Benjamin_Boenisch/breakpilot-compliance
1
1
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity

feat(cra): two-lane breadth — CRA-specific corpus + technical depth

Browse Source 
All 6 security use_cases are atom-grain now. Per finding we draw two lanes: the
CRA corpus (use_case=cra, the most on-point CRA obligations) + the technical
depth (code_security for secure-dev, else network_security). Controls merged,
deduped, each tagged with its use_case (shown in the best-practice depth).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Benjamin Admin
2026-06-14 12:23:37 +02:00
parent a06c64af48
commit 398eaf3c36
4 changed files with 37 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files
admin-compliance/app/sdk/iace/[projectId]/cra/_components/CRACyberView.tsx
+4 -2
View File
@@ -130,12 +130,14 @@ function FindingsTable({ findings }: { findings: CRAFinding[] }) {
{f.regulatory_breadth && f.regulatory_breadth.length > 0 && (
<div className="mt-2">
<p className="text-[10px] text-gray-400 mb-1">
Regulatorische Breite{f.sub_topic ? `${f.sub_topic}` : ''}
{f.breadth_use_case ? ` · ${f.breadth_use_case}` : ''} (NIST/OWASP/ENISA-Quellen)
Regulatorische Breite{f.sub_topic ? `${f.sub_topic}` : ''} (CRA + NIST/OWASP/ENISA-Quellen)
</p>
<ul className="space-y-0.5">
{f.regulatory_breadth.map((c) => (
<li key={c.control_id} className="text-[10px] text-gray-600 dark:text-gray-300">
{c.use_case && (
<span className="inline-block rounded bg-gray-200 text-gray-600 dark:bg-gray-600 dark:text-gray-200 px-1 py-0.5 text-[9px] mr-1">{c.use_case}</span>
)}
<span className="font-mono text-gray-500">{c.control_id}</span> {c.title}
<span className="text-gray-400"> · {c.source_regulation}</span>
</li>
admin-compliance/app/sdk/iace/[projectId]/cra/_hooks/useCRA.ts
-1
View File
@@ -58,7 +58,6 @@ function merge(live: any): CRADemo {
measures: m.measures || [],
evidence_type: m.evidence_type,
sub_topic: m.sub_topic,
breadth_use_case: m.breadth_use_case,
regulatory_breadth: m.regulatory_breadth || [],
priority_tier: m.priority_tier,
priority_score: m.priority_score,
admin-compliance/app/sdk/iace/[projectId]/cra/_hooks/useCRADemo.ts
+2 -3
View File
@@ -28,10 +28,9 @@ export interface CRAFinding {
risk_level: string
measures: string[]
evidence_type?: string // code | process | hybrid | document — drives the remediation-class badge
// regulatory breadth (atom-grain shared Controls-API: network_security / code_security), live only
// regulatory breadth (atom-grain shared Controls-API: cra + code/network_security), live only
sub_topic?: string
breadth_use_case?: string
regulatory_breadth?: { control_id: string; title: string; source_regulation: string; severity?: string }[]
regulatory_breadth?: { control_id: string; title: string; source_regulation: string; severity?: string; use_case?: string }[]
// priority layer (set live by the backend prioritizer; optional in the static fallback)
priority_tier?: string
priority_score?: number
backend-compliance/compliance/services/cra_use_case_controls.py
+31 -28
View File
@@ -38,27 +38,26 @@ _REQ_TO_SUBTOPIC = {
}
# Which atom-grain use_case is most relevant per sub_topic. Both network_security
# and code_security are atom-grain; secure-dev is best served by code_security.
_SUBTOPIC_TO_USECASE = {
"secure_development": "code_security",
}
_DEFAULT_USECASE = "network_security"
# Two breadth lanes per finding: the CRA-specific corpus (always — most on-point
# for a CRA assessment) + the technical-depth corpus for the sub_topic
# (code_security for secure-dev, else network_security). All atom-grain.
# isms/dora/kritis are also atom-grain — available for future per-regime routing.
_TECHNICAL_USECASE = {"secure_development": "code_security"} # default: network_security
def subtopic_for(req_id: str):
return _REQ_TO_SUBTOPIC.get(req_id)
def usecase_for(sub_topic: str) -> str:
return _SUBTOPIC_TO_USECASE.get(sub_topic, _DEFAULT_USECASE)
def usecases_for(sub_topic: str) -> list:
return ["cra", _TECHNICAL_USECASE.get(sub_topic, "network_security")]
def enrich_findings_with_breadth(mapped: list, db, limit: int = 5) -> None:
"""Attach `sub_topic` + `regulatory_breadth` (atom controls) to each finding.
Queries network_security once per distinct sub_topic (cached). Best-effort:
on any error a finding just gets an empty breadth — never breaks the assessment.
def enrich_findings_with_breadth(mapped: list, db, per_use_case: int = 3) -> None:
"""Attach `sub_topic` + `regulatory_breadth` (atom controls from the CRA corpus
+ the technical-depth corpus) to each finding, each control tagged with its
use_case. Queries are cached per (use_case, sub_topic). Best-effort: on any
error a finding just gets fewer/empty breadth — never breaks the assessment.
"""
svc = UseCaseControlsService(db)
cache: dict = {}
@@ -67,19 +66,23 @@ def enrich_findings_with_breadth(mapped: list, db, limit: int = 5) -> None:
m["sub_topic"] = st
if not st:
m["regulatory_breadth"] = []
m["breadth_use_case"] = None
continue
uc = usecase_for(st)
m["breadth_use_case"] = uc
key = (uc, st)
if key not in cache:
try:
res = svc.controls_for_use_case(uc, sub_topic=st, limit=limit)
cache[key] = [
{"control_id": c.get("control_id"), "title": c.get("title"),
"source_regulation": c.get("source_regulation"), "severity": c.get("severity")}
for c in res.get("controls", [])
]
except Exception:
cache[key] = []
m["regulatory_breadth"] = cache[key]
merged, seen = [], set()
for uc in usecases_for(st):
key = (uc, st)
if key not in cache:
try:
res = svc.controls_for_use_case(uc, sub_topic=st, limit=per_use_case)
cache[key] = [
{"control_id": c.get("control_id"), "title": c.get("title"),
"source_regulation": c.get("source_regulation"),
"severity": c.get("severity"), "use_case": uc}
for c in res.get("controls", [])
]
except Exception:
cache[key] = []
for c in cache[key]:
if c["control_id"] and c["control_id"] not in seen:
seen.add(c["control_id"])
merged.append(c)
m["regulatory_breadth"] = merged