|
| 1 | +package compliance |
| 2 | + |
| 3 | +import ( |
| 4 | + "encoding/json" |
| 5 | + "fmt" |
| 6 | + "os" |
| 7 | + "path/filepath" |
| 8 | + |
| 9 | + "github.com/go-nv/goenv/internal/sbom" |
| 10 | + "github.com/spf13/cobra" |
| 11 | +) |
| 12 | + |
| 13 | +var ( |
| 14 | + complianceFramework string |
| 15 | + complianceFormat string |
| 16 | + complianceOutput string |
| 17 | +) |
| 18 | + |
| 19 | +// sbomComplianceCmd represents the compliance command |
| 20 | +var sbomComplianceCmd = &cobra.Command{ |
| 21 | + Use: "compliance", |
| 22 | + Short: "Generate compliance reports for SBOM", |
| 23 | + Long: `Generate compliance reports for various standards and frameworks. |
| 24 | +
|
| 25 | +Supported frameworks: |
| 26 | + - soc2: SOC 2 compliance checks |
| 27 | + - iso27001: ISO 27001 requirements |
| 28 | + - slsa: SLSA (Supply-chain Levels for Software Artifacts) |
| 29 | + - ssdf-v1.1: NIST Secure Software Development Framework |
| 30 | + - cisa: CISA SBOM requirements |
| 31 | + - all: Check against all frameworks |
| 32 | +
|
| 33 | +Output formats: |
| 34 | + - json: Machine-readable JSON format |
| 35 | + - html: Human-readable HTML report |
| 36 | + - text: Plain text summary (default) |
| 37 | +
|
| 38 | +Examples: |
| 39 | + # Generate SOC 2 compliance report |
| 40 | + goenv sbom compliance report sbom.json --framework soc2 |
| 41 | +
|
| 42 | + # Generate HTML report for ISO 27001 |
| 43 | + goenv sbom compliance report sbom.json --framework iso27001 --format html --output report.html |
| 44 | +
|
| 45 | + # Check all frameworks and save as JSON |
| 46 | + goenv sbom compliance report sbom.json --framework all --format json --output compliance.json |
| 47 | +
|
| 48 | + # List available frameworks |
| 49 | + goenv sbom compliance frameworks`, |
| 50 | +} |
| 51 | + |
| 52 | +// sbomComplianceReportCmd generates compliance reports |
| 53 | +var sbomComplianceReportCmd = &cobra.Command{ |
| 54 | + Use: "report <sbom-file>", |
| 55 | + Short: "Generate compliance report for SBOM", |
| 56 | + Args: cobra.ExactArgs(1), |
| 57 | + RunE: runComplianceReport, |
| 58 | +} |
| 59 | + |
| 60 | +// sbomComplianceFrameworksCmd lists available frameworks |
| 61 | +var sbomComplianceFrameworksCmd = &cobra.Command{ |
| 62 | + Use: "frameworks", |
| 63 | + Short: "List available compliance frameworks", |
| 64 | + Run: runComplianceFrameworks, |
| 65 | +} |
| 66 | + |
| 67 | +func init() { |
| 68 | + sbomCmd.AddCommand(sbomComplianceCmd) |
| 69 | + sbomComplianceCmd.AddCommand(sbomComplianceReportCmd) |
| 70 | + sbomComplianceCmd.AddCommand(sbomComplianceFrameworksCmd) |
| 71 | + |
| 72 | + sbomComplianceReportCmd.Flags().StringVarP(&complianceFramework, "framework", "f", "soc2", "Compliance framework (soc2, iso27001, slsa, ssdf-v1.1, cisa, all)") |
| 73 | + sbomComplianceReportCmd.Flags().StringVar(&complianceFormat, "format", "text", "Output format (json, html, text)") |
| 74 | + sbomComplianceReportCmd.Flags().StringVarP(&complianceOutput, "output", "o", "", "Output file (default: stdout)") |
| 75 | +} |
| 76 | + |
| 77 | +func runComplianceReport(cmd *cobra.Command, args []string) error { |
| 78 | + sbomPath := args[0] |
| 79 | + |
| 80 | + // Check if SBOM file exists |
| 81 | + if _, err := os.Stat(sbomPath); os.IsNotExist(err) { |
| 82 | + return fmt.Errorf("SBOM file not found: %s", sbomPath) |
| 83 | + } |
| 84 | + |
| 85 | + // Convert to absolute path |
| 86 | + absPath, err := filepath.Abs(sbomPath) |
| 87 | + if err != nil { |
| 88 | + return fmt.Errorf("failed to resolve path: %w", err) |
| 89 | + } |
| 90 | + |
| 91 | + // Validate framework |
| 92 | + framework := sbom.ComplianceFramework(complianceFramework) |
| 93 | + validFrameworks := []string{"soc2", "iso27001", "slsa", "ssdf-v1.1", "cisa", "all"} |
| 94 | + isValid := false |
| 95 | + for _, f := range validFrameworks { |
| 96 | + if complianceFramework == f { |
| 97 | + isValid = true |
| 98 | + break |
| 99 | + } |
| 100 | + } |
| 101 | + if !isValid { |
| 102 | + return fmt.Errorf("invalid framework: %s (valid: %v)", complianceFramework, validFrameworks) |
| 103 | + } |
| 104 | + |
| 105 | + // Generate report |
| 106 | + reporter := sbom.NewComplianceReporter() |
| 107 | + report, err := reporter.GenerateReport(absPath, framework) |
| 108 | + if err != nil { |
| 109 | + return fmt.Errorf("failed to generate report: %w", err) |
| 110 | + } |
| 111 | + |
| 112 | + // Format output |
| 113 | + var output string |
| 114 | + switch complianceFormat { |
| 115 | + case "json": |
| 116 | + jsonData, err := json.MarshalIndent(report, "", " ") |
| 117 | + if err != nil { |
| 118 | + return fmt.Errorf("failed to marshal JSON: %w", err) |
| 119 | + } |
| 120 | + output = string(jsonData) |
| 121 | + |
| 122 | + case "html": |
| 123 | + output = reporter.FormatReportAsHTML(report) |
| 124 | + |
| 125 | + case "text": |
| 126 | + output = formatTextReport(report) |
| 127 | + |
| 128 | + default: |
| 129 | + return fmt.Errorf("invalid format: %s (valid: json, html, text)", complianceFormat) |
| 130 | + } |
| 131 | + |
| 132 | + // Write output |
| 133 | + if complianceOutput != "" { |
| 134 | + if err := os.WriteFile(complianceOutput, []byte(output), 0644); err != nil { |
| 135 | + return fmt.Errorf("failed to write output file: %w", err) |
| 136 | + } |
| 137 | + fmt.Printf("✓ Compliance report written to %s\n", complianceOutput) |
| 138 | + } else { |
| 139 | + fmt.Println(output) |
| 140 | + } |
| 141 | + |
| 142 | + // Exit with non-zero if non-compliant |
| 143 | + if report.OverallStatus == "non-compliant" { |
| 144 | + os.Exit(1) |
| 145 | + } |
| 146 | + |
| 147 | + return nil |
| 148 | +} |
| 149 | + |
| 150 | +func runComplianceFrameworks(cmd *cobra.Command, args []string) { |
| 151 | + frameworks := []struct { |
| 152 | + id string |
| 153 | + name string |
| 154 | + desc string |
| 155 | + }{ |
| 156 | + {"soc2", "SOC 2", "Service Organization Control 2 compliance"}, |
| 157 | + {"iso27001", "ISO 27001", "Information security management standard"}, |
| 158 | + {"slsa", "SLSA", "Supply-chain Levels for Software Artifacts"}, |
| 159 | + {"ssdf-v1.1", "SSDF v1.1", "NIST Secure Software Development Framework"}, |
| 160 | + {"cisa", "CISA", "CISA SBOM requirements and guidance"}, |
| 161 | + {"all", "All Frameworks", "Check against all supported frameworks"}, |
| 162 | + } |
| 163 | + |
| 164 | + fmt.Println("Available Compliance Frameworks:") |
| 165 | + for _, f := range frameworks { |
| 166 | + fmt.Printf(" %-12s %-15s %s\n", f.id, f.name, f.desc) |
| 167 | + } |
| 168 | + fmt.Println("\nUse --framework <id> to select a framework") |
| 169 | +} |
| 170 | + |
| 171 | +func formatTextReport(report *sbom.ComplianceReport) string { |
| 172 | + output := "═══════════════════════════════════════════════════════════════\n" |
| 173 | + output += fmt.Sprintf(" COMPLIANCE REPORT: %s\n", report.Framework) |
| 174 | + output += "═══════════════════════════════════════════════════════════════\n\n" |
| 175 | + output += fmt.Sprintf("Generated: %s\n", report.GeneratedAt.Format("2006-01-02 15:04:05")) |
| 176 | + output += fmt.Sprintf("SBOM File: %s\n\n", report.SBOMPath) |
| 177 | + |
| 178 | + // Overall status |
| 179 | + statusSymbol := "✓" |
| 180 | + if report.OverallStatus == "non-compliant" { |
| 181 | + statusSymbol = "✗" |
| 182 | + } else if report.OverallStatus == "partially-compliant" { |
| 183 | + statusSymbol = "⚠" |
| 184 | + } |
| 185 | + output += fmt.Sprintf("Overall Status: %s %s\n\n", statusSymbol, report.OverallStatus) |
| 186 | + |
| 187 | + // Statistics |
| 188 | + output += "Requirements Summary:\n" |
| 189 | + output += fmt.Sprintf(" Total: %d\n", report.PassedCount+report.FailedCount+report.PartialCount+report.NotApplicable) |
| 190 | + output += fmt.Sprintf(" Passed: %d ✓\n", report.PassedCount) |
| 191 | + if report.FailedCount > 0 { |
| 192 | + output += fmt.Sprintf(" Failed: %d ✗\n", report.FailedCount) |
| 193 | + } |
| 194 | + if report.PartialCount > 0 { |
| 195 | + output += fmt.Sprintf(" Partial: %d ⚠\n", report.PartialCount) |
| 196 | + } |
| 197 | + if report.NotApplicable > 0 { |
| 198 | + output += fmt.Sprintf(" N/A: %d\n", report.NotApplicable) |
| 199 | + } |
| 200 | + output += "\n" |
| 201 | + |
| 202 | + // Requirements details |
| 203 | + output += "Requirements Details:\n" |
| 204 | + output += "───────────────────────────────────────────────────────────────\n\n" |
| 205 | + |
| 206 | + for i, req := range report.Requirements { |
| 207 | + check := report.Checks[i] |
| 208 | + |
| 209 | + // Status symbol |
| 210 | + symbol := "✓" |
| 211 | + if check.Status == "fail" { |
| 212 | + symbol = "✗" |
| 213 | + } else if check.Status == "partial" { |
| 214 | + symbol = "⚠" |
| 215 | + } else if check.Status == "not-applicable" { |
| 216 | + symbol = "-" |
| 217 | + } |
| 218 | + |
| 219 | + output += fmt.Sprintf("%s [%s] %s - %s\n", symbol, req.ID, req.Name, check.Status) |
| 220 | + output += fmt.Sprintf(" Category: %s | Severity: %s\n", req.Category, req.Severity) |
| 221 | + output += fmt.Sprintf(" %s\n", req.Description) |
| 222 | + |
| 223 | + if len(check.Evidence) > 0 { |
| 224 | + output += " Evidence:\n" |
| 225 | + for _, ev := range check.Evidence { |
| 226 | + output += fmt.Sprintf(" • %s\n", ev) |
| 227 | + } |
| 228 | + } |
| 229 | + |
| 230 | + if len(check.Issues) > 0 { |
| 231 | + output += " Issues:\n" |
| 232 | + for _, issue := range check.Issues { |
| 233 | + output += fmt.Sprintf(" ! %s\n", issue) |
| 234 | + } |
| 235 | + } |
| 236 | + |
| 237 | + if len(check.Recommendations) > 0 { |
| 238 | + output += " Recommendations:\n" |
| 239 | + for _, rec := range check.Recommendations { |
| 240 | + output += fmt.Sprintf(" → %s\n", rec) |
| 241 | + } |
| 242 | + } |
| 243 | + |
| 244 | + output += "\n" |
| 245 | + } |
| 246 | + |
| 247 | + output += "═══════════════════════════════════════════════════════════════\n" |
| 248 | + output += report.Summary + "\n" |
| 249 | + output += "═══════════════════════════════════════════════════════════════\n" |
| 250 | + |
| 251 | + return output |
| 252 | +} |
0 commit comments