Fraunhofer-AISEC · oxisto · Jan 16, 2025 · Jan 14, 2025 · Jan 14, 2025 · Jan 16, 2025
@@ -30,4 +30,8 @@ build.gradle.kts        @oxisto
 .github                 @oxisto
 
 cpg-language-ini        @maximiliankaul
+
 cpg-concepts            @maximiliankaul
+
+codyze                  @fwendland
+codyze-compliance       @fwendland @oxisto
@@ -8,6 +8,7 @@ repositories {
 
 dependencies {
     implementation(libs.kotlin.gradle)
+    implementation(libs.kotlin.serialization)
     implementation(libs.dokka.gradle)
     implementation(libs.kover.gradle)
     implementation(libs.spotless.gradle)

@@ -12,6 +12,7 @@ plugins {
     signing
     `maven-publish`
     kotlin("jvm")
+    kotlin("plugin.serialization")
     id("org.jetbrains.dokka")
 }
 

@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2025, Fraunhofer AISEC. All rights reserved.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *                    $$$$$$\  $$$$$$$\   $$$$$$\
+ *                   $$  __$$\ $$  __$$\ $$  __$$\
+ *                   $$ /  \__|$$ |  $$ |$$ /  \__|
+ *                   $$ |      $$$$$$$  |$$ |$$$$\
+ *                   $$ |      $$  ____/ $$ |\_$$ |
+ *                   $$ |  $$\ $$ |      $$ |  $$ |
+ *                   \$$$$$   |$$ |      \$$$$$   |
+ *                    \______/ \__|       \______/
+ *
+ */
+plugins {
+    id("cpg.frontend-conventions")
+}
+
+publishing {
+    publications {
+        named<MavenPublication>("codyze-compliance") {
+            pom {
+                artifactId = "codyze"
+                name.set("Codyze - Compliance Module")
+                description.set("The compliance module of Codyze")
+            }
+        }
+    }
+}
+
+dependencies {
+    implementation(projects.cpgCore)
+    implementation(libs.clikt)
+    implementation(libs.kaml)
+}
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 2025, Fraunhofer AISEC. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ *                    $$$$$$\  $$$$$$$\   $$$$$$\
+ *                   $$  __$$\ $$  __$$\ $$  __$$\
+ *                   $$ /  \__|$$ |  $$ |$$ /  \__|
+ *                   $$ |      $$$$$$$  |$$ |$$$$\
+ *                   $$ |      $$  ____/ $$ |\_$$ |
+ *                   $$ |  $$\ $$ |      $$ |  $$ |
+ *                   \$$$$$   |$$ |      \$$$$$   |
+ *                    \______/ \__|       \______/
+ *
+ */
+package de.fraunhofer.aisec.cpg.codyze.compliance
+
+import com.github.ajalt.clikt.core.CliktCommand
+import com.github.ajalt.clikt.core.subcommands
+import com.github.ajalt.clikt.parameters.groups.OptionGroup
+import com.github.ajalt.clikt.parameters.groups.provideDelegate
+import com.github.ajalt.clikt.parameters.options.default
+import com.github.ajalt.clikt.parameters.options.option
+import kotlin.io.path.Path
+
+/** Options common to all subcommands. */
+class ProjectOptions : OptionGroup("Project Options:") {
+    val directory by option("--project-dir", help = "The project directory").default(".")
+}
+
+/** The main `compliance` command. */
+class ComplianceCommand : CliktCommand() {
+    override fun run() {}
+}
+
+/** The `scan` command. This will scan the project for compliance violations in the future. */
+class ScanCommand : CliktCommand() {
+    private val projectOptions by ProjectOptions()
+
+    override fun run() {
+        TODO()
+    }
+}
+
+/**
+ * The `list-security-goals` command. This will list the names of all security goals in the
+ * specified project.
+ *
+ * This command assumes that the project contains a folder named `security-goals` that contains YAML
+ * files with the security goals.
+ */
+class ListSecurityGoals : CliktCommand() {
+    private val projectOptions by ProjectOptions()
+
+    override fun run() {
+        val goals = loadSecurityGoals(Path(projectOptions.directory).resolve("security-goals"))
+        goals.forEach { echo(it.name.localName) }
+    }
+}
+
+var Command = ComplianceCommand().subcommands(ScanCommand(), ListSecurityGoals())
@@ -0,0 +1,144 @@
+/*
+ * Copyright (c) 2025, Fraunhofer AISEC. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ *                    $$$$$$\  $$$$$$$\   $$$$$$\
+ *                   $$  __$$\ $$  __$$\ $$  __$$\
+ *                   $$ /  \__|$$ |  $$ |$$ /  \__|
+ *                   $$ |      $$$$$$$  |$$ |$$$$\
+ *                   $$ |      $$  ____/ $$ |\_$$ |
+ *                   $$ |  $$\ $$ |      $$ |  $$ |
+ *                   \$$$$$   |$$ |      \$$$$$   |
+ *                    \______/ \__|       \______/
+ *
+ */
+package de.fraunhofer.aisec.cpg.codyze.compliance
+
+import com.charleskorn.kaml.Yaml
+import com.charleskorn.kaml.decodeFromStream
+import de.fraunhofer.aisec.cpg.TranslationResult
+import de.fraunhofer.aisec.cpg.graph.Component
+import de.fraunhofer.aisec.cpg.graph.Name
+import de.fraunhofer.aisec.cpg.graph.OverlayNode
+import java.io.File
+import java.io.InputStream
+import java.nio.file.Path
+import kotlinx.serialization.Contextual
+import kotlinx.serialization.KSerializer
+import kotlinx.serialization.Serializable
+import kotlinx.serialization.decodeFromString
+import kotlinx.serialization.descriptors.PrimitiveKind
+import kotlinx.serialization.descriptors.PrimitiveSerialDescriptor
+import kotlinx.serialization.descriptors.SerialDescriptor
+import kotlinx.serialization.encoding.Decoder
+import kotlinx.serialization.encoding.Encoder
+import kotlinx.serialization.modules.SerializersModule
+
+@Serializable
+data class SecurityGoal(
+    @Serializable(with = NameSerializer::class) override var name: Name,
+    val description: String,
+    val components: List<@Contextual Component?> = listOf(),
+    val assumptions: List<String> = listOf(),
+    val restrictions: List<String> = listOf(),
+    val objectives: List<SecurityObjective>,
+) : OverlayNode()
+
+@Serializable
+class SecurityObjective(
+    @Serializable(with = NameSerializer::class) override var name: Name,
+    val description: String,
+    val statements: List<String>,
+    val components: List<@Contextual Component?> = listOf(),
+    val assumptions: List<String> = listOf(),
+    val restrictions: List<String> = listOf(),
+) : OverlayNode()
+
+/** A custom serializer for the [Name] class. */
+class NameSerializer : KSerializer<Name> {
+    override val descriptor: SerialDescriptor =
+        PrimitiveSerialDescriptor(Name::class.qualifiedName!!, PrimitiveKind.STRING)
+
+    override fun serialize(encoder: Encoder, value: Name) {
+        encoder.encodeString(value.localName)
+    }
+
+    override fun deserialize(decoder: Decoder): Name {
+        return Name(decoder.decodeString())
+    }
+}
+
+/**
+ * A custom serializer for the [Component] class. If the [result] is non-null, it is used to resolve
+ * the component name in an actual [Component] of the [result]. Otherwise, a new [Component] with
+ * the given name is returned.
+ */
+class ComponentSerializer(val result: TranslationResult?) : KSerializer<Component> {
+    override val descriptor: SerialDescriptor =
+        PrimitiveSerialDescriptor(Component::class.qualifiedName!!, PrimitiveKind.STRING)
+
+    override fun serialize(encoder: Encoder, value: Component) {
+        encoder.encodeString(value.name.toString())
+    }
+
+    override fun deserialize(decoder: Decoder): Component {
+        // Use the context to find the component by name
+        val componentName = decoder.decodeString()
+
+        return if (result != null) {
+            result.components.first { it.name.localName == componentName }
+        } else {
+            Component().also { it.name = Name(componentName) }
+        }
+    }
+}
+
+/**
+ * Load all security goals from a directory. If a [result] is given, it will be used to resolve
+ * component names.
+ */
+fun loadSecurityGoals(directory: Path, result: TranslationResult? = null): List<SecurityGoal> {
+    // Walk the directory and load all YAML files
+    return directory
+        .toFile()
+        .walk()
+        .filter { it.extension == "yaml" }
+        .toList()
+        .map { loadSecurityGoal(it, result) }
+}
+
+/**
+ * Load a single security goal from a file. If a [result] is given, it will be used to resolve
+ * component names.
+ */
+fun loadSecurityGoal(file: File, result: TranslationResult? = null): SecurityGoal {
+    return yaml(result).decodeFromString<SecurityGoal>(file.readText())
+}
+
+/**
+ * Load a single security goal from an input stream. If a [result] is given, it will be used to
+ * resolve component names.
+ */
+fun loadSecurityGoal(stream: InputStream, result: TranslationResult? = null): SecurityGoal {
+    return yaml(result).decodeFromStream<SecurityGoal>(stream)
+}
+
+/**
+ * This function returns a [Yaml] instance that is configured to use the given [result] to resolve
+ * components.
+ */
+private fun yaml(result: TranslationResult?): Yaml {
+    val module = SerializersModule { contextual(Component::class, ComponentSerializer(result)) }
+    return Yaml(serializersModule = module)
+}
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 2025, Fraunhofer AISEC. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ *                    $$$$$$\  $$$$$$$\   $$$$$$\
+ *                   $$  __$$\ $$  __$$\ $$  __$$\
+ *                   $$ /  \__|$$ |  $$ |$$ /  \__|
+ *                   $$ |      $$$$$$$  |$$ |$$$$\
+ *                   $$ |      $$  ____/ $$ |\_$$ |
+ *                   $$ |  $$\ $$ |      $$ |  $$ |
+ *                   \$$$$$   |$$ |      \$$$$$   |
+ *                    \______/ \__|       \______/
+ *
+ */
+package de.fraunhofer.aisec.cpg.codyze.compliance
+
+import com.github.ajalt.clikt.testing.test
+import kotlin.test.*
+
+class CommandTest {
+
+    @Test
+    fun testComplianceCommand() {
+        val command = ComplianceCommand()
+        val result = command.test()
+        assertEquals(0, result.statusCode)
+    }
+
+    @Test
+    fun testListSecurityGoalsCommand() {
+        val command = ListSecurityGoals()
+        val result = command.test("--project-dir src/test/resources/")
+        assertEquals(0, result.statusCode)
+        assertEquals("Goal1\n", result.stdout)
+    }
+
+    @Test
+    fun testScanCommand() {
+        val command = ScanCommand()
+        val ex = assertFails {
+            val result = command.test("--project-dir src/test/resources/")
+            assertEquals(0, result.statusCode)
+        }
+        assertIs<NotImplementedError>(ex)
+    }
+}