cra-scanner 0.1.0__tar.gz

cra_scanner-0.1.0/PKG-INFO

@@ -0,0 +1,63 @@
+Metadata-Version: 2.4
+Name: cra-scanner
+Version: 0.1.0
+Summary: Open-source CRA Readiness Scanner CLI for assessing EU Cyber Resilience Act readiness from SBOMs and project signals.
+Author-email: CyberCert <info@cybercert.example>
+License: MIT
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+Requires-Dist: click>=8.1
+Requires-Dist: rich>=13.0
+Requires-Dist: cyclonedx-python-lib>=7.6
+Requires-Dist: spdx-tools>=0.8
+
+# CRA Readiness Scanner (MVP)
+
+The CRA Readiness Scanner is an open-source CLI tool that helps engineering teams quickly assess their readiness for the EU Cyber Resilience Act (CRA) from a single SBOM or project directory.
+
+It focuses on three things:
+
+- SBOM presence and basic quality
+- Basic vulnerability exposure (stubbed for MVP)
+- Signals of good vulnerability-handling practices
+
+## Installation
+
+Once published to PyPI:
+
+```bash
+pip install cra-scanner
+```
+
+For local development from this repository:
+
+```bash
+cd cli
+pip install -e .
+cra-scanner --help
+```
+
+## Quick start
+
+Scan a project directory (auto-discover SBOMs and signals):
+
+```bash
+cra-scanner scan .
+```
+
+Scan using an explicit SBOM and emit JSON to a file:
+
+```bash
+cra-scanner scan . --sbom path/to/bom.json --format json --output report.json
+```
+
+## What the CRA Readiness Score means
+
+The scanner returns a score from 0–100 based on:
+
+- **SBOM (40 pts)** – existence, coverage, presence of versions.
+- **Vulnerabilities (30 pts)** – placeholder in MVP.
+- **Practices (30 pts)** – presence of `SECURITY.md`, Dependabot, and basic documentation signals.
+
+The score is a directional indicator, not legal advice. It is intended to highlight gaps and next steps, not certify compliance.
+

cra_scanner-0.1.0/README.md

@@ -0,0 +1,50 @@
+# CRA Readiness Scanner (MVP)
+
+The CRA Readiness Scanner is an open-source CLI tool that helps engineering teams quickly assess their readiness for the EU Cyber Resilience Act (CRA) from a single SBOM or project directory.
+
+It focuses on three things:
+
+- SBOM presence and basic quality
+- Basic vulnerability exposure (stubbed for MVP)
+- Signals of good vulnerability-handling practices
+
+## Installation
+
+Once published to PyPI:
+
+```bash
+pip install cra-scanner
+```
+
+For local development from this repository:
+
+```bash
+cd cli
+pip install -e .
+cra-scanner --help
+```
+
+## Quick start
+
+Scan a project directory (auto-discover SBOMs and signals):
+
+```bash
+cra-scanner scan .
+```
+
+Scan using an explicit SBOM and emit JSON to a file:
+
+```bash
+cra-scanner scan . --sbom path/to/bom.json --format json --output report.json
+```
+
+## What the CRA Readiness Score means
+
+The scanner returns a score from 0–100 based on:
+
+- **SBOM (40 pts)** – existence, coverage, presence of versions.
+- **Vulnerabilities (30 pts)** – placeholder in MVP.
+- **Practices (30 pts)** – presence of `SECURITY.md`, Dependabot, and basic documentation signals.
+
+The score is a directional indicator, not legal advice. It is intended to highlight gaps and next steps, not certify compliance.
+

cra_scanner-0.1.0/cra_scanner/__init__.py

@@ -0,0 +1,4 @@
+__all__ = ["__version__"]
+
+__version__ = "0.1.0"
+

cra_scanner-0.1.0/cra_scanner/__main__.py

@@ -0,0 +1,5 @@
+from .cli import main
+
+if __name__ == "__main__":
+    main()
+

cra_scanner-0.1.0/cra_scanner/cli.py

@@ -0,0 +1,52 @@
+from __future__ import annotations
+
+from pathlib import Path
+from typing import Optional
+
+import click
+
+from .scanner import ScanConfig, perform_scan
+
+
+@click.group()
+@click.version_option()
+def cli() -> None:
+    """CRA Readiness Scanner CLI."""
+
+
+@cli.command("scan")
+@click.argument("project_root", type=click.Path(path_type=Path), default=Path("."))
+@click.option("--sbom", "sbom_path", type=click.Path(path_type=Path), help="Path to an SBOM file.")
+@click.option(
+    "--format",
+    "output_format",
+    type=click.Choice(["text", "json"], case_sensitive=False),
+    default="text",
+    show_default=True,
+    help="Output format.",
+)
+@click.option(
+    "--output",
+    "output_path",
+    type=click.Path(path_type=Path),
+    help="Optional path to write JSON report.",
+)
+def scan_command(
+    project_root: Path,
+    sbom_path: Optional[Path],
+    output_format: str,
+    output_path: Optional[Path],
+) -> None:
+    """Run CRA readiness scan on a project."""
+    config = ScanConfig(
+        project_root=project_root,
+        sbom_path=sbom_path,
+        output_format=output_format,
+        output_path=output_path,
+    )
+    perform_scan(config)
+
+
+def main() -> None:
+    cli(prog_name="cra-scanner")
+

cra_scanner-0.1.0/cra_scanner/discovery.py

@@ -0,0 +1,60 @@
+from __future__ import annotations
+
+from dataclasses import dataclass
+from pathlib import Path
+from typing import List, Optional
+
+from .sbom import ParsedSbomFile, parse_sbom_file
+
+
+@dataclass
+class DiscoveryResult:
+    project_root: Path
+    sbom_found: bool
+    sbom_files: List[ParsedSbomFile]
+    has_security_md: bool
+    has_docs_security_section: bool
+    has_dependabot: bool
+
+
+def discover_project(project_root: Path, explicit_sbom: Optional[Path] = None) -> DiscoveryResult:
+    root = project_root.resolve()
+
+    sbom_files: list[ParsedSbomFile] = []
+    if explicit_sbom:
+        parsed = parse_sbom_file(explicit_sbom)
+        if parsed:
+            sbom_files.append(parsed)
+    else:
+        for path in root.rglob("*"):
+            if not path.is_file():
+                continue
+            if path.suffix.lower() in {".json", ".xml", ".spdx"} and any(
+                token in path.name.lower() for token in ("sbom", "bom", "cyclonedx", "spdx")
+            ):
+                parsed = parse_sbom_file(path)
+                if parsed:
+                    sbom_files.append(parsed)
+
+    # Simple signals for practices
+    has_security_md = (root / "SECURITY.md").is_file()
+    has_dependabot = (root / ".github" / "dependabot.yml").is_file()
+
+    has_docs_security_section = False
+    docs_root = root / "docs"
+    if docs_root.is_dir():
+        for md in docs_root.rglob("*.md"):
+            text = md.read_text(encoding="utf-8", errors="ignore").lower()
+            if "security" in text or "vulnerability" in text:
+                has_docs_security_section = True
+                break
+
+    return DiscoveryResult(
+        project_root=root,
+        sbom_found=len(sbom_files) > 0,
+        sbom_files=sbom_files,
+        has_security_md=has_security_md,
+        has_docs_security_section=has_docs_security_section,
+        has_dependabot=has_dependabot,
+    )
+

cra_scanner-0.1.0/cra_scanner/reporters/__init__.py

@@ -0,0 +1 @@
+

cra_scanner-0.1.0/cra_scanner/reporters/json.py

@@ -0,0 +1,9 @@
+from __future__ import annotations
+
+import json
+from typing import Any, Dict
+
+
+def render_json_report(report: Dict[str, Any]) -> str:
+    return json.dumps(report, indent=2, sort_keys=True)
+

cra_scanner-0.1.0/cra_scanner/reporters/text.py

@@ -0,0 +1,53 @@
+from __future__ import annotations
+
+from typing import Any, Dict
+
+from rich.console import Console
+from rich.table import Table
+
+from ..discovery import DiscoveryResult
+from ..scoring import ScoreBreakdown
+
+
+def render_text_report(report: Dict[str, Any], discovery: DiscoveryResult, scores: ScoreBreakdown) -> str:
+    console = Console(record=True)
+
+    console.rule(f"CRA Readiness Scanner v{report['meta']['scannerVersion']}")
+
+    console.print(f"[bold]Project:[/bold] {report['meta']['projectPath']}")
+
+    # SBOM section
+    console.print("\n[bold]SBOM Readiness[/bold]")
+    if not discovery.sbom_found:
+        console.print("No SBOM detected.")
+    else:
+        table = Table(show_header=True, header_style="bold")
+        table.add_column("Path")
+        table.add_column("Format")
+        table.add_column("Components", justify="right")
+        for f in discovery.sbom_files:
+            table.add_row(str(f.path), f.format, str(f.component_count))
+        console.print(table)
+
+    # Practices section
+    console.print("\n[bold]Vulnerability Handling Practices[/bold]")
+    console.print(f"SECURITY.md present: {'yes' if discovery.has_security_md else 'no'}")
+    console.print(f"Dependabot configured: {'yes' if discovery.has_dependabot else 'no'}")
+    console.print(f"Docs include security section: {'yes' if discovery.has_docs_security_section else 'no'}")
+
+    # Scores
+    console.print("\n[bold]CRA Readiness Score[/bold]")
+    console.print(f"Overall: [bold]{scores.overall}/100[/bold]")
+    console.print(f"SBOM: {scores.sbom_score}/40")
+    console.print(f"Vulnerabilities: {scores.vuln_score}/30")
+    console.print(f"Practices: {scores.practices_score}/30")
+
+    if scores.recommendations:
+        console.print("\n[bold]Top Recommendations[/bold]")
+        for rec in scores.recommendations:
+            console.print(f"- [bold]{rec['title']}[/bold]: {rec['description']} ({rec['craReference']})")
+
+    console.rule()
+
+    return console.export_text()
+

cra_scanner-0.1.0/cra_scanner/sbom.py

@@ -0,0 +1,74 @@
+from __future__ import annotations
+
+from dataclasses import dataclass
+from pathlib import Path
+from typing import List, Optional
+
+import json
+
+from cyclonedx.model.bom import Bom
+
+
+@dataclass
+class ParsedSbomFile:
+    path: Path
+    format: str
+    component_count: int
+
+
+def _parse_cyclonedx_json(path: Path) -> Optional[ParsedSbomFile]:
+    data = json.loads(path.read_text(encoding="utf-8"))
+    if data.get("bomFormat") != "CycloneDX":
+        return None
+    bom = Bom.from_json(data=data)
+    count = len(bom.components or [])
+    return ParsedSbomFile(path=path, format="cyclonedx_json", component_count=count)
+
+
+def _parse_cyclonedx_xml(path: Path) -> Optional[ParsedSbomFile]:
+    text = path.read_text(encoding="utf-8")
+    if "<bom" not in text:
+        return None
+    bom = Bom.from_xml(data=text)
+    count = len(bom.components or [])
+    return ParsedSbomFile(path=path, format="cyclonedx_xml", component_count=count)
+
+
+def _parse_spdx_json(path: Path) -> Optional[ParsedSbomFile]:
+    data = json.loads(path.read_text(encoding="utf-8"))
+    if not data.get("spdxVersion"):
+        return None
+    packages = data.get("packages") or []
+    return ParsedSbomFile(path=path, format="spdx_json", component_count=len(packages))
+
+
+def _parse_spdx_tag_value(path: Path) -> Optional[ParsedSbomFile]:
+    text = path.read_text(encoding="utf-8", errors="ignore")
+    count = 0
+    for raw_line in text.splitlines():
+        line = raw_line.strip()
+        if line.startswith("PackageName:"):
+            count += 1
+    if count == 0:
+        return None
+    return ParsedSbomFile(path=path, format="spdx_tag_value", component_count=count)
+
+
+def parse_sbom_file(path: Path) -> Optional[ParsedSbomFile]:
+    suffix = path.suffix.lower()
+    try:
+        if suffix == ".json":
+            # Try CycloneDX then SPDX JSON
+            parsed = _parse_cyclonedx_json(path)
+            if parsed:
+                return parsed
+            return _parse_spdx_json(path)
+        if suffix == ".xml":
+            return _parse_cyclonedx_xml(path)
+        if suffix == ".spdx":
+            # Tag-value format
+            return _parse_spdx_tag_value(path)
+    except Exception:
+        return None
+    return None
+

cra_scanner-0.1.0/cra_scanner/scanner.py

@@ -0,0 +1,67 @@
+from __future__ import annotations
+
+from dataclasses import dataclass
+from datetime import datetime, timezone
+from pathlib import Path
+from typing import Optional
+
+from . import __version__
+from .discovery import DiscoveryResult, discover_project
+from .reporters.json import render_json_report
+from .reporters.text import render_text_report
+from .scoring import ScoreBreakdown, compute_scores
+
+
+@dataclass
+class ScanConfig:
+    project_root: Path
+    sbom_path: Optional[Path]
+    output_format: str
+    output_path: Optional[Path]
+
+
+def perform_scan(config: ScanConfig) -> None:
+    discovery: DiscoveryResult = discover_project(config.project_root, config.sbom_path)
+    scores: ScoreBreakdown = compute_scores(discovery)
+
+    report = {
+        "meta": {
+            "scannerVersion": __version__,
+            "projectPath": str(config.project_root),
+            "timestamp": datetime.now(timezone.utc).isoformat(),
+        },
+        "scores": {
+            "overall": scores.overall,
+            "sbom": scores.sbom_score,
+            "vulnerabilities": scores.vuln_score,
+            "practices": scores.practices_score,
+        },
+        "sbom": {
+            "found": discovery.sbom_found,
+            "files": [
+                {
+                    "path": str(f.path),
+                    "format": f.format,
+                    "componentCount": f.component_count,
+                }
+                for f in discovery.sbom_files
+            ],
+        },
+        "signals": {
+            "hasSecurityMd": discovery.has_security_md,
+            "hasDocsSecuritySection": discovery.has_docs_security_section,
+            "hasDependabot": discovery.has_dependabot,
+        },
+        "recommendations": scores.recommendations,
+    }
+
+    if config.output_format == "json":
+        output = render_json_report(report)
+        if config.output_path:
+            config.output_path.write_text(output, encoding="utf-8")
+        else:
+            print(output)
+    else:
+        text = render_text_report(report, discovery, scores)
+        print(text)
+

cra_scanner-0.1.0/cra_scanner/scoring.py

@@ -0,0 +1,93 @@
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Any, Dict, List
+
+from .discovery import DiscoveryResult
+
+
+@dataclass
+class ScoreBreakdown:
+    overall: int
+    sbom_score: int
+    vuln_score: int
+    practices_score: int
+    recommendations: List[Dict[str, Any]]
+
+
+def compute_scores(discovery: DiscoveryResult) -> ScoreBreakdown:
+    recommendations: list[dict[str, Any]] = []
+
+    # SBOM score (40)
+    sbom_score = 0
+    if discovery.sbom_found:
+        sbom_score += 20
+        total_components = sum(f.component_count for f in discovery.sbom_files)
+        if total_components > 0:
+            sbom_score += 10  # placeholder for coverage
+            sbom_score += 10  # placeholder for version completeness
+    else:
+        recommendations.append(
+            {
+                "id": "sbom_missing",
+                "title": "Generate an SBOM for your product",
+                "description": "No SBOM was detected. Generate a CycloneDX or SPDX SBOM from your build pipeline.",
+                "category": "sbom",
+                "craReference": "Annex I, Section 2 – Vulnerability handling requirements",
+            }
+        )
+
+    # Vulnerability hygiene score (30) – placeholder mid-score for now
+    vuln_score = 15
+
+    # Practices score (30)
+    practices_score = 0
+    if discovery.has_security_md:
+        practices_score += 10
+    else:
+        recommendations.append(
+            {
+                "id": "security_md_missing",
+                "title": "Add a SECURITY.md file",
+                "description": "Document how users and researchers should report vulnerabilities.",
+                "category": "practices",
+                "craReference": "Annex I, Section 2 – Vulnerability handling and disclosure",
+            }
+        )
+
+    if discovery.has_dependabot:
+        practices_score += 10
+    else:
+        recommendations.append(
+            {
+                "id": "dependabot_missing",
+                "title": "Enable automated dependency updates",
+                "description": "Configure Dependabot or a similar tool to keep dependencies up to date.",
+                "category": "practices",
+                "craReference": "Annex I, Section 1 – Secure development and maintenance",
+            }
+        )
+
+    if discovery.has_docs_security_section:
+        practices_score += 10
+    else:
+        recommendations.append(
+            {
+                "id": "docs_security_section_missing",
+                "title": "Document security and vulnerability handling in your docs",
+                "description": "Add a section describing how you monitor, remediate, and communicate vulnerabilities.",
+                "category": "practices",
+                "craReference": "Annex I, Section 2 – Vulnerability handling requirements",
+            }
+        )
+
+    overall = sbom_score + vuln_score + practices_score
+
+    return ScoreBreakdown(
+        overall=overall,
+        sbom_score=sbom_score,
+        vuln_score=vuln_score,
+        practices_score=practices_score,
+        recommendations=recommendations,
+    )
+

cra_scanner-0.1.0/cra_scanner.egg-info/PKG-INFO

@@ -0,0 +1,63 @@
+Metadata-Version: 2.4
+Name: cra-scanner
+Version: 0.1.0
+Summary: Open-source CRA Readiness Scanner CLI for assessing EU Cyber Resilience Act readiness from SBOMs and project signals.
+Author-email: CyberCert <info@cybercert.example>
+License: MIT
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+Requires-Dist: click>=8.1
+Requires-Dist: rich>=13.0
+Requires-Dist: cyclonedx-python-lib>=7.6
+Requires-Dist: spdx-tools>=0.8
+
+# CRA Readiness Scanner (MVP)
+
+The CRA Readiness Scanner is an open-source CLI tool that helps engineering teams quickly assess their readiness for the EU Cyber Resilience Act (CRA) from a single SBOM or project directory.
+
+It focuses on three things:
+
+- SBOM presence and basic quality
+- Basic vulnerability exposure (stubbed for MVP)
+- Signals of good vulnerability-handling practices
+
+## Installation
+
+Once published to PyPI:
+
+```bash
+pip install cra-scanner
+```
+
+For local development from this repository:
+
+```bash
+cd cli
+pip install -e .
+cra-scanner --help
+```
+
+## Quick start
+
+Scan a project directory (auto-discover SBOMs and signals):
+
+```bash
+cra-scanner scan .
+```
+
+Scan using an explicit SBOM and emit JSON to a file:
+
+```bash
+cra-scanner scan . --sbom path/to/bom.json --format json --output report.json
+```
+
+## What the CRA Readiness Score means
+
+The scanner returns a score from 0–100 based on:
+
+- **SBOM (40 pts)** – existence, coverage, presence of versions.
+- **Vulnerabilities (30 pts)** – placeholder in MVP.
+- **Practices (30 pts)** – presence of `SECURITY.md`, Dependabot, and basic documentation signals.
+
+The score is a directional indicator, not legal advice. It is intended to highlight gaps and next steps, not certify compliance.
+

cra_scanner-0.1.0/cra_scanner.egg-info/SOURCES.txt

@@ -0,0 +1,18 @@
+README.md
+pyproject.toml
+cra_scanner/__init__.py
+cra_scanner/__main__.py
+cra_scanner/cli.py
+cra_scanner/discovery.py
+cra_scanner/sbom.py
+cra_scanner/scanner.py
+cra_scanner/scoring.py
+cra_scanner.egg-info/PKG-INFO
+cra_scanner.egg-info/SOURCES.txt
+cra_scanner.egg-info/dependency_links.txt
+cra_scanner.egg-info/entry_points.txt
+cra_scanner.egg-info/requires.txt
+cra_scanner.egg-info/top_level.txt
+cra_scanner/reporters/__init__.py
+cra_scanner/reporters/json.py
+cra_scanner/reporters/text.py

cra_scanner-0.1.0/cra_scanner.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

cra_scanner-0.1.0/cra_scanner.egg-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+cra-scanner = cra_scanner.cli:main

cra_scanner-0.1.0/cra_scanner.egg-info/requires.txt

@@ -0,0 +1,4 @@
+click>=8.1
+rich>=13.0
+cyclonedx-python-lib>=7.6
+spdx-tools>=0.8

cra_scanner-0.1.0/cra_scanner.egg-info/top_level.txt

@@ -0,0 +1 @@
+cra_scanner

cra_scanner-0.1.0/pyproject.toml

@@ -0,0 +1,26 @@
+[project]
+name = "cra-scanner"
+version = "0.1.0"
+description = "Open-source CRA Readiness Scanner CLI for assessing EU Cyber Resilience Act readiness from SBOMs and project signals."
+readme = "README.md"
+requires-python = ">=3.9"
+license = { text = "MIT" }
+authors = [{ name = "CyberCert", email = "info@cybercert.example" }]
+dependencies = [
+    "click>=8.1",
+    "rich>=13.0",
+    "cyclonedx-python-lib>=7.6",
+    "spdx-tools>=0.8",
+]
+
+[project.scripts]
+cra-scanner = "cra_scanner.cli:main"
+
+[build-system]
+requires = ["setuptools>=61.0"]
+build-backend = "setuptools.build_meta"
+
+[tool.setuptools.packages.find]
+where = ["."]
+include = ["cra_scanner*"]
+

cra_scanner-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+