTEM,
+                messages   = [{"role": "user", "content": prompt}],
+            )
+            raw = message.content[0].text
+            m   = re.search(r"\{.*\}", raw, re.DOTALL)
+            if not m:
+                return None
+            data  = json.loads(m.group(0))
+            tasks = [
+                MigrationTask(
+                    rank             = t.get("rank", i + 1),
+                    algorithm        = t.get("algorithm", ""),
+                    location         = t.get("location", ""),
+                    why_first        = t.get("why_first", ""),
+                    effort_days      = float(t.get("effort_days", 1.0)),
+                    migration_diff   = t.get("migration_diff", ""),
+                    nist_replacement = t.get("nist_replacement", ""),
+                )
+                for i, t in enumerate(data.get("tasks", [])[:5])
+            ]
+            return RoadmapResult(
+                executive_summary = data.get("executive_summary", ""),
+                tasks             = tasks,
+                total_effort_days = float(data.get("total_effort_days", 0.0)),
+            )
+        except Exception as exc:
+            _log.warning(f"RoadmapAgent failed: {exc}")
+            return None

cbomscanner/classifier/__init__.py ADDED Viewed

File without changes

cbomscanner/classifier/risk_classifier.py ADDED Viewed

@@ -0,0 +1,58 @@
+from __future__ import annotations
+from dataclasses import dataclass
+from cbomscanner.classifier.rules import NIST_RULES, RuleEntry
+from cbomscanner.models.finding import CryptoFinding
+@dataclass(frozen=True)
+class RiskProfile:
+    risk_label:                  str
+    nist_quantum_security_level: int
+    primitive:                   str
+    nist_replacement:            str
+    effort_days:                 float
+    crypto_functions:            list[str]
+    certification_level:         list[str]
+    parameter_set_identifier:    str
+_UNKNOWN_RULE: RuleEntry = {
+    "primitive":                   "unknown",
+    "nist_quantum_security_level":  0,
+    "nist_replacement":            "Review manually",
+    "effort_days":                  1.0,
+    "risk_label":                  "HIGH",
+    "crypto_functions":            [],
+    "certification_level":         ["none"],
+    "parameter_set_identifier":    "unknown",
+}
+class RiskClassifier:
+    """
+    Pure function classifier. No I/O, no state.
+    Maps a CryptoFinding to a RiskProfile using the NIST_RULES table.
+    """
+    def classify(self, finding: CryptoFinding) -> RiskProfile:
+        rule = NIST_RULES.get(finding.algorithm.upper(), _UNKNOWN_RULE)
+        return RiskProfile(
+            risk_label                  = rule["risk_label"],
+            nist_quantum_security_level = rule["nist_quantum_security_level"],
+            primitive                   = rule["primitive"],
+            nist_replacement            = rule["nist_replacement"],
+            effort_days                 = rule["effort_days"],
+            crypto_functions            = list(rule["crypto_functions"]),
+            certification_level         = list(rule["certification_level"]),
+            parameter_set_identifier    = rule["parameter_set_identifier"],
+        )
+    def classify_all(self, findings: list[CryptoFinding]) -> dict[str, RiskProfile]:
+        seen: dict[str, RiskProfile] = {}
+        for f in findings:
+            algo = f.algorithm.upper()
+            if algo not in seen:
+                seen[algo] = self.classify(f)
+        return seen

cbomscanner/classifier/rules.py ADDED Viewed

@@ -0,0 +1,121 @@
+"""
+NIST PQC status database.
+Source: NIST IR 8547 (2024), FIPS 203/204/205, NSA CNSA 2.0.
+nistQuantumSecurityLevel meanings:
+  0 = broken by quantum (Shor's algorithm) — RSA, ECC, DH, DSA
+  0 = classically weak — MD5, SHA-1
+  1 = acceptable short-term (classical only)
+  3 = 128-bit post-quantum security (Grover halves symmetric key strength)
+  5 = 192-bit post-quantum security
+  6 = 256-bit post-quantum security (max level)
+"""
+from __future__ import annotations
+from typing import TypedDict
+class RuleEntry(TypedDict):
+    primitive:                  str
+    nist_quantum_security_level: int
+    nist_replacement:           str
+    effort_days:                float
+    risk_label:                 str           # "CRITICAL" | "HIGH" | "MEDIUM" | "LOW"
+    crypto_functions:           list[str]
+    certification_level:        list[str]
+    parameter_set_identifier:   str
+NIST_RULES: dict[str, RuleEntry] = {
+    "RSA": {
+        "primitive":                   "pke",
+        "nist_quantum_security_level":  0,
+        "nist_replacement":            "ML-KEM-768 (FIPS 203) for KEM, ML-DSA-65 (FIPS 204) for signing",
+        "effort_days":                  3.0,
+        "risk_label":                  "CRITICAL",
+        "crypto_functions":            ["keygen", "encrypt", "decrypt", "sign", "verify"],
+        "certification_level":         ["none"],
+        "parameter_set_identifier":    "2048",
+    },
+    "ECDSA": {
+        "primitive":                   "signature",
+        "nist_quantum_security_level":  0,
+        "nist_replacement":            "ML-DSA-65 (FIPS 204) for signing, ML-KEM-768 (FIPS 203) for KEM",
+        "effort_days":                  2.5,
+        "risk_label":                  "CRITICAL",
+        "crypto_functions":            ["keygen", "sign", "verify"],
+        "certification_level":         ["none"],
+        "parameter_set_identifier":    "P-256",
+    },
+    "DH": {
+        "primitive":                   "pke",
+        "nist_quantum_security_level":  0,
+        "nist_replacement":            "ML-KEM-768 (FIPS 203)",
+        "effort_days":                  2.0,
+        "risk_label":                  "CRITICAL",
+        "crypto_functions":            ["keygen", "keyagreement"],
+        "certification_level":         ["none"],
+        "parameter_set_identifier":    "2048",
+    },
+    "DSA": {
+        "primitive":                   "signature",
+        "nist_quantum_security_level":  0,
+        "nist_replacement":            "ML-DSA-65 (FIPS 204)",
+        "effort_days":                  2.0,
+        "risk_label":                  "CRITICAL",
+        "crypto_functions":            ["keygen", "sign", "verify"],
+        "certification_level":         ["none"],
+        "parameter_set_identifier":    "2048",
+    },
+    "MD5": {
+        "primitive":                   "hash",
+        "nist_quantum_security_level":  0,
+        "nist_replacement":            "SHA-256 or SHA3-256",
+        "effort_days":                  0.5,
+        "risk_label":                  "HIGH",
+        "crypto_functions":            ["digest"],
+        "certification_level":         ["none"],
+        "parameter_set_identifier":    "128",
+    },
+    "SHA1": {
+        "primitive":                   "hash",
+        "nist_quantum_security_level":  0,
+        "nist_replacement":            "SHA-256 or SHA3-256",
+        "effort_days":                  0.5,
+        "risk_label":                  "HIGH",
+        "crypto_functions":            ["digest"],
+        "certification_level":         ["none"],
+        "parameter_set_identifier":    "160",
+    },
+    # Quantum-safe references (for completeness / future detection)
+    "AES-128": {
+        "primitive":                   "ae",
+        "nist_quantum_security_level":  1,
+        "nist_replacement":            "AES-256 recommended (Grover reduces to 64-bit security)",
+        "effort_days":                  1.0,
+        "risk_label":                  "MEDIUM",
+        "crypto_functions":            ["encrypt", "decrypt"],
+        "certification_level":         ["fips140-2"],
+        "parameter_set_identifier":    "128",
+    },
+    "AES-256": {
+        "primitive":                   "ae",
+        "nist_quantum_security_level":  3,
+        "nist_replacement":            "Retain — 128-bit post-quantum security",
+        "effort_days":                  0.0,
+        "risk_label":                  "LOW",
+        "crypto_functions":            ["encrypt", "decrypt"],
+        "certification_level":         ["fips140-2"],
+        "parameter_set_identifier":    "256",
+    },
+    "SHA-256": {
+        "primitive":                   "hash",
+        "nist_quantum_security_level":  3,
+        "nist_replacement":            "Retain — 128-bit post-quantum security",
+        "effort_days":                  0.0,
+        "risk_label":                  "LOW",
+        "crypto_functions":            ["digest"],
+        "certification_level":         ["fips180-4"],
+        "parameter_set_identifier":    "256",
+    },
+}

cbomscanner/cli.py ADDED Viewed

@@ -0,0 +1,259 @@
+"""
+cbom-scan CLI — CycloneDX 1.7 CBOM generator for post-quantum compliance.
+Usage:
+    cbom-scan scan ./src
+    cbom-scan scan ./src --output cbom.json --format json
+    cbom-scan scan ./src --format summary
+    cbom-scan scan ./src --format html --output report.html
+    cbom-scan scan ./src --ai-roadmap --key $ANTHROPIC_KEY
+    cbom-scan validate cbom.json
+"""
+from __future__ import annotations
+import os
+import sys
+from pathlib import Path
+import click
+from cbomscanner import __version__
+# Trigger scanner self-registration
+import cbomscanner.scanners  # noqa: F401
+from cbomscanner.ai.roadmap_agent import RoadmapAgent
+from cbomscanner.formatters.html_formatter import HtmlFormatter
+from cbomscanner.formatters.json_formatter import JsonFormatter
+from cbomscanner.formatters.sarif_formatter import SarifFormatter
+from cbomscanner.formatters.summary_formatter import SummaryFormatter
+from cbomscanner.generator.cbom_generator import CbomGenerator
+from cbomscanner.models.cyclonedx import CycloneDXBom
+from cbomscanner.models.finding import CryptoFinding
+from cbomscanner.scanners.base import ScannerRegistry
+_SKIP_DIRS = {
+    ".git", "node_modules", "__pycache__", ".mypy_cache",
+    ".pytest_cache", "venv", ".venv", "dist", "build", ".tox",
+}
+def _walk_files(path: Path, exclude: tuple[str, ...]) -> list[Path]:
+    files: list[Path] = []
+    if path.is_file():
+        return [path]
+    for p in path.rglob("*"):
+        if any(part in _SKIP_DIRS for part in p.parts):
+            continue
+        if any(p.match(pat) for pat in exclude):
+            continue
+        if p.is_file():
+            files.append(p)
+    return sorted(files)
+def _collect_findings(files: list[Path], source_dir: Path) -> list[CryptoFinding]:
+    all_findings: list[CryptoFinding] = []
+    registry = ScannerRegistry
+    for fp in files:
+        scanner = registry.get_scanner(str(fp))
+        if scanner is None:
+            continue
+        try:
+            source = fp.read_text(encoding="utf-8", errors="replace")
+            findings = scanner.scan(source, str(fp))
+            all_findings.extend(findings)
+        except Exception:
+            pass
+    return all_findings
+@click.group()
+@click.version_option(__version__, prog_name="cbom-scan")
+def cli() -> None:
+    """cbom-scan — Generate CycloneDX 1.7 CBOM for post-quantum compliance."""
+@cli.command("scan")
+@click.argument("path", default=".", type=click.Path(exists=True))
+@click.option("--output", "-o", default=None, help="Output file path (default: stdout)")
+@click.option(
+    "--format", "-f", "fmt",
+    type=click.Choice(["json", "html", "sarif", "summary"]),
+    default="json",
+    show_default=True,
+    help="Output format",
+)
+@click.option("--ai-roadmap", is_flag=True, default=False, help="Add Claude AI migration roadmap (paid)")
+@click.option("--key", default=None, envvar="ANTHROPIC_API_KEY", help="Anthropic API key for --ai-roadmap")
+@click.option("--exclude", multiple=True, help="Glob patterns to exclude (repeatable)")
+@click.option(
+    "--fail-on",
+    type=click.Choice(["findings", "critical", "never"]),
+    default="findings",
+    show_default=True,
+    help="Exit code policy",
+)
+@click.option("--min-confidence", default=0.5, type=float, show_default=True, help="Minimum ai_confidence (0–1)")
+def scan_cmd(
+    path: str,
+    output: str | None,
+    fmt: str,
+    ai_roadmap: bool,
+    key: str | None,
+    exclude: tuple[str, ...],
+    fail_on: str,
+    min_confidence: float,
+) -> None:
+    """Scan PATH for quantum-vulnerable cryptography and output a CycloneDX 1.7 CBOM."""
+    source_dir = Path(path).resolve()
+    files      = _walk_files(source_dir, exclude)
+    if not files:
+        click.echo("cbom-scan: No scannable files found.", err=True)
+        sys.exit(0)
+    findings = _collect_findings(files, source_dir)
+    findings = [f for f in findings if f.ai_confidence >= min_confidence]
+    generator = CbomGenerator()
+    bom       = generator.generate(findings, str(source_dir))
+    roadmap = None
+    if ai_roadmap:
+        agent   = RoadmapAgent(api_key=key or os.environ.get("ANTHROPIC_API_KEY"))
+        roadmap = agent.generate(bom)
+        if roadmap is None and ai_roadmap:
+            click.echo(
+                "cbom-scan: AI roadmap unavailable (set --key or ANTHROPIC_API_KEY, "
+                "install with pip install cbom-scan[ai]).",
+                err=True,
+            )
+    # Format output
+    if fmt == "json":
+        rendered = JsonFormatter().render(bom)
+        # Append roadmap as extra field if present (outside CycloneDX schema)
+        if roadmap is not None:
+            import json as _json
+            data = _json.loads(rendered)
+            data["x-cbom-scan-roadmap"] = {
+                "executive_summary": roadmap.executive_summary,
+                "total_effort_days": roadmap.total_effort_days,
+                "tasks": [
+                    {
+                        "rank":             t.rank,
+                        "algorithm":        t.algorithm,
+                        "location":         t.location,
+                        "why_first":        t.why_first,
+                        "effort_days":      t.effort_days,
+                        "nist_replacement": t.nist_replacement,
+                        "migration_diff":   t.migration_diff,
+                    }
+                    for t in roadmap.tasks
+                ],
+            }
+            rendered = _json.dumps(data, indent=2)
+    elif fmt == "html":
+        rendered = HtmlFormatter().render(bom)
+        if roadmap is not None:
+            # Inject roadmap section before </body>
+            roadmap_html = _roadmap_html(roadmap)
+            rendered = rendered.replace("</body>", f"{roadmap_html}\n</body>")
+    elif fmt == "sarif":
+        rendered = SarifFormatter().render(bom)
+    else:
+        rendered = SummaryFormatter().render(bom)
+        if roadmap is not None:
+            rendered += _roadmap_text(roadmap)
+    if output:
+        Path(output).write_text(rendered, encoding="utf-8")
+        click.echo(f"cbom-scan: Wrote {fmt.upper()} to {output}", err=True)
+    else:
+        click.echo(rendered)
+    # Exit code
+    if fail_on == "never":
+        sys.exit(0)
+    critical = bom.critical_count
+    if critical and fail_on in ("findings", "critical"):
+        sys.exit(2)
+    if bom.components and fail_on == "findings":
+        sys.exit(1)
+    sys.exit(0)
+@cli.command("validate")
+@click.argument("cbom_file", type=click.Path(exists=True))
+def validate_cmd(cbom_file: str) -> None:
+    """Validate an existing CBOM JSON file against the CycloneDX 1.7 schema."""
+    import json
+    from pydantic import ValidationError
+    try:
+        data = json.loads(Path(cbom_file).read_text(encoding="utf-8"))
+        CycloneDXBom.model_validate(data)
+        click.echo(f"VALID — {cbom_file} conforms to CycloneDX 1.7 CBOM schema.")
+        sys.exit(0)
+    except (json.JSONDecodeError, ValidationError) as exc:
+        click.echo(f"INVALID — {cbom_file}: {exc}", err=True)
+        sys.exit(1)
+@cli.command("report")
+@click.argument("cbom_file", type=click.Path(exists=True))
+@click.option(
+    "--format", "-f", "fmt",
+    type=click.Choice(["summary", "html", "sarif"]),
+    default="summary",
+)
+@click.option("--output", "-o", default=None, help="Output file path (default: stdout)")
+def report_cmd(cbom_file: str, fmt: str, output: str | None) -> None:
+    """Re-render an existing CBOM JSON in a different format."""
+    import json
+    data = json.loads(Path(cbom_file).read_text(encoding="utf-8"))
+    bom  = CycloneDXBom.model_validate(data)
+    if fmt == "html":
+        rendered = HtmlFormatter().render(bom)
+    elif fmt == "sarif":
+        rendered = SarifFormatter().render(bom)
+    else:
+        rendered = SummaryFormatter().render(bom)
+    if output:
+        Path(output).write_text(rendered, encoding="utf-8")
+        click.echo(f"Wrote {fmt.upper()} to {output}", err=True)
+    else:
+        click.echo(rendered)
+def _roadmap_text(roadmap) -> str:  # type: ignore[no-untyped-def]
+    lines = ["\n  AI Migration Roadmap\n  " + "─" * 40]
+    lines.append(f"\n  {roadmap.executive_summary}\n")
+    for t in roadmap.tasks:
+        lines.append(f"  [{t.rank}] {t.algorithm} @ {t.location}")
+        lines.append(f"      Why first: {t.why_first}")
+        lines.append(f"      Effort: {t.effort_days}d  →  {t.nist_replacement}")
+    lines.append(f"\n  Total migration effort: {roadmap.total_effort_days} engineer-days\n")
+    return "\n".join(lines)
+def _roadmap_html(roadmap) -> str:  # type: ignore[no-untyped-def]
+    tasks_html = ""
+    for t in roadmap.tasks:
+        diff_escaped = t.migration_diff.replace("<", "&lt;").replace(">", "&gt;")
+        tasks_html += f"""
+<div style="border:1px solid #e2e8f0;border-radius:8px;padding:14px;margin-bottom:12px">
+  <div style="font-weight:700;margin-bottom:4px">[{t.rank}] {t.algorithm} &rarr; {t.nist_replacement}</div>
+  <div style="color:#64748b;font-size:.85rem;margin-bottom:6px">{t.location} &bull; {t.effort_days}d</div>
+  <div style="font-size:.85rem;margin-bottom:8px">{t.why_first}</div>
+  <pre style="background:#f8fafc;padding:10px;border-radius:6px;font-size:.8rem;overflow-x:auto">{diff_escaped}</pre>
+</div>"""
+    return f"""
+<div class="card" style="margin-top:20px">
+  <h2 style="font-size:1.1rem;margin:0 0 8px">AI Migration Roadmap</h2>
+  <p style="color:#475569;font-size:.88rem;margin:0 0 16px">{roadmap.executive_summary}</p>
+  {tasks_html}
+  <div style="color:#64748b;font-size:.82rem">Total effort: {roadmap.total_effort_days} engineer-days</div>
+</div>"""

cbomscanner/formatters/__init__.py ADDED Viewed

File without changes

cbomscanner/formatters/html_formatter.py ADDED Viewed

@@ -0,0 +1,89 @@
+from __future__ import annotations
+from cbomscanner.models.cyclonedx import CycloneDXBom
+_RISK_COLOR = {0: "#dc2626", 1: "#d97706", 2: "#ca8a04", 3: "#16a34a", 5: "#059669", 6: "#059669"}
+_RISK_LABEL = {0: "CRITICAL", 1: "HIGH", 2: "MEDIUM", 3: "ACCEPTABLE", 5: "GOOD", 6: "SAFE"}
+_CSS = """
+body{font-family:system-ui,sans-serif;background:#f8fafc;color:#0f172a;margin:0;padding:24px}
+h1{font-size:1.4rem;font-weight:700;margin:0 0 4px}
+.meta{color:#64748b;font-size:.85rem;margin-bottom:24px}
+.card{background:#fff;border:1px solid #e2e8f0;border-radius:10px;padding:20px;margin-bottom:16px}
+.badge{display:inline-block;padding:2px 8px;border-radius:6px;font-size:.78rem;font-weight:700;color:#fff}
+table{width:100%;border-collapse:collapse;font-size:.88rem}
+th{text-align:left;padding:8px 10px;background:#f1f5f9;color:#475569;font-weight:600;border-bottom:2px solid #e2e8f0}
+td{padding:8px 10px;border-bottom:1px solid #f1f5f9;vertical-align:top}
+.algo{font-weight:700;font-family:monospace}
+.loc{font-family:monospace;font-size:.82rem;color:#64748b}
+.repl{color:#059669;font-size:.82rem}
+.summary-bar{display:flex;gap:20px;margin-bottom:20px}
+.stat{background:#fff;border:1px solid #e2e8f0;border-radius:8px;padding:12px 18px;min-width:100px}
+.stat-val{font-size:1.6rem;font-weight:800}
+.stat-lbl{font-size:.78rem;color:#64748b;text-transform:uppercase;letter-spacing:.06em}
+"""
+class HtmlFormatter:
+    """Self-contained HTML report — no CDN, no JS, no external fonts."""
+    def render(self, bom: CycloneDXBom) -> str:
+        total    = len(bom.components)
+        critical = bom.critical_count
+        safe     = total - critical
+        rows = ""
+        for comp in sorted(bom.components, key=lambda x: x.cryptoProperties.nistQuantumSecurityLevel):
+            level = comp.cryptoProperties.nistQuantumSecurityLevel
+            color = _RISK_COLOR.get(level, "#94a3b8")
+            label = _RISK_LABEL.get(level, "UNKNOWN")
+            props = comp.cryptoProperties.algorithmProperties
+            repl  = comp.cryptoProperties.algorithmProperties
+            locs  = "".join(
+                f'<div class="loc">{o.location}:{o.line}</div>'
+                for o in comp.evidence.occurrences
+            )
+            rows += f"""<tr>
+  <td class="algo">{comp.name}</td>
+  <td><span class="badge" style="background:{color}">{label}</span></td>
+  <td>{level}</td>
+  <td>{locs}</td>
+</tr>"""
+        return f"""<!DOCTYPE html>
+<html lang="en">
+<head><meta charset="UTF-8"><title>CBOM Scan Report</title>
+<style>{_CSS}</style></head>
+<body>
+<h1>CBOM Scan Report</h1>
+<div class="meta">
+  CycloneDX 1.7 &nbsp;|&nbsp; {bom.metadata.timestamp} &nbsp;|&nbsp;
+  <code style="font-size:.8rem">{bom.serialNumber}</code>
+</div>
+<div class="summary-bar">
+  <div class="stat">
+    <div class="stat-val" style="color:#dc2626">{critical}</div>
+    <div class="stat-lbl">Quantum-Broken</div>
+  </div>
+  <div class="stat">
+    <div class="stat-val">{total}</div>
+    <div class="stat-lbl">Total Assets</div>
+  </div>
+  <div class="stat">
+    <div class="stat-val" style="color:#059669">{safe}</div>
+    <div class="stat-lbl">Acceptable</div>
+  </div>
+</div>
+<div class="card">
+  <table>
+    <thead><tr><th>Algorithm</th><th>Risk</th><th>NIST Level</th><th>Locations</th></tr></thead>
+    <tbody>{rows}</tbody>
+  </table>
+</div>
+{'<div class="card" style="border-color:#fca5a5"><strong style="color:#dc2626">ACTION REQUIRED</strong> — ' + str(critical) + ' quantum-broken cryptographic asset(s) detected. Migrate to ML-KEM-768 (FIPS 203), ML-DSA-65 (FIPS 204), or SLH-DSA (FIPS 205) before 2030 NIST mandate.</div>' if critical else ''}
+<div style="color:#94a3b8;font-size:.78rem;margin-top:24px">Generated by cbom-scan 0.1.0 — CycloneDX 1.7 CBOM</div>
+</body></html>"""

cbomscanner/formatters/json_formatter.py ADDED Viewed

@@ -0,0 +1,8 @@
+from __future__ import annotations
+from cbomscanner.models.cyclonedx import CycloneDXBom
+class JsonFormatter:
+    def render(self, bom: CycloneDXBom) -> str:
+        return bom.to_json(indent=2)