Benjamin_Boenisch/breakpilot-compliance
1
1
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(cra): Scanner-Findings vollstaendig mappen + assess-from-scanner-Latenz senken
CI / detect-changes (push) Successful in 17s
Details
CI / branch-name (push) Has been skipped
Details
CI / guardrail-integrity (push) Has been skipped
Details
CI / secret-scan (push) Has been skipped
Details
CI / dep-audit (push) Has been skipped
Details
CI / sbom-scan (push) Has been skipped
Details
CI / build-sha-integrity (push) Successful in 13s
Details
CI / validate-canonical-controls (push) Successful in 12s
Details
CI / loc-budget (push) Successful in 25s
Details
CI / go-lint (push) Has been skipped
Details
CI / python-lint (push) Has been skipped
Details
CI / nodejs-lint (push) Has been skipped
Details
CI / nodejs-build (push) Has been skipped
Details
CI / test-go (push) Has been skipped
Details
CI / iace-gt-coverage (push) Has been skipped
Details
CI / test-python-backend (push) Successful in 30s
Details
CI / test-python-document-crawler (push) Has been skipped
Details
CI / test-python-dsms-gateway (push) Has been skipped
Details

Browse Source 
Punkt 2 (Coverage): semgrep/gdpr-Findings ohne CWE blieben unmapped (~21%).
Der Mapper nutzt jetzt den scanner rule_id + gezielte Keywords (gdpr ->
Datenminimierung CRA-AI-17, path-traversal/prototype-pollution -> CRA-AI-20,
nginx-header/Docker-Hardening -> CRA-AI-1/4, insecure-websocket -> CRA-AI-15).
Reale Scanner-Daten: unmapped 19/92 -> 0/92 (Coverage 100%).

Punkt 3 (Latenz): enrich_findings_with_breadth lief ~6 Aggregat-Queries je
(use_case,sub_topic)-Paar, nutzte aber nur die Liste. Jetzt EINE batched Query
(breadth_controls_batch) fuer alle Paare + Prozess-Cache (TTL 1800s). macmini:
cold 0,23s / warm 0,000s. Prod-Root-Cause: atom_classification ohne
(use_case,sub_topic)-Index nach DB-Swap -> Index dem DB-Owner empfohlen.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Benjamin Bönisch
2026-06-17 13:17:51 +02:00
parent 4f4ffc2ad5
commit 72093e5501
5 changed files with 181 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend-compliance/tests/test_cra_finding_mapper.py
+33
View File
@@ -56,6 +56,39 @@ def test_unmapped_finding_is_flagged_not_invented():
assert m.requirement_ids == []
def test_gdpr_scanner_finding_maps_to_data_minimisation():
# gdpr-pattern scanner finding (no cwe) -> CRA Annex I data minimisation
m = map_finding(ScannerFinding(
id="g1", category="gdpr", title="Data collection without apparent consent mechanism",
severity="medium"))
assert m.primary_requirement == "CRA-AI-17"
assert not m.unmapped
def test_semgrep_path_traversal_via_rule_id_maps_to_secure_testing():
# semgrep finding with NO cwe — the rule_id pins it as path traversal
m = map_finding(ScannerFinding(
id="s1", category="sast", rule_id="javascript.express.security.express-path-join-resolve",
title="Possible writing outside of the destination", severity="medium"))
assert m.primary_requirement == "CRA-AI-20"
assert not m.unmapped
def test_semgrep_prototype_pollution_maps_to_secure_testing():
m = map_finding(ScannerFinding(
id="s2", category="sast", title="Possibility of prototype polluting function detected",
severity="medium"))
assert m.primary_requirement == "CRA-AI-20"
def test_nginx_header_redefinition_maps_to_secure_config():
m = map_finding(ScannerFinding(
id="s3", category="sast", rule_id="generic.nginx.security.header-redefinition",
title="The 'add_header' directive is called in a 'location' block", severity="medium"))
assert m.primary_requirement == "CRA-AI-1"
assert not m.unmapped
def test_assessment_aggregates_and_coverage():
findings = [
ScannerFinding(id="a", cwe="CWE-259", severity="critical"), # CRA-AI-8