CRA Analyzer is a web-based tool designed to assess software security by analyzing SBOM (Software Bill of Materials) files. It helps organizations identify known vulnerabilities and measure compliance with the Cyber Resilience Act (CRA).
- Upload and parse CycloneDX SBOM files (JSON or XML)
- Scan for known vulnerabilities (CVE) using NVD feeds (online/offline)
- Automatically evaluate CRA compliance with rule-based scoring
- Generate downloadable PDF reports summarizing findings
- Simple web interface built with Flask & Bootstrap
| Component | Technology Used |
|---|---|
| Programming Language | Python |
| Backend Framework | Flask |
| Database Layer | SQLAlchemy + Flask-SQLAlchemy + PyMySQL |
| Frontend | Bootstrap + Jinja2 (render_template) |
| SBOM Parsing | Custom parser (json, ElementTree) |
| CVE Scanning | NVD API, NVD JSON feeds (nvd-json-data-feeds), requests, lzma |
| Version Checking | packaging.version |
| Report Generation | ReportLab (PDF) |
| Session & Auth | Flask sessions |
- Python 3.10+ recommended
- pip (Python package installer)
- Git (for cloning the repository)
```bash
git clone https://github.com/istec-iuc/CRApp.git
cd CRApp
```

A virtual environment keeps this project's Python packages isolated from other projects on your machine.
This avoids version conflicts and makes sure everyone uses the same dependencies listed in requirements.txt.
- Linux / macOS (bash/zsh):

  ```bash
  source venv/bin/activate
  ```

- Windows (PowerShell):

  ```powershell
  venv\Scripts\Activate.ps1
  ```

  If PowerShell refuses to run the activation script because of its execution policy, allow scripts for the current session only:

  ```powershell
  Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
  ```

  Then re-run the previous command.
```bash
pip install -r requirements.txt
```

This project uses a MySQL database, and the connection is already configured with the following credentials:
- Host: localhost
- Database: cra_analyzer
- Username: cra_user
- Password: StrongPassw0rd!

These are development defaults for a database bound to localhost; change the password (in MySQL and in the app's connection settings) before running the tool anywhere other than a local machine.

- Download from: MySQL Community Downloads
💡 If this is your first time installing MySQL, follow the official tutorial for setup, which covers installation, creating users, and starting the server:
MySQL Installation and Setup Guide

- During installation:
  - Take note of your root password
  - You can also install MySQL Workbench as a GUI interface (Download MySQL Workbench)
You can do this via MySQL Workbench:

- Open MySQL Workbench
- Connect to the server as root
- In a new SQL tab, run:

```sql
CREATE DATABASE cra_analyzer CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER 'cra_user'@'localhost' IDENTIFIED BY 'StrongPassw0rd!';
GRANT ALL PRIVILEGES ON cra_analyzer.* TO 'cra_user'@'localhost';
FLUSH PRIVILEGES;
```

💡 Optional: You can create a MySQL Workbench connection using the cra_user credentials.
This is not required for the app to run, but it makes browsing tables, checking data, and troubleshooting easier.
```bash
python app.py
```

The application should now be running at http://127.0.0.1:5000
After starting the application and uploading an SBOM file:
- Go to the "CVE scan" page.
- Click the "Update CVE Data" button. This will download the latest known vulnerabilities (CVE) and store them locally. You can now perform up-to-date offline scans without needing an internet connection.
Follow these steps to use the tool:
Make sure your virtual environment is activated, then run:
```bash
python app.py
```

The app will start and be accessible at http://127.0.0.1:5000 in your browser.
- Navigate to the "Upload SBOM" page.
- Choose and upload an SBOM file (in CycloneDX JSON or XML format).
- The uploaded SBOM is parsed and its components are displayed.
- On the "Upload Product" page, you can upload additional product information to link with the SBOM file.
- Navigate to the "Products" page.
- Select two uploaded products from the list.
- Click the "Compare" button to view a side-by-side comparison of:
  - SBOM components
  - Component versions

  This helps identify changes between different product versions or builds, and assess how updates may have impacted the overall security posture.
- Go to the "CVE Scan" page.
- Choose Online or Offline scanning.
  - Online scan pulls real-time CVE data from the NVD.
  - Offline scan uses locally stored CVE data (after clicking Update CVE Data on the "Version Control" page).
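The two steps the tool performs before a scan can run, parsing the uploaded CycloneDX document into components and then matching each component's version against an affected range, are shown below as an added example. This is not CRA Analyzer's own parser or scanner code; it is a stand-alone illustration that assumes the JSON and XML shapes of CycloneDX 1.4, uses `packaging.version` (listed in the tech table) with a small fallback so it runs without that package, and embeds constructed sample SBOMs and placeholder range data (the `CVE-0000-…` ids are not real CVE numbers). Unparsable version strings are reported separately rather than silently skipped, because a component the scanner cannot compare is a finding in its own right.

```python
"""Parse a CycloneDX SBOM (JSON or XML) and check components against
NVD-style version ranges. All sample data below is constructed."""
import json
import xml.etree.ElementTree as ET   # for untrusted uploads prefer defusedxml.ElementTree
from dataclasses import dataclass
from typing import Optional

try:
    from packaging.version import Version, InvalidVersion  # what the tech table lists
except ImportError:  # fallback so the example still runs without packaging installed
    class InvalidVersion(ValueError):
        pass

    class Version:  # dotted-integer versions only; real code should use packaging
        def __init__(self, s: str):
            parts = s.strip().split(".")
            if not all(p.isdigit() for p in parts):
                raise InvalidVersion(s)
            self.key = tuple(int(p) for p in parts)
        def __lt__(self, other): return self.key < other.key
        def __ge__(self, other): return self.key >= other.key

# Constructed sample SBOMs (the same content once as JSON, once as XML).
SAMPLE_JSON = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"type": "library", "name": "requests", "version": "2.25.1", "purl": "pkg:pypi/requests@2.25.1"},
    {"type": "library", "name": "flask", "version": "2.3.2"},
    {"type": "library", "name": "lodash", "version": "not-a-version"}]})
SAMPLE_XML = """<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1"><components>
  <component type="library"><name>requests</name><version>2.25.1</version>
    <purl>pkg:pypi/requests@2.25.1</purl></component>
  <component type="library"><name>flask</name><version>2.3.2</version></component>
</components></bom>"""

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: Optional[str] = None

@dataclass(frozen=True)
class VulnRange:
    """One affected range in the style of NVD's versionStartIncluding/versionEndExcluding."""
    cve_id: str
    product: str
    start_including: Optional[str]
    end_excluding: Optional[str]

def parse_cyclonedx(data) -> list:
    """Sniff JSON vs XML from the first non-blank character and extract components."""
    text = data.decode("utf-8") if isinstance(data, bytes) else data
    text = text.lstrip()
    if text.startswith("{"):
        doc = json.loads(text)
        if doc.get("bomFormat") != "CycloneDX":
            raise ValueError("bomFormat is not CycloneDX")
        return [Component(c.get("name", ""), c.get("version", ""), c.get("purl"))
                for c in doc.get("components", [])]
    if text.startswith("<"):
        root = ET.fromstring(text)
        ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""
        q = lambda tag: "{%s}%s" % (ns, tag) if ns else tag  # qualify with the bom namespace
        return [Component(c.findtext(q("name"), default=""), c.findtext(q("version"), default=""),
                          c.findtext(q("purl"))) for c in root.iter(q("component"))]
    raise ValueError("not a CycloneDX JSON or XML document")

def is_affected(comp: Component, rng: VulnRange) -> bool:
    """True when comp.version lies in [start_including, end_excluding) for the same product."""
    if comp.name.lower() != rng.product.lower():
        return False
    try:
        v = Version(comp.version)
        lo = Version(rng.start_including) if rng.start_including else None
        hi = Version(rng.end_excluding) if rng.end_excluding else None
    except InvalidVersion:
        return False  # cannot compare; surfaced separately by unparseable_versions()
    return not ((lo is not None and v < lo) or (hi is not None and v >= hi))

def scan(components, ranges) -> dict:
    """Map component name -> list of matching ids, the shape an offline scan would report."""
    findings = {}
    for comp in components:
        hits = [r.cve_id for r in ranges if is_affected(comp, r)]
        if hits:
            findings[comp.name] = hits
    return findings

def unparseable_versions(components) -> list:
    """Components whose version cannot be compared; these need manual review, not silence."""
    bad = []
    for comp in components:
        try:
            Version(comp.version)
        except InvalidVersion:
            bad.append(comp.name)
    return bad

# Constructed ranges; the ids are placeholders, not real CVE numbers.
SAMPLE_RANGES = [VulnRange("CVE-0000-0001", "requests", None, "2.31.0"),
                 VulnRange("CVE-0000-0002", "flask", "2.0.0", "2.3.0"),
                 VulnRange("CVE-0000-0003", "lodash", None, "4.17.21")]

if __name__ == "__main__":
    for label, doc in (("json", SAMPLE_JSON), ("xml", SAMPLE_XML)):
        comps = parse_cyclonedx(doc)
        print(label, [(c.name, c.version) for c in comps], scan(comps, SAMPLE_RANGES),
              unparseable_versions(comps))
```

Both sample documents yield a hit only for `requests` (2.25.1 is below the 2.31.0 upper bound), `flask` 2.3.2 falls outside its [2.0.0, 2.3.0) range, and `lodash` is listed as unparsable instead of being quietly marked clean.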
- Visit the "CRA Score" page.
- The app calculates your CRA compliance score based on predefined rules and logic.
- This score helps evaluate how well your software aligns with the EU Cyber Resilience Act.
- On the "Reports" page, click Generate Report.
- A professional PDF report will be created, summarizing:
  - SBOM components
  - Detected vulnerabilities
  - CRA compliance score
- The report is saved for later access or download.
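The "CRA Score" step above describes rule-based scoring without showing what a rule is. The following added example (not code from CRA Analyzer, and not its actual rule set) shows the shape such a scorer takes: each rule inspects the parsed components, the scan findings and the SBOM metadata, returns a fulfilment fraction, and a weight turns that into points. The five rules, their weights and the sample assessment are hypothetical and constructed for this example; the `CVE-0000-…` ids are placeholders, not real CVE numbers.

```python
"""Rule-based compliance scoring over parsed SBOM data. The rules and weights
here are hypothetical, written for this example; they are not CRA Analyzer's rule set."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Component:
    name: str
    version: str = ""
    purl: str = ""

@dataclass
class Assessment:
    """Everything a rule may look at: components, scan findings, SBOM metadata."""
    components: List[Component]
    findings: Dict[str, List[Tuple[str, str]]]   # name -> [(cve_id, severity), ...]
    metadata: Dict[str, str]                      # e.g. timestamp, supplier

def _fraction(items, predicate) -> float:
    """Share of items satisfying predicate; 0.0 when there is nothing to assess."""
    items = list(items)
    return sum(1 for i in items if predicate(i)) / len(items) if items else 0.0

# Each rule returns a fulfilment fraction in [0, 1]; its weight scales that into points.
def versions_declared(a): return _fraction(a.components, lambda c: bool(c.version))
def identifiers_declared(a): return _fraction(a.components, lambda c: bool(c.purl))
def no_known_vulns(a): return _fraction(a.components, lambda c: not a.findings.get(c.name))
def no_high_or_critical(a):
    severities = {s.upper() for hits in a.findings.values() for _, s in hits}
    return 0.0 if severities & {"HIGH", "CRITICAL"} else 1.0
def sbom_metadata(a): return _fraction(("timestamp", "supplier"), lambda k: bool(a.metadata.get(k)))

RULES = [  # (rule id, description, weight in points, check); hypothetical, weights sum to 100
    ("R1", "every component declares a version", 20, versions_declared),
    ("R2", "every component carries a package identifier (purl)", 15, identifiers_declared),
    ("R3", "components free of known vulnerabilities", 30, no_known_vulns),
    ("R4", "no HIGH or CRITICAL finding left open", 20, no_high_or_critical),
    ("R5", "SBOM metadata names a timestamp and supplier", 15, sbom_metadata),
]

def compute_score(a: Assessment):
    """Return (total points out of 100, per-rule breakdown). An empty SBOM scores 0."""
    if not a.components:
        return 0.0, []
    breakdown = []
    for rule_id, desc, weight, check in RULES:
        frac = max(0.0, min(1.0, check(a)))   # clamp so a buggy rule cannot exceed its weight
        breakdown.append({"rule": rule_id, "description": desc, "weight": weight,
                          "fulfilled": round(frac, 4), "points": round(weight * frac, 2)})
    total = round(sum(r["points"] for r in breakdown), 2)
    return total, breakdown

# Constructed sample: four components, two with findings, partial metadata.
SAMPLE = Assessment(
    components=[Component("alpha", "1.2.0", "pkg:pypi/alpha@1.2.0"),
                Component("beta", "0.9.1", "pkg:pypi/beta@0.9.1"),
                Component("gamma", "", "pkg:npm/gamma"),
                Component("delta", "3.0.0", "")],
    findings={"beta": [("CVE-0000-0001", "MEDIUM")],      # placeholder ids, not real CVEs
              "delta": [("CVE-0000-0002", "CRITICAL")]},
    metadata={"timestamp": "2024-01-01T00:00:00Z"},
)

if __name__ == "__main__":
    total, rows = compute_score(SAMPLE)
    for r in rows:
        print(f"{r['rule']} {r['points']:>6}/{r['weight']:<3} {r['description']}")
    print("score:", total)
```

For the sample the breakdown is 15 + 11.25 + 15 + 0 + 7.5 = 48.75 points: the single CRITICAL finding on `delta` zeroes R4 outright, while the missing version on `gamma` and the missing purl on `delta` only cost a proportional share. Keeping rules as small pure functions over one `Assessment` object makes each rule testable on its own and lets the report list exactly which rule lost points and why.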
```text
.
├── app.py
├── cra_analyzer_backup.sql
├── cra_rule_checker.py
├── last_updated.txt
├── offline_vulnerability_scanner.py
├── requirements.txt
├── sbom_parser.py
├── update_vulnerability_scanner.py
├── version_checker.py
├── version_mapping.json
├── vulnerability_scanner.py
├── .gitignore
├── .DS_Store
├── cveOffline/
├── reports/
│   └── .DS_Store
├── static/
│   ├── css/
│   │   └── style.css
│   └── js/
│       └── scripts.js
├── templates/
│   ├── index.html
│   ├── layout.html
│   ├── login.html
│   ├── register.html
│   ├── report.tex.j2
│   ├── _log.html
│   ├── _plans.html
│   ├── _products.html
│   ├── _product_add.html
│   ├── _compare.html
│   ├── _reports.html
│   ├── _scan.html
│   ├── _score.html
│   ├── _upload.html
│   └── _version.html
└── uploads/
```
