npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
NIST CSF 2.0
When to Use
- A new regulatory requirement (EO 14028, EU CRA) mandates SBOM analysis for software deliveries
- Security team needs to assess third-party risk by scanning vendor-provided SBOMs
- CI/CD pipeline requires automated vulnerability checks against generated SBOMs
- Incident response needs to determine if a newly disclosed CVE affects deployed software
- Procurement team requires supply chain risk assessment for a software acquisition
Do not use for runtime vulnerability scanning of live systems; use container scanning tools (Trivy, Grype CLI) or host-based vulnerability scanners (Nessus, Qualys) instead.
Prerequisites
- SBOM file in CycloneDX JSON (v1.4+) or SPDX JSON (v2.3+) format
- Python 3.9+ with requests, networkx, and packaging libraries installed
- NVD API key (free, from https://nvd.nist.gov/developers/request-an-api-key) for higher rate limits
- Network access to NVD API (https://services.nvd.nist.gov/rest/json/cves/2.0)
- Optionally: syft for SBOM generation, grype for cross-validation
Workflow
Step 1: Generate SBOM (if not provided)
Use syft to create an SBOM from a container image or project directory:
# Generate CycloneDX JSON from a container image
syft alpine:latest -o cyclonedx-json > sbom-cyclonedx.json
# Generate SPDX JSON from a project directory
syft dir:/path/to/project -o spdx-json > sbom-spdx.json
# Generate from a running container
syft docker:my-app-container -o cyclonedx-json > sbom.jsonSyft supports over 30 package ecosystems including npm, PyPI, Maven, Go modules, apt, apk, and RPM. The generated SBOM includes package names, versions, licenses, CPE identifiers, and PURL (Package URL) references.
Step 2: Parse SBOM and Extract Components
Parse the SBOM to extract all software components with their identifiers:
CycloneDX JSON Structure:
{
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"components": [
{
"type": "library",
"name": "lodash",
"version": "4.17.20",
"purl": "pkg:npm/lodash@4.17.20",
"cpe": "cpe:2.3:a:lodash:lodash:4.17.20:*:*:*:*:*:*:*",
"licenses": [{"license": {"id": "MIT"}}]
}
],
"dependencies": [
{"ref": "pkg:npm/express@4.18.2", "dependsOn": ["pkg:npm/lodash@4.17.20"]}
]
}SPDX JSON Structure:
{
"spdxVersion": "SPDX-2.3",
"packages": [
{
"name": "lodash",
"versionInfo": "4.17.20",
"externalRefs": [
{"referenceType": "purl", "referenceLocator": "pkg:npm/lodash@4.17.20"},
{"referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:lodash:lodash:4.17.20:*:*:*:*:*:*:*"}
],
"licenseConcluded": "MIT"
}
],
"relationships": [
{"spdxElementId": "SPDXRef-express", "relatedSpdxElement": "SPDXRef-lodash",
"relationshipType": "DEPENDS_ON"}
]
}Step 3: Correlate Components with NVD CVE Database
Query the NVD 2.0 API to find known vulnerabilities for each component:
import requests
NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"
def search_cves_by_cpe(cpe_name, api_key=None):
params = {"cpeName": cpe_name, "resultsPerPage": 50}
headers = {"apiKey": api_key} if api_key else {}
resp = requests.get(NVD_API, params=params, headers=headers, timeout=30)
resp.raise_for_status()
return resp.json().get("vulnerabilities", [])
def search_cves_by_keyword(keyword, version=None, api_key=None):
params = {"keywordSearch": keyword, "resultsPerPage": 50}
headers = {"apiKey": api_key} if api_key else {}
resp = requests.get(NVD_API, params=params, headers=headers, timeout=30)
resp.raise_for_status()
return resp.json().get("vulnerabilities", [])The NVD API supports searching by CPE name (most precise), keyword, CVE ID, and date ranges. Rate limits: 5 requests/30 seconds without API key, 50 requests/30 seconds with key.
Step 4: Build Dependency Graph and Identify Transitive Risks
Construct a directed graph of dependencies to trace vulnerability propagation:
import networkx as nx
def build_dependency_graph(sbom):
G = nx.DiGraph()
# Add nodes for each component
for comp in sbom["components"]:
G.add_node(comp["purl"], name=comp["name"], version=comp["version"])
# Add edges from dependency relationships
for dep in sbom.get("dependencies", []):
for child in dep.get("dependsOn", []):
G.add_edge(dep["ref"], child)
return GTransitive dependency analysis identifies components that are not directly included but are pulled in through dependency chains. A vulnerability in a deeply nested transitive dependency (e.g., 4 levels deep) still represents risk but may be harder to remediate.
Key graph metrics for risk assessment:
- In-degree: How many components depend on this one (high in-degree = high blast radius)
- Shortest path to root: Distance from application entry point (closer = more exploitable)
- Betweenness centrality: Components that sit on many dependency paths (bottleneck risk)
Step 5: Calculate Risk Scores
Aggregate vulnerability data into component and overall risk scores:
Risk Score Calculation:
━━━━━━━━━━━━━━━━━━━━━━
Component Risk = max(CVSS scores of all CVEs affecting the component)
Weighted Risk = Component Risk * Dependency Factor
where Dependency Factor = 1.0 + (0.1 * in_degree)
(more dependents = higher organizational impact)
Overall SBOM Risk = weighted average of all component risks
weighted by dependency centrality
Risk Levels:
CRITICAL: CVSS >= 9.0 or known exploited (CISA KEV)
HIGH: CVSS >= 7.0
MEDIUM: CVSS >= 4.0
LOW: CVSS < 4.0Step 6: Cross-Validate with Grype
Use grype to independently scan the SBOM and compare findings:
# Scan CycloneDX SBOM with grype
grype sbom:sbom-cyclonedx.json -o json > grype-results.json
# Scan SPDX SBOM
grype sbom:sbom-spdx.json -o table
# Filter by severity
grype sbom:sbom-cyclonedx.json --only-fixed --fail-on criticalGrype pulls vulnerability data from NVD, GitHub Security Advisories, Alpine SecDB, Red Hat, Debian, Ubuntu, Amazon Linux, and Oracle security databases, providing broader coverage than NVD alone.
Step 7: Generate Compliance Report
Produce a structured report suitable for regulatory compliance:
SBOM VULNERABILITY ANALYSIS REPORT
====================================
SBOM File: app-sbom-cyclonedx.json
Format: CycloneDX v1.5
Analysis Date: 2026-03-19
Total Components: 247
Total Dependencies: 1,842 (direct: 34, transitive: 213)
VULNERABILITY SUMMARY
Critical: 3 components / 5 CVEs
High: 11 components / 18 CVEs
Medium: 27 components / 41 CVEs
Low: 8 components / 12 CVEs
CRITICAL FINDINGS
1. lodash@4.17.20
CVE-2021-23337 (CVSS 7.2) - Command Injection via template
CVE-2020-28500 (CVSS 5.3) - ReDoS in trimEnd
Dependents: 14 components (high blast radius)
Fix: Upgrade to 4.17.21+
2. log4j-core@2.14.1
CVE-2021-44228 (CVSS 10.0) - Log4Shell RCE [CISA KEV]
CVE-2021-45046 (CVSS 9.0) - Incomplete fix bypass
Dependents: 8 components
Fix: Upgrade to 2.17.1+
DEPENDENCY GRAPH RISKS
Most depended-on: core-util@1.2.3 (47 dependents)
Deepest chain: app -> framework -> adapter -> codec -> zlib (5 levels)
Bottleneck components: 3 components on >50% of dependency paths
LICENSE COMPLIANCE
Copyleft licenses found: 2 (GPL-3.0 in libxml2, AGPL-3.0 in mongodb-driver)
Review required for commercial distributionKey Concepts
| Term | Definition |
|---|---|
| SBOM | Software Bill of Materials; a formal inventory of all components, libraries, and dependencies in a software product |
| CycloneDX | OWASP-maintained SBOM standard supporting JSON, XML, and protobuf formats with dependency graph and vulnerability data |
| SPDX | Linux Foundation SBOM standard focused on license compliance with support for package, file, and snippet-level detail |
| PURL | Package URL; a standardized scheme for identifying software packages across ecosystems (e.g., pkg:npm/lodash@4.17.21) |
| CPE | Common Platform Enumeration; NIST naming scheme for IT products used to correlate with NVD CVE data |
| NVD | National Vulnerability Database; US government repository of vulnerability data indexed by CVE identifiers |
| Transitive Dependency | A dependency not directly declared but pulled in through the dependency chain of direct dependencies |
| CISA KEV | CISA Known Exploited Vulnerabilities catalog; CVEs confirmed to be actively exploited in the wild |
Tools & Systems
- syft (Anchore): Open-source SBOM generator supporting 30+ package ecosystems and CycloneDX/SPDX output
- grype (Anchore): Vulnerability scanner that accepts SBOMs as input and correlates against multiple advisory databases
- cyclonedx-python-lib: Python library for creating, parsing, and validating CycloneDX SBOMs programmatically
- lib4sbom: Python library for parsing both SPDX and CycloneDX format SBOMs
- nvdlib: Python wrapper for the NVD 2.0 API supporting CVE and CPE queries with rate limit management
- OWASP Dependency-Track: Platform for continuous SBOM analysis, vulnerability tracking, and policy enforcement
Common Scenarios
Scenario: Assessing Vendor Software After Log4Shell Disclosure
Context: After the Log4Shell (CVE-2021-44228) disclosure, the security team needs to determine which vendor-supplied applications contain vulnerable versions of log4j. Several vendors have provided SBOMs per contractual requirements.
Approach:
- Collect all vendor SBOMs (CycloneDX or SPDX JSON format)
- Parse each SBOM and search for log4j-core components with versions < 2.17.1
- Query NVD API for the specific CVEs (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105)
- Build dependency graphs to identify which application components depend on log4j
- Calculate blast radius: how many services and endpoints are exposed
- Generate prioritized remediation report sorted by exposure and business criticality
- Cross-validate findings with grype scan of the same SBOMs
Pitfalls:
- Vendor SBOMs may be incomplete, missing shaded/bundled JAR files that embed log4j
- SPDX and CycloneDX version differences may affect parser compatibility
- NVD API rate limits can slow analysis when scanning hundreds of components without an API key
- CPE names in SBOMs may not exactly match NVD entries, requiring fuzzy matching
- Transitive dependencies may include log4j even when it is not a direct dependency
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md5.9 KB
API Reference: SBOM Supply Chain Vulnerability Analysis
NVD API 2.0 - Vulnerability Lookup
Base URL
https://services.nvd.nist.gov/rest/json/cves/2.0Authentication
Header: apiKey: <your-api-key>
Get free key: https://nvd.nist.gov/developers/request-an-api-keyRate Limits
| Condition | Limit |
|---|---|
| Without API key | 5 requests per 30 seconds |
| With API key | 50 requests per 30 seconds |
Search by CPE Name
GET /rest/json/cves/2.0?cpeName=cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*import requests
resp = requests.get(
"https://services.nvd.nist.gov/rest/json/cves/2.0",
params={"cpeName": "cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*"},
headers={"apiKey": "YOUR_KEY"},
timeout=30
)
data = resp.json()
for vuln in data.get("vulnerabilities", []):
cve = vuln["cve"]
print(f"{cve['id']}: {cve['metrics']}")Search by Keyword
GET /rest/json/cves/2.0?keywordSearch=lodash+prototype+pollutionSearch by CVE ID
GET /rest/json/cves/2.0?cveId=CVE-2021-44228Response Structure
{
"resultsPerPage": 50,
"startIndex": 0,
"totalResults": 3,
"vulnerabilities": [
{
"cve": {
"id": "CVE-2021-44228",
"published": "2021-12-10T10:15:00.000",
"descriptions": [{"lang": "en", "value": "Apache Log4j2 ..."}],
"metrics": {
"cvssMetricV31": [{
"cvssData": {
"version": "3.1",
"baseScore": 10.0,
"baseSeverity": "CRITICAL"
}
}]
},
"references": [{"url": "https://..."}]
}
}
]
}CycloneDX JSON Format (v1.5)
Minimal Structure
{
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"serialNumber": "urn:uuid:...",
"version": 1,
"metadata": {
"timestamp": "2026-03-19T00:00:00Z",
"tools": [{"name": "syft", "version": "1.0.0"}]
},
"components": [],
"dependencies": []
}Component Object
{
"type": "library",
"name": "express",
"version": "4.18.2",
"purl": "pkg:npm/express@4.18.2",
"cpe": "cpe:2.3:a:expressjs:express:4.18.2:*:*:*:*:node.js:*:*",
"licenses": [{"license": {"id": "MIT"}}],
"supplier": {"name": "OpenJS Foundation"}
}Dependency Graph
{
"dependencies": [
{
"ref": "pkg:npm/express@4.18.2",
"dependsOn": [
"pkg:npm/body-parser@1.20.1",
"pkg:npm/cookie@0.5.0"
]
}
]
}SPDX JSON Format (v2.3)
Minimal Structure
{
"spdxVersion": "SPDX-2.3",
"dataLicense": "CC0-1.0",
"SPDXID": "SPDXRef-DOCUMENT",
"name": "my-application",
"packages": [],
"relationships": []
}Package Object
{
"SPDXID": "SPDXRef-Package-npm-express",
"name": "express",
"versionInfo": "4.18.2",
"downloadLocation": "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
"licenseConcluded": "MIT",
"licenseDeclared": "MIT",
"externalRefs": [
{"referenceType": "purl", "referenceLocator": "pkg:npm/express@4.18.2"},
{"referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:expressjs:express:4.18.2:*:*:*:*:*:*:*"}
]
}Relationship Types
{
"spdxElementId": "SPDXRef-Package-npm-express",
"relatedSpdxElement": "SPDXRef-Package-npm-body-parser",
"relationshipType": "DEPENDS_ON"
}syft - SBOM Generation
Installation
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/binGenerate CycloneDX SBOM
syft <source> -o cyclonedx-json > sbom.json
# Sources: container image, directory, file archive
syft alpine:latest -o cyclonedx-json
syft dir:/app -o cyclonedx-json
syft file:archive.tar.gz -o spdx-jsonOutput Formats
| Format | Flag |
|---|---|
| CycloneDX JSON | -o cyclonedx-json |
| CycloneDX XML | -o cyclonedx-xml |
| SPDX JSON | -o spdx-json |
| SPDX Tag-Value | -o spdx-tag-value |
| Syft JSON | -o json (default) |
| Table | -o table |
grype - Vulnerability Scanning
Installation
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/binScan SBOM for Vulnerabilities
# Scan CycloneDX SBOM
grype sbom:sbom-cyclonedx.json
# JSON output
grype sbom:sbom.json -o json > grype-results.json
# Filter by severity
grype sbom:sbom.json --only-fixed --fail-on critical
# Table output with severity filter
grype sbom:sbom.json -o table --only-fixedGrype Vulnerability Sources
- NVD (National Vulnerability Database)
- GitHub Security Advisories (GHSA)
- Alpine SecDB
- Red Hat Enterprise Linux
- Debian Security Tracker
- Ubuntu CVE Tracker
- Amazon Linux ALAS
- Oracle Linux ELSA
- Wolfi SecDB
Python Libraries
nvdlib - NVD API Wrapper
import nvdlib
# Search CVEs by CPE
results = nvdlib.searchCVE(cpeName="cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*")
for cve in results:
print(f"{cve.id}: CVSS {cve.score[1]}")
# Search CVEs by keyword
results = nvdlib.searchCVE(keywordSearch="lodash prototype pollution")networkx - Dependency Graph
import networkx as nx
G = nx.DiGraph()
G.add_edge("app", "framework")
G.add_edge("framework", "vulnerable-lib")
# Find all paths to a vulnerable component
paths = nx.all_simple_paths(G, "app", "vulnerable-lib")
# Betweenness centrality (bottleneck identification)
centrality = nx.betweenness_centrality(G)
# Longest dependency chain (DAG only)
longest = nx.dag_longest_path(G)CLI Usage Examples
# Full SBOM analysis with NVD correlation
python agent.py analyze sbom-cyclonedx.json --api-key YOUR_KEY -o report.json
# Offline analysis (skip NVD queries)
python agent.py analyze sbom.json --skip-nvd -o report.json
# Compare two SBOMs
python agent.py diff old-sbom.json new-sbom.json
# Parse and list components only
python agent.py parse sbom.json -o components.json
# Check license compliance
python agent.py licenses sbom.jsonScripts 1
agent.py27.7 KB
#!/usr/bin/env python3
"""SBOM supply chain vulnerability analysis agent.
Parses CycloneDX and SPDX JSON SBOMs, correlates components against the NVD 2.0 API
for known CVEs, builds dependency graphs with networkx, calculates risk scores, and
generates compliance reports.
"""
import os
import sys
import json
import time
import argparse
from pathlib import Path
from datetime import datetime
from collections import defaultdict
try:
import requests
HAS_REQUESTS = True
except ImportError:
HAS_REQUESTS = False
try:
import networkx as nx
HAS_NETWORKX = True
except ImportError:
HAS_NETWORKX = False
try:
from packaging.version import Version, InvalidVersion
HAS_PACKAGING = True
except ImportError:
HAS_PACKAGING = False
# NVD API 2.0 configuration
NVD_CVE_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"
NVD_CPE_API = "https://services.nvd.nist.gov/rest/json/cpes/2.0"
NVD_RATE_LIMIT_NO_KEY = 6.0 # seconds between requests without API key
NVD_RATE_LIMIT_WITH_KEY = 0.6 # seconds between requests with API key
NVD_RESULTS_PER_PAGE = 50
# CVSS severity thresholds
SEVERITY_THRESHOLDS = {
"CRITICAL": 9.0,
"HIGH": 7.0,
"MEDIUM": 4.0,
"LOW": 0.1,
}
class SBOMComponent:
"""Represents a single software component extracted from an SBOM."""
def __init__(self, name, version, purl=None, cpe=None, component_type="library",
licenses=None, supplier=None):
self.name = name
self.version = version
self.purl = purl
self.cpe = cpe
self.component_type = component_type
self.licenses = licenses or []
self.supplier = supplier
self.cves = []
self.max_cvss = 0.0
self.risk_level = "NONE"
def to_dict(self):
return {
"name": self.name,
"version": self.version,
"purl": self.purl,
"cpe": self.cpe,
"type": self.component_type,
"licenses": self.licenses,
"cves": self.cves,
"max_cvss": self.max_cvss,
"risk_level": self.risk_level,
}
def detect_sbom_format(sbom_data):
"""Detect whether the SBOM is CycloneDX or SPDX format."""
if isinstance(sbom_data, dict):
if sbom_data.get("bomFormat") == "CycloneDX":
return "cyclonedx"
if "spdxVersion" in sbom_data:
return "spdx"
if "components" in sbom_data and any(
"purl" in c for c in sbom_data.get("components", [])
):
return "cyclonedx"
if "packages" in sbom_data:
return "spdx"
return "unknown"
def parse_cyclonedx(sbom_data):
"""Parse CycloneDX JSON SBOM and extract components and dependencies."""
components = []
dependencies = {}
spec_version = sbom_data.get("specVersion", "unknown")
print(f" Format: CycloneDX v{spec_version}")
for comp in sbom_data.get("components", []):
name = comp.get("name", "unknown")
version = comp.get("version", "unknown")
purl = comp.get("purl")
cpe = None
# Extract CPE from multiple possible locations
if "cpe" in comp:
cpe = comp["cpe"]
for prop in comp.get("properties", []):
if prop.get("name") == "syft:cpe23" or "cpe" in prop.get("name", "").lower():
cpe = prop.get("value")
break
# Extract licenses
licenses = []
for lic_entry in comp.get("licenses", []):
lic = lic_entry.get("license", {})
if "id" in lic:
licenses.append(lic["id"])
elif "name" in lic:
licenses.append(lic["name"])
component = SBOMComponent(
name=name,
version=version,
purl=purl,
cpe=cpe,
component_type=comp.get("type", "library"),
licenses=licenses,
supplier=comp.get("supplier", {}).get("name"),
)
components.append(component)
# Parse dependency graph
for dep_entry in sbom_data.get("dependencies", []):
ref = dep_entry.get("ref", "")
depends_on = dep_entry.get("dependsOn", [])
dependencies[ref] = depends_on
return components, dependencies
def parse_spdx(sbom_data):
"""Parse SPDX JSON SBOM and extract components and dependencies."""
components = []
dependencies = {}
spdx_version = sbom_data.get("spdxVersion", "unknown")
print(f" Format: SPDX {spdx_version}")
spdx_id_to_purl = {}
for pkg in sbom_data.get("packages", []):
name = pkg.get("name", "unknown")
version = pkg.get("versionInfo", "unknown")
spdx_id = pkg.get("SPDXID", "")
purl = None
cpe = None
for ref in pkg.get("externalRefs", []):
ref_type = ref.get("referenceType", "")
locator = ref.get("referenceLocator", "")
if ref_type == "purl" or "purl" in ref_type.lower():
purl = locator
elif ref_type == "cpe23Type" or "cpe" in ref_type.lower():
cpe = locator
licenses = []
concluded = pkg.get("licenseConcluded", "NOASSERTION")
if concluded and concluded != "NOASSERTION":
licenses.append(concluded)
declared = pkg.get("licenseDeclared", "NOASSERTION")
if declared and declared != "NOASSERTION" and declared not in licenses:
licenses.append(declared)
component = SBOMComponent(
name=name,
version=version,
purl=purl,
cpe=cpe,
component_type="library",
licenses=licenses,
supplier=pkg.get("supplier"),
)
components.append(component)
spdx_id_to_purl[spdx_id] = purl or f"{name}@{version}"
# Parse relationships
for rel in sbom_data.get("relationships", []):
rel_type = rel.get("relationshipType", "")
if rel_type == "DEPENDS_ON":
parent_id = rel.get("spdxElementId", "")
child_id = rel.get("relatedSpdxElement", "")
parent_ref = spdx_id_to_purl.get(parent_id, parent_id)
child_ref = spdx_id_to_purl.get(child_id, child_id)
if parent_ref not in dependencies:
dependencies[parent_ref] = []
dependencies[parent_ref].append(child_ref)
return components, dependencies
def parse_sbom(sbom_path):
"""Load and parse an SBOM file, auto-detecting the format."""
if not os.path.isfile(sbom_path):
raise FileNotFoundError(f"SBOM file not found: {sbom_path}")
with open(sbom_path, "r", encoding="utf-8") as f:
sbom_data = json.load(f)
fmt = detect_sbom_format(sbom_data)
print(f"\n[INFO] Parsing SBOM: {sbom_path}")
if fmt == "cyclonedx":
return parse_cyclonedx(sbom_data), fmt
elif fmt == "spdx":
return parse_spdx(sbom_data), fmt
else:
raise ValueError(
f"Unrecognized SBOM format. Expected CycloneDX or SPDX JSON. "
f"Keys found: {list(sbom_data.keys())[:10]}"
)
def query_nvd_by_cpe(cpe_name, api_key=None):
"""Query NVD 2.0 API for CVEs matching a CPE name."""
if not HAS_REQUESTS:
return []
params = {"cpeName": cpe_name, "resultsPerPage": NVD_RESULTS_PER_PAGE}
headers = {}
if api_key:
headers["apiKey"] = api_key
try:
resp = requests.get(NVD_CVE_API, params=params, headers=headers, timeout=30)
if resp.status_code == 403:
print(f" [WARN] NVD API rate limited. Waiting...", file=sys.stderr)
time.sleep(NVD_RATE_LIMIT_NO_KEY * 2)
resp = requests.get(NVD_CVE_API, params=params, headers=headers, timeout=30)
resp.raise_for_status()
return resp.json().get("vulnerabilities", [])
except requests.RequestException as e:
print(f" [WARN] NVD API error for {cpe_name}: {e}", file=sys.stderr)
return []
def query_nvd_by_keyword(keyword, api_key=None):
"""Query NVD 2.0 API for CVEs matching a keyword search."""
if not HAS_REQUESTS:
return []
params = {"keywordSearch": keyword, "resultsPerPage": NVD_RESULTS_PER_PAGE}
headers = {}
if api_key:
headers["apiKey"] = api_key
try:
resp = requests.get(NVD_CVE_API, params=params, headers=headers, timeout=30)
resp.raise_for_status()
return resp.json().get("vulnerabilities", [])
except requests.RequestException as e:
print(f" [WARN] NVD keyword search error for '{keyword}': {e}", file=sys.stderr)
return []
def extract_cve_info(vuln_entry):
"""Extract structured CVE information from an NVD API response entry."""
cve_data = vuln_entry.get("cve", {})
cve_id = cve_data.get("id", "UNKNOWN")
# Extract CVSS score (prefer v3.1, fallback to v3.0, then v2.0)
cvss_score = 0.0
cvss_version = "none"
metrics = cve_data.get("metrics", {})
for version_key in ["cvssMetricV31", "cvssMetricV30", "cvssMetricV2"]:
metric_list = metrics.get(version_key, [])
if metric_list:
cvss_data = metric_list[0].get("cvssData", {})
cvss_score = cvss_data.get("baseScore", 0.0)
cvss_version = cvss_data.get("version", version_key)
break
# Extract description
descriptions = cve_data.get("descriptions", [])
description = ""
for desc in descriptions:
if desc.get("lang") == "en":
description = desc.get("value", "")
break
# Determine severity
severity = "LOW"
for level, threshold in sorted(SEVERITY_THRESHOLDS.items(),
key=lambda x: x[1], reverse=True):
if cvss_score >= threshold:
severity = level
break
# Check for known exploited (CISA KEV indicator)
is_kev = False
for ref in cve_data.get("references", []):
if "cisa.gov" in ref.get("url", "").lower():
is_kev = True
break
return {
"cve_id": cve_id,
"cvss_score": cvss_score,
"cvss_version": cvss_version,
"severity": severity,
"description": description[:300],
"is_kev": is_kev,
"published": cve_data.get("published", ""),
}
def correlate_cves(components, api_key=None, skip_nvd=False):
"""Correlate all SBOM components against NVD for known vulnerabilities."""
rate_limit = NVD_RATE_LIMIT_WITH_KEY if api_key else NVD_RATE_LIMIT_NO_KEY
total = len(components)
vuln_count = 0
print(f"\n[INFO] Correlating {total} components against NVD CVE database...")
if not api_key:
print(f" [NOTE] No NVD API key. Rate limited to 1 request per {rate_limit}s.")
print(f" Get a free key at: https://nvd.nist.gov/developers/request-an-api-key")
if skip_nvd:
print(f" [NOTE] NVD queries skipped (--skip-nvd flag). Using offline mode.")
return components
for idx, comp in enumerate(components):
print(f" [{idx+1}/{total}] {comp.name}@{comp.version}...", end="", flush=True)
vulns = []
# Try CPE-based search first (most precise)
if comp.cpe:
vulns = query_nvd_by_cpe(comp.cpe, api_key)
# Fallback to keyword search if no CPE or no results
if not vulns:
keyword = f"{comp.name} {comp.version}"
vulns = query_nvd_by_keyword(keyword, api_key)
# Process results
for v in vulns:
cve_info = extract_cve_info(v)
if cve_info["cvss_score"] > 0:
comp.cves.append(cve_info)
if cve_info["cvss_score"] > comp.max_cvss:
comp.max_cvss = cve_info["cvss_score"]
# Assign risk level
if comp.max_cvss >= SEVERITY_THRESHOLDS["CRITICAL"]:
comp.risk_level = "CRITICAL"
elif comp.max_cvss >= SEVERITY_THRESHOLDS["HIGH"]:
comp.risk_level = "HIGH"
elif comp.max_cvss >= SEVERITY_THRESHOLDS["MEDIUM"]:
comp.risk_level = "MEDIUM"
elif comp.max_cvss > 0:
comp.risk_level = "LOW"
cve_count = len(comp.cves)
vuln_count += cve_count
status = f" {cve_count} CVEs (max CVSS: {comp.max_cvss})" if cve_count else " clean"
print(status)
# Rate limiting
if idx < total - 1:
time.sleep(rate_limit)
print(f"\n[INFO] Correlation complete. Found {vuln_count} total CVEs across all components.")
return components
def build_dependency_graph(components, dependencies):
"""Build a directed dependency graph using networkx."""
if not HAS_NETWORKX:
print("[WARN] networkx not installed. Dependency graph analysis skipped.", file=sys.stderr)
return None
G = nx.DiGraph()
# Build lookup for components by purl or name@version
comp_lookup = {}
for comp in components:
ref = comp.purl or f"{comp.name}@{comp.version}"
G.add_node(ref, name=comp.name, version=comp.version,
max_cvss=comp.max_cvss, risk_level=comp.risk_level,
cve_count=len(comp.cves))
comp_lookup[ref] = comp
# Add edges from dependency relationships
for parent_ref, children in dependencies.items():
if parent_ref not in G:
G.add_node(parent_ref)
for child_ref in children:
if child_ref not in G:
G.add_node(child_ref)
G.add_edge(parent_ref, child_ref)
return G
def analyze_dependency_graph(G):
"""Analyze the dependency graph for risk metrics."""
if G is None or len(G.nodes) == 0:
return {}
analysis = {
"total_nodes": G.number_of_nodes(),
"total_edges": G.number_of_edges(),
"is_dag": nx.is_directed_acyclic_graph(G),
}
# Find most depended-on components (highest in-degree)
in_degrees = sorted(G.in_degree(), key=lambda x: x[1], reverse=True)
analysis["most_depended_on"] = [
{"ref": node, "dependents": deg, **G.nodes[node]}
for node, deg in in_degrees[:10] if deg > 0
]
# Find root nodes (no incoming edges - likely the application itself)
roots = [n for n, d in G.in_degree() if d == 0]
analysis["root_components"] = len(roots)
# Find leaf nodes (no outgoing edges - no dependencies)
leaves = [n for n, d in G.out_degree() if d == 0]
analysis["leaf_components"] = len(leaves)
# Calculate longest dependency chain
if analysis["is_dag"] and len(G.nodes) > 0:
try:
longest_path = nx.dag_longest_path(G)
analysis["deepest_chain_length"] = len(longest_path)
analysis["deepest_chain"] = longest_path
except nx.NetworkXError:
analysis["deepest_chain_length"] = 0
# Identify vulnerable components with high in-degree (blast radius)
high_risk_hubs = []
for node, deg in in_degrees:
node_data = G.nodes.get(node, {})
if node_data.get("max_cvss", 0) >= SEVERITY_THRESHOLDS["HIGH"] and deg > 0:
high_risk_hubs.append({
"ref": node,
"dependents": deg,
"max_cvss": node_data.get("max_cvss", 0),
"risk_level": node_data.get("risk_level", "UNKNOWN"),
})
analysis["high_risk_hubs"] = high_risk_hubs
# Betweenness centrality for bottleneck identification
if len(G.nodes) > 1:
centrality = nx.betweenness_centrality(G)
top_central = sorted(centrality.items(), key=lambda x: x[1], reverse=True)[:5]
analysis["bottleneck_components"] = [
{"ref": node, "centrality": round(cent, 4)} for node, cent in top_central if cent > 0
]
return analysis
def check_license_compliance(components):
"""Check for potentially problematic licenses in SBOM components."""
copyleft_licenses = {
"GPL-2.0", "GPL-2.0-only", "GPL-2.0-or-later",
"GPL-3.0", "GPL-3.0-only", "GPL-3.0-or-later",
"AGPL-3.0", "AGPL-3.0-only", "AGPL-3.0-or-later",
"LGPL-2.1", "LGPL-2.1-only", "LGPL-2.1-or-later",
"LGPL-3.0", "LGPL-3.0-only", "LGPL-3.0-or-later",
"MPL-2.0", "EUPL-1.2", "CPAL-1.0", "OSL-3.0",
}
findings = {
"copyleft_components": [],
"unknown_license_components": [],
"license_distribution": defaultdict(int),
}
for comp in components:
if not comp.licenses or comp.licenses == ["NOASSERTION"]:
findings["unknown_license_components"].append(
{"name": comp.name, "version": comp.version}
)
for lic in comp.licenses:
findings["license_distribution"][lic] += 1
if lic in copyleft_licenses:
findings["copyleft_components"].append({
"name": comp.name,
"version": comp.version,
"license": lic,
})
findings["license_distribution"] = dict(findings["license_distribution"])
return findings
def generate_report(components, dependencies, graph_analysis, license_info,
sbom_path, sbom_format, output_path=None):
"""Generate a comprehensive vulnerability analysis report."""
# Aggregate statistics
vuln_components = [c for c in components if c.cves]
total_cves = sum(len(c.cves) for c in components)
severity_counts = defaultdict(lambda: {"components": 0, "cves": 0})
for comp in components:
if comp.risk_level != "NONE":
severity_counts[comp.risk_level]["components"] += 1
severity_counts[comp.risk_level]["cves"] += len(comp.cves)
report_lines = []
report_lines.append("=" * 60)
report_lines.append("SBOM VULNERABILITY ANALYSIS REPORT")
report_lines.append("=" * 60)
report_lines.append(f"SBOM File: {sbom_path}")
report_lines.append(f"Format: {sbom_format}")
report_lines.append(f"Analysis Date: {datetime.utcnow().strftime('%Y-%m-%d %H:%M:%S UTC')}")
report_lines.append(f"Total Components: {len(components)}")
direct_deps = len(dependencies)
transitive = len(components) - direct_deps if direct_deps < len(components) else 0
report_lines.append(f"Dependencies: {len(dependencies)} direct, ~{transitive} transitive")
report_lines.append("")
report_lines.append("VULNERABILITY SUMMARY")
report_lines.append("-" * 40)
for level in ["CRITICAL", "HIGH", "MEDIUM", "LOW"]:
counts = severity_counts.get(level, {"components": 0, "cves": 0})
report_lines.append(
f" {level:10s}: {counts['components']:3d} components / {counts['cves']:3d} CVEs"
)
report_lines.append(f" {'TOTAL':10s}: {len(vuln_components):3d} components / {total_cves:3d} CVEs")
report_lines.append("")
# Critical and high findings detail
critical_high = sorted(
[c for c in components if c.risk_level in ("CRITICAL", "HIGH")],
key=lambda c: c.max_cvss, reverse=True
)
if critical_high:
report_lines.append("CRITICAL & HIGH FINDINGS")
report_lines.append("-" * 40)
for i, comp in enumerate(critical_high[:20], 1):
report_lines.append(f"\n {i}. {comp.name}@{comp.version} [{comp.risk_level}]")
for cve in sorted(comp.cves, key=lambda c: c["cvss_score"], reverse=True)[:5]:
kev_flag = " [CISA KEV]" if cve.get("is_kev") else ""
report_lines.append(
f" {cve['cve_id']} (CVSS {cve['cvss_score']:.1f}){kev_flag}"
)
if cve["description"]:
desc_short = cve["description"][:120]
report_lines.append(f" {desc_short}...")
# Dependency graph analysis
if graph_analysis:
report_lines.append("")
report_lines.append("DEPENDENCY GRAPH ANALYSIS")
report_lines.append("-" * 40)
report_lines.append(f" Nodes: {graph_analysis.get('total_nodes', 0)}")
report_lines.append(f" Edges: {graph_analysis.get('total_edges', 0)}")
report_lines.append(f" DAG: {graph_analysis.get('is_dag', 'N/A')}")
chain_len = graph_analysis.get("deepest_chain_length", 0)
if chain_len:
report_lines.append(f" Deepest dependency chain: {chain_len} levels")
hubs = graph_analysis.get("high_risk_hubs", [])
if hubs:
report_lines.append(f"\n HIGH-RISK HUBS (vulnerable + many dependents):")
for hub in hubs[:5]:
report_lines.append(
f" {hub['ref']}: {hub['dependents']} dependents, "
f"CVSS {hub['max_cvss']:.1f} [{hub['risk_level']}]"
)
# License compliance
if license_info:
report_lines.append("")
report_lines.append("LICENSE COMPLIANCE")
report_lines.append("-" * 40)
copyleft = license_info.get("copyleft_components", [])
unknown = license_info.get("unknown_license_components", [])
report_lines.append(f" Copyleft licenses found: {len(copyleft)}")
for cl in copyleft[:10]:
report_lines.append(f" {cl['name']}@{cl['version']}: {cl['license']}")
report_lines.append(f" Unknown/missing licenses: {len(unknown)}")
report_text = "\n".join(report_lines)
print(f"\n{report_text}")
# Build JSON result
result = {
"sbom_file": sbom_path,
"sbom_format": sbom_format,
"analysis_timestamp": datetime.utcnow().isoformat(),
"summary": {
"total_components": len(components),
"vulnerable_components": len(vuln_components),
"total_cves": total_cves,
"severity_counts": dict(severity_counts),
},
"components": [c.to_dict() for c in components],
"dependency_graph": graph_analysis or {},
"license_compliance": license_info or {},
}
if output_path:
with open(output_path, "w", encoding="utf-8") as f:
json.dump(result, f, indent=2, default=str)
print(f"\n[OK] Full report saved to {output_path}")
return result
def analyze_sbom(sbom_path, api_key=None, output_path=None, skip_nvd=False):
"""Full SBOM analysis pipeline: parse, correlate CVEs, graph analysis, report."""
(components, dependencies), sbom_format = parse_sbom(sbom_path)
print(f" Components: {len(components)}")
print(f" Dependency entries: {len(dependencies)}")
# Correlate with NVD
components = correlate_cves(components, api_key=api_key, skip_nvd=skip_nvd)
# Build and analyze dependency graph
G = build_dependency_graph(components, dependencies)
graph_analysis = analyze_dependency_graph(G)
# License compliance check
license_info = check_license_compliance(components)
# Generate report
result = generate_report(
components, dependencies, graph_analysis, license_info,
sbom_path, sbom_format, output_path
)
return result
def compare_sboms(sbom_path_old, sbom_path_new, api_key=None):
"""Compare two SBOMs to identify added, removed, and changed components."""
(comps_old, _), _ = parse_sbom(sbom_path_old)
(comps_new, _), _ = parse_sbom(sbom_path_new)
old_set = {f"{c.name}@{c.version}" for c in comps_old}
new_set = {f"{c.name}@{c.version}" for c in comps_new}
old_names = {c.name for c in comps_old}
new_names = {c.name for c in comps_new}
added = new_set - old_set
removed = old_set - new_set
# Version changes: same name, different version
old_versions = {c.name: c.version for c in comps_old}
new_versions = {c.name: c.version for c in comps_new}
version_changes = []
for name in old_names & new_names:
if old_versions[name] != new_versions[name]:
version_changes.append({
"name": name,
"old_version": old_versions[name],
"new_version": new_versions[name],
})
print(f"\n{'='*60}")
print(f"SBOM DIFF REPORT")
print(f"{'='*60}")
print(f"Old: {sbom_path_old} ({len(comps_old)} components)")
print(f"New: {sbom_path_new} ({len(comps_new)} components)")
print(f"\nAdded: {len(added)} components")
for a in sorted(added):
print(f" + {a}")
print(f"\nRemoved: {len(removed)} components")
for r in sorted(removed):
print(f" - {r}")
print(f"\nVersion Changes: {len(version_changes)}")
for vc in version_changes:
print(f" ~ {vc['name']}: {vc['old_version']} -> {vc['new_version']}")
return {"added": sorted(added), "removed": sorted(removed),
"version_changes": version_changes}
def main():
parser = argparse.ArgumentParser(
description="SBOM Supply Chain Vulnerability Analysis Agent"
)
subparsers = parser.add_subparsers(dest="command", help="Available commands")
# Analyze SBOM
analyze_parser = subparsers.add_parser("analyze", help="Analyze an SBOM for vulnerabilities")
analyze_parser.add_argument("sbom_path", help="Path to SBOM file (CycloneDX or SPDX JSON)")
analyze_parser.add_argument("--api-key", help="NVD API key for higher rate limits")
analyze_parser.add_argument("--output", "-o", help="Save full report to JSON file")
analyze_parser.add_argument("--skip-nvd", action="store_true",
help="Skip NVD API queries (offline mode)")
# Compare two SBOMs
diff_parser = subparsers.add_parser("diff", help="Compare two SBOMs for changes")
diff_parser.add_argument("old_sbom", help="Path to old/baseline SBOM")
diff_parser.add_argument("new_sbom", help="Path to new/current SBOM")
diff_parser.add_argument("--api-key", help="NVD API key")
# Parse only (no NVD queries)
parse_parser = subparsers.add_parser("parse", help="Parse SBOM and list components")
parse_parser.add_argument("sbom_path", help="Path to SBOM file")
parse_parser.add_argument("--output", "-o", help="Save component list to JSON")
# License check
license_parser = subparsers.add_parser("licenses", help="Check license compliance")
license_parser.add_argument("sbom_path", help="Path to SBOM file")
args = parser.parse_args()
if args.command == "analyze":
if not HAS_REQUESTS:
print("[ERROR] requests library required. Install: pip install requests",
file=sys.stderr)
sys.exit(1)
api_key = args.api_key or os.environ.get("NVD_API_KEY")
analyze_sbom(args.sbom_path, api_key=api_key, output_path=args.output,
skip_nvd=args.skip_nvd)
elif args.command == "diff":
compare_sboms(args.old_sbom, args.new_sbom, api_key=args.api_key)
elif args.command == "parse":
(components, dependencies), fmt = parse_sbom(args.sbom_path)
print(f"\n Total components: {len(components)}")
for comp in components:
print(f" {comp.name}@{comp.version} [{comp.component_type}] "
f"licenses={comp.licenses}")
if args.output:
data = {"format": fmt, "component_count": len(components),
"components": [c.to_dict() for c in components]}
with open(args.output, "w") as f:
json.dump(data, f, indent=2)
print(f"\n[OK] Component list saved to {args.output}")
elif args.command == "licenses":
(components, _), _ = parse_sbom(args.sbom_path)
info = check_license_compliance(components)
print(f"\nLicense Distribution:")
for lic, count in sorted(info["license_distribution"].items(),
key=lambda x: x[1], reverse=True):
print(f" {lic}: {count}")
if info["copyleft_components"]:
print(f"\nCopyleft Components ({len(info['copyleft_components'])}):")
for cl in info["copyleft_components"]:
print(f" {cl['name']}@{cl['version']}: {cl['license']}")
if info["unknown_license_components"]:
print(f"\nUnknown License ({len(info['unknown_license_components'])}):")
for ul in info["unknown_license_components"]:
print(f" {ul['name']}@{ul['version']}")
else:
parser.print_help()
if __name__ == "__main__":
main()