Benjamin_Boenisch/breakpilot-compliance
1
1
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity

refactor(ucca): control-mapping model per review feedback

Browse Source 
- DROP confidence from the persisted mapping: a curated mapping is a
  professional statement, not an AI guess (retriever score -> rationale only).
- ADD mapping_status (candidate|accepted|rejected|superseded) — the review state.
- ADD audit trail (reviewed_by/review_date/review_reason); accepted/rejected
  fail-closed without it.
- EXTEND mapping_type: + implements, + contradicts.
- Advisor truth = mapping_status=accepted (acceptedOnly filter).
- migrate the 18 CRA->OWASP rows to mapping_status=candidate.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Benjamin Admin
2026-06-25 09:50:37 +02:00
parent 2f3c98fbe0
commit 53ea388ea0
3 changed files with 85 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ai-compliance-sdk/data/control_mappings/cra_owasp.jsonl
+23 -21
View File
@@ -1,22 +1,24 @@
// Control-Mapping: CRA Annex I -> OWASP ASVS 5.0. Eine Zeile = ein Mapping (Schema: ControlMapping).
// provenance=retriever_candidate: Vorschlaege des Control-Intent-Retriever (sdk-dev), NOCH NICHT kuratiert.
// Erst nach Human/Rule-Review wird provenance=human_curated/rule_based gesetzt (= Audit-Wahrheit, die der Advisor nutzt).
// Erzeugt 2026-06-25 via gen_cra_owasp.py. REVIEW-Hinweise: (2)(d) Verschluesselung -> V14 (Config) ist falsch, gehoert zu V11 (Crypto); V14.2.4 ueber-erscheint.
{"source_norm": "CRA Annex I Part I (2)(c) — Schutz vor unbefugtem Zugriff", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V6.3.1", "mapping_type": "supports", "confidence": "medium", "provenance": "retriever_candidate", "rationale": "Top-OWASP-Kandidat (score 1.197) fuer 'Authentifizierung und Zugriffskontrolle, Schutz vor unbefugtem Zugriff'. Retriever-Vorschlag, Review noetig.", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(c) — Schutz vor unbefugtem Zugriff", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V6.1.1", "mapping_type": "supports", "confidence": "medium", "provenance": "retriever_candidate", "rationale": "Top-OWASP-Kandidat (score 1.194) fuer 'Authentifizierung und Zugriffskontrolle, Schutz vor unbefugtem Zugriff'. Retriever-Vorschlag, Review noetig.", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(c) — Schutz vor unbefugtem Zugriff", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V14.2.4", "mapping_type": "related", "confidence": "low", "provenance": "retriever_candidate", "rationale": "Top-OWASP-Kandidat (score 1.190) fuer 'Authentifizierung und Zugriffskontrolle, Schutz vor unbefugtem Zugriff'. Schwacher Kandidat (V14=Config), Review noetig.", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(d) — Vertraulichkeit / Verschluesselung", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V14.2.4", "mapping_type": "related", "confidence": "low", "provenance": "retriever_candidate", "rationale": "Retriever-Top (score 1.206), aber V14=Config statt V11=Crypto — wahrscheinlich FALSCH, Review-Korrektur auf V11.x.", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(d) — Vertraulichkeit / Verschluesselung", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V14.3.2", "mapping_type": "related", "confidence": "low", "provenance": "retriever_candidate", "rationale": "Top-OWASP-Kandidat (score 1.146). Review noetig (Crypto gehoert zu V11).", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(d) — Vertraulichkeit / Verschluesselung", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V14.2.3", "mapping_type": "related", "confidence": "low", "provenance": "retriever_candidate", "rationale": "Top-OWASP-Kandidat (score 1.145). Review noetig (Crypto gehoert zu V11).", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(e) — Integritaet", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V14.2.4", "mapping_type": "related", "confidence": "low", "provenance": "retriever_candidate", "rationale": "Top-OWASP-Kandidat (score 1.202), V14.2.4 ueber-erscheint — Review noetig.", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(e) — Integritaet", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V1.2.4", "mapping_type": "related", "confidence": "low", "provenance": "retriever_candidate", "rationale": "Top-OWASP-Kandidat (score 1.166). Review noetig.", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(e) — Integritaet", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V6.1.1", "mapping_type": "related", "confidence": "low", "provenance": "retriever_candidate", "rationale": "Top-OWASP-Kandidat (score 1.159). Review noetig.", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(k) — Sicherheitsrelevante Ereignisse / Logging", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V16.3.3", "mapping_type": "supports", "confidence": "medium", "provenance": "retriever_candidate", "rationale": "Top-OWASP-Kandidat (score 1.223) fuer Logging. Plausibel (V16=Logging), Review zur Bestaetigung.", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(k) — Sicherheitsrelevante Ereignisse / Logging", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V16.3.4", "mapping_type": "supports", "confidence": "medium", "provenance": "retriever_candidate", "rationale": "Top-OWASP-Kandidat (score 1.196) fuer Logging. Plausibel (V16=Logging), Review zur Bestaetigung.", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(k) — Sicherheitsrelevante Ereignisse / Logging", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V16.1.1", "mapping_type": "supports", "confidence": "medium", "provenance": "retriever_candidate", "rationale": "Top-OWASP-Kandidat (score 1.186) fuer Logging. Plausibel (V16=Logging), Review zur Bestaetigung.", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(l) — Sichere Updates", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V14.2.4", "mapping_type": "related", "confidence": "low", "provenance": "retriever_candidate", "rationale": "Schwacher Kandidat (score 1.141) — ASVS deckt 'sichere Updates' kaum ab, Review noetig.", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(l) — Sichere Updates", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V2.4.1", "mapping_type": "related", "confidence": "low", "provenance": "retriever_candidate", "rationale": "Schwacher Kandidat (score 1.138). Review noetig.", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(l) — Sichere Updates", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V6.1.1", "mapping_type": "related", "confidence": "low", "provenance": "retriever_candidate", "rationale": "Schwacher Kandidat (score 1.129). Review noetig.", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(i) — Angriffsflaeche minimieren", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V6.1.1", "mapping_type": "related", "confidence": "low", "provenance": "retriever_candidate", "rationale": "Schwacher Kandidat (score 1.162). Review noetig.", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(i) — Angriffsflaeche minimieren", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V15.3.3", "mapping_type": "related", "confidence": "low", "provenance": "retriever_candidate", "rationale": "Schwacher Kandidat (score 1.136). Review noetig.", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(i) — Angriffsflaeche minimieren", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V8.2.4", "mapping_type": "related", "confidence": "low", "provenance": "retriever_candidate", "rationale": "Schwacher Kandidat (score 1.136). Review noetig.", "version": "2026-06-25"}
// mapping_status=candidate: Vorschlaege des Control-Intent-Retriever (sdk-dev), NOCH NICHT reviewt.
// Review setzt mapping_status=accepted|rejected + provenance=human_curated + reviewed_by/review_date/review_reason.
// Der Advisor nutzt NUR mapping_status=accepted (acceptedOnly). KEIN confidence-Feld: ein kuratiertes Mapping ist
// eine fachliche Feststellung, keine KI-Vermutung. Retriever-Score steht nur informativ in der rationale.
// Erzeugt 2026-06-25 via gen_cra_owasp.py. Review offen (Schritt B).
{"source_norm": "CRA Annex I Part I (2)(c) — Schutz vor unbefugtem Zugriff", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V6.3.1", "mapping_type": "supports", "mapping_status": "candidate", "provenance": "retriever_candidate", "rationale": "Retriever-Top (score 1.197) fuer Authentifizierung/Zugriffskontrolle. V6=Auth — plausibel.", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(c) — Schutz vor unbefugtem Zugriff", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V6.1.1", "mapping_type": "supports", "mapping_status": "candidate", "provenance": "retriever_candidate", "rationale": "Retriever (score 1.194) fuer Authentifizierung/Zugriffskontrolle. V6=Auth — plausibel.", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(c) — Schutz vor unbefugtem Zugriff", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V14.2.4", "mapping_type": "related", "mapping_status": "candidate", "provenance": "retriever_candidate", "rationale": "Retriever (score 1.190), aber V14=Config — schwacher Kandidat.", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(d) — Vertraulichkeit / Verschluesselung", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V14.2.4", "mapping_type": "related", "mapping_status": "candidate", "provenance": "retriever_candidate", "rationale": "Retriever-Top (score 1.206), aber V14=Config statt V11=Crypto — wahrscheinlich FALSCH.", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(d) — Vertraulichkeit / Verschluesselung", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V14.3.2", "mapping_type": "related", "mapping_status": "candidate", "provenance": "retriever_candidate", "rationale": "Retriever (score 1.146). Crypto gehoert zu V11.", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(d) — Vertraulichkeit / Verschluesselung", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V14.2.3", "mapping_type": "related", "mapping_status": "candidate", "provenance": "retriever_candidate", "rationale": "Retriever (score 1.145). Crypto gehoert zu V11.", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(e) — Integritaet", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V14.2.4", "mapping_type": "related", "mapping_status": "candidate", "provenance": "retriever_candidate", "rationale": "Retriever (score 1.202), V14.2.4 ueber-erscheint.", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(e) — Integritaet", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V1.2.4", "mapping_type": "related", "mapping_status": "candidate", "provenance": "retriever_candidate", "rationale": "Retriever (score 1.166).", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(e) — Integritaet", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V6.1.1", "mapping_type": "related", "mapping_status": "candidate", "provenance": "retriever_candidate", "rationale": "Retriever (score 1.159).", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(k) — Sicherheitsrelevante Ereignisse / Logging", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V16.3.3", "mapping_type": "supports", "mapping_status": "candidate", "provenance": "retriever_candidate", "rationale": "Retriever-Top (score 1.223) fuer Logging. V16=Logging — plausibel.", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(k) — Sicherheitsrelevante Ereignisse / Logging", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V16.3.4", "mapping_type": "supports", "mapping_status": "candidate", "provenance": "retriever_candidate", "rationale": "Retriever (score 1.196) fuer Logging. V16=Logging — plausibel.", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(k) — Sicherheitsrelevante Ereignisse / Logging", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V16.1.1", "mapping_type": "supports", "mapping_status": "candidate", "provenance": "retriever_candidate", "rationale": "Retriever (score 1.186) fuer Logging. V16=Logging — plausibel.", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(l) — Sichere Updates", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V14.2.4", "mapping_type": "related", "mapping_status": "candidate", "provenance": "retriever_candidate", "rationale": "Schwacher Kandidat (score 1.141) — ASVS deckt sichere Updates kaum ab.", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(l) — Sichere Updates", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V2.4.1", "mapping_type": "related", "mapping_status": "candidate", "provenance": "retriever_candidate", "rationale": "Schwacher Kandidat (score 1.138).", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(l) — Sichere Updates", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V6.1.1", "mapping_type": "related", "mapping_status": "candidate", "provenance": "retriever_candidate", "rationale": "Schwacher Kandidat (score 1.129).", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(i) — Angriffsflaeche minimieren", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V6.1.1", "mapping_type": "related", "mapping_status": "candidate", "provenance": "retriever_candidate", "rationale": "Schwacher Kandidat (score 1.162).", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(i) — Angriffsflaeche minimieren", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V15.3.3", "mapping_type": "related", "mapping_status": "candidate", "provenance": "retriever_candidate", "rationale": "Schwacher Kandidat (score 1.136).", "version": "2026-06-25"}
{"source_norm": "CRA Annex I Part I (2)(i) — Angriffsflaeche minimieren", "source_role": "operational_requirement", "target_framework": "OWASP ASVS", "target_control": "V8.2.4", "mapping_type": "related", "mapping_status": "candidate", "provenance": "retriever_candidate", "rationale": "Schwacher Kandidat (score 1.136).", "version": "2026-06-25"}