feat(cra): NIST/OWASP security golden-set crosswalk + full measure texts in CRA tab
Crosswalk (cra_security_crosswalk.py): deterministic, hand-curated CRA Annex I -> NIST 800-53 Rev5 + OWASP Top 10:2021 mapping, the authoritative Security Golden Set (no RAG; semantic breadth comes later via the shared Controls-API). Mapper attaches NIST/OWASP refs per finding; golden-set completeness pinned by test (every requirement has >=1 NIST ref). CRA tab now shows the NIST/OWASP best- practice refs per finding and the full curated measure texts + norm references (from measures_library_cra.go). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Benjamin Admin
@@ -2,11 +2,15 @@
|
||||
|
||||
// DEMO data layer for the CRA / Cyber tab. The Kistenhubgeraet (crate lift) CE
|
||||
// project is treated AS IF it had an internet-connected IoT module. The cyber
|
||||
// findings are invented, but the CRA mapping below is the REAL output of the
|
||||
// deterministic backend mapper (compliance/services/cra_finding_mapper.py) run
|
||||
// on these findings — so the integration concept is faithful. The cross_links
|
||||
// (cyber re-opens a mechanically-mitigated safety hazard) are the core idea we
|
||||
// want to validate visually. Live wiring replaces this fixture later.
|
||||
// findings are invented, but the CRA mapping + the NIST 800-53 / OWASP Top 10
|
||||
// crosswalk below are the REAL output of the deterministic backend
|
||||
// (compliance/services/cra_finding_mapper.py + cra_security_crosswalk.py) run on
|
||||
// these findings — so the integration concept is faithful. Measure texts +
|
||||
// norm references are the real curated entries from measures_library_cra.go.
|
||||
// The cross_links (cyber re-opens a mechanically-mitigated safety hazard) are
|
||||
// the core idea we validate visually. Live wiring replaces this fixture later.
|
||||
|
||||
export interface OwaspRef { code: string; label: string }
|
||||
|
||||
export interface CRAFinding {
|
||||
id: string
|
||||
@@ -19,8 +23,17 @@ export interface CRAFinding {
|
||||
requirement_ids: string[]
|
||||
annex_anchor: string
|
||||
iso27001_ref: string[]
|
||||
nist_refs: string[]
|
||||
owasp_refs: OwaspRef[]
|
||||
risk_level: string
|
||||
measures: { id: string; description: string }[]
|
||||
measures: string[]
|
||||
}
|
||||
|
||||
export interface Measure {
|
||||
id: string
|
||||
name: string
|
||||
description: string
|
||||
norm_refs: string[]
|
||||
}
|
||||
|
||||
export interface CrossLink {
|
||||
@@ -38,19 +51,27 @@ export interface CRADemo {
|
||||
by_risk: Record<string, number>
|
||||
coverage_pct: number
|
||||
requirements_touched: string[]
|
||||
open_measures: { id: string; description: string }[]
|
||||
open_measures: Measure[]
|
||||
cross_links: CrossLink[]
|
||||
deadlines: { date: string; label: string }[]
|
||||
}
|
||||
|
||||
const MEASURE_DESC: Record<string, string> = {
|
||||
M541: 'Signierte Software- und Firmware-Updates mit Rollback-Schutz',
|
||||
M542: 'Initiale Default-Passwoerter beim ersten Start erzwungen aendern',
|
||||
M545: 'Cybersecurity-Hardening-Guide fuer den Anwender beilegen',
|
||||
M547: 'Updates ueber authentisierten Kanal mit Integritaetspruefung',
|
||||
}
|
||||
const ow = (code: string, label: string): OwaspRef => ({ code, label })
|
||||
|
||||
const m = (...ids: string[]) => ids.map((id) => ({ id, description: MEASURE_DESC[id] || '' }))
|
||||
const MEASURES: Measure[] = [
|
||||
{ id: 'M542', name: 'Initiale Default-Passwoerter beim ersten Start erzwungen aendern',
|
||||
description: 'Die Maschine fordert beim ersten Hochfahren zwingend die Aenderung aller werkseitigen Default-Passwoerter (Bediener, Wartung, Admin). Default-Credentials werden nicht in Klartext in der Dokumentation veroeffentlicht, sondern dem Betreiber separat (versiegelt) uebergeben. Eine Wiederherstellung auf Default-Credentials ist nur ueber physischen Zugriff moeglich.',
|
||||
norm_refs: ['Verordnung (EU) 2024/2847 (CRA), Anhang I', 'DIN EN 40000-1-2 (Entwurf)', 'ETSI EN 303 645'] },
|
||||
{ id: 'M547', name: 'Updates ueber authentisierten Kanal mit Integritaetspruefung',
|
||||
description: 'Der Update-Kanal (Online-Pull oder USB-Push) ist gegen Manipulation gesichert: TLS-1.3 mit Zertifikatspruefung bei Online-Updates, Hash-Pruefung der Update-Datei vor dem Anwenden. Der Update-Prozess ist atomar: bei Abbruch bleibt die alte Version lauffaehig.',
|
||||
norm_refs: ['Verordnung (EU) 2024/2847 (CRA), Anhang I', 'DIN EN 40000-1-2 (Entwurf)', 'IEC 62443-4-2'] },
|
||||
{ id: 'M541', name: 'Signierte Software- und Firmware-Updates mit Rollback-Schutz',
|
||||
description: 'Updates der Steuerungs-, Roboter- und Visualisierungssoftware werden ausschliesslich kryptographisch signiert ausgeliefert. Die Steuerung prueft die Signatur vor der Installation und verweigert das Einspielen unsignierter Pakete. Ein Rollback-Schutz verhindert das Downgraden auf nachweislich verwundbare Versionen.',
|
||||
norm_refs: ['Verordnung (EU) 2024/2847 (CRA), Anhang I', 'DIN EN 40000-1-2 (Entwurf)', 'IEC 62443-4-1'] },
|
||||
{ id: 'M545', name: 'Cybersecurity-Hardening-Guide fuer den Anwender beilegen',
|
||||
description: 'Die mit der Maschine ausgelieferte Dokumentation enthaelt einen Cybersecurity-Hardening-Guide: empfohlene Netzwerk-Segmentierung, deaktivierbare Dienste, sichere Konfiguration aller eingebauten Komponenten (PLC, HMI, Roboter), Empfehlungen zur Benutzer-Verwaltung. Der Guide wird bei Update-Releases gepflegt.',
|
||||
norm_refs: ['Verordnung (EU) 2024/2847 (CRA), Anhang II', 'DIN EN 40000-1-2 (Entwurf)', 'IEC 62443-3-3'] },
|
||||
]
|
||||
|
||||
const DEMO: CRADemo = {
|
||||
scenario:
|
||||
@@ -59,32 +80,38 @@ const DEMO: CRADemo = {
|
||||
{ id: 'KH-CY-1', title: 'Fernsteuer-Weboberflaeche mit universellem Default-Passwort', location: 'remote-ui/login',
|
||||
scanner_severity: 'critical', cwe: 'CWE-259', primary_requirement: 'CRA-AI-8',
|
||||
requirement_title: 'Keine Default-Passwoerter', requirement_ids: ['CRA-AI-8'],
|
||||
annex_anchor: 'Annex I, 1(3)(d)', iso27001_ref: ['A.8.5'], risk_level: 'CRITICAL', measures: m('M542') },
|
||||
annex_anchor: 'Annex I, 1(3)(d)', iso27001_ref: ['A.8.5'], nist_refs: ['IA-5', 'IA-5(1)'],
|
||||
owasp_refs: [ow('A07:2021', 'Identification and Authentication Failures')], risk_level: 'CRITICAL', measures: ['M542'] },
|
||||
{ id: 'KH-CY-2', title: 'IoT-Telemetrie unverschluesselt ueber MQTT', location: 'telemetry/mqtt',
|
||||
scanner_severity: 'high', cwe: 'CWE-319', primary_requirement: 'CRA-AI-15',
|
||||
requirement_title: 'Transport-Schutz (Data in Transit)', requirement_ids: ['CRA-AI-15', 'CRA-AI-13'],
|
||||
annex_anchor: 'Annex I, 1(3)(e)', iso27001_ref: ['A.8.24'], risk_level: 'HIGH', measures: [] },
|
||||
annex_anchor: 'Annex I, 1(3)(e)', iso27001_ref: ['A.8.24'], nist_refs: ['SC-8', 'SC-8(1)', 'SC-13', 'SC-28'],
|
||||
owasp_refs: [ow('A02:2021', 'Cryptographic Failures')], risk_level: 'HIGH', measures: [] },
|
||||
{ id: 'KH-CY-3', title: 'Firmware-Updates ohne Signaturpruefung', location: 'updater',
|
||||
scanner_severity: 'high', cwe: 'CWE-494', primary_requirement: 'CRA-AI-30',
|
||||
requirement_title: 'Update-Integritaet', requirement_ids: ['CRA-AI-30', 'CRA-AI-28', 'CRA-AI-6'],
|
||||
annex_anchor: 'Annex I, 1(4)', iso27001_ref: ['A.8.24'], risk_level: 'HIGH', measures: m('M547', 'M541') },
|
||||
annex_anchor: 'Annex I, 1(4)', iso27001_ref: ['A.8.24'], nist_refs: ['SI-7', 'SI-2'],
|
||||
owasp_refs: [ow('A08:2021', 'Software and Data Integrity Failures')], risk_level: 'HIGH', measures: ['M547', 'M541'] },
|
||||
{ id: 'KH-CY-4', title: 'Offener Debug-Port (telnet) am Controller', location: 'controller:23',
|
||||
scanner_severity: 'medium', cwe: 'CWE-1188', primary_requirement: 'CRA-AI-1',
|
||||
requirement_title: 'Secure-by-Default-Konfiguration', requirement_ids: ['CRA-AI-1'],
|
||||
annex_anchor: 'Annex I, 1(1)', iso27001_ref: ['A.8.9'], risk_level: 'HIGH', measures: m('M545') },
|
||||
annex_anchor: 'Annex I, 1(1)', iso27001_ref: ['A.8.9'], nist_refs: ['CM-6', 'CM-7'],
|
||||
owasp_refs: [ow('A05:2021', 'Security Misconfiguration')], risk_level: 'HIGH', measures: ['M545'] },
|
||||
{ id: 'KH-CY-5', title: 'Gebundelte libmodbus mit bekannter CVE (veraltet)', location: 'deps/libmodbus',
|
||||
scanner_severity: 'high', cwe: 'CWE-1104', primary_requirement: 'CRA-AI-22',
|
||||
requirement_title: 'Dependency-Monitoring', requirement_ids: ['CRA-AI-22'],
|
||||
annex_anchor: 'Annex I, 1(5)', iso27001_ref: ['A.8.8', 'A.8.25'], risk_level: 'HIGH', measures: [] },
|
||||
annex_anchor: 'Annex I, 1(5)', iso27001_ref: ['A.8.8', 'A.8.25'], nist_refs: ['RA-5', 'SI-2', 'SR-4'],
|
||||
owasp_refs: [ow('A06:2021', 'Vulnerable and Outdated Components')], risk_level: 'HIGH', measures: [] },
|
||||
{ id: 'KH-CY-6', title: 'Keine Sicherheits-Protokollierung der Remote-Befehle', location: 'remote-ui',
|
||||
scanner_severity: 'medium', cwe: 'CWE-778', primary_requirement: 'CRA-AI-24',
|
||||
requirement_title: 'Security-Logging', requirement_ids: ['CRA-AI-24'],
|
||||
annex_anchor: 'Annex I, 1(3)(g)', iso27001_ref: ['A.8.15'], risk_level: 'MEDIUM', measures: [] },
|
||||
annex_anchor: 'Annex I, 1(3)(g)', iso27001_ref: ['A.8.15'], nist_refs: ['AU-2', 'AU-3'],
|
||||
owasp_refs: [ow('A09:2021', 'Security Logging and Monitoring Failures')], risk_level: 'MEDIUM', measures: [] },
|
||||
],
|
||||
by_risk: { CRITICAL: 1, HIGH: 4, MEDIUM: 1, LOW: 0 },
|
||||
coverage_pct: 100.0,
|
||||
requirements_touched: ['CRA-AI-1', 'CRA-AI-6', 'CRA-AI-8', 'CRA-AI-13', 'CRA-AI-15', 'CRA-AI-22', 'CRA-AI-24', 'CRA-AI-28', 'CRA-AI-30'],
|
||||
open_measures: m('M542', 'M547', 'M541', 'M545'),
|
||||
open_measures: MEASURES,
|
||||
cross_links: [
|
||||
{
|
||||
cyber_finding_ids: ['KH-CY-1', 'KH-CY-3'],
|
||||
|
||||
Reference in New Issue
Block a user