relusion/CycloneDX.CRA.Validator

CycloneDX CRA Validator

Validates [CycloneDX](https://cyclonedx.org/) SBOM documents against [BSI TR-03183-2 v2.1.0](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2.html) for EU Cyber Resilience Act (CRA) compliance.

Features

  • 23 validation rules covering all BSI TR-03183-2 requirements
  • JSON and XML CycloneDX format support
  • Embedded SPDX license list for offline validation
  • Strict mode and rule suppression
  • Text and JSON report output
  • CLI tool and .NET library
  • Multi-targeting: net8.0 + netstandard2.0

Installation

Library (NuGet)

dotnet add package CycloneDX.CRA.Validator

CLI Tool

dotnet tool install -g CycloneDX.CRA.Validator.Tool

Quick Start

Library API

using System;
using System.Collections.Generic;
using System.IO;
using CycloneDX.CRA.Validator;
using CycloneDX.CRA.Validator.Models;

// Load the SBOM to validate (the path is an example)
var jsonContent = File.ReadAllText("sbom.cdx.json");

// Validate from JSON string
var jsonResult = CraValidator.ValidateJson(jsonContent);

// Validate from file (auto-detects JSON/XML)
var fileResult = CraValidator.ValidateFile("sbom.cdx.json");

// Validate with options
var options = new ValidationOptions
{
    StrictMode = true,                                // promote warnings to errors
    SuppressRules = new HashSet<string> { "TR-P4" }   // skip the filename rule
};
var result = CraValidator.ValidateJson(jsonContent, options);

// Check result: IsValid is false if any error-level finding remains
if (result.IsValid)
    Console.WriteLine("SBOM is compliant!");
else
    foreach (var error in result.Errors)
        Console.WriteLine($"[{error.RuleId}] {error.Message}");

// Format output
Console.WriteLine(result.ToText());
Console.WriteLine(result.ToJson());

CLI Tool

# Validate an SBOM (text output)
cra-validate sbom.cdx.json

# JSON output
cra-validate sbom.cdx.json --format json

# Strict mode (warnings become errors)
cra-validate sbom.cdx.json --strict

# Suppress specific rules
cra-validate sbom.cdx.json --suppress TR-P4 TR-T2

# Quiet mode (exit code only)
cra-validate sbom.cdx.json --quiet

# Verbose (include info-level findings)
cra-validate sbom.cdx.json --verbose

# Write output to file
cra-validate sbom.cdx.json --output report.txt

Exit codes: 0 = valid, 1 = validation failed, 2 = input error

Validation Rules

| ID | Category | Severity | Description |
|---|---|---|---|
| TR-T1 | Structural | Error | Schema validity (JSON/XML deserialization) |
| TR-T2 | Structural | Warning | No vulnerability data in SBOM |
| TR-T3 | Structural | Warning | All components in dependency graph |
| TR-T4 | Structural | Error | Minimum spec version (CycloneDX >= 1.6) |
| TR-S1 | SBOM | Error | Creator contact information (email/URL) |
| TR-S2 | SBOM | Error | Timestamp present |
| TR-S3 | SBOM | Error | Primary component declared |
| TR-S4 | SBOM | Error | Spec version >= 1.6 |
| TR-S5 | SBOM | Error | Serial number present |
| TR-S6 | SBOM | Warning | BOM version present |
| TR-C1 | Component | Error | Component name non-empty |
| TR-C2 | Component | Error | Component version non-empty |
| TR-C3 | Component | Error | Creator contact (supplier/author with email/URL) |
| TR-C4 | Component | Error/Warning | License (SPDX id/expression required; name-only = warning) |
| TR-C5 | Component | Error/Warning | Hash (at least one; MD5/SHA-1 only = warning) |
| TR-C6 | Component | Warning | Unique identifier (PURL/CPE) |
| TR-C7 | Component | Error | Component type present |
| TR-C8 | Component | Warning | Component in dependency graph |
| TR-P1 | BSI Property | Error | Executable property (executable/non-executable) |
| TR-P2 | BSI Property | Error | Archive property (archive/no archive) |
| TR-P3 | BSI Property | Error | Structured property (structured/unstructured) |
| TR-P4 | BSI Property | Warning | Filename property (no path separators) |
| TR-P5 | BSI Property | Error | Associated licence (valid SPDX id/expression) |
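The table lists what each rule checks but not how a checker arrives at a verdict. The script below is an added illustration in Python, not the project's C# implementation: it applies a subset of the component and BSI-property rules with the same IDs and severities, mirrors StrictMode promotion and rule suppression, and runs over a constructed two-component SBOM. The bsi:component:* property names and values are assumed from the page's naming pattern and the rule descriptions; the SPDX-list lookup that TR-C4/TR-P5 need is reduced to an id/expression presence check here.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "rule severity message")

# Assumed property names/values, following the page's bsi:component:* pattern.
BSI_PROPS = {
    "TR-P1": ("bsi:component:executable", {"executable", "non-executable"}),
    "TR-P2": ("bsi:component:archive", {"archive", "no archive"}),
    "TR-P3": ("bsi:component:structured", {"structured", "unstructured"}),
}
WEAK_HASHES = {"MD5", "SHA-1"}   # TR-C5: accepted, but only with a warning


def check_component(comp, dep_refs):
    """Apply the TR-C and TR-P rules from the table to one component dict."""
    out = []
    if not comp.get("name"):
        out.append(Finding("TR-C1", "Error", "component name is empty"))
    if not comp.get("version"):
        out.append(Finding("TR-C2", "Error", "component version is empty"))

    licenses = comp.get("licenses", [])
    if not licenses:
        out.append(Finding("TR-C4", "Error", "no license declared"))
    elif not any("expression" in lic or "id" in lic.get("license", {}) for lic in licenses):
        out.append(Finding("TR-C4", "Warning", "license given by name only, not an SPDX id/expression"))

    algos = {h.get("alg") for h in comp.get("hashes", [])}
    if not algos:
        out.append(Finding("TR-C5", "Error", "no hash present"))
    elif algos <= WEAK_HASHES:
        out.append(Finding("TR-C5", "Warning", "only MD5/SHA-1 hashes present"))

    if not (comp.get("purl") or comp.get("cpe")):
        out.append(Finding("TR-C6", "Warning", "no PURL or CPE"))
    if comp.get("bom-ref") not in dep_refs:
        out.append(Finding("TR-C8", "Warning", "component not in dependency graph"))

    props = {p.get("name"): p.get("value") for p in comp.get("properties", [])}
    for rule, (name, allowed) in BSI_PROPS.items():
        if props.get(name) not in allowed:
            out.append(Finding(rule, "Error", f"{name} missing or not one of {sorted(allowed)}"))
    filename = props.get("bsi:component:filename")
    if filename and ("/" in filename or "\\" in filename):
        out.append(Finding("TR-P4", "Warning", "filename contains a path separator"))

    label = comp.get("name") or comp.get("bom-ref") or "?"
    return [f._replace(message=f"{label}: {f.message}") for f in out]


def validate(sbom, strict=False, suppress=()):
    """Equivalent of StrictMode/SuppressRules: returns is_valid plus every finding."""
    findings = []
    if not sbom.get("serialNumber"):
        findings.append(Finding("TR-S5", "Error", "serialNumber missing"))
    deps = sbom.get("dependencies", [])
    dep_refs = {d.get("ref") for d in deps} | {r for d in deps for r in d.get("dependsOn", [])}
    for comp in sbom.get("components", []):
        findings.extend(check_component(comp, dep_refs))
    findings = [f for f in findings if f.rule not in suppress]
    if strict:
        findings = [f._replace(severity="Error") for f in findings]
    return {"is_valid": not any(f.severity == "Error" for f in findings), "findings": findings}


# Constructed SBOM: "Good" satisfies every rule above, "Bad" trips most of them.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",
    "components": [
        {"bom-ref": "pkg:nuget/Good@1.0.0", "type": "library", "name": "Good", "version": "1.0.0",
         "purl": "pkg:nuget/Good@1.0.0",
         "licenses": [{"license": {"id": "MIT"}}],
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}],
         "properties": [
             {"name": "bsi:component:executable", "value": "executable"},
             {"name": "bsi:component:archive", "value": "no archive"},
             {"name": "bsi:component:structured", "value": "structured"},
             {"name": "bsi:component:filename", "value": "Good.dll"},
         ]},
        {"bom-ref": "pkg:nuget/Bad@2.0.0", "type": "library", "name": "Bad", "version": "2.0.0",
         "licenses": [{"license": {"name": "Some custom licence"}}],
         "hashes": [{"alg": "MD5", "content": "cd" * 16}],
         "properties": [{"name": "bsi:component:filename", "value": "lib/Bad.dll"}]},
    ],
    "dependencies": [{"ref": "pkg:nuget/Good@1.0.0", "dependsOn": []}],
}

if __name__ == "__main__":
    for f in validate(SAMPLE_SBOM)["findings"]:
        print(f"[{f.rule}] {f.severity}: {f.message}")
```

On the sample, "Bad" produces three errors (TR-P1..P3) and five warnings; suppressing the three property rules makes the document valid, while adding strict mode turns the remaining warnings back into errors, which is the same interaction a CI pipeline sees between --suppress and --strict.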

Configuration Options

| Option | Type | Default | Description |
|---|---|---|---|
| TrVersion | string | "2.1.0" | BSI TR-03183-2 version |
| StrictMode | bool | false | Promote warnings to errors |
| SuppressRules | HashSet<string> | empty | Rule IDs to skip |
| ValidatePrimaryComponent | bool | true | Validate metadata.component |

Known Limitations

  • BSI taxonomy properties (bsi:component:*) are not populated by most SBOM generation tools (e.g., cyclonedx-dotnet). You may need to add these properties manually or via a post-processing step.
  • SARIF output format is not yet implemented (planned for a future release).
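For the first limitation, here is an added example of such a post-processing step, written in Python and not part of the project. It fills the five bsi:component:* properties that TR-P1..TR-P5 look for from a filename map supplied by the build, keeps any value a generator already wrote, strips directory components so the filename satisfies TR-P4, and derives the associated licence only from an SPDX id/expression already on the component. The property names and the file-extension heuristic are assumptions for the example; a real pipeline should take the classification from the build system, which knows what each artefact is.

```python
import json
import os

# Assumed property names, following the page's bsi:component:* pattern.
P_EXEC, P_ARCH, P_STRUCT, P_FILE, P_LIC = (
    "bsi:component:executable", "bsi:component:archive",
    "bsi:component:structured", "bsi:component:filename",
    "bsi:component:licence",
)

# Illustrative extension heuristic for the example only.
EXECUTABLE_EXT = {".dll", ".exe", ".so", ".dylib"}
ARCHIVE_EXT = {".zip", ".nupkg", ".jar", ".tar", ".gz"}
STRUCTURED_EXT = {".json", ".xml", ".yaml", ".yml", ".toml", ".csv"}


def classify(filename):
    """Return the (executable, archive, structured) values for one artefact."""
    ext = os.path.splitext(filename.lower())[1]
    return (
        "executable" if ext in EXECUTABLE_EXT else "non-executable",
        "archive" if ext in ARCHIVE_EXT else "no archive",
        "structured" if ext in STRUCTURED_EXT else "unstructured",
    )


def set_if_absent(component, name, value):
    """Add a property unless the generator already emitted one with that name."""
    props = component.setdefault("properties", [])
    if any(p.get("name") == name for p in props):
        return False
    props.append({"name": name, "value": value})
    return True


def enrich_component(component, path):
    """Fill the BSI properties for one component; returns the names added."""
    # TR-P4 wants a bare filename, so drop directories (either separator style).
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    exe, arch, struct = classify(base)
    added = []
    for name, value in ((P_EXEC, exe), (P_ARCH, arch), (P_STRUCT, struct), (P_FILE, base)):
        if set_if_absent(component, name, value):
            added.append(name)
    # TR-P5 needs a valid SPDX id/expression; reuse the component's own if it has one,
    # and leave it unset for name-only licences rather than inventing a value.
    for lic in component.get("licenses", []):
        spdx = lic.get("expression") or lic.get("license", {}).get("id")
        if spdx and set_if_absent(component, P_LIC, spdx):
            added.append(P_LIC)
            break
    return added


def enrich_sbom(sbom, filenames):
    """filenames maps bom-ref -> artefact path; returns {bom-ref: [properties added]}."""
    report = {}
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref")
        if ref in filenames:
            report[ref] = enrich_component(comp, filenames[ref])
    return report


# Constructed input: a library with an SPDX licence and a config file whose
# generator already set the executable property.
SAMPLE = {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
    {"bom-ref": "lib-a", "type": "library", "name": "LibA", "version": "1.0.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"bom-ref": "cfg", "type": "file", "name": "settings", "version": "1.0.0",
     "licenses": [{"license": {"name": "custom"}}],
     "properties": [{"name": P_EXEC, "value": "non-executable"}]},
]}
FILES = {"lib-a": r"bin\Release\LibA.dll", "cfg": "config/settings.json"}

if __name__ == "__main__":
    print(json.dumps(enrich_sbom(SAMPLE, FILES), indent=2))
    print(json.dumps(SAMPLE, indent=2))
```

Because set_if_absent is idempotent, the step can run on every build without duplicating properties, and the validator's TR-P5 error for "cfg" remains visible instead of being papered over with a made-up licence.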

License

Apache-2.0
