supply chain security

Analyzing SBOM for Supply Chain Vulnerabilities

Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON formats to identify supply chain vulnerabilities by correlating components against the NVD CVE database via the NVD 2.0 API. Builds dependency graphs, calculates risk scores, identifies transitive vulnerability paths, and generates compliance reports. Activates for requests involving SBOM analysis, software composition analysis, supply chain security assessment, dependency vulnerability scanning, CycloneDX/SPDX parsing, or CVE correlation.

cvecyclonedxdependency-analysisgrypenvdsbomspdxsupply-chain
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

  • A new regulatory requirement (EO 14028, EU CRA) mandates SBOM analysis for software deliveries
  • Security team needs to assess third-party risk by scanning vendor-provided SBOMs
  • CI/CD pipeline requires automated vulnerability checks against generated SBOMs
  • Incident response needs to determine if a newly disclosed CVE affects deployed software
  • Procurement team requires supply chain risk assessment for a software acquisition

Do not use for runtime vulnerability scanning of live systems; use container scanning tools (Trivy, Grype CLI) or host-based vulnerability scanners (Nessus, Qualys) instead.

Prerequisites

Workflow

Step 1: Generate SBOM (if not provided)

Use syft to create an SBOM from a container image or project directory:

# Generate CycloneDX JSON from a container image
syft alpine:latest -o cyclonedx-json > sbom-cyclonedx.json
 
# Generate SPDX JSON from a project directory
syft dir:/path/to/project -o spdx-json > sbom-spdx.json
 
# Generate from a running container
syft docker:my-app-container -o cyclonedx-json > sbom.json

Syft supports over 30 package ecosystems including npm, PyPI, Maven, Go modules, apt, apk, and RPM. The generated SBOM includes package names, versions, licenses, CPE identifiers, and PURL (Package URL) references.

Step 2: Parse SBOM and Extract Components

Parse the SBOM to extract all software components with their identifiers:

CycloneDX JSON Structure:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {
      "type": "library",
      "name": "lodash",
      "version": "4.17.20",
      "purl": "pkg:npm/lodash@4.17.20",
      "cpe": "cpe:2.3:a:lodash:lodash:4.17.20:*:*:*:*:*:*:*",
      "licenses": [{"license": {"id": "MIT"}}]
    }
  ],
  "dependencies": [
    {"ref": "pkg:npm/express@4.18.2", "dependsOn": ["pkg:npm/lodash@4.17.20"]}
  ]
}

SPDX JSON Structure:

{
  "spdxVersion": "SPDX-2.3",
  "packages": [
    {
      "name": "lodash",
      "versionInfo": "4.17.20",
      "externalRefs": [
        {"referenceType": "purl", "referenceLocator": "pkg:npm/lodash@4.17.20"},
        {"referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:lodash:lodash:4.17.20:*:*:*:*:*:*:*"}
      ],
      "licenseConcluded": "MIT"
    }
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-express", "relatedSpdxElement": "SPDXRef-lodash",
     "relationshipType": "DEPENDS_ON"}
  ]
}

Step 3: Correlate Components with NVD CVE Database

Query the NVD 2.0 API to find known vulnerabilities for each component:

import requests
 
NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"
 
def search_cves_by_cpe(cpe_name, api_key=None):
    params = {"cpeName": cpe_name, "resultsPerPage": 50}
    headers = {"apiKey": api_key} if api_key else {}
    resp = requests.get(NVD_API, params=params, headers=headers, timeout=30)
    resp.raise_for_status()
    return resp.json().get("vulnerabilities", [])
 
def search_cves_by_keyword(keyword, version=None, api_key=None):
    params = {"keywordSearch": keyword, "resultsPerPage": 50}
    headers = {"apiKey": api_key} if api_key else {}
    resp = requests.get(NVD_API, params=params, headers=headers, timeout=30)
    resp.raise_for_status()
    return resp.json().get("vulnerabilities", [])

The NVD API supports searching by CPE name (most precise), keyword, CVE ID, and date ranges. Rate limits: 5 requests/30 seconds without API key, 50 requests/30 seconds with key.

Step 4: Build Dependency Graph and Identify Transitive Risks

Construct a directed graph of dependencies to trace vulnerability propagation:

import networkx as nx
 
def build_dependency_graph(sbom):
    G = nx.DiGraph()
    # Add nodes for each component
    for comp in sbom["components"]:
        G.add_node(comp["purl"], name=comp["name"], version=comp["version"])
    # Add edges from dependency relationships
    for dep in sbom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            G.add_edge(dep["ref"], child)
    return G

Transitive dependency analysis identifies components that are not directly included but are pulled in through dependency chains. A vulnerability in a deeply nested transitive dependency (e.g., 4 levels deep) still represents risk but may be harder to remediate.

Key graph metrics for risk assessment:

  • In-degree: How many components depend on this one (high in-degree = high blast radius)
  • Shortest path to root: Distance from application entry point (closer = more exploitable)
  • Betweenness centrality: Components that sit on many dependency paths (bottleneck risk)

Step 5: Calculate Risk Scores

Aggregate vulnerability data into component and overall risk scores:

Risk Score Calculation:
━━━━━━━━━━━━━━━━━━━━━━
Component Risk = max(CVSS scores of all CVEs affecting the component)
 
Weighted Risk = Component Risk * Dependency Factor
  where Dependency Factor = 1.0 + (0.1 * in_degree)
  (more dependents = higher organizational impact)
 
Overall SBOM Risk = weighted average of all component risks
  weighted by dependency centrality
 
Risk Levels:
  CRITICAL: CVSS >= 9.0 or known exploited (CISA KEV)
  HIGH:     CVSS >= 7.0
  MEDIUM:   CVSS >= 4.0
  LOW:      CVSS < 4.0

Step 6: Cross-Validate with Grype

Use grype to independently scan the SBOM and compare findings:

# Scan CycloneDX SBOM with grype
grype sbom:sbom-cyclonedx.json -o json > grype-results.json
 
# Scan SPDX SBOM
grype sbom:sbom-spdx.json -o table
 
# Filter by severity
grype sbom:sbom-cyclonedx.json --only-fixed --fail-on critical

Grype pulls vulnerability data from NVD, GitHub Security Advisories, Alpine SecDB, Red Hat, Debian, Ubuntu, Amazon Linux, and Oracle security databases, providing broader coverage than NVD alone.

Step 7: Generate Compliance Report

Produce a structured report suitable for regulatory compliance:

SBOM VULNERABILITY ANALYSIS REPORT
====================================
SBOM File:         app-sbom-cyclonedx.json
Format:            CycloneDX v1.5
Analysis Date:     2026-03-19
Total Components:  247
Total Dependencies: 1,842 (direct: 34, transitive: 213)
 
VULNERABILITY SUMMARY
  Critical:  3 components / 5 CVEs
  High:      11 components / 18 CVEs
  Medium:    27 components / 41 CVEs
  Low:       8 components / 12 CVEs
 
CRITICAL FINDINGS
1. lodash@4.17.20
   CVE-2021-23337 (CVSS 7.2) - Command Injection via template
   CVE-2020-28500 (CVSS 5.3) - ReDoS in trimEnd
   Dependents: 14 components (high blast radius)
   Fix: Upgrade to 4.17.21+
 
2. log4j-core@2.14.1
   CVE-2021-44228 (CVSS 10.0) - Log4Shell RCE [CISA KEV]
   CVE-2021-45046 (CVSS 9.0) - Incomplete fix bypass
   Dependents: 8 components
   Fix: Upgrade to 2.17.1+
 
DEPENDENCY GRAPH RISKS
  Most depended-on: core-util@1.2.3 (47 dependents)
  Deepest chain: app -> framework -> adapter -> codec -> zlib (5 levels)
  Bottleneck components: 3 components on >50% of dependency paths
 
LICENSE COMPLIANCE
  Copyleft licenses found: 2 (GPL-3.0 in libxml2, AGPL-3.0 in mongodb-driver)
  Review required for commercial distribution

Key Concepts

Term Definition
SBOM Software Bill of Materials; a formal inventory of all components, libraries, and dependencies in a software product
CycloneDX OWASP-maintained SBOM standard supporting JSON, XML, and protobuf formats with dependency graph and vulnerability data
SPDX Linux Foundation SBOM standard focused on license compliance with support for package, file, and snippet-level detail
PURL Package URL; a standardized scheme for identifying software packages across ecosystems (e.g., pkg:npm/lodash@4.17.21)
CPE Common Platform Enumeration; NIST naming scheme for IT products used to correlate with NVD CVE data
NVD National Vulnerability Database; US government repository of vulnerability data indexed by CVE identifiers
Transitive Dependency A dependency not directly declared but pulled in through the dependency chain of direct dependencies
CISA KEV CISA Known Exploited Vulnerabilities catalog; CVEs confirmed to be actively exploited in the wild

Tools & Systems

  • syft (Anchore): Open-source SBOM generator supporting 30+ package ecosystems and CycloneDX/SPDX output
  • grype (Anchore): Vulnerability scanner that accepts SBOMs as input and correlates against multiple advisory databases
  • cyclonedx-python-lib: Python library for creating, parsing, and validating CycloneDX SBOMs programmatically
  • lib4sbom: Python library for parsing both SPDX and CycloneDX format SBOMs
  • nvdlib: Python wrapper for the NVD 2.0 API supporting CVE and CPE queries with rate limit management
  • OWASP Dependency-Track: Platform for continuous SBOM analysis, vulnerability tracking, and policy enforcement

Common Scenarios

Scenario: Assessing Vendor Software After Log4Shell Disclosure

Context: After the Log4Shell (CVE-2021-44228) disclosure, the security team needs to determine which vendor-supplied applications contain vulnerable versions of log4j. Several vendors have provided SBOMs per contractual requirements.

Approach:

  1. Collect all vendor SBOMs (CycloneDX or SPDX JSON format)
  2. Parse each SBOM and search for log4j-core components with versions < 2.17.1
  3. Query NVD API for the specific CVEs (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105)
  4. Build dependency graphs to identify which application components depend on log4j
  5. Calculate blast radius: how many services and endpoints are exposed
  6. Generate prioritized remediation report sorted by exposure and business criticality
  7. Cross-validate findings with grype scan of the same SBOMs

Pitfalls:

  • Vendor SBOMs may be incomplete, missing shaded/bundled JAR files that embed log4j
  • SPDX and CycloneDX version differences may affect parser compatibility
  • NVD API rate limits can slow analysis when scanning hundreds of components without an API key
  • CPE names in SBOMs may not exactly match NVD entries, requiring fuzzy matching
  • Transitive dependencies may include log4j even when it is not a direct dependency
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md5.9 KB

API Reference: SBOM Supply Chain Vulnerability Analysis

NVD API 2.0 - Vulnerability Lookup

Base URL

https://services.nvd.nist.gov/rest/json/cves/2.0

Authentication

Header: apiKey: <your-api-key>
Get free key: https://nvd.nist.gov/developers/request-an-api-key

Rate Limits

Condition Limit
Without API key 5 requests per 30 seconds
With API key 50 requests per 30 seconds

Search by CPE Name

GET /rest/json/cves/2.0?cpeName=cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*
import requests
 
resp = requests.get(
    "https://services.nvd.nist.gov/rest/json/cves/2.0",
    params={"cpeName": "cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*"},
    headers={"apiKey": "YOUR_KEY"},
    timeout=30
)
data = resp.json()
for vuln in data.get("vulnerabilities", []):
    cve = vuln["cve"]
    print(f"{cve['id']}: {cve['metrics']}")

Search by Keyword

GET /rest/json/cves/2.0?keywordSearch=lodash+prototype+pollution

Search by CVE ID

GET /rest/json/cves/2.0?cveId=CVE-2021-44228

Response Structure

{
  "resultsPerPage": 50,
  "startIndex": 0,
  "totalResults": 3,
  "vulnerabilities": [
    {
      "cve": {
        "id": "CVE-2021-44228",
        "published": "2021-12-10T10:15:00.000",
        "descriptions": [{"lang": "en", "value": "Apache Log4j2 ..."}],
        "metrics": {
          "cvssMetricV31": [{
            "cvssData": {
              "version": "3.1",
              "baseScore": 10.0,
              "baseSeverity": "CRITICAL"
            }
          }]
        },
        "references": [{"url": "https://..."}]
      }
    }
  ]
}

CycloneDX JSON Format (v1.5)

Minimal Structure

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:...",
  "version": 1,
  "metadata": {
    "timestamp": "2026-03-19T00:00:00Z",
    "tools": [{"name": "syft", "version": "1.0.0"}]
  },
  "components": [],
  "dependencies": []
}

Component Object

{
  "type": "library",
  "name": "express",
  "version": "4.18.2",
  "purl": "pkg:npm/express@4.18.2",
  "cpe": "cpe:2.3:a:expressjs:express:4.18.2:*:*:*:*:node.js:*:*",
  "licenses": [{"license": {"id": "MIT"}}],
  "supplier": {"name": "OpenJS Foundation"}
}

Dependency Graph

{
  "dependencies": [
    {
      "ref": "pkg:npm/express@4.18.2",
      "dependsOn": [
        "pkg:npm/body-parser@1.20.1",
        "pkg:npm/cookie@0.5.0"
      ]
    }
  ]
}

SPDX JSON Format (v2.3)

Minimal Structure

{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "my-application",
  "packages": [],
  "relationships": []
}

Package Object

{
  "SPDXID": "SPDXRef-Package-npm-express",
  "name": "express",
  "versionInfo": "4.18.2",
  "downloadLocation": "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
  "licenseConcluded": "MIT",
  "licenseDeclared": "MIT",
  "externalRefs": [
    {"referenceType": "purl", "referenceLocator": "pkg:npm/express@4.18.2"},
    {"referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:expressjs:express:4.18.2:*:*:*:*:*:*:*"}
  ]
}

Relationship Types

{
  "spdxElementId": "SPDXRef-Package-npm-express",
  "relatedSpdxElement": "SPDXRef-Package-npm-body-parser",
  "relationshipType": "DEPENDS_ON"
}

syft - SBOM Generation

Installation

curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin

Generate CycloneDX SBOM

syft <source> -o cyclonedx-json > sbom.json
 
# Sources: container image, directory, file archive
syft alpine:latest -o cyclonedx-json
syft dir:/app -o cyclonedx-json
syft file:archive.tar.gz -o spdx-json

Output Formats

Format Flag
CycloneDX JSON -o cyclonedx-json
CycloneDX XML -o cyclonedx-xml
SPDX JSON -o spdx-json
SPDX Tag-Value -o spdx-tag-value
Syft JSON -o json (default)
Table -o table

grype - Vulnerability Scanning

Installation

curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

Scan SBOM for Vulnerabilities

# Scan CycloneDX SBOM
grype sbom:sbom-cyclonedx.json
 
# JSON output
grype sbom:sbom.json -o json > grype-results.json
 
# Filter by severity
grype sbom:sbom.json --only-fixed --fail-on critical
 
# Table output with severity filter
grype sbom:sbom.json -o table --only-fixed

Grype Vulnerability Sources

  • NVD (National Vulnerability Database)
  • GitHub Security Advisories (GHSA)
  • Alpine SecDB
  • Red Hat Enterprise Linux
  • Debian Security Tracker
  • Ubuntu CVE Tracker
  • Amazon Linux ALAS
  • Oracle Linux ELSA
  • Wolfi SecDB

Python Libraries

nvdlib - NVD API Wrapper

import nvdlib
 
# Search CVEs by CPE
results = nvdlib.searchCVE(cpeName="cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*")
for cve in results:
    print(f"{cve.id}: CVSS {cve.score[1]}")
 
# Search CVEs by keyword
results = nvdlib.searchCVE(keywordSearch="lodash prototype pollution")

networkx - Dependency Graph

import networkx as nx
 
G = nx.DiGraph()
G.add_edge("app", "framework")
G.add_edge("framework", "vulnerable-lib")
 
# Find all paths to a vulnerable component
paths = nx.all_simple_paths(G, "app", "vulnerable-lib")
 
# Betweenness centrality (bottleneck identification)
centrality = nx.betweenness_centrality(G)
 
# Longest dependency chain (DAG only)
longest = nx.dag_longest_path(G)

CLI Usage Examples

# Full SBOM analysis with NVD correlation
python agent.py analyze sbom-cyclonedx.json --api-key YOUR_KEY -o report.json
 
# Offline analysis (skip NVD queries)
python agent.py analyze sbom.json --skip-nvd -o report.json
 
# Compare two SBOMs
python agent.py diff old-sbom.json new-sbom.json
 
# Parse and list components only
python agent.py parse sbom.json -o components.json
 
# Check license compliance
python agent.py licenses sbom.json

Scripts 1

agent.py27.7 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""SBOM supply chain vulnerability analysis agent.

Parses CycloneDX and SPDX JSON SBOMs, correlates components against the NVD 2.0 API
for known CVEs, builds dependency graphs with networkx, calculates risk scores, and
generates compliance reports.
"""

import os
import sys
import json
import time
import argparse
from pathlib import Path
from datetime import datetime
from collections import defaultdict

try:
    import requests
    HAS_REQUESTS = True
except ImportError:
    HAS_REQUESTS = False

try:
    import networkx as nx
    HAS_NETWORKX = True
except ImportError:
    HAS_NETWORKX = False

try:
    from packaging.version import Version, InvalidVersion
    HAS_PACKAGING = True
except ImportError:
    HAS_PACKAGING = False

# NVD API 2.0 configuration
NVD_CVE_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"
NVD_CPE_API = "https://services.nvd.nist.gov/rest/json/cpes/2.0"
NVD_RATE_LIMIT_NO_KEY = 6.0   # seconds between requests without API key
NVD_RATE_LIMIT_WITH_KEY = 0.6  # seconds between requests with API key
NVD_RESULTS_PER_PAGE = 50

# CVSS severity thresholds
SEVERITY_THRESHOLDS = {
    "CRITICAL": 9.0,
    "HIGH": 7.0,
    "MEDIUM": 4.0,
    "LOW": 0.1,
}


class SBOMComponent:
    """Represents a single software component extracted from an SBOM."""

    def __init__(self, name, version, purl=None, cpe=None, component_type="library",
                 licenses=None, supplier=None):
        self.name = name
        self.version = version
        self.purl = purl
        self.cpe = cpe
        self.component_type = component_type
        self.licenses = licenses or []
        self.supplier = supplier
        self.cves = []
        self.max_cvss = 0.0
        self.risk_level = "NONE"

    def to_dict(self):
        return {
            "name": self.name,
            "version": self.version,
            "purl": self.purl,
            "cpe": self.cpe,
            "type": self.component_type,
            "licenses": self.licenses,
            "cves": self.cves,
            "max_cvss": self.max_cvss,
            "risk_level": self.risk_level,
        }


def detect_sbom_format(sbom_data):
    """Detect whether the SBOM is CycloneDX or SPDX format."""
    if isinstance(sbom_data, dict):
        if sbom_data.get("bomFormat") == "CycloneDX":
            return "cyclonedx"
        if "spdxVersion" in sbom_data:
            return "spdx"
        if "components" in sbom_data and any(
            "purl" in c for c in sbom_data.get("components", [])
        ):
            return "cyclonedx"
        if "packages" in sbom_data:
            return "spdx"
    return "unknown"


def parse_cyclonedx(sbom_data):
    """Parse CycloneDX JSON SBOM and extract components and dependencies."""
    components = []
    dependencies = {}

    spec_version = sbom_data.get("specVersion", "unknown")
    print(f"  Format: CycloneDX v{spec_version}")

    for comp in sbom_data.get("components", []):
        name = comp.get("name", "unknown")
        version = comp.get("version", "unknown")
        purl = comp.get("purl")
        cpe = None

        # Extract CPE from multiple possible locations
        if "cpe" in comp:
            cpe = comp["cpe"]
        for prop in comp.get("properties", []):
            if prop.get("name") == "syft:cpe23" or "cpe" in prop.get("name", "").lower():
                cpe = prop.get("value")
                break

        # Extract licenses
        licenses = []
        for lic_entry in comp.get("licenses", []):
            lic = lic_entry.get("license", {})
            if "id" in lic:
                licenses.append(lic["id"])
            elif "name" in lic:
                licenses.append(lic["name"])

        component = SBOMComponent(
            name=name,
            version=version,
            purl=purl,
            cpe=cpe,
            component_type=comp.get("type", "library"),
            licenses=licenses,
            supplier=comp.get("supplier", {}).get("name"),
        )
        components.append(component)

    # Parse dependency graph
    for dep_entry in sbom_data.get("dependencies", []):
        ref = dep_entry.get("ref", "")
        depends_on = dep_entry.get("dependsOn", [])
        dependencies[ref] = depends_on

    return components, dependencies


def parse_spdx(sbom_data):
    """Parse SPDX JSON SBOM and extract components and dependencies."""
    components = []
    dependencies = {}

    spdx_version = sbom_data.get("spdxVersion", "unknown")
    print(f"  Format: SPDX {spdx_version}")

    spdx_id_to_purl = {}

    for pkg in sbom_data.get("packages", []):
        name = pkg.get("name", "unknown")
        version = pkg.get("versionInfo", "unknown")
        spdx_id = pkg.get("SPDXID", "")
        purl = None
        cpe = None

        for ref in pkg.get("externalRefs", []):
            ref_type = ref.get("referenceType", "")
            locator = ref.get("referenceLocator", "")
            if ref_type == "purl" or "purl" in ref_type.lower():
                purl = locator
            elif ref_type == "cpe23Type" or "cpe" in ref_type.lower():
                cpe = locator

        licenses = []
        concluded = pkg.get("licenseConcluded", "NOASSERTION")
        if concluded and concluded != "NOASSERTION":
            licenses.append(concluded)
        declared = pkg.get("licenseDeclared", "NOASSERTION")
        if declared and declared != "NOASSERTION" and declared not in licenses:
            licenses.append(declared)

        component = SBOMComponent(
            name=name,
            version=version,
            purl=purl,
            cpe=cpe,
            component_type="library",
            licenses=licenses,
            supplier=pkg.get("supplier"),
        )
        components.append(component)
        spdx_id_to_purl[spdx_id] = purl or f"{name}@{version}"

    # Parse relationships
    for rel in sbom_data.get("relationships", []):
        rel_type = rel.get("relationshipType", "")
        if rel_type == "DEPENDS_ON":
            parent_id = rel.get("spdxElementId", "")
            child_id = rel.get("relatedSpdxElement", "")
            parent_ref = spdx_id_to_purl.get(parent_id, parent_id)
            child_ref = spdx_id_to_purl.get(child_id, child_id)
            if parent_ref not in dependencies:
                dependencies[parent_ref] = []
            dependencies[parent_ref].append(child_ref)

    return components, dependencies


def parse_sbom(sbom_path):
    """Load and parse an SBOM file, auto-detecting the format."""
    if not os.path.isfile(sbom_path):
        raise FileNotFoundError(f"SBOM file not found: {sbom_path}")

    with open(sbom_path, "r", encoding="utf-8") as f:
        sbom_data = json.load(f)

    fmt = detect_sbom_format(sbom_data)
    print(f"\n[INFO] Parsing SBOM: {sbom_path}")

    if fmt == "cyclonedx":
        return parse_cyclonedx(sbom_data), fmt
    elif fmt == "spdx":
        return parse_spdx(sbom_data), fmt
    else:
        raise ValueError(
            f"Unrecognized SBOM format. Expected CycloneDX or SPDX JSON. "
            f"Keys found: {list(sbom_data.keys())[:10]}"
        )


def query_nvd_by_cpe(cpe_name, api_key=None):
    """Query NVD 2.0 API for CVEs matching a CPE name."""
    if not HAS_REQUESTS:
        return []

    params = {"cpeName": cpe_name, "resultsPerPage": NVD_RESULTS_PER_PAGE}
    headers = {}
    if api_key:
        headers["apiKey"] = api_key

    try:
        resp = requests.get(NVD_CVE_API, params=params, headers=headers, timeout=30)
        if resp.status_code == 403:
            print(f"    [WARN] NVD API rate limited. Waiting...", file=sys.stderr)
            time.sleep(NVD_RATE_LIMIT_NO_KEY * 2)
            resp = requests.get(NVD_CVE_API, params=params, headers=headers, timeout=30)
        resp.raise_for_status()
        return resp.json().get("vulnerabilities", [])
    except requests.RequestException as e:
        print(f"    [WARN] NVD API error for {cpe_name}: {e}", file=sys.stderr)
        return []


def query_nvd_by_keyword(keyword, api_key=None):
    """Query NVD 2.0 API for CVEs matching a keyword search."""
    if not HAS_REQUESTS:
        return []

    params = {"keywordSearch": keyword, "resultsPerPage": NVD_RESULTS_PER_PAGE}
    headers = {}
    if api_key:
        headers["apiKey"] = api_key

    try:
        resp = requests.get(NVD_CVE_API, params=params, headers=headers, timeout=30)
        resp.raise_for_status()
        return resp.json().get("vulnerabilities", [])
    except requests.RequestException as e:
        print(f"    [WARN] NVD keyword search error for '{keyword}': {e}", file=sys.stderr)
        return []


def extract_cve_info(vuln_entry):
    """Extract structured CVE information from an NVD API response entry."""
    cve_data = vuln_entry.get("cve", {})
    cve_id = cve_data.get("id", "UNKNOWN")

    # Extract CVSS score (prefer v3.1, fallback to v3.0, then v2.0)
    cvss_score = 0.0
    cvss_version = "none"
    metrics = cve_data.get("metrics", {})

    for version_key in ["cvssMetricV31", "cvssMetricV30", "cvssMetricV2"]:
        metric_list = metrics.get(version_key, [])
        if metric_list:
            cvss_data = metric_list[0].get("cvssData", {})
            cvss_score = cvss_data.get("baseScore", 0.0)
            cvss_version = cvss_data.get("version", version_key)
            break

    # Extract description
    descriptions = cve_data.get("descriptions", [])
    description = ""
    for desc in descriptions:
        if desc.get("lang") == "en":
            description = desc.get("value", "")
            break

    # Determine severity
    severity = "LOW"
    for level, threshold in sorted(SEVERITY_THRESHOLDS.items(),
                                    key=lambda x: x[1], reverse=True):
        if cvss_score >= threshold:
            severity = level
            break

    # Check for known exploited (CISA KEV indicator)
    is_kev = False
    for ref in cve_data.get("references", []):
        if "cisa.gov" in ref.get("url", "").lower():
            is_kev = True
            break

    return {
        "cve_id": cve_id,
        "cvss_score": cvss_score,
        "cvss_version": cvss_version,
        "severity": severity,
        "description": description[:300],
        "is_kev": is_kev,
        "published": cve_data.get("published", ""),
    }


def correlate_cves(components, api_key=None, skip_nvd=False):
    """Correlate all SBOM components against NVD for known vulnerabilities."""
    rate_limit = NVD_RATE_LIMIT_WITH_KEY if api_key else NVD_RATE_LIMIT_NO_KEY
    total = len(components)
    vuln_count = 0

    print(f"\n[INFO] Correlating {total} components against NVD CVE database...")
    if not api_key:
        print(f"  [NOTE] No NVD API key. Rate limited to 1 request per {rate_limit}s.")
        print(f"  Get a free key at: https://nvd.nist.gov/developers/request-an-api-key")

    if skip_nvd:
        print(f"  [NOTE] NVD queries skipped (--skip-nvd flag). Using offline mode.")
        return components

    for idx, comp in enumerate(components):
        print(f"  [{idx+1}/{total}] {comp.name}@{comp.version}...", end="", flush=True)

        vulns = []
        # Try CPE-based search first (most precise)
        if comp.cpe:
            vulns = query_nvd_by_cpe(comp.cpe, api_key)

        # Fallback to keyword search if no CPE or no results
        if not vulns:
            keyword = f"{comp.name} {comp.version}"
            vulns = query_nvd_by_keyword(keyword, api_key)

        # Process results
        for v in vulns:
            cve_info = extract_cve_info(v)
            if cve_info["cvss_score"] > 0:
                comp.cves.append(cve_info)
                if cve_info["cvss_score"] > comp.max_cvss:
                    comp.max_cvss = cve_info["cvss_score"]

        # Assign risk level
        if comp.max_cvss >= SEVERITY_THRESHOLDS["CRITICAL"]:
            comp.risk_level = "CRITICAL"
        elif comp.max_cvss >= SEVERITY_THRESHOLDS["HIGH"]:
            comp.risk_level = "HIGH"
        elif comp.max_cvss >= SEVERITY_THRESHOLDS["MEDIUM"]:
            comp.risk_level = "MEDIUM"
        elif comp.max_cvss > 0:
            comp.risk_level = "LOW"

        cve_count = len(comp.cves)
        vuln_count += cve_count
        status = f" {cve_count} CVEs (max CVSS: {comp.max_cvss})" if cve_count else " clean"
        print(status)

        # Rate limiting
        if idx < total - 1:
            time.sleep(rate_limit)

    print(f"\n[INFO] Correlation complete. Found {vuln_count} total CVEs across all components.")
    return components


def build_dependency_graph(components, dependencies):
    """Build a directed dependency graph using networkx."""
    if not HAS_NETWORKX:
        print("[WARN] networkx not installed. Dependency graph analysis skipped.", file=sys.stderr)
        return None

    G = nx.DiGraph()

    # Build lookup for components by purl or name@version
    comp_lookup = {}
    for comp in components:
        ref = comp.purl or f"{comp.name}@{comp.version}"
        G.add_node(ref, name=comp.name, version=comp.version,
                   max_cvss=comp.max_cvss, risk_level=comp.risk_level,
                   cve_count=len(comp.cves))
        comp_lookup[ref] = comp

    # Add edges from dependency relationships
    for parent_ref, children in dependencies.items():
        if parent_ref not in G:
            G.add_node(parent_ref)
        for child_ref in children:
            if child_ref not in G:
                G.add_node(child_ref)
            G.add_edge(parent_ref, child_ref)

    return G


def analyze_dependency_graph(G):
    """Analyze the dependency graph for risk metrics."""
    if G is None or len(G.nodes) == 0:
        return {}

    analysis = {
        "total_nodes": G.number_of_nodes(),
        "total_edges": G.number_of_edges(),
        "is_dag": nx.is_directed_acyclic_graph(G),
    }

    # Find most depended-on components (highest in-degree)
    in_degrees = sorted(G.in_degree(), key=lambda x: x[1], reverse=True)
    analysis["most_depended_on"] = [
        {"ref": node, "dependents": deg, **G.nodes[node]}
        for node, deg in in_degrees[:10] if deg > 0
    ]

    # Find root nodes (no incoming edges - likely the application itself)
    roots = [n for n, d in G.in_degree() if d == 0]
    analysis["root_components"] = len(roots)

    # Find leaf nodes (no outgoing edges - no dependencies)
    leaves = [n for n, d in G.out_degree() if d == 0]
    analysis["leaf_components"] = len(leaves)

    # Calculate longest dependency chain
    if analysis["is_dag"] and len(G.nodes) > 0:
        try:
            longest_path = nx.dag_longest_path(G)
            analysis["deepest_chain_length"] = len(longest_path)
            analysis["deepest_chain"] = longest_path
        except nx.NetworkXError:
            analysis["deepest_chain_length"] = 0

    # Identify vulnerable components with high in-degree (blast radius)
    high_risk_hubs = []
    for node, deg in in_degrees:
        node_data = G.nodes.get(node, {})
        if node_data.get("max_cvss", 0) >= SEVERITY_THRESHOLDS["HIGH"] and deg > 0:
            high_risk_hubs.append({
                "ref": node,
                "dependents": deg,
                "max_cvss": node_data.get("max_cvss", 0),
                "risk_level": node_data.get("risk_level", "UNKNOWN"),
            })
    analysis["high_risk_hubs"] = high_risk_hubs

    # Betweenness centrality for bottleneck identification
    if len(G.nodes) > 1:
        centrality = nx.betweenness_centrality(G)
        top_central = sorted(centrality.items(), key=lambda x: x[1], reverse=True)[:5]
        analysis["bottleneck_components"] = [
            {"ref": node, "centrality": round(cent, 4)} for node, cent in top_central if cent > 0
        ]

    return analysis


def check_license_compliance(components):
    """Check for potentially problematic licenses in SBOM components."""
    copyleft_licenses = {
        "GPL-2.0", "GPL-2.0-only", "GPL-2.0-or-later",
        "GPL-3.0", "GPL-3.0-only", "GPL-3.0-or-later",
        "AGPL-3.0", "AGPL-3.0-only", "AGPL-3.0-or-later",
        "LGPL-2.1", "LGPL-2.1-only", "LGPL-2.1-or-later",
        "LGPL-3.0", "LGPL-3.0-only", "LGPL-3.0-or-later",
        "MPL-2.0", "EUPL-1.2", "CPAL-1.0", "OSL-3.0",
    }

    findings = {
        "copyleft_components": [],
        "unknown_license_components": [],
        "license_distribution": defaultdict(int),
    }

    for comp in components:
        if not comp.licenses or comp.licenses == ["NOASSERTION"]:
            findings["unknown_license_components"].append(
                {"name": comp.name, "version": comp.version}
            )
        for lic in comp.licenses:
            findings["license_distribution"][lic] += 1
            if lic in copyleft_licenses:
                findings["copyleft_components"].append({
                    "name": comp.name,
                    "version": comp.version,
                    "license": lic,
                })

    findings["license_distribution"] = dict(findings["license_distribution"])
    return findings


def generate_report(components, dependencies, graph_analysis, license_info,
                    sbom_path, sbom_format, output_path=None):
    """Generate a comprehensive vulnerability analysis report."""
    # Aggregate statistics
    vuln_components = [c for c in components if c.cves]
    total_cves = sum(len(c.cves) for c in components)
    severity_counts = defaultdict(lambda: {"components": 0, "cves": 0})

    for comp in components:
        if comp.risk_level != "NONE":
            severity_counts[comp.risk_level]["components"] += 1
            severity_counts[comp.risk_level]["cves"] += len(comp.cves)

    report_lines = []
    report_lines.append("=" * 60)
    report_lines.append("SBOM VULNERABILITY ANALYSIS REPORT")
    report_lines.append("=" * 60)
    report_lines.append(f"SBOM File:          {sbom_path}")
    report_lines.append(f"Format:             {sbom_format}")
    report_lines.append(f"Analysis Date:      {datetime.utcnow().strftime('%Y-%m-%d %H:%M:%S UTC')}")
    report_lines.append(f"Total Components:   {len(components)}")

    direct_deps = len(dependencies)
    transitive = len(components) - direct_deps if direct_deps < len(components) else 0
    report_lines.append(f"Dependencies:       {len(dependencies)} direct, ~{transitive} transitive")
    report_lines.append("")

    report_lines.append("VULNERABILITY SUMMARY")
    report_lines.append("-" * 40)
    for level in ["CRITICAL", "HIGH", "MEDIUM", "LOW"]:
        counts = severity_counts.get(level, {"components": 0, "cves": 0})
        report_lines.append(
            f"  {level:10s}: {counts['components']:3d} components / {counts['cves']:3d} CVEs"
        )
    report_lines.append(f"  {'TOTAL':10s}: {len(vuln_components):3d} components / {total_cves:3d} CVEs")
    report_lines.append("")

    # Critical and high findings detail
    critical_high = sorted(
        [c for c in components if c.risk_level in ("CRITICAL", "HIGH")],
        key=lambda c: c.max_cvss, reverse=True
    )

    if critical_high:
        report_lines.append("CRITICAL & HIGH FINDINGS")
        report_lines.append("-" * 40)
        for i, comp in enumerate(critical_high[:20], 1):
            report_lines.append(f"\n  {i}. {comp.name}@{comp.version} [{comp.risk_level}]")
            for cve in sorted(comp.cves, key=lambda c: c["cvss_score"], reverse=True)[:5]:
                kev_flag = " [CISA KEV]" if cve.get("is_kev") else ""
                report_lines.append(
                    f"     {cve['cve_id']} (CVSS {cve['cvss_score']:.1f}){kev_flag}"
                )
                if cve["description"]:
                    desc_short = cve["description"][:120]
                    report_lines.append(f"       {desc_short}...")

    # Dependency graph analysis
    if graph_analysis:
        report_lines.append("")
        report_lines.append("DEPENDENCY GRAPH ANALYSIS")
        report_lines.append("-" * 40)
        report_lines.append(f"  Nodes: {graph_analysis.get('total_nodes', 0)}")
        report_lines.append(f"  Edges: {graph_analysis.get('total_edges', 0)}")
        report_lines.append(f"  DAG: {graph_analysis.get('is_dag', 'N/A')}")
        chain_len = graph_analysis.get("deepest_chain_length", 0)
        if chain_len:
            report_lines.append(f"  Deepest dependency chain: {chain_len} levels")

        hubs = graph_analysis.get("high_risk_hubs", [])
        if hubs:
            report_lines.append(f"\n  HIGH-RISK HUBS (vulnerable + many dependents):")
            for hub in hubs[:5]:
                report_lines.append(
                    f"    {hub['ref']}: {hub['dependents']} dependents, "
                    f"CVSS {hub['max_cvss']:.1f} [{hub['risk_level']}]"
                )

    # License compliance
    if license_info:
        report_lines.append("")
        report_lines.append("LICENSE COMPLIANCE")
        report_lines.append("-" * 40)
        copyleft = license_info.get("copyleft_components", [])
        unknown = license_info.get("unknown_license_components", [])
        report_lines.append(f"  Copyleft licenses found: {len(copyleft)}")
        for cl in copyleft[:10]:
            report_lines.append(f"    {cl['name']}@{cl['version']}: {cl['license']}")
        report_lines.append(f"  Unknown/missing licenses: {len(unknown)}")

    report_text = "\n".join(report_lines)
    print(f"\n{report_text}")

    # Build JSON result
    result = {
        "sbom_file": sbom_path,
        "sbom_format": sbom_format,
        "analysis_timestamp": datetime.utcnow().isoformat(),
        "summary": {
            "total_components": len(components),
            "vulnerable_components": len(vuln_components),
            "total_cves": total_cves,
            "severity_counts": dict(severity_counts),
        },
        "components": [c.to_dict() for c in components],
        "dependency_graph": graph_analysis or {},
        "license_compliance": license_info or {},
    }

    if output_path:
        with open(output_path, "w", encoding="utf-8") as f:
            json.dump(result, f, indent=2, default=str)
        print(f"\n[OK] Full report saved to {output_path}")

    return result


def analyze_sbom(sbom_path, api_key=None, output_path=None, skip_nvd=False):
    """Full SBOM analysis pipeline: parse, correlate CVEs, graph analysis, report."""
    (components, dependencies), sbom_format = parse_sbom(sbom_path)
    print(f"  Components: {len(components)}")
    print(f"  Dependency entries: {len(dependencies)}")

    # Correlate with NVD
    components = correlate_cves(components, api_key=api_key, skip_nvd=skip_nvd)

    # Build and analyze dependency graph
    G = build_dependency_graph(components, dependencies)
    graph_analysis = analyze_dependency_graph(G)

    # License compliance check
    license_info = check_license_compliance(components)

    # Generate report
    result = generate_report(
        components, dependencies, graph_analysis, license_info,
        sbom_path, sbom_format, output_path
    )

    return result


def compare_sboms(sbom_path_old, sbom_path_new, api_key=None):
    """Compare two SBOMs to identify added, removed, and changed components."""
    (comps_old, _), _ = parse_sbom(sbom_path_old)
    (comps_new, _), _ = parse_sbom(sbom_path_new)

    old_set = {f"{c.name}@{c.version}" for c in comps_old}
    new_set = {f"{c.name}@{c.version}" for c in comps_new}
    old_names = {c.name for c in comps_old}
    new_names = {c.name for c in comps_new}

    added = new_set - old_set
    removed = old_set - new_set

    # Version changes: same name, different version
    old_versions = {c.name: c.version for c in comps_old}
    new_versions = {c.name: c.version for c in comps_new}
    version_changes = []
    for name in old_names & new_names:
        if old_versions[name] != new_versions[name]:
            version_changes.append({
                "name": name,
                "old_version": old_versions[name],
                "new_version": new_versions[name],
            })

    print(f"\n{'='*60}")
    print(f"SBOM DIFF REPORT")
    print(f"{'='*60}")
    print(f"Old: {sbom_path_old} ({len(comps_old)} components)")
    print(f"New: {sbom_path_new} ({len(comps_new)} components)")
    print(f"\nAdded:   {len(added)} components")
    for a in sorted(added):
        print(f"  + {a}")
    print(f"\nRemoved: {len(removed)} components")
    for r in sorted(removed):
        print(f"  - {r}")
    print(f"\nVersion Changes: {len(version_changes)}")
    for vc in version_changes:
        print(f"  ~ {vc['name']}: {vc['old_version']} -> {vc['new_version']}")

    return {"added": sorted(added), "removed": sorted(removed),
            "version_changes": version_changes}


def main():
    parser = argparse.ArgumentParser(
        description="SBOM Supply Chain Vulnerability Analysis Agent"
    )
    subparsers = parser.add_subparsers(dest="command", help="Available commands")

    # Analyze SBOM
    analyze_parser = subparsers.add_parser("analyze", help="Analyze an SBOM for vulnerabilities")
    analyze_parser.add_argument("sbom_path", help="Path to SBOM file (CycloneDX or SPDX JSON)")
    analyze_parser.add_argument("--api-key", help="NVD API key for higher rate limits")
    analyze_parser.add_argument("--output", "-o", help="Save full report to JSON file")
    analyze_parser.add_argument("--skip-nvd", action="store_true",
                                help="Skip NVD API queries (offline mode)")

    # Compare two SBOMs
    diff_parser = subparsers.add_parser("diff", help="Compare two SBOMs for changes")
    diff_parser.add_argument("old_sbom", help="Path to old/baseline SBOM")
    diff_parser.add_argument("new_sbom", help="Path to new/current SBOM")
    diff_parser.add_argument("--api-key", help="NVD API key")

    # Parse only (no NVD queries)
    parse_parser = subparsers.add_parser("parse", help="Parse SBOM and list components")
    parse_parser.add_argument("sbom_path", help="Path to SBOM file")
    parse_parser.add_argument("--output", "-o", help="Save component list to JSON")

    # License check
    license_parser = subparsers.add_parser("licenses", help="Check license compliance")
    license_parser.add_argument("sbom_path", help="Path to SBOM file")

    args = parser.parse_args()

    if args.command == "analyze":
        if not HAS_REQUESTS:
            print("[ERROR] requests library required. Install: pip install requests",
                  file=sys.stderr)
            sys.exit(1)
        api_key = args.api_key or os.environ.get("NVD_API_KEY")
        analyze_sbom(args.sbom_path, api_key=api_key, output_path=args.output,
                     skip_nvd=args.skip_nvd)

    elif args.command == "diff":
        compare_sboms(args.old_sbom, args.new_sbom, api_key=args.api_key)

    elif args.command == "parse":
        (components, dependencies), fmt = parse_sbom(args.sbom_path)
        print(f"\n  Total components: {len(components)}")
        for comp in components:
            print(f"    {comp.name}@{comp.version} [{comp.component_type}] "
                  f"licenses={comp.licenses}")
        if args.output:
            data = {"format": fmt, "component_count": len(components),
                    "components": [c.to_dict() for c in components]}
            with open(args.output, "w") as f:
                json.dump(data, f, indent=2)
            print(f"\n[OK] Component list saved to {args.output}")

    elif args.command == "licenses":
        (components, _), _ = parse_sbom(args.sbom_path)
        info = check_license_compliance(components)
        print(f"\nLicense Distribution:")
        for lic, count in sorted(info["license_distribution"].items(),
                                  key=lambda x: x[1], reverse=True):
            print(f"  {lic}: {count}")
        if info["copyleft_components"]:
            print(f"\nCopyleft Components ({len(info['copyleft_components'])}):")
            for cl in info["copyleft_components"]:
                print(f"  {cl['name']}@{cl['version']}: {cl['license']}")
        if info["unknown_license_components"]:
            print(f"\nUnknown License ({len(info['unknown_license_components'])}):")
            for ul in info["unknown_license_components"]:
                print(f"  {ul['name']}@{ul['version']}")

    else:
        parser.print_help()


if __name__ == "__main__":
    main()
Keep exploring