Metadata-Version: 2.4
Name: cra-scanner
Version: 0.3.0
Summary: Open-source CRA Readiness Scanner CLI for assessing EU Cyber Resilience Act readiness from SBOMs and project signals.
Author-email: Complaro <info@complaro.com>
License: MIT
Requires-Python: >=3.9
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: click>=8.1
Requires-Dist: rich>=13.0
Requires-Dist: cyclonedx-python-lib>=7.6
Requires-Dist: spdx-tools>=0.8
Requires-Dist: httpx>=0.27
Requires-Dist: packaging>=23.0
Requires-Dist: semver>=3.0
Provides-Extra: dev
Requires-Dist: pytest>=7.0; extra == "dev"
Dynamic: license-file

# cra-scanner

Open source CLI tool for assessing EU Cyber Resilience Act (CRA) compliance readiness from SBOMs and project signals.

[![PyPI version](https://badge.fury.io/py/cra-scanner.svg)](https://pypi.org/project/cra-scanner/)
[![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](https://opensource.org/licenses/MIT)

**cra-scanner is developed by [Complaro](https://complaro.com)**, an open source CRA compliance platform. The CLI is fully functional as a standalone tool under the MIT license. Complaro offers a hosted platform for teams that need continuous monitoring, ENISA reporting, and collaboration features.

## Installation

```bash
pip install cra-scanner
```

## Quick Start

Scan a project directory:

```bash
cra-scanner scan .
```

Scan with an explicit SBOM:

```bash
cra-scanner scan . --sbom path/to/bom.json
```

Output as JSON:

```bash
cra-scanner scan . --format json --output report.json
```

Fail if score is below a threshold (useful in CI/CD):

```bash
cra-scanner scan . --min-score 50
```

Disable live vulnerability scanning (offline/fast mode):

```bash
cra-scanner scan . --no-vuln-scan
```

Provide a GitHub token for higher advisory API rate limits. Keep the token in an environment variable or CI secret rather than pasting it inline, where it would end up in shell history and process listings, and give it no more scope than advisory lookups need:

```bash
cra-scanner scan . --github-token $GITHUB_TOKEN
```

## CRA Readiness Score

The scanner returns a score from 0 to 100, summed across three dimensions:

| Dimension | Points | What it checks |
|-----------|--------|----------------|
| **SBOM** | 40 | Presence, coverage, version completeness |
| **Vulnerabilities** | 30 | Known vulnerability exposure via OSV.dev, GitHub Advisories, CISA KEV |
| **Practices** | 30 | SECURITY.md, Dependabot, documentation |

The score is a directional indicator, not legal advice.

## Vulnerability Scanning

cra-scanner queries live vulnerability databases for each component in your SBOM (use `--no-vuln-scan` to skip this when running offline):

- **OSV.dev** (primary) — precise purl and ecosystem matching for npm, PyPI, Maven, Go, Cargo, and more
- **GitHub Advisory Database** (fallback) — ecosystem-specific advisory lookups
- **CISA KEV** (cross-reference) — flags vulnerabilities known to be actively exploited, which may trigger the CRA's 24-hour early-warning notification obligation

Version range matching uses ecosystem-aware comparison:
- **Semver** for npm, Cargo, Go
- **PEP 440** for Python/PyPI
- **Explicit version lists** when provided by the advisory

Each finding includes a confidence tier (high/medium/low) based on match precision.
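The range semantics and ecosystem-aware ordering described above, as an added Python example that is not cra-scanner's own code: it walks OSV-shaped `introduced`/`fixed`/`last_affected` events with a PEP 440 key for PyPI and a semver key for npm, Cargo and Go, then assigns a confidence tier. The two parsers are simplified stdlib-only stand-ins for the `packaging` and `semver` libraries the project depends on (no epochs, no local versions), the advisories and components are constructed, the identifiers are made up, and the high/medium/low convention is this example's assumption, not necessarily the scanner's.

```python
"""OSV-style affected-range matching. Added example, not cra-scanner code; uses
simplified stdlib-only semver/PEP 440 parsers (no epochs, no local versions) and
its own confidence convention."""
import re

_PEP440_RE = re.compile(
    r"^v?(\d+(?:\.\d+)*)(?:(a|b|c|rc)(\d+))?(?:\.post(\d+))?(?:\.dev(\d+))?$", re.I)
_PEP440_PRE = {"a": 0, "b": 1, "c": 2, "rc": 2}


def pep440_key(v):
    """PyPI sort key: dev-only < pre-release < final < post-release (mirrors packaging)."""
    m = _PEP440_RE.match(v.strip())
    if not m:
        raise ValueError(f"unsupported PEP 440 version: {v!r}")
    release = tuple(int(x) for x in m.group(1).split("."))
    while len(release) > 1 and release[-1] == 0:  # PEP 440: 2.0 == 2.0.0
        release = release[:-1]
    pre = (_PEP440_PRE[m.group(2).lower()], int(m.group(3))) if m.group(2) else None
    post = -1 if m.group(4) is None else int(m.group(4))
    dev = float("inf") if m.group(5) is None else int(m.group(5))
    if pre is None:  # dev-only releases sort before pre-releases, finals after them
        pre = (-1, 0) if post == -1 and dev != float("inf") else (3, 0)
    return (release, pre, post, dev)


def semver_key(v):
    """Semver sort key (npm, Cargo, Go): pre-release < release; build metadata ignored."""
    core, _, pre = v.strip().lstrip("v").partition("+")[0].partition("-")
    nums = tuple(int(x) for x in core.split("."))
    if not pre:
        return (nums, 1, ())
    # numeric identifiers compare numerically and rank below alphanumeric ones
    return (nums, 0, tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split(".")))


ECOSYSTEM_KEYS = {"PyPI": pep440_key, "npm": semver_key, "crates.io": semver_key, "Go": semver_key}


def version_in_range(version, rng, key):
    """OSV event semantics: introduced <= v < fixed, or introduced <= v <= last_affected."""
    if rng.get("type") == "GIT":
        return None  # commit hashes have no version ordering; needs repo history
    v = key(version)
    events = sorted(((k, key(val)) for ev in rng["events"] for k, val in ev.items()),
                    key=lambda e: e[1])
    affected = False
    for kind, bound in events:  # walk bounds in ascending order; the last state wins
        if kind == "introduced" and v >= bound:
            affected = True
        elif (kind == "fixed" and v >= bound) or (kind == "last_affected" and v > bound):
            affected = False
    return affected


def match_component(component, advisories):
    """Return (advisory_id, confidence) pairs for one SBOM component.

    Confidence (this example's convention): high = version in the advisory's explicit
    list, medium = inside a typed range, low = package matches but version not comparable.
    """
    eco, name, version = component["ecosystem"], component["name"], component["version"]
    hits = []
    for adv in advisories:
        for aff in adv.get("affected", []):
            pkg = aff.get("package", {})
            if pkg.get("ecosystem") != eco or pkg.get("name") != name:
                continue
            verdicts = []
            for rng in aff.get("ranges", []):
                key = {"SEMVER": semver_key, "ECOSYSTEM": ECOSYSTEM_KEYS.get(eco)}.get(rng.get("type"))
                try:
                    verdicts.append(None if key is None else version_in_range(version, rng, key))
                except ValueError:  # unparsable version: surface it instead of dropping it
                    verdicts.append(None)
            if version in aff.get("versions", []):
                hits.append((adv["id"], "high"))
            elif any(verdicts):
                hits.append((adv["id"], "medium"))
            elif verdicts and all(x is None for x in verdicts):
                hits.append((adv["id"], "low"))
            break  # the first affected entry for this package decides
    return hits


# Constructed sample advisories in OSV shape; the identifiers are made up.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "affected": [{
        "package": {"ecosystem": "PyPI", "name": "examplepkg"},
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "2.0.1"}]}]}]},
    {"id": "EXAMPLE-2024-0002", "affected": [{
        "package": {"ecosystem": "npm", "name": "example-lib"},
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "1.0.0"}, {"last_affected": "1.4.2"}]}],
        "versions": ["1.0.0", "1.1.0", "1.4.2"]}]},
]

if __name__ == "__main__":  # constructed components; 2.0.1rc1 still precedes the 2.0.1 fix
    for comp in [{"ecosystem": "PyPI", "name": "examplepkg", "version": "2.0.1rc1"},
                 {"ecosystem": "npm", "name": "example-lib", "version": "1.3.0"}]:
        print(comp["name"], comp["version"], match_component(comp, ADVISORIES))
```

Two edge cases are worth noticing in the output: a PyPI pre-release such as `2.0.1rc1` is still affected because PEP 440 orders it before the `2.0.1` fix, and a version the parser cannot order (a `GIT` range, an unknown ecosystem, or an unparsable string) yields a low-confidence finding rather than being dropped silently, so it still reaches a human reviewer.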

## SBOM Format Support

- CycloneDX JSON and XML
- SPDX JSON and tag-value

SBOMs are auto-discovered in your project directory, or you can specify one with `--sbom`.

## GitHub Action

Use cra-scanner in your CI/CD pipeline:

```yaml
name: CRA Compliance Check
on: [push, pull_request]

jobs:
  cra-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run CRA Scanner
        uses: complaro/cra-scanner/action@main
        with:
          min-score: 40
```

See [action/README.md](action/README.md) for full documentation. For production pipelines, pin the action to a release tag or a full commit SHA instead of `@main`, so that a change on the action's default branch cannot silently alter what runs in your pipeline.

## Roadmap

- [x] SBOM parsing (CycloneDX, SPDX)
- [x] CRA readiness scoring
- [x] Vulnerability matching against OSV.dev, GitHub Advisories, CISA KEV
- [x] Version range comparison (semver, PEP 440)
- [x] GitHub Action for CI/CD
- [ ] SARIF output for GitHub/GitLab code scanning
- [ ] CycloneDX VEX output
- [ ] Auto-SBOM generation from package managers
- [ ] CPE matching for NVD lookups

## Complaro Platform

cra-scanner is a free, open source tool that runs locally. For teams managing multiple products, [Complaro](https://complaro.com) provides:

- Continuous vulnerability monitoring across all products
- ENISA report generation (24h, 72h, 14-day)
- Slack and Jira integrations
- CRA classification wizard
- Team collaboration and audit trail

Free for 1 product at [complaro.com](https://complaro.com).

## License

MIT - see [LICENSE](LICENSE)

## Links

- [PyPI](https://pypi.org/project/cra-scanner/)
- [Complaro](https://complaro.com)
- [EU Cyber Resilience Act](https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act)
