import type { SystemInfoConfig } from './types'

/**
 * Static system-info page content for the SBOM module: title, architecture
 * layers, feature list, roadmap, technical details, an audit summary and a
 * free-text documentation block.
 *
 * Everything in this object is a literal. Nothing here is read from a
 * scanner, a CI job or a database at runtime; in particular the `auditInfo`
 * values and their `status` flags (e.g. "Kritische CVEs" = '0' / 'ok') are
 * fixed strings and do not reflect the result of an actual scan. A reader of
 * the rendered dashboard should therefore not treat them as live compliance
 * evidence. How a consumer renders or refreshes this object is not visible
 * in this file.
 */
export const sbomConfig: SystemInfoConfig = {
  title: 'SBOM System-Info',
  description: 'Software Bill of Materials fuer Compliance und Security.',
  version: '1.0',
  // Four presentation layers, listed top (dashboard) to bottom (output
  // formats). `color` is a hex colour string, presumably consumed by the
  // rendering component — not used anywhere in this file.
  architecture: {
    layers: [
      { title: 'SBOM Dashboard', components: ['Dependency Tree', 'License Overview', 'CVE Alerts'], color: '#3b82f6' },
      { title: 'Generators', components: ['Syft', 'Trivy', 'CycloneDX'], color: '#8b5cf6' },
      { title: 'Analysis', components: ['License Checker', 'CVE Matcher', 'Outdated Detector'], color: '#10b981' },
      { title: 'Reports', components: ['JSON', 'SPDX', 'CycloneDX'], color: '#f59e0b' },
    ],
  },
  // Feature list as displayed; `status` is either 'active' or 'planned' here.
  features: [
    { name: 'Dependency Scanning', status: 'active', description: 'Automatische Erkennung' },
    { name: 'License Compliance', status: 'active', description: 'Lizenz-Pruefung' },
    { name: 'CVE Matching', status: 'active', description: 'Schwachstellen-Erkennung' },
    { name: 'Automatic Updates', status: 'planned', description: 'Dependabot-artige Updates' },
  ],
  // Roadmap phases in priority order ('high' → 'low'), one per quarter.
  roadmap: [
    { phase: 'Phase 1: Generation (Q1)', priority: 'high', items: ['Multi-Format Export', 'CI/CD Integration', 'Container SBOM', 'Runtime SBOM'] },
    { phase: 'Phase 2: Analysis (Q2)', priority: 'medium', items: ['License Risk Scoring', 'Transitive Dependencies', 'Version Comparison', 'Diff Reports'] },
    { phase: 'Phase 3: Governance (Q3)', priority: 'low', items: ['Policy Engine', 'Approval Workflow', 'Audit Trail', 'Supplier Management'] },
  ],
  // Tool / format inventory. `version` is omitted for the two data-source
  // entries (CVE DB, License DB), so it is presumably optional in the type.
  technicalDetails: [
    { component: 'Generator', technology: 'Syft', version: '1.x', description: 'SBOM Creation' },
    { component: 'Format', technology: 'CycloneDX', version: '1.5', description: 'Standard Format' },
    { component: 'CVE DB', technology: 'NVD/OSV', description: 'Vulnerability Data' },
    { component: 'License DB', technology: 'SPDX', description: 'License Identifiers' },
  ],
  // Audit summary cards. NOTE(review): every `value` and `status` below is a
  // hard-coded literal, so the dashboard shows "0" / 'ok' for critical and
  // high CVEs, copyleft and unknown licences regardless of what the last
  // SBOM scan actually found. If these cards are meant to be authoritative,
  // they need to be fed from scan output rather than from this file.
  auditInfo: [
    {
      category: 'SBOM Status',
      items: [
        { label: 'Letzte Generierung', value: 'CI/CD', status: 'ok' },
        { label: 'Format', value: 'CycloneDX 1.5', status: 'ok' },
        { label: 'Komponenten', value: 'Alle erfasst', status: 'ok' },
        { label: 'Transitive Deps', value: 'Inkludiert', status: 'ok' },
      ],
    },
    {
      category: 'Vulnerability Status',
      items: [
        { label: 'Kritische CVEs', value: '0', status: 'ok' },
        { label: 'Hohe CVEs', value: '0', status: 'ok' },
        { label: 'Outdated Packages', value: 'Tracking', status: 'warning' },
        { label: 'EOL Dependencies', value: '0', status: 'ok' },
      ],
    },
    {
      category: 'License Compliance',
      items: [
        { label: 'Erlaubte Lizenzen', value: 'MIT, Apache, BSD', status: 'ok' },
        { label: 'Copyleft (GPL)', value: '0', status: 'ok' },
        { label: 'Unbekannte Lizenzen', value: '0', status: 'ok' },
        { label: 'Kommerzielle', value: 'Review erforderlich', status: 'warning' },
      ],
    },
  ],
  // Long-form documentation, rendered verbatim: this is a template literal,
  // so the ASCII diagrams and their leading whitespace are significant and
  // must not be re-indented. The table rows in sections 3, 4 and 6 appear to
  // have lost their column separators (e.g. "TypQuelleBeispiele"), and
  // section 8 has a heading but no body — TODO confirm against the intended
  // text before relying on it.
  fullDocumentation: `

Software Bill of Materials (SBOM)

1. Uebersicht

Das SBOM-Modul generiert und analysiert die vollstaendige Komponentenliste aller Software-Abhaengigkeiten. Es dient der Compliance, Sicherheit und Supply-Chain-Transparenz.

2. SBOM-Generierung

Source Code
     │
     v
┌───────────────────────────────────────────────────────────────┐
│                     SBOM Generators                           │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────┐   │
│  │    Syft     │  │   Trivy     │  │  Native Tooling     │   │
│  │  (Primary)  │  │ (Validation)│  │ (npm, go mod, pip)  │   │
│  └──────┬──────┘  └──────┬──────┘  └──────────┬──────────┘   │
└─────────┼────────────────┼────────────────────┼───────────────┘
          │                │                    │
          └────────────────┴────────────────────┘
                           │
                           v
                  ┌────────────────┐
                  │   CycloneDX    │
                  │    Format      │
                  └────────────────┘

3. Erfasste Komponenten

TypQuelleBeispiele
npm packagespackage-lock.jsonreact, next, tailwindcss, fabric.js, pdf-lib
Go modulesgo.sumgin, gorm, jwt-go
Python packagesrequirements.txtfastapi, pydantic, httpx
Container ImagesDockerfilenode:20-alpine, postgres:16
OS Packagesapk, aptopenssl, libpq

4. API Endpoints

EndpointMethodeBeschreibung
/api/sbom/generatePOSTSBOM neu generieren
/api/sbom/latestGETAktuelles SBOM
/api/sbom/vulnerabilitiesGETCVE-Liste
/api/sbom/licensesGETLizenz-Uebersicht
/api/sbom/diffGETVergleich mit vorheriger Version

5. Vulnerability Scanning

SBOM
  │
  v
┌────────────────────────────────────────┐
│         Vulnerability Databases        │
│  ├── NVD (National Vulnerability DB)  │
│  ├── OSV (Open Source Vulnerabilities)│
│  ├── GitHub Advisory Database         │
│  └── Vendor-specific (npm, Go, PyPI)  │
└──────────────────┬─────────────────────┘
                   │
                   v
┌────────────────────────────────────────┐
│          CVE Matching Engine           │
│  ├── Version Range Checking            │
│  ├── CVSS Scoring                      │
│  └── Exploitability Assessment         │
└──────────────────┬─────────────────────┘
                   │
                   v
┌────────────────────────────────────────┐
│           Alert & Report               │
│  ├── Kritisch: Sofort-Benachrichtigung│
│  ├── Hoch: Tages-Report               │
│  └── Mittel/Niedrig: Wochen-Report    │
└────────────────────────────────────────┘

6. License Compliance

KategorieLizenzenStatus
Permissive (erlaubt)MIT, Apache 2.0, BSD, ISCOK
Weak CopyleftLGPL, MPLReview
Strong CopyleftGPL, AGPLNicht erlaubt
ProprietaerCommercialGenehmigung

7. CI/CD Integration

CI Pipeline
     │
     ├── Build Stage
     │   └── SBOM generieren
     │
     ├── Security Stage
     │   ├── CVE Scan
     │   └── License Check
     │
     ├── Gate
     │   ├── Critical CVE → Block
     │   ├── GPL License → Block
     │   └── High CVE → Warning
     │
     └── Publish Stage
         └── SBOM archivieren

8. Aufbewahrung & Compliance

`,
}