Benjamin_Boenisch/breakpilot-compliance
1
1
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity

feat(cra): SBOM- + DAST-Findings aus dem Scanner-MCP konsumieren
CI / detect-changes (push) Successful in 8s
Details
CI / branch-name (push) Has been skipped
Details
CI / secret-scan (push) Has been skipped
Details
CI / dep-audit (push) Has been skipped
Details
CI / guardrail-integrity (push) Has been skipped
Details
CI / sbom-scan (push) Has been skipped
Details
CI / build-sha-integrity (push) Successful in 6s
Details
CI / validate-canonical-controls (push) Successful in 10s
Details
CI / loc-budget (push) Successful in 20s
Details
CI / go-lint (push) Has been skipped
Details
CI / python-lint (push) Has been skipped
Details
CI / nodejs-lint (push) Has been skipped
Details
CI / nodejs-build (push) Has been skipped
Details
CI / test-go (push) Successful in 1m4s
Details
CI / iace-gt-coverage (push) Successful in 15s
Details
CI / test-python-backend (push) Successful in 24s
Details
CI / test-python-document-crawler (push) Has been skipped
Details
CI / test-python-dsms-gateway (push) Has been skipped
Details

Browse Source 
Sharangs compliance-scanner-agent exponiert SBOM (sbom_vuln_report) + DAST
(list_dast_findings) als eigene MCP-Tools (nicht via list_findings). Neuer
fetch_all_findings(repo_id) zieht list_findings + SBOM + DAST in EINER
MCP-Session und normalisiert ins Finding-Schema:
- SBOM: ein Finding pro verwundbarem Paket (nicht pro CVE), cwe=CWE-1395
  -> deterministisch CRA-AI-22 (robust gegen Paketnamen wie "sqlite").
- DAST: cwe/endpoint/vuln_type uebernommen -> Mapping via cwe/keywords.
assess-from-scanner nutzt fetch_all_findings + liefert source.breakdown
(code/sbom/dast). DAST hat im MCP keinen repo_id-Filter -> dast_repo_scoped:false
(deployment-weit, transparent geflaggt).

Echte MCP-Daten: Kitchenasty 58 code + 35 sbom + 81 dast -> 174 gemappt
(Coverage 94,3%, alle 35 SBOM -> CRA-AI-22).

Enthaelt zusaetzlich das Qdrant->Prod-Kopierскript (#42, verbatim macmini->prod).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Benjamin Bönisch
2026-06-18 12:05:05 +02:00
parent 8f21650d74
commit 43e02f794a
4 changed files with 298 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend-compliance/compliance/api/cra_assess_routes.py
+5 -3
View File
@@ -21,7 +21,7 @@ from compliance.services.cra_applicability import (
compute_verdict, compute_machinery_verdict, maturity as evidence_maturity, MACHINE_INTEGRATOR,
)
from compliance.services.cra_datasheet_extractor import extract_grenzen
from compliance.services.scanner_mcp_client import fetch_findings
from compliance.services.scanner_mcp_client import fetch_findings, fetch_all_findings
from compliance.services.cra_snapshot_store import save_snapshot, list_snapshots, get_snapshot
from compliance.services.cra_use_case_controls import enrich_findings_with_breadth
from compliance.services.cra_component_findings import findings_from_components
@@ -121,10 +121,11 @@ async def assess_from_scanner(body: ScannerPullRequest):
scan_type/cvss_score/file_path). Returns empty assessment if no scanner is
configured — the frontend then keeps its demo scenario.
"""
findings = await fetch_findings(
pulled = await fetch_all_findings(
repo_id=body.repo_id, severity=body.severity,
base_url=body.scanner_url, token=body.token,
)
findings = pulled.get("findings", [])
payload = {
"findings": findings,
"weights": body.weights,
@@ -136,7 +137,8 @@ async def assess_from_scanner(body: ScannerPullRequest):
enrich_findings_with_breadth(result.get("mapped", []), db)
finally:
db.close()
result["source"] = {"scanner": True, "pulled": len(findings)}
result["source"] = {"scanner": True, "pulled": len(findings),
"breakdown": pulled.get("breakdown", {})}
return result
backend-compliance/compliance/services/scanner_mcp_client.py
+127
View File
@@ -57,3 +57,130 @@ async def fetch_findings(
texts = [c.text for c in (result.content or []) if getattr(c, "type", "") == "text"]
return parse_findings_text(texts[0]) if texts else []
# --- SBOM + DAST consumption (Sharang's scanner exposes these as dedicated MCP
# tools, not via list_findings) -------------------------------------------------
_SEV_BY_RANK = {4: "critical", 3: "high", 2: "medium", 1: "low"}
_SEV_RANK = {v: k for k, v in _SEV_BY_RANK.items()}
def normalize_sbom_report(text: str) -> list:
"""sbom_vuln_report -> one finding per VULNERABLE PACKAGE (not per CVE — a repo
can have hundreds of CVEs but ~dozens of packages). scan_type='dependency' so
the CRA mapper routes it to dependency-monitoring (CRA-AI-22)."""
try:
data = json.loads(text)
except (json.JSONDecodeError, TypeError):
return []
if not isinstance(data, dict):
return []
repo_id = data.get("repo_id", "")
out = []
for pkg in data.get("packages") or []:
vulns = pkg.get("vulnerabilities") or []
if not vulns:
continue
ids, seen, best = [], set(), 0
for v in vulns:
vid = v.get("id")
if vid and vid not in seen:
seen.add(vid)
ids.append(vid)
best = max(best, _SEV_RANK.get((v.get("severity") or "").lower(), 0))
name, ver = pkg.get("name", ""), pkg.get("version", "")
pm = pkg.get("package_manager", "") or ""
shown = ", ".join(ids[:8]) + ("" if len(ids) > 8 else "")
out.append({
"id": f"sbom:{repo_id}:{name}@{ver}",
"repo_id": repo_id,
"title": f"Verwundbare Abhängigkeit: {name} {ver} ({len(ids)} Schwachstelle(n))",
"description": f"Abhängigkeit {name} {ver} ({pm}) mit bekannten Schwachstellen: {shown}.",
"scan_type": "dependency",
# CWE-1395 (Dependency on Vulnerable Third-Party Component) → the CWE
# path maps deterministically to CRA-AI-22, robust against package
# names that happen to contain keyword tokens (e.g. "sqlite" → "sql").
"cwe": "CWE-1395",
"severity": _SEV_BY_RANK.get(best, "medium"),
"location": f"{pm}:{name}@{ver}" if pm else f"{name}@{ver}",
})
return out
def normalize_dast(text: str) -> list:
"""list_dast_findings -> findings (carry cwe + endpoint + vuln_type so the CRA
mapper routes them via cwe/keywords). scan_type='dast'."""
out = []
for d in parse_findings_text(text):
if not isinstance(d, dict):
continue
out.append({
"id": d.get("_id") or d.get("id") or "",
"repo_id": d.get("repo_id") or "",
"title": d.get("title", ""),
"description": " ".join(x for x in [d.get("vuln_type", ""), d.get("description", "")] if x),
"scan_type": "dast",
"cwe": str(d.get("cwe", "") or ""),
"severity": (d.get("severity") or "").lower(),
"location": d.get("endpoint") or d.get("target_id") or "",
"exploited": bool(d.get("exploitable", False)),
})
return out
async def _open_and_call(url: str, tok: str, calls: list) -> dict:
"""Open ONE MCP session and run [(tool, params), ...] -> {tool: text}. A tool
that errors yields '' (best-effort; the assessment degrades, never breaks)."""
from mcp.client.session import ClientSession
from mcp.client.streamable_http import streamablehttp_client
headers = {"Authorization": f"Bearer {tok}"} if tok else None
out: dict = {}
async with streamablehttp_client(url, headers=headers) as (read, write, _):
async with ClientSession(read, write) as session:
await session.initialize()
for tool, params in calls:
try:
res = await session.call_tool(tool, params)
texts = [c.text for c in (res.content or []) if getattr(c, "type", "") == "text"]
out[tool] = texts[0] if texts else ""
except Exception:
out[tool] = ""
return out
async def fetch_all_findings(
repo_id: Optional[str] = None,
severity: Optional[str] = None,
limit: int = 200,
base_url: Optional[str] = None,
token: Optional[str] = None,
include_dast: bool = True,
) -> dict:
"""Pull list_findings + SBOM-vulns + DAST in one MCP session and return a
unified finding list plus a per-source breakdown. SBOM is repo-scoped
(sbom_vuln_report requires repo_id); DAST has no repo_id filter in the MCP, so
it is deployment-wide (flagged in the breakdown). Returns {} on no config."""
url = (base_url or SCANNER_MCP_URL).rstrip("/")
tok = token or SCANNER_MCP_TOKEN
if not url:
return {"findings": [], "breakdown": {}}
calls = [("list_findings", {"limit": limit, **({"repo_id": repo_id} if repo_id else {}),
**({"severity": severity} if severity else {})})]
if repo_id:
calls.append(("sbom_vuln_report", {"repo_id": repo_id}))
if include_dast:
calls.append(("list_dast_findings", {"limit": limit,
**({"severity": severity} if severity else {})}))
res = await _open_and_call(url, tok, calls)
code = parse_findings_text(res.get("list_findings", ""))
sbom = normalize_sbom_report(res.get("sbom_vuln_report", "")) if repo_id else []
dast = normalize_dast(res.get("list_dast_findings", "")) if include_dast else []
return {
"findings": code + sbom + dast,
"breakdown": {"code": len(code), "sbom": len(sbom), "dast": len(dast),
"dast_repo_scoped": False},
}