From 01956ee6906ed6831af9966b97b134e95713fbc9 Mon Sep 17 00:00:00 2001
From: Benjamin Admin
Date: Thu, 25 Jun 2026 19:12:17 +0200
Subject: [PATCH] =?UTF-8?q?feat:=20cross-domain=20relationship=20discovery?=
 =?UTF-8?q?=20=E2=80=94=20Capability-Schicht-Entwurf=20(CRA=20P1)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Stufe 1+2 der Ontologie-Entdeckung (User-Schaerfung #54): nicht Aehnlichkeit sondern STRUKTURELLE Beziehung. 93 Obligations -> BGE-M3 -> 101 cross-family Paare -> Opus klassifiziert in 8 Kategorien (genau eine je Paar).
- scripts/obligation_discovery/cross_domain_pairs.py (Stufe 1, key-frei)
- scripts/obligation_discovery/classify_relationships.py (Stufe 2, Opus)
- obligations/cross_domain_relationships.json: 16 SHARED_CAPABILITY -> 8 Capabilities (mfa/session/transport-tls/code_signing/anomaly_detection), 23 SUPPORTED_BY (Hubs: vuln_identification_inventory<-SBOM-Familie 5x, vuln_remediation_patching 5x), 1 SAME_OBLIGATION (vuln_remediation_patching == provide_security_updates, MERGE-Kandidat), 42 OVERLAP_ONLY sauber verworfen. Erstentwurf der Capability-Schicht (Phase 4).

Co-Authored-By: Claude Opus 4.7
---
obligations/cross_domain_relationships.json | 1552 +++++++++++++++++
.../classify_relationships.py | 85 +
.../cross_domain_pairs.py | 66 +
3 files changed, 1703 insertions(+)
create mode 100644 obligations/cross_domain_relationships.json
create mode 100644 scripts/obligation_discovery/classify_relationships.py
create mode 100644 scripts/obligation_discovery/cross_domain_pairs.py
diff --git a/obligations/cross_domain_relationships.json b/obligations/cross_domain_relationships.json
new file mode 100644
index 00000000..8141f05f
--- /dev/null
+++ b/obligations/cross_domain_relationships.json
@@ -0,0 +1,1552 @@ +{ + "schema_version": "cross_domain_relationships_v1", + "generated_by": "cross_domain_pairs.py + classify_relationships.py (claude-opus-4-8)", + "scope": "6 CRA-P1-Familien, 93 Obligations, 101 cross-family Kandidatenpaare (BGE-M3 top-8 >=0.60)", + "method": "User-Schaerfung: nicht Aehnlichkeit sondern STRUKTURELLE Beziehung (8 Kategorien, genau eine je Paar).", + "distribution": { + "SHARED_CAPABILITY": 16, + "SAME_OBLIGATION": 1, + "OVERLAP_ONLY": 42, + "SUPPORTED_BY": 23, + "SHARED_EVIDENCE": 7, + "SHARED_PROCEDURE": 5, + "UNRELATED": 7 + }, + "capability_layer_draft": [ + { + "capability": "mfa", + "n_pairs": 5, + "fulfills_obligations": [ + "authentication/mfa_required", + "authentication/privileged_op_reauth", + "authentication/remote_access_authentication", + "authentication/supplier_access_auth", + "remote_access/remote_access_mfa", + "remote_access/remote_access_user_validation_ot" + ], + "domains": [ + "authentication", + "remote_access" + ] + }, + { + "capability": "session_management", + "n_pairs": 3, + "fulfills_obligations": [ + "authentication/reauth_after_inactivity", + "authentication/session_binding_management", + "remote_access/remote_session_management", + "remote_access/temporary_remote_access_mgmt" + ], + "domains": [ + "authentication", + "remote_access" + ] + }, + { + "capability": "tls_encryption", + "n_pairs": 2, + "fulfills_obligations": [ + "authentication/encrypted_auth_channel", + "remote_access/reject_insecure_remote_protocols", + "remote_access/remote_access_encryption" + ], + "domains": [ + "authentication", + "remote_access" + ] + }, + { + "capability": "mutual_tls", + "n_pairs": 2, + "fulfills_obligations": [ + "authentication/mutual_authentication", + "authentication/service_to_service_auth", + "remote_access/remote_access_confidentiality_integrity", + "remote_access/remote_access_encryption" + ], + "domains": [ + "authentication", + "remote_access" + ] + }, + { + "capability": "code_signing", + "n_pairs": 1, 
+ "fulfills_obligations": [ + "authentication/firmware_software_authentication", + "updates/signed_update_integrity" + ], + "domains": [ + "authentication", + "updates" + ] + }, + { + "capability": "access_control", + "n_pairs": 1, + "fulfills_obligations": [ + "authentication/credential_confidentiality_protection", + "sbom/sbom_confidentiality" + ], + "domains": [ + "authentication", + "sbom" + ] + }, + { + "capability": "anomaly_detection", + "n_pairs": 1, + "fulfills_obligations": [ + "logging/log_monitoring_alerting", + "remote_access/remote_access_threat_detection" + ], + "domains": [ + "logging", + "remote_access" + ] + }, + { + "capability": "tls_certificate_auth", + "n_pairs": 1, + "fulfills_obligations": [ + "authentication/tls_certificate_auth", + "remote_access/remote_access_encryption" + ], + "domains": [ + "authentication", + "remote_access" + ] + } + ], + "consolidation_suggestions": [ + "tls_encryption + mutual_tls + tls_certificate_auth -> EINE Capability 'transport_encryption' (TLS-Varianten, vom Klassifikator fein gesplittet).", + "access_control-Cluster (credential_confidentiality_protection <-> sbom_confidentiality) ist SCHWACH -> eher OVERLAP_ONLY." + ], + "merge_candidates": [ + { + "a": "vuln/vuln_remediation_patching", + "b": "updates/provide_security_updates", + "reason": "Beide fordern Schwachstellenbehebung via Patches im Support-Zeitraum, deckungsgleich." + } + ], + "supported_by_hierarchy": [ + { + "child": "vuln/vuln_remediation_patching", + "parent": "remote_access/remote_access_vuln_patch_mgmt", + "reason": "Fernwartungs-Patching ist domaenenspezifischer Teilfall der allgemeinen Schwachstellenbehebung." + }, + { + "child": "updates/trusted_update_source", + "parent": "authentication/firmware_software_authentication", + "reason": "Vertrauenswuerdige Quelle ergaenzt Signaturpflicht der Update-Authentifizierung." 
+ }, + { + "child": "sbom/sbom_completeness_verification", + "parent": "vuln/vuln_identification_inventory", + "reason": "SBOM-Vollstaendigkeitspruefung traegt zur Schwachstellen-Identifikation bei." + }, + { + "child": "remote_access/remote_access_vuln_patch_mgmt", + "parent": "updates/provide_security_updates", + "reason": "Fernwartungs-Patching ist Teilfall der allgemeinen Update-Bereitstellung." + }, + { + "child": "remote_access/remote_access_logging_audit", + "parent": "logging/event_logging_security_events", + "reason": "Fernwartungsprotokollierung ist Teilfall des allgemeinen Security-Event-Loggings." + }, + { + "child": "vuln/vuln_info_dissemination_users", + "parent": "updates/provide_security_updates", + "reason": "Nutzerinformation ergaenzt die Update-Bereitstellungspflicht." + }, + { + "child": "remote_access/remote_access_architecture_design", + "parent": "authentication/remote_access_authentication", + "reason": "Sichere Fernzugriffsarchitektur unterstuetzt Gateway-basierte Authentifizierung." + }, + { + "child": "sbom/sbom_creation", + "parent": "vuln/vuln_identification_inventory", + "reason": "SBOM-Erstellung liefert das Inventar fuer Schwachstellen-Identifikation." + }, + { + "child": "updates/update_risk_assessment", + "parent": "vuln/vuln_remediation_patching", + "reason": "Update-Risikobeurteilung speist die risikobasierte Schwachstellenbehebung." + }, + { + "child": "remote_access/remote_access_vuln_patch_mgmt", + "parent": "vuln/vuln_assessment_prioritization", + "reason": "Fernwartungs-Patching bewertet/priorisiert Schwachstellen wie allgemeine Bewertungspflicht." + }, + { + "child": "updates/update_testing_validation", + "parent": "vuln/vuln_remediation_patching", + "reason": "Update-Testen unterstuetzt zuverlaessige Schwachstellenbehebung via Patches." 
+ }, + { + "child": "remote_access/remote_access_user_validation_ot", + "parent": "authentication/remote_access_authentication", + "reason": "OT-Nutzervalidierung ist domaenenspezifische Auspraegung der Remote-Authentifizierung." + }, + { + "child": "sbom/sbom_maintenance_update", + "parent": "vuln/vuln_identification_inventory", + "reason": "Aktualisierte SBOM unterstuetzt kontinuierliche Schwachstellen-Identifikation." + }, + { + "child": "remote_access/remote_access_vuln_patch_mgmt", + "parent": "vuln/vuln_handling_process", + "reason": "Fernwartungs-Patching ist Teilfall des allgemeinen Vuln-Handling-Prozesses." + }, + { + "child": "sbom/sbom_tooling_automation", + "parent": "vuln/vuln_identification_inventory", + "reason": "Automatisierte SBOM-Generierung unterstuetzt Schwachstellen-Identifikation." + }, + { + "child": "updates/support_period_maintenance", + "parent": "vuln/vuln_remediation_patching", + "reason": "Wartung im Support-Zeitraum unterstuetzt fristgerechte Schwachstellenbehebung." + }, + { + "child": "updates/automatic_updates_optout", + "parent": "vuln/vuln_remediation_patching", + "reason": "Automatische Updates unterstuetzen zeitnahe Schwachstellenbehebung." + }, + { + "child": "updates/update_risk_assessment", + "parent": "vuln/vuln_assessment_prioritization", + "reason": "Update-Risikobeurteilung speist standardisierte Schwachstellen-Priorisierung." + }, + { + "child": "updates/update_rollback", + "parent": "vuln/vuln_remediation_patching", + "reason": "Rollback unterstuetzt sichere Behebung fehlerhafter Patches." + }, + { + "child": "sbom/sbom_dependency_coverage", + "parent": "vuln/vuln_identification_inventory", + "reason": "Dependency-Dokumentation unterstuetzt Schwachstellen-Identifikation in Komponenten." + }, + { + "child": "remote_access/remote_access_vuln_patch_mgmt", + "parent": "updates/support_period_maintenance", + "reason": "Fernwartungs-Patching ist Teilfall der Support-Wartungsmassnahmen." 
+ }, + { + "child": "logging/logging_library_supply_chain", + "parent": "remote_access/remote_access_vuln_patch_mgmt", + "reason": "Logging-Library-Patching ist domaenenspezifischer Teilfall des Vuln-Patch-Managements." + }, + { + "child": "vuln/vuln_info_dissemination_users", + "parent": "updates/automatic_updates_optout", + "reason": "Nutzerinformation ergaenzt automatische Update-Bereitstellung." + } + ], + "hierarchy_hubs": { + "vuln/vuln_identification_inventory": 5, + "vuln/vuln_remediation_patching": 5, + "remote_access/remote_access_vuln_patch_mgmt": 2, + "updates/provide_security_updates": 2, + "authentication/remote_access_authentication": 2, + "vuln/vuln_assessment_prioritization": 2, + "authentication/firmware_software_authentication": 1, + "logging/event_logging_security_events": 1, + "vuln/vuln_handling_process": 1, + "updates/support_period_maintenance": 1, + "updates/automatic_updates_optout": 1 + }, + "shared_evidence": [ + { + "a": "logging/log_retention_archival", + "b": "remote_access/remote_access_logging_audit", + "evidence": "audit_log", + "reason": "Beide nutzen Audit-Logs zur Aufbewahrung/Auswertung." + }, + { + "a": "logging/access_control_event_logging", + "b": "remote_access/remote_access_logging_audit", + "evidence": "audit_log", + "reason": "Beide protokollieren Zugriffsereignisse in Audit-Logs." + }, + { + "a": "logging/log_timestamp_synchronization", + "b": "remote_access/remote_access_logging_audit", + "evidence": "audit_log", + "reason": "Beide nutzen zeitgestempelte Audit-Logs." + }, + { + "a": "logging/log_transmission_security", + "b": "remote_access/remote_access_logging_audit", + "evidence": "audit_log", + "reason": "Beide betreffen Audit-Logs, Transport bzw. Erfassung." + }, + { + "a": "logging/log_monitoring_alerting", + "b": "remote_access/remote_access_logging_audit", + "evidence": "audit_log", + "reason": "Beide nutzen Logs zur Ueberwachung/Auswertung." 
+ }, + { + "a": "logging/network_traffic_logging", + "b": "remote_access/remote_access_logging_audit", + "evidence": "audit_log", + "reason": "Beide protokollieren Netzwerk-/Fernzugriffsereignisse." + }, + { + "a": "logging/incident_response_logging", + "b": "remote_access/remote_access_logging_audit", + "evidence": "audit_log", + "reason": "Beide verknuepfen Aktivitaeten mit Audit-Logs." + } + ], + "shared_procedure": [ + { + "a": "vuln/vuln_handling_process", + "b": "logging/logging_governance_roles", + "reason": "Beide ueber Governance-Prozesse mit Rollen/Verantwortlichkeiten erfuellt." + }, + { + "a": "vuln/vuln_handling_process", + "b": "authentication/authentication_policy_documented", + "reason": "Beide ueber dokumentierte, gepflegte Richtlinien/Prozesse erfuellt." + }, + { + "a": "logging/logging_availability_resilience", + "b": "remote_access/remote_access_fallback_concept", + "reason": "Beide ueber Fallback-/Redundanzkonzepte bei Ausfaellen erfuellt." + }, + { + "a": "sbom/sbom_access_provision", + "b": "vuln/coordinated_vulnerability_disclosure", + "reason": "Beide ueber definierte externe Kommunikations-/Meldekanaele erfuellt." + }, + { + "a": "vuln/vuln_handling_process", + "b": "updates/support_period_maintenance", + "reason": "Beide ueber definierte Prozesse/Zeithorizonte im Support-Zeitraum erfuellt." + } + ], + "noise_counts": { + "OVERLAP_ONLY": 42, + "UNRELATED": 7 + }, + "raw_results": [ + { + "a": "mfa_required", + "fa": "authentication", + "b": "remote_access_mfa", + "fb": "remote_access", + "sim": 0.791, + "relation": "SHARED_CAPABILITY", + "direction": "none", + "capability_name": "mfa", + "evidence_name": "", + "reason": "Beide durch MFA-Faehigkeit erfuellt, unterschiedlicher Geltungsbereich." 
+ }, + { + "a": "vuln_remediation_patching", + "fa": "vuln", + "b": "provide_security_updates", + "fb": "updates", + "sim": 0.774, + "relation": "SAME_OBLIGATION", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Beide fordern Schwachstellenbehebung via Patches im Support-Zeitraum, deckungsgleich." + }, + { + "a": "firmware_software_authentication", + "fa": "authentication", + "b": "signed_update_integrity", + "fb": "updates", + "sim": 0.75, + "relation": "SHARED_CAPABILITY", + "direction": "none", + "capability_name": "code_signing", + "evidence_name": "", + "reason": "Beide durch kryptografische Signatur/Verifikation von Updates erfuellt." + }, + { + "a": "credential_confidentiality_protection", + "fa": "authentication", + "b": "log_transmission_security", + "fb": "logging", + "sim": 0.739, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Credential-Schutz vs. Log-Transportsicherheit, nur thematische Naehe." + }, + { + "a": "supplier_access_auth", + "fa": "authentication", + "b": "remote_access_mfa", + "fb": "remote_access", + "sim": 0.727, + "relation": "SHARED_CAPABILITY", + "direction": "none", + "capability_name": "mfa", + "evidence_name": "", + "reason": "Beide ueber starke Multi-Faktor-Authentifizierung erfuellt." + }, + { + "a": "encrypted_auth_channel", + "fa": "authentication", + "b": "remote_access_encryption", + "fb": "remote_access", + "sim": 0.724, + "relation": "SHARED_CAPABILITY", + "direction": "none", + "capability_name": "tls_encryption", + "evidence_name": "", + "reason": "Beide durch verschluesselte Kanaele/TLS erfuellt." 
+ }, + { + "a": "credential_confidentiality_protection", + "fa": "authentication", + "b": "log_data_minimization_privacy", + "fb": "logging", + "sim": 0.72, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Beide betreffen sensible Daten in Logs, distinkte Pflichten." + }, + { + "a": "vuln_remediation_patching", + "fa": "vuln", + "b": "remote_access_vuln_patch_mgmt", + "fb": "remote_access", + "sim": 0.709, + "relation": "SUPPORTED_BY", + "direction": "a->b", + "capability_name": "", + "evidence_name": "", + "reason": "Fernwartungs-Patching ist domaenenspezifischer Teilfall der allgemeinen Schwachstellenbehebung." + }, + { + "a": "sbom_confidentiality", + "fa": "sbom", + "b": "credential_confidentiality_protection", + "fb": "authentication", + "sim": 0.706, + "relation": "SHARED_CAPABILITY", + "direction": "none", + "capability_name": "access_control", + "evidence_name": "", + "reason": "Beide ueber Zugriffskontrolle vertraulicher Daten erfuellt." + }, + { + "a": "credential_confidentiality_protection", + "fa": "authentication", + "b": "log_integrity_immutability", + "fb": "logging", + "sim": 0.698, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Credential-Schutz vs. Log-Integritaet, distinkt." + }, + { + "a": "log_retention_archival", + "fa": "logging", + "b": "remote_access_logging_audit", + "fb": "remote_access", + "sim": 0.696, + "relation": "SHARED_EVIDENCE", + "direction": "none", + "capability_name": "", + "evidence_name": "audit_log", + "reason": "Beide nutzen Audit-Logs zur Aufbewahrung/Auswertung." + }, + { + "a": "access_control_event_logging", + "fa": "logging", + "b": "remote_access_logging_audit", + "fb": "remote_access", + "sim": 0.688, + "relation": "SHARED_EVIDENCE", + "direction": "none", + "capability_name": "", + "evidence_name": "audit_log", + "reason": "Beide protokollieren Zugriffsereignisse in Audit-Logs." 
+ }, + { + "a": "session_binding_management", + "fa": "authentication", + "b": "remote_session_management", + "fb": "remote_access", + "sim": 0.688, + "relation": "SHARED_CAPABILITY", + "direction": "none", + "capability_name": "session_management", + "evidence_name": "", + "reason": "Beide ueber sicheres Session-Management erfuellt." + }, + { + "a": "firmware_software_authentication", + "fa": "authentication", + "b": "trusted_update_source", + "fb": "updates", + "sim": 0.687, + "relation": "SUPPORTED_BY", + "direction": "b->a", + "capability_name": "", + "evidence_name": "", + "reason": "Vertrauenswuerdige Quelle ergaenzt Signaturpflicht der Update-Authentifizierung." + }, + { + "a": "log_timestamp_synchronization", + "fa": "logging", + "b": "remote_access_logging_audit", + "fb": "remote_access", + "sim": 0.687, + "relation": "SHARED_EVIDENCE", + "direction": "none", + "capability_name": "", + "evidence_name": "audit_log", + "reason": "Beide nutzen zeitgestempelte Audit-Logs." + }, + { + "a": "sbom_completeness_verification", + "fa": "sbom", + "b": "vuln_identification_inventory", + "fb": "vuln", + "sim": 0.685, + "relation": "SUPPORTED_BY", + "direction": "a->b", + "capability_name": "", + "evidence_name": "", + "reason": "SBOM-Vollstaendigkeitspruefung traegt zur Schwachstellen-Identifikation bei." + }, + { + "a": "remote_access_authentication", + "fa": "authentication", + "b": "remote_access_confidentiality_integrity", + "fb": "remote_access", + "sim": 0.684, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Authentifizierung vs. Vertraulichkeit/Integritaet der Verbindung, distinkt." 
+ }, + { + "a": "privileged_op_reauth", + "fa": "authentication", + "b": "remote_access_mfa", + "fb": "remote_access", + "sim": 0.684, + "relation": "SHARED_CAPABILITY", + "direction": "none", + "capability_name": "mfa", + "evidence_name": "", + "reason": "Beide ueber zusaetzliche Authentifizierung privilegierter Operationen erfuellt." + }, + { + "a": "log_transmission_security", + "fa": "logging", + "b": "remote_access_logging_audit", + "fb": "remote_access", + "sim": 0.682, + "relation": "SHARED_EVIDENCE", + "direction": "none", + "capability_name": "", + "evidence_name": "audit_log", + "reason": "Beide betreffen Audit-Logs, Transport bzw. Erfassung." + }, + { + "a": "firmware_software_authentication", + "fa": "authentication", + "b": "component_remote_interface_security", + "fb": "remote_access", + "sim": 0.681, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Code-Signing vs. Schnittstellensicherheit, nur lose Verbindung." + }, + { + "a": "credential_confidentiality_protection", + "fa": "authentication", + "b": "remote_access_confidentiality_integrity", + "fb": "remote_access", + "sim": 0.678, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Credential-Schutz vs. Remote-Verbindungsschutz, distinkt." + }, + { + "a": "log_access_control_protection", + "fa": "logging", + "b": "remote_access_logging_audit", + "fb": "remote_access", + "sim": 0.675, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Log-Zugriffskontrolle vs. Fernwartungsprotokollierung, distinkt." 
+ }, + { + "a": "remote_access_vuln_patch_mgmt", + "fa": "remote_access", + "b": "provide_security_updates", + "fb": "updates", + "sim": 0.674, + "relation": "SUPPORTED_BY", + "direction": "a->b", + "capability_name": "", + "evidence_name": "", + "reason": "Fernwartungs-Patching ist Teilfall der allgemeinen Update-Bereitstellung." + }, + { + "a": "sbom_confidentiality", + "fa": "sbom", + "b": "remote_access_confidentiality_integrity", + "fb": "remote_access", + "sim": 0.672, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "SBOM-Vertraulichkeit vs. Remote-Verbindungsschutz, distinkt." + }, + { + "a": "log_monitoring_alerting", + "fa": "logging", + "b": "remote_access_logging_audit", + "fb": "remote_access", + "sim": 0.672, + "relation": "SHARED_EVIDENCE", + "direction": "none", + "capability_name": "", + "evidence_name": "audit_log", + "reason": "Beide nutzen Logs zur Ueberwachung/Auswertung." + }, + { + "a": "access_control_event_logging", + "fa": "logging", + "b": "reject_insecure_remote_protocols", + "fb": "remote_access", + "sim": 0.671, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Logging abgewiesener Zugriffe vs. Protokollblockade, distinkt." + }, + { + "a": "vuln_handling_process", + "fa": "vuln", + "b": "logging_governance_roles", + "fb": "logging", + "sim": 0.664, + "relation": "SHARED_PROCEDURE", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Beide ueber Governance-Prozesse mit Rollen/Verantwortlichkeiten erfuellt." + }, + { + "a": "logging_config_management", + "fa": "logging", + "b": "remote_access_logging_audit", + "fb": "remote_access", + "sim": 0.662, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Logging-Konfiguration vs. Fernwartungsprotokollierung, nur thematische Naehe." 
+ }, + { + "a": "sbom_completeness_verification", + "fa": "sbom", + "b": "firmware_software_authentication", + "fb": "authentication", + "sim": 0.659, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "SBOM-Pruefung vs. Code-Signing, distinkt." + }, + { + "a": "remote_access_authentication", + "fa": "authentication", + "b": "remote_access_mfa", + "fb": "remote_access", + "sim": 0.659, + "relation": "SHARED_CAPABILITY", + "direction": "none", + "capability_name": "mfa", + "evidence_name": "", + "reason": "Beide ueber starke/Multi-Faktor-Authentifizierung des Remote-Zugriffs erfuellt." + }, + { + "a": "sbom_confidentiality", + "fa": "sbom", + "b": "log_data_minimization_privacy", + "fb": "logging", + "sim": 0.658, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "SBOM-Vertraulichkeit vs. Log-Datenschutz, distinkt." + }, + { + "a": "firmware_software_authentication", + "fa": "authentication", + "b": "update_testing_validation", + "fb": "updates", + "sim": 0.658, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Signatur-Authentifizierung vs. Update-Testen, distinkt." + }, + { + "a": "remote_access_authentication", + "fa": "authentication", + "b": "remote_access_encryption", + "fb": "remote_access", + "sim": 0.658, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Authentifizierung vs. Verschluesselung des Remote-Zugriffs, distinkt." + }, + { + "a": "event_logging_security_events", + "fa": "logging", + "b": "remote_access_logging_audit", + "fb": "remote_access", + "sim": 0.658, + "relation": "SUPPORTED_BY", + "direction": "b->a", + "capability_name": "", + "evidence_name": "", + "reason": "Fernwartungsprotokollierung ist Teilfall des allgemeinen Security-Event-Loggings." 
+ }, + { + "a": "firmware_software_authentication", + "fa": "authentication", + "b": "automatic_updates_optout", + "fb": "updates", + "sim": 0.657, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Update-Signatur vs. Auto-Update-Konfiguration, distinkt." + }, + { + "a": "remote_maintenance_governance", + "fa": "remote_access", + "b": "support_period_maintenance", + "fb": "updates", + "sim": 0.657, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Fernwartungs-Governance vs. Support-Wartung, nur thematische Naehe." + }, + { + "a": "vuln_info_dissemination_users", + "fa": "vuln", + "b": "provide_security_updates", + "fb": "updates", + "sim": 0.656, + "relation": "SUPPORTED_BY", + "direction": "a->b", + "capability_name": "", + "evidence_name": "", + "reason": "Nutzerinformation ergaenzt die Update-Bereitstellungspflicht." + }, + { + "a": "remote_access_authentication", + "fa": "authentication", + "b": "remote_access_architecture_design", + "fb": "remote_access", + "sim": 0.656, + "relation": "SUPPORTED_BY", + "direction": "b->a", + "capability_name": "", + "evidence_name": "", + "reason": "Sichere Fernzugriffsarchitektur unterstuetzt Gateway-basierte Authentifizierung." + }, + { + "a": "user_authentication_required", + "fa": "authentication", + "b": "remote_access_training", + "fb": "remote_access", + "sim": 0.656, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Authentifizierung vs. Nutzerschulung, distinkt." + }, + { + "a": "sbom_completeness_verification", + "fa": "sbom", + "b": "update_testing_validation", + "fb": "updates", + "sim": 0.656, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "SBOM-Pruefung vs. Update-Testen, distinkt." 
+ }, + { + "a": "sbom_creation", + "fa": "sbom", + "b": "vuln_identification_inventory", + "fb": "vuln", + "sim": 0.655, + "relation": "SUPPORTED_BY", + "direction": "a->b", + "capability_name": "", + "evidence_name": "", + "reason": "SBOM-Erstellung liefert das Inventar fuer Schwachstellen-Identifikation." + }, + { + "a": "vuln_remediation_patching", + "fa": "vuln", + "b": "update_risk_assessment", + "fb": "updates", + "sim": 0.653, + "relation": "SUPPORTED_BY", + "direction": "b->a", + "capability_name": "", + "evidence_name": "", + "reason": "Update-Risikobeurteilung speist die risikobasierte Schwachstellenbehebung." + }, + { + "a": "network_traffic_logging", + "fa": "logging", + "b": "remote_access_logging_audit", + "fb": "remote_access", + "sim": 0.653, + "relation": "SHARED_EVIDENCE", + "direction": "none", + "capability_name": "", + "evidence_name": "audit_log", + "reason": "Beide protokollieren Netzwerk-/Fernzugriffsereignisse." + }, + { + "a": "session_binding_management", + "fa": "authentication", + "b": "log_transmission_security", + "fb": "logging", + "sim": 0.653, + "relation": "UNRELATED", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Session-Binding vs. Log-Transport, keine echte Beziehung." + }, + { + "a": "vuln_assessment_prioritization", + "fa": "vuln", + "b": "remote_access_vuln_patch_mgmt", + "fb": "remote_access", + "sim": 0.652, + "relation": "SUPPORTED_BY", + "direction": "b->a", + "capability_name": "", + "evidence_name": "", + "reason": "Fernwartungs-Patching bewertet/priorisiert Schwachstellen wie allgemeine Bewertungspflicht." + }, + { + "a": "credential_confidentiality_protection", + "fa": "authentication", + "b": "log_retention_archival", + "fb": "logging", + "sim": 0.652, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Credential-Schutz vs. Log-Aufbewahrung, distinkt." 
+ }, + { + "a": "encrypted_auth_channel", + "fa": "authentication", + "b": "reject_insecure_remote_protocols", + "fb": "remote_access", + "sim": 0.651, + "relation": "SHARED_CAPABILITY", + "direction": "none", + "capability_name": "tls_encryption", + "evidence_name": "", + "reason": "Beide deaktivieren/blockieren unverschluesselte Kanaele." + }, + { + "a": "mutual_authentication", + "fa": "authentication", + "b": "remote_access_confidentiality_integrity", + "fb": "remote_access", + "sim": 0.649, + "relation": "SHARED_CAPABILITY", + "direction": "none", + "capability_name": "mutual_tls", + "evidence_name": "", + "reason": "Beide ueber gegenseitige Authentifizierung/Verbindungssicherung erfuellt." + }, + { + "a": "token_validation_lifecycle", + "fa": "authentication", + "b": "update_testing_validation", + "fb": "updates", + "sim": 0.649, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Token-Validierung vs. Update-Validierung, nur Wortueberlappung." + }, + { + "a": "remote_access_authentication", + "fa": "authentication", + "b": "remote_access_training", + "fb": "remote_access", + "sim": 0.648, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Authentifizierung vs. Schulung, distinkt." + }, + { + "a": "remote_access_vuln_patch_mgmt", + "fa": "remote_access", + "b": "update_testing_validation", + "fb": "updates", + "sim": 0.648, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Fernwartungs-Patching vs. Update-Testen, distinkt." + }, + { + "a": "vuln_remediation_patching", + "fa": "vuln", + "b": "update_testing_validation", + "fb": "updates", + "sim": 0.646, + "relation": "SUPPORTED_BY", + "direction": "b->a", + "capability_name": "", + "evidence_name": "", + "reason": "Update-Testen unterstuetzt zuverlaessige Schwachstellenbehebung via Patches." 
+ }, + { + "a": "logging_config_management", + "fa": "logging", + "b": "automatic_updates_optout", + "fb": "updates", + "sim": 0.646, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Logging-Default vs. Update-Default-Konfiguration, nur Themenueberlappung." + }, + { + "a": "access_control_event_logging", + "fa": "logging", + "b": "remote_access_control_least_privilege", + "fb": "remote_access", + "sim": 0.644, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Zugriffsprotokollierung vs. Least-Privilege-Fernzugriff, distinkt." + }, + { + "a": "service_to_service_auth", + "fa": "authentication", + "b": "remote_access_encryption", + "fb": "remote_access", + "sim": 0.644, + "relation": "SHARED_CAPABILITY", + "direction": "none", + "capability_name": "mutual_tls", + "evidence_name": "", + "reason": "Beide ueber TLS/mTLS-basierte Authentifizierung/Verschluesselung erfuellt." + }, + { + "a": "personal_admin_accounts", + "fa": "authentication", + "b": "remote_access_mfa", + "fb": "remote_access", + "sim": 0.643, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Persoenliche Admin-Konten vs. Remote-MFA, distinkt." + }, + { + "a": "incident_response_logging", + "fa": "logging", + "b": "remote_access_logging_audit", + "fb": "remote_access", + "sim": 0.642, + "relation": "SHARED_EVIDENCE", + "direction": "none", + "capability_name": "", + "evidence_name": "audit_log", + "reason": "Beide verknuepfen Aktivitaeten mit Audit-Logs." + }, + { + "a": "mfa_required", + "fa": "authentication", + "b": "remote_access_training", + "fb": "remote_access", + "sim": 0.641, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "MFA vs. Schulung, distinkt." 
+ }, + { + "a": "session_binding_management", + "fa": "authentication", + "b": "temporary_remote_access_mgmt", + "fb": "remote_access", + "sim": 0.639, + "relation": "SHARED_CAPABILITY", + "direction": "none", + "capability_name": "session_management", + "evidence_name": "", + "reason": "Beide ueber sicheres, zeitbegrenztes Session-Management erfuellt." + }, + { + "a": "remote_access_authentication", + "fa": "authentication", + "b": "remote_access_user_validation_ot", + "fb": "remote_access", + "sim": 0.638, + "relation": "SUPPORTED_BY", + "direction": "b->a", + "capability_name": "", + "evidence_name": "", + "reason": "OT-Nutzervalidierung ist domaenenspezifische Auspraegung der Remote-Authentifizierung." + }, + { + "a": "sbom_completeness_verification", + "fa": "sbom", + "b": "log_integrity_immutability", + "fb": "logging", + "sim": 0.638, + "relation": "UNRELATED", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "SBOM-Pruefung vs. Log-Integritaet, keine Beziehung." + }, + { + "a": "sbom_maintenance_update", + "fa": "sbom", + "b": "vuln_identification_inventory", + "fb": "vuln", + "sim": 0.636, + "relation": "SUPPORTED_BY", + "direction": "a->b", + "capability_name": "", + "evidence_name": "", + "reason": "Aktualisierte SBOM unterstuetzt kontinuierliche Schwachstellen-Identifikation." + }, + { + "a": "vuln_handling_process", + "fa": "vuln", + "b": "authentication_policy_documented", + "fb": "authentication", + "sim": 0.635, + "relation": "SHARED_PROCEDURE", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Beide ueber dokumentierte, gepflegte Richtlinien/Prozesse erfuellt." + }, + { + "a": "remote_access_authentication", + "fa": "authentication", + "b": "remote_access_threat_detection", + "fb": "remote_access", + "sim": 0.634, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Authentifizierung vs. Threat-Detection, distinkt." 
+ }, + { + "a": "vuln_info_dissemination_users", + "fa": "vuln", + "b": "update_testing_validation", + "fb": "updates", + "sim": 0.632, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Nutzerinformation vs. Update-Testen, distinkt." + }, + { + "a": "user_authentication_required", + "fa": "authentication", + "b": "signed_update_integrity", + "fb": "updates", + "sim": 0.632, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Nutzer-Authentifizierung vs. Update-Signatur, nur Wortueberlappung." + }, + { + "a": "log_monitoring_alerting", + "fa": "logging", + "b": "remote_access_threat_detection", + "fb": "remote_access", + "sim": 0.632, + "relation": "SHARED_CAPABILITY", + "direction": "none", + "capability_name": "anomaly_detection", + "evidence_name": "", + "reason": "Beide ueber Anomalie-/Bedrohungserkennung erfuellt." + }, + { + "a": "no_default_credentials", + "fa": "authentication", + "b": "automatic_updates_optout", + "fb": "updates", + "sim": 0.632, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Default-Credentials vs. Auto-Update-Default, nur Default-Thema." + }, + { + "a": "tls_certificate_auth", + "fa": "authentication", + "b": "remote_access_encryption", + "fb": "remote_access", + "sim": 0.631, + "relation": "SHARED_CAPABILITY", + "direction": "none", + "capability_name": "tls_certificate_auth", + "evidence_name": "", + "reason": "Beide ueber TLS/Client-Zertifikate erfuellt." + }, + { + "a": "reauth_after_inactivity", + "fa": "authentication", + "b": "remote_session_management", + "fb": "remote_access", + "sim": 0.63, + "relation": "SHARED_CAPABILITY", + "direction": "none", + "capability_name": "session_management", + "evidence_name": "", + "reason": "Beide ueber Inaktivitaets-Timeout/Reauth des Session-Managements erfuellt." 
+ }, + { + "a": "vuln_handling_process", + "fa": "vuln", + "b": "logging_config_management", + "fb": "logging", + "sim": 0.629, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Vuln-Prozess vs. Logging-Konfiguration, nur Dokumentationsbezug." + }, + { + "a": "sbom_access_provision", + "fa": "sbom", + "b": "vuln_identification_inventory", + "fb": "vuln", + "sim": 0.628, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "SBOM-Bereitstellung vs. Schwachstellen-Inventar, distinkt." + }, + { + "a": "vuln_handling_process", + "fa": "vuln", + "b": "remote_access_vuln_patch_mgmt", + "fb": "remote_access", + "sim": 0.627, + "relation": "SUPPORTED_BY", + "direction": "b->a", + "capability_name": "", + "evidence_name": "", + "reason": "Fernwartungs-Patching ist Teilfall des allgemeinen Vuln-Handling-Prozesses." + }, + { + "a": "logging_availability_resilience", + "fa": "logging", + "b": "remote_access_fallback_concept", + "fb": "remote_access", + "sim": 0.626, + "relation": "SHARED_PROCEDURE", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Beide ueber Fallback-/Redundanzkonzepte bei Ausfaellen erfuellt." + }, + { + "a": "remote_access_authentication", + "fa": "authentication", + "b": "remote_maintenance_governance", + "fb": "remote_access", + "sim": 0.625, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Authentifizierung vs. Fernwartungs-Governance, distinkt." + }, + { + "a": "vuln_assessment_prioritization", + "fa": "vuln", + "b": "update_testing_validation", + "fb": "updates", + "sim": 0.625, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Schwachstellenbewertung vs. Update-Testen, distinkt." 
+ }, + { + "a": "sbom_tooling_automation", + "fa": "sbom", + "b": "vuln_identification_inventory", + "fb": "vuln", + "sim": 0.624, + "relation": "SUPPORTED_BY", + "direction": "a->b", + "capability_name": "", + "evidence_name": "", + "reason": "Automatisierte SBOM-Generierung unterstuetzt Schwachstellen-Identifikation." + }, + { + "a": "vuln_remediation_patching", + "fa": "vuln", + "b": "support_period_maintenance", + "fb": "updates", + "sim": 0.624, + "relation": "SUPPORTED_BY", + "direction": "b->a", + "capability_name": "", + "evidence_name": "", + "reason": "Wartung im Support-Zeitraum unterstuetzt fristgerechte Schwachstellenbehebung." + }, + { + "a": "network_traffic_logging", + "fa": "logging", + "b": "component_remote_interface_security", + "fb": "remote_access", + "sim": 0.621, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Netzwerk-Logging vs. Schnittstellensicherheit, distinkt." + }, + { + "a": "sbom_completeness_verification", + "fa": "sbom", + "b": "signed_update_integrity", + "fb": "updates", + "sim": 0.621, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "SBOM-Pruefung vs. Update-Signatur, distinkt." + }, + { + "a": "vuln_assessment_prioritization", + "fa": "vuln", + "b": "password_policy", + "fb": "authentication", + "sim": 0.62, + "relation": "UNRELATED", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Schwachstellenbewertung vs. Passwortrichtlinie, Falsch-Positiv." + }, + { + "a": "session_binding_management", + "fa": "authentication", + "b": "remote_access_training", + "fb": "remote_access", + "sim": 0.62, + "relation": "UNRELATED", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Session-Management vs. Schulung, keine Beziehung." 
+ }, + { + "a": "vuln_remediation_patching", + "fa": "vuln", + "b": "automatic_updates_optout", + "fb": "updates", + "sim": 0.619, + "relation": "SUPPORTED_BY", + "direction": "b->a", + "capability_name": "", + "evidence_name": "", + "reason": "Automatische Updates unterstuetzen zeitnahe Schwachstellenbehebung." + }, + { + "a": "vuln_handling_process", + "fa": "vuln", + "b": "remote_access_logging_audit", + "fb": "remote_access", + "sim": 0.619, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Vuln-Prozess vs. Fernwartungsprotokollierung, distinkt." + }, + { + "a": "credential_confidentiality_protection", + "fa": "authentication", + "b": "log_timestamp_synchronization", + "fb": "logging", + "sim": 0.617, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Credential-Schutz vs. Log-Zeitstempel, nur Logbezug." + }, + { + "a": "vuln_assessment_prioritization", + "fa": "vuln", + "b": "update_risk_assessment", + "fb": "updates", + "sim": 0.617, + "relation": "SUPPORTED_BY", + "direction": "b->a", + "capability_name": "", + "evidence_name": "", + "reason": "Update-Risikobeurteilung speist standardisierte Schwachstellen-Priorisierung." + }, + { + "a": "vuln_handling_process", + "fa": "vuln", + "b": "update_rollback", + "fb": "updates", + "sim": 0.617, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Vuln-Prozess vs. Update-Rollback, distinkt." + }, + { + "a": "vuln_remediation_patching", + "fa": "vuln", + "b": "update_rollback", + "fb": "updates", + "sim": 0.616, + "relation": "SUPPORTED_BY", + "direction": "b->a", + "capability_name": "", + "evidence_name": "", + "reason": "Rollback unterstuetzt sichere Behebung fehlerhafter Patches." 
+ }, + { + "a": "supplier_access_auth", + "fa": "authentication", + "b": "remote_access_user_validation_ot", + "fb": "remote_access", + "sim": 0.613, + "relation": "SHARED_CAPABILITY", + "direction": "none", + "capability_name": "mfa", + "evidence_name": "", + "reason": "Beide ueber starke Authentifizierung/Validierung externer Fernzugriffe erfuellt." + }, + { + "a": "vuln_info_dissemination_users", + "fa": "vuln", + "b": "remote_access_vuln_patch_mgmt", + "fb": "remote_access", + "sim": 0.612, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Nutzerinformation vs. Fernwartungs-Patching, distinkt." + }, + { + "a": "remote_access_vuln_patch_mgmt", + "fa": "remote_access", + "b": "update_rollback", + "fb": "updates", + "sim": 0.61, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Fernwartungs-Patching vs. Rollback, distinkt." + }, + { + "a": "vuln_info_dissemination_users", + "fa": "vuln", + "b": "log_monitoring_alerting", + "fb": "logging", + "sim": 0.609, + "relation": "UNRELATED", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Nutzerinformation vs. Log-Monitoring, Falsch-Positiv." + }, + { + "a": "sbom_dependency_coverage", + "fa": "sbom", + "b": "vuln_identification_inventory", + "fb": "vuln", + "sim": 0.608, + "relation": "SUPPORTED_BY", + "direction": "a->b", + "capability_name": "", + "evidence_name": "", + "reason": "Dependency-Dokumentation unterstuetzt Schwachstellen-Identifikation in Komponenten." + }, + { + "a": "remote_access_vuln_patch_mgmt", + "fa": "remote_access", + "b": "support_period_maintenance", + "fb": "updates", + "sim": 0.608, + "relation": "SUPPORTED_BY", + "direction": "a->b", + "capability_name": "", + "evidence_name": "", + "reason": "Fernwartungs-Patching ist Teilfall der Support-Wartungsmassnahmen." 
+ }, + { + "a": "logging_config_management", + "fa": "logging", + "b": "support_period_maintenance", + "fb": "updates", + "sim": 0.608, + "relation": "UNRELATED", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Logging-Konfiguration vs. Support-Wartung, keine Beziehung." + }, + { + "a": "sbom_format_standard", + "fa": "sbom", + "b": "log_format_standardization", + "fb": "logging", + "sim": 0.606, + "relation": "OVERLAP_ONLY", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "SBOM-Format vs. Log-Format, nur Standardisierungsthema, distinkt." + }, + { + "a": "logging_library_supply_chain", + "fa": "logging", + "b": "remote_access_vuln_patch_mgmt", + "fb": "remote_access", + "sim": 0.606, + "relation": "SUPPORTED_BY", + "direction": "a->b", + "capability_name": "", + "evidence_name": "", + "reason": "Logging-Library-Patching ist domaenenspezifischer Teilfall des Vuln-Patch-Managements." + }, + { + "a": "remote_access_authentication", + "fa": "authentication", + "b": "support_period_maintenance", + "fb": "updates", + "sim": 0.605, + "relation": "UNRELATED", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Remote-Authentifizierung vs. Support-Wartung, Falsch-Positiv." + }, + { + "a": "sbom_access_provision", + "fa": "sbom", + "b": "coordinated_vulnerability_disclosure", + "fb": "vuln", + "sim": 0.604, + "relation": "SHARED_PROCEDURE", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Beide ueber definierte externe Kommunikations-/Meldekanaele erfuellt." + }, + { + "a": "vuln_handling_process", + "fa": "vuln", + "b": "support_period_maintenance", + "fb": "updates", + "sim": 0.602, + "relation": "SHARED_PROCEDURE", + "direction": "none", + "capability_name": "", + "evidence_name": "", + "reason": "Beide ueber definierte Prozesse/Zeithorizonte im Support-Zeitraum erfuellt." 
+ }, + { + "a": "vuln_info_dissemination_users", + "fa": "vuln", + "b": "automatic_updates_optout", + "fb": "updates", + "sim": 0.601, + "relation": "SUPPORTED_BY", + "direction": "a->b", + "capability_name": "", + "evidence_name": "", + "reason": "Nutzerinformation ergaenzt automatische Update-Bereitstellung." + } + ] +} \ No newline at end of file diff --git a/scripts/obligation_discovery/classify_relationships.py b/scripts/obligation_discovery/classify_relationships.py new file mode 100644 index 00000000..86b31a85 --- /dev/null +++ b/scripts/obligation_discovery/classify_relationships.py 
@@ -0,0 +1,85 @@ +"""Cross-Domain Relationship Discovery — Stufe 2: Opus klassifiziert jede Kandidaten-Beziehung +in GENAU EINE Kategorie. Liefert das Rohmaterial der Compliance-Ontologie (insb. SHARED_CAPABILITY += Capability-Schicht). ANTHROPIC_API_KEY aus ENV (nie hartcodiert). Streaming. + + ANTHROPIC_API_KEY=… python3 classify_relationships.py --pairs /tmp/cd_pairs.json \ + --only-cross-family --out /tmp/cd_classified.json +""" +from __future__ import annotations + +import argparse +import json +import os +import re +from collections import Counter + +SYS = """Du bist Compliance-Ontologe. Gegeben Paare von Legal Obligations (CRA), bestimme fuer +JEDES Paar GENAU EINE Beziehung. Ziel ist NICHT Aehnlichkeit, sondern die STRUKTURELLE Beziehung. + +Kategorien (genau EINE; bei Mehrdeutigkeit gilt diese Prioritaet): +1 SAME_OBLIGATION — dieselbe rechtliche Pflicht, nur pro Domaene anders formuliert -> MERGE-Kandidat. +2 SUPPORTED_BY — A ist domaenenspezifische Auspraegung/Teilfall von B ODER A traegt zur Erfuellung von B bei. RICHTUNG angeben. +3 SHARED_CAPABILITY — beide werden durch DIESELBE technische Faehigkeit erfuellt (z.B. MFA, TLS-Verschluesselung, digitale Signatur, Session-Management, Patch-Management, Logging-Pipeline). capability_name (snake_case) angeben. +4 SHARED_PROCEDURE — beide ueber denselben operativen Prozess erfuellt, ohne gemeinsames technisches Artefakt. +5 SHARED_EVIDENCE — beide erzeugen/nutzen denselben Nachweis (Audit-Log, SBOM, Release Notes). evidence_name angeben. +6 SHARED_GUIDANCE — beide berufen sich auf denselben externen Standard (NIST/OWASP/ISO), sonst distinkt. +7 OVERLAP_ONLY — nur oberflaechliche Wort-/Themenueberlappung, keine echte strukturelle Beziehung. +8 UNRELATED — Falsch-Positiv der Embedding-Naehe. 
+ +Gib AUSSCHLIESSLICH JSON aus: +{"results":[{"i":0,"relation":"SHARED_CAPABILITY","direction":"a->b|b->a|none","capability_name":"","evidence_name":"","reason":"max 18 Woerter"}]} +Regeln: relation = genau eine der 8 Strings. direction nur bei SUPPORTED_BY, sonst "none". +capability_name NUR bei SHARED_CAPABILITY (sonst ""), evidence_name NUR bei SHARED_EVIDENCE (sonst ""). +Sei streng: SHARED_GUIDANCE/OVERLAP_ONLY/UNRELATED grosszuegig nutzen; SAME_OBLIGATION nur bei echter Deckungsgleichheit. +Gib fuer JEDES Paar (per Index i) genau ein Ergebnis.""" + + +def build_user(pairs: list[dict]) -> str: + lines = [] + for i, p in enumerate(pairs): + lines.append(f'[{i}] A={p["a"]} ({p["fa"]}/{p["ta"]}): {p["da"]}\n' + f' B={p["b"]} ({p["fb"]}/{p["tb"]}): {p["db"]} [sim={p["sim"]}]') + return "Paare:\n" + "\n".join(lines) + + +def main() -> None: + ap = argparse.ArgumentParser() + ap.add_argument("--pairs", required=True) + ap.add_argument("--only-cross-family", action="store_true") + ap.add_argument("--min-sim", type=float, default=0.0) + ap.add_argument("--model", default="claude-opus-4-8") + ap.add_argument("--out", required=True) + a = ap.parse_args() + d = json.load(open(a.pairs, encoding="utf-8")) + pairs = [p for p in d["pairs"] + if (not a.only_cross_family or p["cross_family"]) and p["sim"] >= a.min_sim] + + import anthropic + client = anthropic.Anthropic(api_key=os.environ["ANTHROPIC_API_KEY"]) + with client.messages.stream(model=a.model, max_tokens=24000, system=SYS, + messages=[{"role": "user", "content": build_user(pairs)}]) as st: + msg = st.get_final_message() + txt = msg.content[0].text + m = re.search(r"\{.*\}", txt, re.DOTALL) + data = json.loads(m.group(0) if m else txt) + + res = [] + for r in data.get("results", []): + i = r.get("i") + if not isinstance(i, int) or i < 0 or i >= len(pairs): + continue + p = pairs[i] + res.append({"a": p["a"], "fa": p["fa"], "b": p["b"], "fb": p["fb"], "sim": p["sim"], + "relation": r.get("relation", "?"), 
"direction": r.get("direction", "none"), + "capability_name": r.get("capability_name", ""), + "evidence_name": r.get("evidence_name", ""), "reason": r.get("reason", "")}) + dist = Counter(r["relation"] for r in res) + out = {"n_pairs": len(pairs), "n_classified": len(res), "distribution": dict(dist), + "model": a.model, "results": res} + json.dump(out, open(a.out, "w", encoding="utf-8"), ensure_ascii=False, indent=1) + print(f"classified {len(res)}/{len(pairs)} | {dict(dist)}") + print("written:", a.out) + + +if __name__ == "__main__": + main() diff --git a/scripts/obligation_discovery/cross_domain_pairs.py b/scripts/obligation_discovery/cross_domain_pairs.py new file mode 100644 index 00000000..09155bb5 --- /dev/null +++ b/scripts/obligation_discovery/cross_domain_pairs.py 
@@ -0,0 +1,66 @@ +"""Cross-Domain Relationship Discovery — Stufe 1 (key-frei, im bp-compliance-backend-Container). +Alle Obligations mehrerer Registries -> BGE-M3-Embedding -> je Obligation Top-K Nachbarn -> +Kandidaten-Paare (cross- UND same-family) >= min-sim. KEIN Urteil hier — nur Kandidaten. +Stufe 2 (classify_relationships.py) klassifiziert die Beziehung per Opus. + + python3 cross_domain_pairs.py /tmp/reg/cra.json /tmp/reg/cra_authentication.json ... \ + --top-k 8 --min-sim 0.60 --out /tmp/cd_pairs.json +""" +from __future__ import annotations + +import argparse +import asyncio +import json + +from _core import cosine + + +async def run(paths: list[str], top_k: int, min_sim: float, out: str) -> None: + from compliance.services.mc_embedding_matcher import _embed_texts + + obls: list[dict] = [] + for p in paths: + reg = json.load(open(p, encoding="utf-8")) + fam = reg.get("family", "") + for o in reg.get("obligations", []): + obls.append({"id": o["id"], "family": o.get("family", "") or fam, + "tier": o.get("tier", ""), "name": o.get("name", ""), + "desc": o.get("description", "")}) + vecs = await _embed_texts([f'{o["name"]}. 
{o["desc"]}' for o in obls]) + n = len(obls) + print(f"obligations={n}") + + best: dict[tuple[int, int], float] = {} + for i in range(n): + nbrs = sorted(((cosine(vecs[i], vecs[j]), j) for j in range(n) if j != i), reverse=True)[:top_k] + for s, j in nbrs: + if s < min_sim: + continue + a, b = sorted((i, j)) + if (a, b) not in best or s > best[(a, b)]: + best[(a, b)] = s + + pairs = [] + for (a, b), s in sorted(best.items(), key=lambda x: -x[1]): + pairs.append({ + "a": obls[a]["id"], "fa": obls[a]["family"], "ta": obls[a]["tier"], "da": obls[a]["desc"][:220], + "b": obls[b]["id"], "fb": obls[b]["family"], "tb": obls[b]["tier"], "db": obls[b]["desc"][:220], + "sim": round(s, 3), "cross_family": obls[a]["family"] != obls[b]["family"]}) + cf = sum(1 for p in pairs if p["cross_family"]) + json.dump({"n_obligations": n, "n_pairs": len(pairs), "cross_family": cf, "pairs": pairs}, + open(out, "w", encoding="utf-8"), ensure_ascii=False, indent=1) + print(f"pairs={len(pairs)} (cross-family={cf}, same-family={len(pairs) - cf}) written: {out}") + + +def main() -> None: + ap = argparse.ArgumentParser() + ap.add_argument("registries", nargs="+") + ap.add_argument("--top-k", type=int, default=8) + ap.add_argument("--min-sim", type=float, default=0.60) + ap.add_argument("--out", default="/tmp/cd_pairs.json") + a = ap.parse_args() + asyncio.run(run(a.registries, a.top_k, a.min_sim, a.out)) + + +if __name__ == "__main__": + main()