feat(cra): NIST/OWASP security golden-set crosswalk + full measure texts in CRA tab
Crosswalk (cra_security_crosswalk.py): deterministic, hand-curated CRA Annex I -> NIST 800-53 Rev5 + OWASP Top 10:2021 mapping, the authoritative Security Golden Set (no RAG; semantic breadth comes later via the shared Controls-API). Mapper attaches NIST/OWASP refs per finding; golden-set completeness pinned by test (every requirement has >=1 NIST ref). CRA tab now shows the NIST/OWASP best- practice refs per finding and the full curated measure texts + norm references (from measures_library_cra.go). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Benjamin Admin
@@ -0,0 +1,92 @@
|
||||
"""CRA Annex I -> NIST 800-53 Rev5 + OWASP Top 10:2021 crosswalk (Security Golden Set).
|
||||
|
||||
Deterministic, hand-curated mapping. It is the AUTHORITATIVE reference set that
|
||||
the standalone CRA assessment uses to attach best-practice control IDs to each
|
||||
CRA essential requirement. NOT a RAG search — semantic breadth comes later via
|
||||
the shared Controls-API of the mapping session, NOT a second retrieval here.
|
||||
|
||||
Each entry maps a CRA-AI requirement to the well-established NIST 800-53 Rev5
|
||||
control identifiers and the OWASP Top 10:2021 category that govern the same
|
||||
control objective. Process-only requirements (disclosure/reporting) carry NIST
|
||||
refs where defensible and no OWASP code (OWASP Top 10 addresses code-level
|
||||
weaknesses, not disclosure processes) — left empty rather than invented.
|
||||
"""
|
||||
|
||||
# OWASP Top 10:2021 category labels (for display).
|
||||
OWASP_2021 = {
|
||||
"A01:2021": "Broken Access Control",
|
||||
"A02:2021": "Cryptographic Failures",
|
||||
"A04:2021": "Insecure Design",
|
||||
"A05:2021": "Security Misconfiguration",
|
||||
"A06:2021": "Vulnerable and Outdated Components",
|
||||
"A07:2021": "Identification and Authentication Failures",
|
||||
"A08:2021": "Software and Data Integrity Failures",
|
||||
"A09:2021": "Security Logging and Monitoring Failures",
|
||||
}
|
||||
|
||||
# req_id -> {"nist": [800-53 control IDs], "owasp": [Top 10:2021 codes]}
|
||||
CRA_SECURITY_CROSSWALK = {
|
||||
"CRA-AI-1": {"nist": ["CM-6", "CM-7"], "owasp": ["A05:2021"]},
|
||||
"CRA-AI-2": {"nist": ["CM-7", "SC-7"], "owasp": ["A05:2021"]},
|
||||
"CRA-AI-3": {"nist": ["SA-8", "SC-7", "SC-39"], "owasp": ["A04:2021"]},
|
||||
"CRA-AI-4": {"nist": ["AC-6"], "owasp": ["A01:2021"]},
|
||||
"CRA-AI-5": {"nist": ["SI-7", "CM-5"], "owasp": ["A08:2021"]},
|
||||
"CRA-AI-6": {"nist": ["SI-7"], "owasp": ["A08:2021"]},
|
||||
"CRA-AI-7": {"nist": ["IA-2", "IA-2(1)"], "owasp": ["A07:2021"]},
|
||||
"CRA-AI-8": {"nist": ["IA-5", "IA-5(1)"], "owasp": ["A07:2021"]},
|
||||
"CRA-AI-9": {"nist": ["IA-5"], "owasp": ["A07:2021"]},
|
||||
"CRA-AI-10": {"nist": ["AC-12", "SC-23"], "owasp": ["A07:2021"]},
|
||||
"CRA-AI-11": {"nist": ["AC-7"], "owasp": ["A07:2021"]},
|
||||
"CRA-AI-12": {"nist": ["AC-2", "AC-3", "AC-6"], "owasp": ["A01:2021"]},
|
||||
"CRA-AI-13": {"nist": ["SC-13", "SC-28"], "owasp": ["A02:2021"]},
|
||||
"CRA-AI-14": {"nist": ["SC-28"], "owasp": ["A02:2021"]},
|
||||
"CRA-AI-15": {"nist": ["SC-8", "SC-8(1)"], "owasp": ["A02:2021"]},
|
||||
"CRA-AI-16": {"nist": ["SC-12"], "owasp": ["A02:2021"]},
|
||||
"CRA-AI-17": {"nist": ["SI-12"], "owasp": []},
|
||||
"CRA-AI-18": {"nist": ["SA-3", "SA-8", "SA-15"], "owasp": ["A04:2021"]},
|
||||
"CRA-AI-19": {"nist": ["SA-11", "SA-15"], "owasp": ["A04:2021"]},
|
||||
"CRA-AI-20": {"nist": ["SA-11", "SA-11(1)"], "owasp": ["A04:2021"]},
|
||||
"CRA-AI-21": {"nist": ["SR-3", "SR-5", "SR-6"], "owasp": ["A06:2021"]},
|
||||
"CRA-AI-22": {"nist": ["RA-5", "SI-2", "SR-4"], "owasp": ["A06:2021"]},
|
||||
"CRA-AI-23": {"nist": ["SR-4", "SR-3"], "owasp": ["A06:2021"]},
|
||||
"CRA-AI-24": {"nist": ["AU-2", "AU-3"], "owasp": ["A09:2021"]},
|
||||
"CRA-AI-25": {"nist": ["AU-6", "SI-4"], "owasp": ["A09:2021"]},
|
||||
"CRA-AI-26": {"nist": ["SI-4"], "owasp": ["A09:2021"]},
|
||||
"CRA-AI-27": {"nist": ["AU-9"], "owasp": ["A09:2021"]},
|
||||
"CRA-AI-28": {"nist": ["SI-2", "SI-7"], "owasp": ["A08:2021"]},
|
||||
"CRA-AI-29": {"nist": ["SI-7(15)", "SC-12"], "owasp": ["A08:2021"]},
|
||||
"CRA-AI-30": {"nist": ["SI-7"], "owasp": ["A08:2021"]},
|
||||
"CRA-AI-31": {"nist": ["SA-22"], "owasp": ["A06:2021"]},
|
||||
"CRA-AI-32": {"nist": ["RA-5"], "owasp": ["A06:2021"]},
|
||||
"CRA-AI-33": {"nist": ["RA-5", "SR-4"], "owasp": ["A06:2021"]},
|
||||
"CRA-AI-34": {"nist": ["RA-5", "RA-7"], "owasp": []},
|
||||
"CRA-AI-35": {"nist": ["SI-5"], "owasp": []},
|
||||
"CRA-AI-36": {"nist": ["IR-4", "IR-6"], "owasp": []},
|
||||
"CRA-AI-37": {"nist": ["IR-6"], "owasp": []},
|
||||
"CRA-AI-38": {"nist": ["IR-6", "IR-8"], "owasp": []},
|
||||
"CRA-AI-39": {"nist": ["SI-2"], "owasp": ["A06:2021"]},
|
||||
"CRA-AI-40": {"nist": ["IR-5", "AU-11"], "owasp": []},
|
||||
}
|
||||
|
||||
|
||||
def security_refs_for(req_ids: list) -> dict:
|
||||
"""Union of NIST + OWASP refs across the given CRA-AI requirement ids.
|
||||
|
||||
Returns {"nist": [...], "owasp": [{"code": .., "label": ..}]}, deduped,
|
||||
order-stable. The golden set is the single source — no retrieval.
|
||||
"""
|
||||
nist: list = []
|
||||
owasp: list = []
|
||||
seen_owasp = set()
|
||||
for rid in req_ids:
|
||||
entry = CRA_SECURITY_CROSSWALK.get(rid)
|
||||
if not entry:
|
||||
continue
|
||||
for n in entry["nist"]:
|
||||
if n not in nist:
|
||||
nist.append(n)
|
||||
for code in entry["owasp"]:
|
||||
if code not in seen_owasp:
|
||||
seen_owasp.add(code)
|
||||
owasp.append({"code": code, "label": OWASP_2021.get(code, "")})
|
||||
return {"nist": nist, "owasp": owasp}
|
||||
Reference in New Issue
Block a user