Merge pull request #27 from jfjrh2014/feat/compliance-policy-and-output

feat: add SBOM quality compliance scoring (NTIA/CISA/BSI) with policy enforcement

Author: rezmoss

cmd/sbomlyze/main.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/rezmoss/sbomlyze/internal/analysis"
 	"github.com/rezmoss/sbomlyze/internal/cli"
+	"github.com/rezmoss/sbomlyze/internal/compliance"
 	"github.com/rezmoss/sbomlyze/internal/convert"
 	"github.com/rezmoss/sbomlyze/internal/output"
 	"github.com/rezmoss/sbomlyze/internal/pager"
@@ -126,18 +127,50 @@ func main() {
 		p := pager.Start(opts.NoPager)
 		defer p.Stop()
 
+		// Load policy when given so path/parse errors surface
+		var pol policy.Policy
+		havePolicy := opts.PolicyFile != ""
+		if havePolicy {
+			policyData, err := os.ReadFile(opts.PolicyFile)
+			if err != nil {
+				fmt.Fprintf(os.Stderr, "err: read policy: %v\n", err)
+				os.Exit(1)
+			}
+			pol, err = policy.Load(policyData)
+			if err != nil {
+				fmt.Fprintf(os.Stderr, "err: parse policy: %v\n", err)
+				os.Exit(1)
+			}
+		}
+
+		// Evaluate on --compliance, or when policy has score thresholds (so
+		// they can't be skipped by omitting the flag). Shown only on --compliance.
+		var complianceReport *compliance.Report
+		var complianceViolations []policy.Violation
+		if opts.Compliance || (havePolicy && policy.HasComplianceRules(pol)) {
+			r := compliance.Evaluate(comps, sbomInfo)
+			if opts.Compliance {
+				complianceReport = &r
+			}
+			if havePolicy {
+				complianceViolations = policy.EvaluateCompliance(pol, r)
+			}
+		}
+
 		switch opts.Format {
 		case "json":
 			out := struct {
-				Info     sbom.SBOMInfo        `json:"info"`
-				Findings analysis.KeyFindings  `json:"findings"`
-				Stats    analysis.Stats        `json:"stats"`
-				Warnings []cli.ParseWarning    `json:"warnings,omitempty"`
+				Info       sbom.SBOMInfo        `json:"info"`
+				Findings   analysis.KeyFindings `json:"findings"`
+				Stats      analysis.Stats       `json:"stats"`
+				Compliance *compliance.Report   `json:"compliance,omitempty"`
+				Warnings   []cli.ParseWarning   `json:"warnings,omitempty"`
 			}{
-				Info:     sbomInfo,
-				Findings: findings,
-				Stats:    stats,
-				Warnings: parseOpts.Warnings,
+				Info:       sbomInfo,
+				Findings:   findings,
+				Stats:      stats,
+				Compliance: complianceReport,
+				Warnings:   parseOpts.Warnings,
 			}
 			enc := json.NewEncoder(os.Stdout)
 			enc.SetIndent("", "  ")
@@ -147,13 +180,30 @@ func main() {
 				os.Exit(1)
 			}
 		case "html":
-			fmt.Println(output.GenerateHTMLStats(stats, sbomInfo, findings))
+			fmt.Println(output.GenerateHTMLStatsWithCompliance(stats, sbomInfo, findings, complianceReport))
 		default:
 			output.PrintSingleScanContext(sbomInfo)
 			output.PrintKeyFindings(findings)
 			analysis.PrintStats(stats)
 			cli.PrintWarnings(parseOpts.Warnings)
+			if complianceReport != nil {
+				compliance.PrintReport(*complianceReport)
+			}
+		}
+
+		if len(complianceViolations) > 0 {
+			// Policy violations go to stderr (single-file mode). For non-text
+			// formats, printing to stdout would corrupt the JSON/HTML output.
+			w := os.Stdout
+			if opts.Format == "json" || opts.Format == "html" {
+				w = os.Stderr
+			}
+			output.PrintViolationsTo(w, complianceViolations)
+			if policy.HasErrors(complianceViolations) {
+				os.Exit(1)
+			}
 		}
+
 		return
 	}
 
@@ -189,13 +239,14 @@ func main() {
 	spin.Done("Done")
 
 	var violations []policy.Violation
+	var pol policy.Policy
 	if opts.PolicyFile != "" {
 		policyData, err := os.ReadFile(opts.PolicyFile)
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "err: read policy: %v\n", err)
 			os.Exit(1)
 		}
-		pol, err := policy.Load(policyData)
+		pol, err = policy.Load(policyData)
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "err: parse policy: %v\n", err)
 			os.Exit(1)
@@ -208,6 +259,19 @@ func main() {
 		sbomFile = opts.Files[1]
 	}
 
+	// Evaluate on "after" SBOM (2nd file) on --compliance, or when policy has
+	// score thresholds (can't skip via no flag). Shown only on --compliance.
+	var complianceReport *compliance.Report
+	if opts.Compliance || (opts.PolicyFile != "" && policy.HasComplianceRules(pol)) {
+		r := compliance.Evaluate(comps2, info2)
+		if opts.Compliance {
+			complianceReport = &r
+		}
+		if opts.PolicyFile != "" {
+			violations = append(violations, policy.EvaluateCompliance(pol, r)...)
+		}
+	}
+
 	p := pager.Start(opts.NoPager)
 
 	switch opts.Format {
@@ -217,12 +281,14 @@ func main() {
 			Findings   analysis.KeyFindings  `json:"findings"`
 			Diff       analysis.DiffResult   `json:"diff"`
 			Violations []policy.Violation    `json:"violations,omitempty"`
+			Compliance *compliance.Report    `json:"compliance,omitempty"`
 			Warnings   []cli.ParseWarning    `json:"warnings,omitempty"`
 		}{
 			Overview:   overview,
 			Findings:   findings,
 			Diff:       result,
 			Violations: violations,
+			Compliance: complianceReport,
 			Warnings:   parseOpts.Warnings,
 		}
 		enc := json.NewEncoder(os.Stdout)
@@ -254,10 +320,10 @@ func main() {
 		fmt.Println(xml.Header + string(out))
 
 	case "markdown", "md":
-		fmt.Println(output.GenerateMarkdownWithOverview(result, violations, overview, findings))
+		fmt.Println(output.GenerateMarkdownWithOverviewAndCompliance(result, violations, overview, findings, complianceReport))
 
 	case "html":
-		fmt.Println(output.GenerateHTML(result, violations, overview, findings))
+		fmt.Println(output.GenerateHTMLWithCompliance(result, violations, overview, findings, complianceReport))
 
 	case "patch":
 		patch := output.GenerateJSONPatch(result)
@@ -277,6 +343,9 @@ func main() {
 		output.PrintTextDiff(result)
 		output.PrintViolations(violations)
 		cli.PrintWarnings(parseOpts.Warnings)
+		if complianceReport != nil {
+			compliance.PrintReport(*complianceReport)
+		}
 	}
 
 	p.Stop()

examples/policies/compliance.json

@@ -0,0 +1,12 @@
+{
+  "max_added": 20,
+  "max_removed": 10,
+  "deny_integrity_drift": true,
+  "require_licenses": true,
+  "max_depth": 4,
+  "min_ntia_score": 85,
+  "min_cisa_score": 70,
+  "min_overall_compliance": 75,
+  "warn_new_transitive": true,
+  "warn_supplier_change": true
+}

go.mod

@@ -1,12 +1,13 @@
 module github.com/rezmoss/sbomlyze
 
-go 1.24.2
+go 1.25.0
 
 require (
 	github.com/CycloneDX/cyclonedx-go v0.10.0
 	github.com/charmbracelet/bubbles v1.0.0
 	github.com/charmbracelet/bubbletea v1.3.10
 	github.com/charmbracelet/lipgloss v1.1.0
+	github.com/github/go-spdx/v2 v2.7.0
 	github.com/mattn/go-isatty v0.0.21
 	github.com/spdx/tools-golang v0.5.7
 )
@@ -32,6 +33,6 @@ require (
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/sahilm/fuzzy v0.1.1 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
-	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/sys v0.46.0 // indirect
 	golang.org/x/text v0.3.8 // indirect
 )

go.sum

@@ -36,6 +36,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f h1:Y/CXytFA4m6baUTXGLOoWe4PQhGxaX0KpnayAqC48p4=
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f/go.mod h1:vw97MGsxSvLiUE2X8qFplwetxpGLQrlU1Q9AUEIzCaM=
+github.com/github/go-spdx/v2 v2.7.0 h1:GzfXx4wFdlilARxmFRXW/mgUy3A4vSqZocCMFV6XFdQ=
+github.com/github/go-spdx/v2 v2.7.0/go.mod h1:Ftc45YYG1WzpzwEPKRVm9Jv8vDqOrN4gWoCkK+bHer0=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/lucasb-eyer/go-colorful v1.3.0 h1:2/yBRLdWBZKrf7gB40FoiKfAWYQ0lqNcbuQwVHXptag=
@@ -75,8 +77,8 @@ github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJu
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.46.0 h1:noSf2Fq6F8DBgS+LysIkx7rIExoNHJsxOAtPp4rthXw=
+golang.org/x/sys v0.46.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/text v0.3.8 h1:nAL+RVCQ9uMn3vJZbV+MRnydTJFPf8qqY42YiA6MrqY=
 golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

internal/analysis/findings.go

@@ -27,13 +27,19 @@ type KeyFindings struct {
 func ComputeSingleFindings(stats Stats, info sbom.SBOMInfo, comps []sbom.Component) KeyFindings {
 	var findings []Finding
 
+	// pkg-quality findings exclude file/os comps
+	pkgStats := stats
+	if pkg := sbom.PackageComponents(comps); len(pkg) != len(comps) {
+		pkgStats = ComputeStats(pkg)
+	}
+
 	findings = append(findings, detectSingleOS(info)...)
-	findings = append(findings, detectDominantType(stats)...)
+	findings = append(findings, detectDominantType(pkgStats)...)
 	findings = append(findings, detectFilesystemFootprint(info)...)
 	findings = append(findings, detectRelationshipDensity(info, stats)...)
 	findings = append(findings, detectLocationHotspots(comps)...)
-	findings = append(findings, detectLicenseRiskProfile(stats)...)
-	findings = append(findings, detectDataQuality(stats)...)
+	findings = append(findings, detectLicenseRiskProfile(pkgStats)...)
+	findings = append(findings, detectDataQuality(pkgStats)...)
 	findings = append(findings, detectDuplicateWarning(stats)...)
 	findings = append(findings, detectCatalogerBreakdown(stats)...)
 

internal/analysis/findings_test.go

@@ -0,0 +1,28 @@
+package analysis
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/rezmoss/sbomlyze/internal/sbom"
+)
+
+func TestDetectDominantType_IgnoresFileComponents(t *testing.T) {
+	comps := []sbom.Component{
+		{ID: "1", Name: "a", PURL: "pkg:npm/a@1", Type: "library"},
+		{ID: "2", Name: "b", PURL: "pkg:npm/b@1", Type: "library"},
+		{ID: "3", Name: "c", PURL: "pkg:npm/c@1", Type: "library"},
+		{ID: "4", Name: "/f1", Type: "file"},
+		{ID: "5", Name: "/f2", Type: "file"},
+		{ID: "6", Name: "/f3", Type: "file"},
+		{ID: "7", Name: "/f4", Type: "file"},
+		{ID: "8", Name: "/f5", Type: "file"},
+	}
+	stats := ComputeStats(comps)
+	findings := ComputeSingleFindings(stats, sbom.SBOMInfo{}, comps)
+	for _, f := range findings.Findings {
+		if strings.Contains(f.Message, "Dominated by file") {
+			t.Errorf("dominant-type finding must ignore file components, got: %s", f.Message)
+		}
+	}
+}

internal/analysis/stats.go

@@ -56,6 +56,10 @@ func ComputeStats(comps []sbom.Component) Stats {
 		if ptype == "unknown" && c.PURL == "" {
 			ptype = ExtractPURLType(c.ID)
 		}
+		// no PURL type: fall back to component type (file, os, ...)
+		if ptype == "unknown" && c.Type != "" {
+			ptype = c.Type
+		}
 		stats.ByType[ptype]++
 
 		if c.Language != "" {

internal/analysis/stats_test.go

@@ -319,3 +319,21 @@ func TestComputeStats_CompoundLicenses(t *testing.T) {
 	}
 }
 
+
+func TestComputeStats_ByTypeFallsBackToComponentType(t *testing.T) {
+	comps := []sbom.Component{
+		{ID: "id-1", Name: "lib", Version: "1", PURL: "pkg:npm/lib@1"},
+		{ID: "id-2", Name: "/etc/motd", Type: "file"},
+		{ID: "id-3", Name: "alpine", Version: "3.22", Type: "operating-system"},
+	}
+	stats := ComputeStats(comps)
+	if stats.ByType["npm"] != 1 {
+		t.Errorf("expected ByType[npm]=1, got %d", stats.ByType["npm"])
+	}
+	if stats.ByType["file"] != 1 {
+		t.Errorf("expected ByType[file]=1 (component type fallback), got %d (unknown=%d)", stats.ByType["file"], stats.ByType["unknown"])
+	}
+	if stats.ByType["operating-system"] != 1 {
+		t.Errorf("expected ByType[operating-system]=1, got %d", stats.ByType["operating-system"])
+	}
+}

internal/cli/options.go

@@ -26,6 +26,7 @@ type Options struct {
 	WebServer    bool
 	WebPort      int
 	NoPager      bool
+	Compliance   bool // show NTIA/CISA/BSI compliance score
 	Convert      bool
 	TargetFormat string // cyclonedx, cdx, spdx, syft
 	OutputFile   string
@@ -54,7 +55,7 @@ func ParseArgs(args []string) Options {
 
 	if len(args) > 1 && args[1] == "convert" {
 		opts.Convert = true
-		args = append(args[:1], args[2:]...) // remove "convert" from args
+		args = append(args[:1], args[2:]...)
 	}
 
 	for i := 1; i < len(args); i++ {
@@ -93,6 +94,8 @@ func ParseArgs(args []string) Options {
 			opts.Interactive = true
 		case "--no-pager":
 			opts.NoPager = true
+		case "--compliance":
+			opts.Compliance = true
 		case "-web", "--web":
 			opts.WebServer = true
 		case "--port":

internal/cli/options_test.go

@@ -236,3 +236,35 @@ func TestParseArgs_NonConvertModeUnchanged(t *testing.T) {
 		t.Error("expected JSONOutput=true")
 	}
 }
+
+func TestParseArgs_ComplianceFlag(t *testing.T) {
+	t.Run("parses --compliance flag", func(t *testing.T) {
+		args := []string{"sbomlyze", "a.json", "--compliance"}
+		opts := ParseArgs(args)
+
+		if !opts.Compliance {
+			t.Error("expected Compliance=true from --compliance flag")
+		}
+	})
+
+	t.Run("default is no compliance", func(t *testing.T) {
+		args := []string{"sbomlyze", "a.json"}
+		opts := ParseArgs(args)
+
+		if opts.Compliance {
+			t.Error("expected default Compliance=false")
+		}
+	})
+
+	t.Run("compliance with policy", func(t *testing.T) {
+		args := []string{"sbomlyze", "a.json", "b.json", "--compliance", "--policy", "pol.json"}
+		opts := ParseArgs(args)
+
+		if !opts.Compliance {
+			t.Error("expected Compliance=true")
+		}
+		if opts.PolicyFile != "pol.json" {
+			t.Errorf("expected PolicyFile=pol.json, got %s", opts.PolicyFile)
+		}
+	})
+}