Added (mostly empty) skeleton for Codyze

.github/CODEOWNERS

@@ -30,4 +30,8 @@ build.gradle.kts        @oxisto
 .github                 @oxisto
 
 cpg-language-ini        @maximiliankaul
+
 cpg-concepts            @maximiliankaul
+
+codyze                  @fwendland
+codyze-compliance       @fwendland @oxisto

buildSrc/build.gradle.kts

@@ -8,6 +8,7 @@ repositories {
 
 dependencies {
     implementation(libs.kotlin.gradle)
+    implementation(libs.kotlin.serialization)
     implementation(libs.dokka.gradle)
     implementation(libs.kover.gradle)
     implementation(libs.spotless.gradle)

buildSrc/src/main/kotlin/cpg.common-conventions.gradle.kts

@@ -12,6 +12,7 @@ plugins {
     signing
     `maven-publish`
     kotlin("jvm")
+    kotlin("plugin.serialization")
     id("org.jetbrains.dokka")
 }
 

codyze-compliance/build.gradle.kts

@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2025, Fraunhofer AISEC. All rights reserved.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *                    $$$$$$\  $$$$$$$\   $$$$$$\
+ *                   $$  __$$\ $$  __$$\ $$  __$$\
+ *                   $$ /  \__|$$ |  $$ |$$ /  \__|
+ *                   $$ |      $$$$$$$  |$$ |$$$$\
+ *                   $$ |      $$  ____/ $$ |\_$$ |
+ *                   $$ |  $$\ $$ |      $$ |  $$ |
+ *                   \$$$$$   |$$ |      \$$$$$   |
+ *                    \______/ \__|       \______/
+ *
+ */
+plugins {
+    id("cpg.frontend-conventions")
+}
+
+publishing {
+    publications {
+        named<MavenPublication>("codyze-compliance") {
+            pom {
+                artifactId = "codyze"
+                name.set("Codyze - Compliance Module")
+                description.set("The compliance module of Codyze")
+            }
+        }
+    }
+}
+
+dependencies {
+    implementation(projects.cpgCore)
+    implementation(libs.clikt)
+    implementation(libs.kaml)
+}

codyze-compliance/src/main/kotlin/de/fraunhofer/aisec/cpg/codyze/compliance/Command.kt

@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 2025, Fraunhofer AISEC. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ *                    $$$$$$\  $$$$$$$\   $$$$$$\
+ *                   $$  __$$\ $$  __$$\ $$  __$$\
+ *                   $$ /  \__|$$ |  $$ |$$ /  \__|
+ *                   $$ |      $$$$$$$  |$$ |$$$$\
+ *                   $$ |      $$  ____/ $$ |\_$$ |
+ *                   $$ |  $$\ $$ |      $$ |  $$ |
+ *                   \$$$$$   |$$ |      \$$$$$   |
+ *                    \______/ \__|       \______/
+ *
+ */
+package de.fraunhofer.aisec.cpg.codyze.compliance
+
+import com.github.ajalt.clikt.core.CliktCommand
+import com.github.ajalt.clikt.core.subcommands
+import com.github.ajalt.clikt.parameters.groups.OptionGroup
+import com.github.ajalt.clikt.parameters.groups.provideDelegate
+import com.github.ajalt.clikt.parameters.options.default
+import com.github.ajalt.clikt.parameters.options.option
+import kotlin.io.path.Path
+
+/** Options common to all subcommands. */
+class ProjectOptions : OptionGroup("Project Options:") {
+    val directory by option("--project-dir", help = "The project directory").default(".")
+}
+
+/** The main `compliance` command. */
+class ComplianceCommand : CliktCommand() {
+    override fun run() {}
+}
+
+/** The `scan` command. This will scan the project for compliance violations in the future. */
+class ScanCommand : CliktCommand() {
+    private val projectOptions by ProjectOptions()
+
+    override fun run() {
+        TODO()
+    }
+}
+
+/**
+ * The `list-security-goals` command. This will list the names of all security goals in the
+ * specified project.
+ *
+ * This command assumes that the project contains a folder named `security-goals` that contains YAML
+ * files with the security goals.
+ */
+class ListSecurityGoals : CliktCommand() {
+    private val projectOptions by ProjectOptions()
+
+    override fun run() {
+        val goals = loadSecurityGoals(Path(projectOptions.directory).resolve("security-goals"))
+        goals.forEach { echo(it.name.localName) }
+    }
+}
+
+var Command = ComplianceCommand().subcommands(ScanCommand(), ListSecurityGoals())

codyze-compliance/src/main/kotlin/de/fraunhofer/aisec/cpg/codyze/compliance/SecurityGoal.kt

@@ -0,0 +1,112 @@
+/*
+ * Copyright (c) 2025, Fraunhofer AISEC. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ *                    $$$$$$\  $$$$$$$\   $$$$$$\
+ *                   $$  __$$\ $$  __$$\ $$  __$$\
+ *                   $$ /  \__|$$ |  $$ |$$ /  \__|
+ *                   $$ |      $$$$$$$  |$$ |$$$$\
+ *                   $$ |      $$  ____/ $$ |\_$$ |
+ *                   $$ |  $$\ $$ |      $$ |  $$ |
+ *                   \$$$$$   |$$ |      \$$$$$   |
+ *                    \______/ \__|       \______/
+ *
+ */
+package de.fraunhofer.aisec.cpg.codyze.compliance
+
+import com.charleskorn.kaml.Yaml
+import de.fraunhofer.aisec.cpg.graph.Component
+import de.fraunhofer.aisec.cpg.graph.Name
+import de.fraunhofer.aisec.cpg.graph.OverlayNode
+import java.io.File
+import java.nio.file.Path
+import kotlin.io.path.Path
+import kotlin.io.path.extension
+import kotlin.io.path.readText
+import kotlin.io.path.walk
+import kotlinx.serialization.KSerializer
+import kotlinx.serialization.Serializable
+import kotlinx.serialization.decodeFromString
+import kotlinx.serialization.descriptors.PrimitiveKind
+import kotlinx.serialization.descriptors.PrimitiveSerialDescriptor
+import kotlinx.serialization.descriptors.SerialDescriptor
+import kotlinx.serialization.encoding.Decoder
+import kotlinx.serialization.encoding.Encoder
+
+@Serializable
+data class SecurityGoal(
+    @Serializable(with = NameSerializer::class) override var name: Name,
+    val description: String,
+    val components: List<@Serializable(with = ComponentSerializer::class) Component?> = listOf(),
+    val assumptions: List<String> = listOf(),
+    val restrictions: List<String> = listOf(),
+    val objectives: List<SecurityObjective>,
+) : OverlayNode()
+
+@Serializable
+class SecurityObjective(
+    @Serializable(with = NameSerializer::class) override var name: Name,
+    val description: String,
+    val statements: List<String>,
+    val components: List<@Serializable(with = ComponentSerializer::class) Component?> = listOf(),
+    val assumptions: List<String> = listOf(),
+    val restrictions: List<String> = listOf(),
+) : OverlayNode()
+
+/** A custom serializer for the [Name] class. */
+class NameSerializer : KSerializer<Name> {
+    override val descriptor: SerialDescriptor =
+        PrimitiveSerialDescriptor(Name::class.qualifiedName!!, PrimitiveKind.STRING)
+
+    override fun serialize(encoder: Encoder, value: Name) {
+        encoder.encodeString(value.localName)
+    }
+
+    override fun deserialize(decoder: Decoder): Name {
+        return Name(decoder.decodeString())
+    }
+}
+
+/** A custom serializer for the [Component] class. */
+class ComponentSerializer : KSerializer<Component?> {
+    override val descriptor: SerialDescriptor =
+        PrimitiveSerialDescriptor(Component::class.qualifiedName!!, PrimitiveKind.STRING)
+
+    override fun serialize(encoder: Encoder, value: Component?) {
+        if (value != null) {
+            encoder.encodeString(value.name.toString())
+        }
+    }
+
+    override fun deserialize(decoder: Decoder): Component? {
+        // TODO: find component by name somehow
+        return null
+    }
+}
+
+/** Load all security goals from a directory. */
+fun loadSecurityGoals(directory: Path): List<SecurityGoal> {
+    // Walk the directory and load all YAML files
+    return directory
+        .toFile()
+        .walk()
+        .filter { it.extension == "yaml" }
+        .toList()
+        .map { loadSecurityGoal(it) }
+}
+
+/** Load a single security goal from a file. */
+fun loadSecurityGoal(file: File): SecurityGoal {
+    return Yaml.default.decodeFromString<SecurityGoal>(file.readText())
+}

codyze-compliance/src/test/kotlin/de/fraunhofer/aisec/cpg/codyze/compliance/CommandTest.kt

@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 2025, Fraunhofer AISEC. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ *                    $$$$$$\  $$$$$$$\   $$$$$$\
+ *                   $$  __$$\ $$  __$$\ $$  __$$\
+ *                   $$ /  \__|$$ |  $$ |$$ /  \__|
+ *                   $$ |      $$$$$$$  |$$ |$$$$\
+ *                   $$ |      $$  ____/ $$ |\_$$ |
+ *                   $$ |  $$\ $$ |      $$ |  $$ |
+ *                   \$$$$$   |$$ |      \$$$$$   |
+ *                    \______/ \__|       \______/
+ *
+ */
+package de.fraunhofer.aisec.cpg.codyze.compliance
+
+import com.github.ajalt.clikt.testing.test
+import kotlin.test.*
+
+class CommandTest {
+
+    @Test
+    fun testComplianceCommand() {
+        val command = ComplianceCommand()
+        val result = command.test()
+        assertEquals(result.statusCode, 0)
+    }
+
+    @Test
+    fun testListSecurityGoalsCommand() {
+        val command = ListSecurityGoals()
+        val result = command.test("--project-dir src/test/resources/")
+        assertEquals(result.statusCode, 0)
+        assertEquals("Goal1\n", result.stdout)
+    }
+
+    @Test
+    fun testScanCommand() {
+        val command = ScanCommand()
+        val ex = assertFails {
+            val result = command.test("--project-dir src/test/resources/")
+            assertEquals(result.statusCode, 0)
+        }
+        assertIs<NotImplementedError>(ex)
+    }
+}

codyze-compliance/src/test/kotlin/de/fraunhofer/aisec/cpg/codyze/compliance/SecurityGoalTest.kt

@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2025, Fraunhofer AISEC. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ *                    $$$$$$\  $$$$$$$\   $$$$$$\
+ *                   $$  __$$\ $$  __$$\ $$  __$$\
+ *                   $$ /  \__|$$ |  $$ |$$ /  \__|
+ *                   $$ |      $$$$$$$  |$$ |$$$$\
+ *                   $$ |      $$  ____/ $$ |\_$$ |
+ *                   $$ |  $$\ $$ |      $$ |  $$ |
+ *                   \$$$$$   |$$ |      \$$$$$   |
+ *                    \______/ \__|       \______/
+ *
+ */
+package de.fraunhofer.aisec.cpg.codyze.compliance
+
+import kotlin.io.path.Path
+import kotlin.test.*
+
+class SecurityGoalTest {
+    @Test
+    fun testLoad() {
+        val goals = loadSecurityGoals(Path("src/test/resources/security-goals"))
+        val goal1 = goals.firstOrNull()
+        assertNotNull(goal1)
+        assertEquals("Goal1", goal1.name.localName)
+        assertEquals("Make it very secure", goal1.description)
+
+        val objective1 = goal1.objectives.firstOrNull()
+        assertNotNull(objective1)
+        assertEquals("Good encryption", objective1.name.localName)
+        assertEquals("Encryption used is very good", objective1.description)
+    }
+}

codyze-compliance/src/test/resources/security-goals/goal1.yaml

@@ -0,0 +1,12 @@
+name: Goal1
+description: Make it very secure
+components:
+  - auth
+  - webserver
+assumptions:
+  - Third party code is very good
+objectives:
+  - name: Good encryption
+    description: Encryption used is very good
+    statements:
+      - For each algorithm A, if A is used, then A must be a very good cryptographic algorithm