Benjamin_Boenisch/breakpilot-compliance
1
1
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity

feat(cra): NIST/OWASP security golden-set crosswalk + full measure texts in CRA tab

Browse Source 
Crosswalk (cra_security_crosswalk.py): deterministic, hand-curated CRA Annex I ->
NIST 800-53 Rev5 + OWASP Top 10:2021 mapping, the authoritative Security Golden
Set (no RAG; semantic breadth comes later via the shared Controls-API). Mapper
attaches NIST/OWASP refs per finding; golden-set completeness pinned by test
(every requirement has >=1 NIST ref). CRA tab now shows the NIST/OWASP best-
practice refs per finding and the full curated measure texts + norm references
(from measures_library_cra.go).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Benjamin Admin
2026-06-13 21:24:53 +02:00
parent cadc34dad4
commit 43ae33975d
5 changed files with 225 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files
admin-compliance/app/sdk/iace/[projectId]/cra/_components/CRACyberView.tsx
+49 -24
View File
@@ -92,7 +92,7 @@ export function CRACyberView({ data }: { data: CRADemo }) {
<tr className="text-gray-500 border-b border-gray-200 dark:border-gray-700 text-left">
<th className="py-2 px-4">Cyber-Befund</th>
<th className="py-2 px-3">CRA-Anforderung</th>
<th className="py-2 px-3">Annex I</th>
<th className="py-2 px-3">Best Practice (NIST / OWASP)</th>
<th className="py-2 px-3">Risiko</th>
<th className="py-2 px-4">Maßnahmen</th>
</tr>
@@ -109,11 +109,25 @@ export function CRACyberView({ data }: { data: CRADemo }) {
{f.requirement_ids.length > 1 && (
<span className="text-[10px] text-gray-400"> +{f.requirement_ids.length - 1}</span>
)}
<div className="text-[10px] text-gray-400">{f.annex_anchor}</div>
</td>
<td className="py-2 px-3">
<div className="flex flex-wrap gap-1">
{f.nist_refs.map((n) => (
<span key={n} className="inline-block rounded bg-slate-100 text-slate-600 dark:bg-slate-700 dark:text-slate-300 px-1.5 py-0.5 text-[10px] font-mono">
{n}
</span>
))}
{f.owasp_refs.map((o) => (
<span key={o.code} title={o.label} className="inline-block rounded bg-blue-100 text-blue-700 dark:bg-blue-900/40 dark:text-blue-300 px-1.5 py-0.5 text-[10px] font-medium">
{o.code}
</span>
))}
</div>
</td>
<td className="py-2 px-3 text-gray-500">{f.annex_anchor}</td>
<td className="py-2 px-3"><RiskBadge level={f.risk_level} /></td>
<td className="py-2 px-4 text-gray-600 dark:text-gray-300">
{f.measures.length ? f.measures.map((me) => me.id).join(', ') : <span className="text-gray-400"></span>}
{f.measures.length ? f.measures.join(', ') : <span className="text-gray-400"></span>}
</td>
</tr>
))}
@@ -122,29 +136,40 @@ export function CRACyberView({ data }: { data: CRADemo }) {
</div>
</div>
{/* Measures + deadlines */}
<div className="grid md:grid-cols-2 gap-3">
<div className="rounded-xl border border-gray-200 dark:border-gray-700 bg-white dark:bg-gray-800 p-4">
<h2 className="text-sm font-semibold text-gray-800 dark:text-gray-200 mb-2">Empfohlene Maßnahmen</h2>
<ul className="space-y-1.5">
{data.open_measures.map((me) => (
<li key={me.id} className="text-xs text-gray-600 dark:text-gray-300">
<span className="font-medium text-gray-700 dark:text-gray-200">{me.id}</span> {me.description}
</li>
))}
</ul>
</div>
<div className="rounded-xl border border-gray-200 dark:border-gray-700 bg-white dark:bg-gray-800 p-4">
<h2 className="text-sm font-semibold text-gray-800 dark:text-gray-200 mb-2">CRA-Fristen</h2>
<ul className="space-y-1.5">
{data.deadlines.map((d) => (
<li key={d.date} className="text-xs text-gray-600 dark:text-gray-300 flex gap-2">
<span className="font-mono text-gray-500">{d.date}</span> {d.label}
</li>
))}
</ul>
{/* Recommended measures — full curated text + norm references */}
<div className="rounded-xl border border-gray-200 dark:border-gray-700 bg-white dark:bg-gray-800 p-4">
<h2 className="text-sm font-semibold text-gray-800 dark:text-gray-200 mb-1">Empfohlene Maßnahmen</h2>
<p className="text-[11px] text-gray-400 mb-3">Kuratierte CRA-Maßnahmen aus der BreakPilot-Bibliothek mit Normverweisen.</p>
<div className="space-y-3">
{data.open_measures.map((me) => (
<div key={me.id} className="rounded-lg border border-gray-100 dark:border-gray-700/60 p-3">
<p className="text-sm font-medium text-gray-800 dark:text-gray-200">
<span className="font-mono text-purple-600 dark:text-purple-400">{me.id}</span> {me.name}
</p>
<p className="text-xs text-gray-600 dark:text-gray-300 mt-1">{me.description}</p>
<div className="flex flex-wrap gap-1 mt-2">
{me.norm_refs.map((nr) => (
<span key={nr} className="inline-block rounded bg-gray-100 text-gray-500 dark:bg-gray-700 dark:text-gray-300 px-1.5 py-0.5 text-[10px]">
{nr}
</span>
))}
</div>
</div>
))}
</div>
</div>
{/* CRA deadlines */}
<div className="rounded-xl border border-gray-200 dark:border-gray-700 bg-white dark:bg-gray-800 p-4">
<h2 className="text-sm font-semibold text-gray-800 dark:text-gray-200 mb-2">CRA-Fristen</h2>
<ul className="flex flex-wrap gap-4">
{data.deadlines.map((d) => (
<li key={d.date} className="text-xs text-gray-600 dark:text-gray-300 flex items-center gap-2">
<span className="font-mono text-gray-500">{d.date}</span> {d.label}
</li>
))}
</ul>
</div>
</div>
)
}
admin-compliance/app/sdk/iace/[projectId]/cra/_hooks/useCRADemo.ts
+48 -21
View File
@@ -2,11 +2,15 @@
// DEMO data layer for the CRA / Cyber tab. The Kistenhubgeraet (crate lift) CE
// project is treated AS IF it had an internet-connected IoT module. The cyber
// findings are invented, but the CRA mapping below is the REAL output of the
// deterministic backend mapper (compliance/services/cra_finding_mapper.py) run
// on these findings — so the integration concept is faithful. The cross_links
// (cyber re-opens a mechanically-mitigated safety hazard) are the core idea we
// want to validate visually. Live wiring replaces this fixture later.
// findings are invented, but the CRA mapping + the NIST 800-53 / OWASP Top 10
// crosswalk below are the REAL output of the deterministic backend
// (compliance/services/cra_finding_mapper.py + cra_security_crosswalk.py) run on
// these findings — so the integration concept is faithful. Measure texts +
// norm references are the real curated entries from measures_library_cra.go.
// The cross_links (cyber re-opens a mechanically-mitigated safety hazard) are
// the core idea we validate visually. Live wiring replaces this fixture later.
export interface OwaspRef { code: string; label: string }
export interface CRAFinding {
id: string
@@ -19,8 +23,17 @@ export interface CRAFinding {
requirement_ids: string[]
annex_anchor: string
iso27001_ref: string[]
nist_refs: string[]
owasp_refs: OwaspRef[]
risk_level: string
measures: { id: string; description: string }[]
measures: string[]
}
export interface Measure {
id: string
name: string
description: string
norm_refs: string[]
}
export interface CrossLink {
@@ -38,19 +51,27 @@ export interface CRADemo {
by_risk: Record<string, number>
coverage_pct: number
requirements_touched: string[]
open_measures: { id: string; description: string }[]
open_measures: Measure[]
cross_links: CrossLink[]
deadlines: { date: string; label: string }[]
}
const MEASURE_DESC: Record<string, string> = {
M541: 'Signierte Software- und Firmware-Updates mit Rollback-Schutz',
M542: 'Initiale Default-Passwoerter beim ersten Start erzwungen aendern',
M545: 'Cybersecurity-Hardening-Guide fuer den Anwender beilegen',
M547: 'Updates ueber authentisierten Kanal mit Integritaetspruefung',
}
const ow = (code: string, label: string): OwaspRef => ({ code, label })
const m = (...ids: string[]) => ids.map((id) => ({ id, description: MEASURE_DESC[id] || '' }))
const MEASURES: Measure[] = [
{ id: 'M542', name: 'Initiale Default-Passwoerter beim ersten Start erzwungen aendern',
description: 'Die Maschine fordert beim ersten Hochfahren zwingend die Aenderung aller werkseitigen Default-Passwoerter (Bediener, Wartung, Admin). Default-Credentials werden nicht in Klartext in der Dokumentation veroeffentlicht, sondern dem Betreiber separat (versiegelt) uebergeben. Eine Wiederherstellung auf Default-Credentials ist nur ueber physischen Zugriff moeglich.',
norm_refs: ['Verordnung (EU) 2024/2847 (CRA), Anhang I', 'DIN EN 40000-1-2 (Entwurf)', 'ETSI EN 303 645'] },
{ id: 'M547', name: 'Updates ueber authentisierten Kanal mit Integritaetspruefung',
description: 'Der Update-Kanal (Online-Pull oder USB-Push) ist gegen Manipulation gesichert: TLS-1.3 mit Zertifikatspruefung bei Online-Updates, Hash-Pruefung der Update-Datei vor dem Anwenden. Der Update-Prozess ist atomar: bei Abbruch bleibt die alte Version lauffaehig.',
norm_refs: ['Verordnung (EU) 2024/2847 (CRA), Anhang I', 'DIN EN 40000-1-2 (Entwurf)', 'IEC 62443-4-2'] },
{ id: 'M541', name: 'Signierte Software- und Firmware-Updates mit Rollback-Schutz',
description: 'Updates der Steuerungs-, Roboter- und Visualisierungssoftware werden ausschliesslich kryptographisch signiert ausgeliefert. Die Steuerung prueft die Signatur vor der Installation und verweigert das Einspielen unsignierter Pakete. Ein Rollback-Schutz verhindert das Downgraden auf nachweislich verwundbare Versionen.',
norm_refs: ['Verordnung (EU) 2024/2847 (CRA), Anhang I', 'DIN EN 40000-1-2 (Entwurf)', 'IEC 62443-4-1'] },
{ id: 'M545', name: 'Cybersecurity-Hardening-Guide fuer den Anwender beilegen',
description: 'Die mit der Maschine ausgelieferte Dokumentation enthaelt einen Cybersecurity-Hardening-Guide: empfohlene Netzwerk-Segmentierung, deaktivierbare Dienste, sichere Konfiguration aller eingebauten Komponenten (PLC, HMI, Roboter), Empfehlungen zur Benutzer-Verwaltung. Der Guide wird bei Update-Releases gepflegt.',
norm_refs: ['Verordnung (EU) 2024/2847 (CRA), Anhang II', 'DIN EN 40000-1-2 (Entwurf)', 'IEC 62443-3-3'] },
]
const DEMO: CRADemo = {
scenario:
@@ -59,32 +80,38 @@ const DEMO: CRADemo = {
{ id: 'KH-CY-1', title: 'Fernsteuer-Weboberflaeche mit universellem Default-Passwort', location: 'remote-ui/login',
scanner_severity: 'critical', cwe: 'CWE-259', primary_requirement: 'CRA-AI-8',
requirement_title: 'Keine Default-Passwoerter', requirement_ids: ['CRA-AI-8'],
annex_anchor: 'Annex I, 1(3)(d)', iso27001_ref: ['A.8.5'], risk_level: 'CRITICAL', measures: m('M542') },
annex_anchor: 'Annex I, 1(3)(d)', iso27001_ref: ['A.8.5'], nist_refs: ['IA-5', 'IA-5(1)'],
owasp_refs: [ow('A07:2021', 'Identification and Authentication Failures')], risk_level: 'CRITICAL', measures: ['M542'] },
{ id: 'KH-CY-2', title: 'IoT-Telemetrie unverschluesselt ueber MQTT', location: 'telemetry/mqtt',
scanner_severity: 'high', cwe: 'CWE-319', primary_requirement: 'CRA-AI-15',
requirement_title: 'Transport-Schutz (Data in Transit)', requirement_ids: ['CRA-AI-15', 'CRA-AI-13'],
annex_anchor: 'Annex I, 1(3)(e)', iso27001_ref: ['A.8.24'], risk_level: 'HIGH', measures: [] },
annex_anchor: 'Annex I, 1(3)(e)', iso27001_ref: ['A.8.24'], nist_refs: ['SC-8', 'SC-8(1)', 'SC-13', 'SC-28'],
owasp_refs: [ow('A02:2021', 'Cryptographic Failures')], risk_level: 'HIGH', measures: [] },
{ id: 'KH-CY-3', title: 'Firmware-Updates ohne Signaturpruefung', location: 'updater',
scanner_severity: 'high', cwe: 'CWE-494', primary_requirement: 'CRA-AI-30',
requirement_title: 'Update-Integritaet', requirement_ids: ['CRA-AI-30', 'CRA-AI-28', 'CRA-AI-6'],
annex_anchor: 'Annex I, 1(4)', iso27001_ref: ['A.8.24'], risk_level: 'HIGH', measures: m('M547', 'M541') },
annex_anchor: 'Annex I, 1(4)', iso27001_ref: ['A.8.24'], nist_refs: ['SI-7', 'SI-2'],
owasp_refs: [ow('A08:2021', 'Software and Data Integrity Failures')], risk_level: 'HIGH', measures: ['M547', 'M541'] },
{ id: 'KH-CY-4', title: 'Offener Debug-Port (telnet) am Controller', location: 'controller:23',
scanner_severity: 'medium', cwe: 'CWE-1188', primary_requirement: 'CRA-AI-1',
requirement_title: 'Secure-by-Default-Konfiguration', requirement_ids: ['CRA-AI-1'],
annex_anchor: 'Annex I, 1(1)', iso27001_ref: ['A.8.9'], risk_level: 'HIGH', measures: m('M545') },
annex_anchor: 'Annex I, 1(1)', iso27001_ref: ['A.8.9'], nist_refs: ['CM-6', 'CM-7'],
owasp_refs: [ow('A05:2021', 'Security Misconfiguration')], risk_level: 'HIGH', measures: ['M545'] },
{ id: 'KH-CY-5', title: 'Gebundelte libmodbus mit bekannter CVE (veraltet)', location: 'deps/libmodbus',
scanner_severity: 'high', cwe: 'CWE-1104', primary_requirement: 'CRA-AI-22',
requirement_title: 'Dependency-Monitoring', requirement_ids: ['CRA-AI-22'],
annex_anchor: 'Annex I, 1(5)', iso27001_ref: ['A.8.8', 'A.8.25'], risk_level: 'HIGH', measures: [] },
annex_anchor: 'Annex I, 1(5)', iso27001_ref: ['A.8.8', 'A.8.25'], nist_refs: ['RA-5', 'SI-2', 'SR-4'],
owasp_refs: [ow('A06:2021', 'Vulnerable and Outdated Components')], risk_level: 'HIGH', measures: [] },
{ id: 'KH-CY-6', title: 'Keine Sicherheits-Protokollierung der Remote-Befehle', location: 'remote-ui',
scanner_severity: 'medium', cwe: 'CWE-778', primary_requirement: 'CRA-AI-24',
requirement_title: 'Security-Logging', requirement_ids: ['CRA-AI-24'],
annex_anchor: 'Annex I, 1(3)(g)', iso27001_ref: ['A.8.15'], risk_level: 'MEDIUM', measures: [] },
annex_anchor: 'Annex I, 1(3)(g)', iso27001_ref: ['A.8.15'], nist_refs: ['AU-2', 'AU-3'],
owasp_refs: [ow('A09:2021', 'Security Logging and Monitoring Failures')], risk_level: 'MEDIUM', measures: [] },
],
by_risk: { CRITICAL: 1, HIGH: 4, MEDIUM: 1, LOW: 0 },
coverage_pct: 100.0,
requirements_touched: ['CRA-AI-1', 'CRA-AI-6', 'CRA-AI-8', 'CRA-AI-13', 'CRA-AI-15', 'CRA-AI-22', 'CRA-AI-24', 'CRA-AI-28', 'CRA-AI-30'],
open_measures: m('M542', 'M547', 'M541', 'M545'),
open_measures: MEASURES,
cross_links: [
{
cyber_finding_ids: ['KH-CY-1', 'KH-CY-3'],