Benjamin_Boenisch/breakpilot-compliance
1
1
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity

feat(cra): Befund-Detail aufgeräumt + Rechts-Anker (source_article) sichtbar

Browse Source 
Frontend (CRA/Cyber-Tab):
- Erklär-Zwischensätze je Ebene (Befund -> CRA-Anforderung -> Best-Practice-
  Standard -> Maßnahmen) + "So liest du einen Befund"-Legende.
- Kuratierte M-Maßnahmen und atom-grain "Regulatorische Breite" in EINE Sektion
  "Maßnahmen (wählbar)" zusammengeführt (statt zwei konkurrierender Listen).
- Standalone "Empfohlene Maßnahmen (Sollzustand)" entfernt (jetzt je Befund).

Backend:
- Atom-Controls-Query liefert jetzt cpl.source_article (Artikel/Anhang/Erwägungs-
  grund-Anker) zusätzlich zu source_regulation; via LATERAL-Join.
- enrich_findings_with_breadth trägt source_article in regulatory_breadth.
- Daten waren schon ingestiert (682/691 CRA-Atome haben source_article) — wurden
  nur nicht selektiert/angezeigt.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Benjamin Admin
2026-06-14 23:14:53 +02:00
parent e5ea2ee7dd
commit 828230746e
5 changed files with 116 additions and 65 deletions
Download Patch File Download Diff File Expand all files Collapse all files
admin-compliance/app/sdk/iace/[projectId]/cra/_components/CRACyberView.tsx
+73 -61
View File
@@ -1,7 +1,7 @@
'use client'
import { Fragment, useState } from 'react'
import { CRADemo, CRAFinding } from '../_hooks/useCRADemo'
import { CRADemo, CRAFinding, Measure } from '../_hooks/useCRADemo'
const RISK_BADGE: Record<string, string> = {
CRITICAL: 'bg-red-100 text-red-700 dark:bg-red-900/40 dark:text-red-300',
@@ -59,7 +59,7 @@ function EvidenceTag({ et }: { et?: string }) {
)
}
function FindingsTable({ findings }: { findings: CRAFinding[] }) {
function FindingsTable({ findings, measuresById }: { findings: CRAFinding[]; measuresById: Record<string, Measure> }) {
const [open, setOpen] = useState<Record<string, boolean>>({})
const toggle = (id: string) => setOpen((o) => ({ ...o, [id]: !o[id] }))
return (
@@ -101,50 +101,79 @@ function FindingsTable({ findings }: { findings: CRAFinding[] }) {
onClick={() => toggle(f.id)}
className="text-[11px] text-purple-600 hover:underline whitespace-nowrap"
>
NIST/OWASP {open[f.id] ? '▲' : '▼'}
Standard &amp; Maßnahmen {open[f.id] ? '▲' : '▼'}
</button>
</td>
</tr>
{open[f.id] && (
<tr className="border-b border-gray-100 dark:border-gray-700/50 bg-gray-50/60 dark:bg-gray-900/30">
<td colSpan={6} className="px-4 py-2">
<p className="text-[10px] text-gray-400 mb-1">Best-Practice-Tiefe (Golden-Set-Crosswalk)</p>
<div className="flex flex-wrap gap-1 items-center">
<span className="text-[10px] text-gray-500 mr-1">NIST 800-53:</span>
{f.nist_refs.map((n) => (
<span key={n} className="inline-block rounded bg-slate-100 text-slate-600 dark:bg-slate-700 dark:text-slate-300 px-1.5 py-0.5 text-[10px] font-mono">{n}</span>
))}
<span className="text-[10px] text-gray-500 mx-1">OWASP:</span>
{f.owasp_refs.map((o) => (
<span key={o.code} className="inline-block rounded bg-blue-100 text-blue-700 dark:bg-blue-900/40 dark:text-blue-300 px-1.5 py-0.5 text-[10px] font-medium">{o.code} · {o.label}</span>
))}
{f.iso27001_ref.length > 0 && (
<>
<span className="text-[10px] text-gray-500 mx-1">ISO 27001:</span>
{f.iso27001_ref.map((iso) => (
<span key={iso} className="inline-block rounded bg-gray-100 text-gray-500 dark:bg-gray-700 dark:text-gray-300 px-1.5 py-0.5 text-[10px]">{iso}</span>
))}
</>
)}
<td colSpan={6} className="px-4 py-3 space-y-3">
{/* Best-Practice-Standard — der Maßstab (kein Code-Rezept) */}
<div>
<p className="text-[10px] text-gray-500 mb-1">
<span className="font-semibold text-gray-600 dark:text-gray-300">Best-Practice-Standard</span>
{' '} woran erfüllt" gemessen wird (Kontroll-Frameworks, noch kein Code-Rezept):
</p>
<div className="flex flex-wrap gap-1 items-center">
<span className="text-[10px] text-gray-500 mr-1">NIST 800-53:</span>
{f.nist_refs.map((n) => (
<span key={n} className="inline-block rounded bg-slate-100 text-slate-600 dark:bg-slate-700 dark:text-slate-300 px-1.5 py-0.5 text-[10px] font-mono">{n}</span>
))}
<span className="text-[10px] text-gray-500 mx-1">OWASP:</span>
{f.owasp_refs.map((o) => (
<span key={o.code} className="inline-block rounded bg-blue-100 text-blue-700 dark:bg-blue-900/40 dark:text-blue-300 px-1.5 py-0.5 text-[10px] font-medium">{o.code} · {o.label}</span>
))}
{f.iso27001_ref.length > 0 && (
<>
<span className="text-[10px] text-gray-500 mx-1">ISO 27001:</span>
{f.iso27001_ref.map((iso) => (
<span key={iso} className="inline-block rounded bg-gray-100 text-gray-500 dark:bg-gray-700 dark:text-gray-300 px-1.5 py-0.5 text-[10px]">{iso}</span>
))}
</>
)}
</div>
</div>
{f.regulatory_breadth && f.regulatory_breadth.length > 0 && (
<div className="mt-2">
<p className="text-[10px] text-gray-400 mb-1">
Regulatorische Breite{f.sub_topic ? `${f.sub_topic}` : ''} (CRA + NIST/OWASP/ENISA-Quellen)
</p>
{/* Maßnahmen (wählbar) — kuratierte Kern-Maßnahme + belegte Optionen, zusammengeführt */}
<div>
<p className="text-[10px] text-gray-500 mb-1">
<span className="font-semibold text-gray-600 dark:text-gray-300">Maßnahmen (wählbar)</span>
{' '}— passend kombinieren, nicht alle abhaken. Das Risiko ist geschlossen, wenn die Pflicht real erfüllt ist.
</p>
{f.measures.length > 0 && (
<ul className="space-y-1 mb-1.5">
{f.measures.map((mid) => {
const m = measuresById[mid]
return (
<li key={mid} className="text-[10px] text-gray-600 dark:text-gray-300">
<span className="inline-block rounded bg-purple-100 text-purple-700 dark:bg-purple-900/40 dark:text-purple-300 px-1 py-0.5 text-[9px] mr-1">kuratiert</span>
<span className="font-medium text-gray-700 dark:text-gray-200">{m ? m.name : mid}</span>
{m && m.description ? <span className="text-gray-500"> — {m.description}</span> : null}
{m && m.norm_refs && m.norm_refs.length > 0 ? <span className="text-gray-400"> · {m.norm_refs.join(', ')}</span> : null}
</li>
)
})}
</ul>
)}
{f.regulatory_breadth && f.regulatory_breadth.length > 0 && (
<ul className="space-y-0.5">
{f.regulatory_breadth.map((c) => (
<li key={c.control_id} className="text-[10px] text-gray-600 dark:text-gray-300">
{c.use_case && (
<span className="inline-block rounded bg-gray-200 text-gray-600 dark:bg-gray-600 dark:text-gray-200 px-1 py-0.5 text-[9px] mr-1">{c.use_case}</span>
)}
<span className="inline-block rounded bg-gray-200 text-gray-600 dark:bg-gray-600 dark:text-gray-200 px-1 py-0.5 text-[9px] mr-1">{c.use_case || 'Option'}</span>
<span className="font-mono text-gray-500">{c.control_id}</span> {c.title}
<span className="text-gray-400"> · {c.source_regulation}</span>
<span className="text-gray-400"> · {c.source_regulation}{c.source_article ? `, ${c.source_article}` : ''}</span>
</li>
))}
</ul>
</div>
)}
)}
{f.measures.length === 0 && (!f.regulatory_breadth || f.regulatory_breadth.length === 0) && (
<p className="text-[10px] text-gray-400">Keine kuratierte Maßnahme hinterlegt — Standard (oben) + Code-Fix aus dem Scan nutzen.</p>
)}
</div>
<p className="text-[10px] text-gray-400 italic">
Konkreter Code-Fix (Patch, z. B. Verschlüsselungsverfahren/Schlüssel) folgt aus dem Repo-Scan, sobald das Repository angebunden ist.
</p>
</td>
</tr>
)}
@@ -157,6 +186,9 @@ function FindingsTable({ findings }: { findings: CRAFinding[] }) {
}
export function CRACyberView({ data }: { data: CRADemo }) {
const measuresById: Record<string, Measure> = Object.fromEntries(
data.open_measures.map((m) => [m.id, m]),
)
return (
<div className="space-y-6">
{/* Co-Pilot framing — advisory, not alarmist */}
@@ -224,8 +256,15 @@ export function CRACyberView({ data }: { data: CRADemo }) {
<div className="rounded-xl border border-gray-200 dark:border-gray-700 bg-white dark:bg-gray-800">
<div className="px-4 py-3 border-b border-gray-100 dark:border-gray-700">
<h2 className="text-sm font-semibold text-gray-800 dark:text-gray-200">Befunde → CRA-Anforderung</h2>
<p className="text-[11px] text-gray-500 mt-1 leading-relaxed">
So liest du einen Befund: <span className="font-medium text-gray-600 dark:text-gray-300">Cyber-Befund</span> (was der Scan sah)
{' → '}<span className="font-medium text-gray-600 dark:text-gray-300">CRA-Anforderung</span> (was das Gesetz verlangt)
{' → '}<span className="font-medium text-gray-600 dark:text-gray-300">Best-Practice-Standard</span> (woran „erfüllt" gemessen wird)
{' → '}<span className="font-medium text-gray-600 dark:text-gray-300">Maßnahmen</span> (mögliche Umsetzungen passend wählen, nicht alle).
Klick Standard &amp; Maßnahmen" für die Details je Befund.
</p>
</div>
<FindingsTable findings={data.findings} />
<FindingsTable findings={data.findings} measuresById={measuresById} />
</div>
{/* Quick wins — high impact, low effort (second view) */}
@@ -247,33 +286,6 @@ export function CRACyberView({ data }: { data: CRADemo }) {
</div>
)}
{/* Recommended measures — full curated text + norm references */}
<div className="rounded-xl border border-gray-200 dark:border-gray-700 bg-white dark:bg-gray-800 p-4">
<h2 className="text-sm font-semibold text-gray-800 dark:text-gray-200 mb-1">Empfohlene Maßnahmen (Sollzustand)</h2>
<p className="text-[11px] text-gray-400 mb-3">
Kuratierte CRA-Maßnahmen mit Normverweisen sie beschreiben den <span className="font-medium">umzubauenden Prozess / das Sollziel</span>,
kein Auto-Fix. Konkrete Code-Fixes entstehen separat, wenn der Repo-Scan ein Source-Code-Risiko an einer
Stelle sieht (Findings mit <span className="text-emerald-600 dark:text-emerald-400">Code-nah"</span>).
</p>
<div className="space-y-3">
{data.open_measures.map((me) => (
<div key={me.id} className="rounded-lg border border-gray-100 dark:border-gray-700/60 p-3">
<p className="text-sm font-medium text-gray-800 dark:text-gray-200">
<span className="font-mono text-purple-600 dark:text-purple-400">{me.id}</span> — {me.name}
</p>
<p className="text-xs text-gray-600 dark:text-gray-300 mt-1">{me.description}</p>
<div className="flex flex-wrap gap-1 mt-2">
{me.norm_refs.map((nr) => (
<span key={nr} className="inline-block rounded bg-gray-100 text-gray-500 dark:bg-gray-700 dark:text-gray-300 px-1.5 py-0.5 text-[10px]">
{nr}
</span>
))}
</div>
</div>
))}
</div>
</div>
{/* CRA deadlines */}
<div className="rounded-xl border border-gray-200 dark:border-gray-700 bg-white dark:bg-gray-800 p-4">
<h2 className="text-sm font-semibold text-gray-800 dark:text-gray-200 mb-2">CRA-Fristen</h2>
admin-compliance/app/sdk/iace/[projectId]/cra/_hooks/useCRADemo.ts
+1 -1
View File
@@ -30,7 +30,7 @@ export interface CRAFinding {
evidence_type?: string // code | process | hybrid | document — drives the remediation-class badge
// regulatory breadth (atom-grain shared Controls-API: cra + code/network_security), live only
sub_topic?: string
regulatory_breadth?: { control_id: string; title: string; source_regulation: string; severity?: string; use_case?: string }[]
regulatory_breadth?: { control_id: string; title: string; source_regulation: string; source_article?: string; severity?: string; use_case?: string }[]
// priority layer (set live by the backend prioritizer; optional in the static fallback)
priority_tier?: string
priority_score?: number
backend-compliance/compliance/services/cra_use_case_controls.py
+1
View File
@@ -76,6 +76,7 @@ def enrich_findings_with_breadth(mapped: list, db, per_use_case: int = 3) -> Non
cache[key] = [
{"control_id": c.get("control_id"), "title": c.get("title"),
"source_regulation": c.get("source_regulation"),
"source_article": c.get("source_article"),
"severity": c.get("severity"), "use_case": uc}
for c in res.get("controls", [])
]
backend-compliance/compliance/services/use_case_controls.py
+7 -2
View File
@@ -78,10 +78,14 @@ _LIST_SQL = text("""
_ATOM_LIST_SQL = text("""
SELECT ac.control_uuid, ac.sub_topic, ac.canonical_obligation,
cc.control_id, cc.title, cc.objective, cc.severity,
(SELECT cpl.source_regulation FROM control_parent_links cpl
WHERE cpl.control_uuid = ac.control_uuid LIMIT 1) AS source_regulation
cpl.source_regulation, cpl.source_article
FROM atom_classification ac
JOIN canonical_controls cc ON cc.id = ac.control_uuid
LEFT JOIN LATERAL (
SELECT cpl.source_regulation, cpl.source_article
FROM control_parent_links cpl
WHERE cpl.control_uuid = ac.control_uuid LIMIT 1
) cpl ON true
WHERE ac.use_case = :uc AND ac.relevant = true
AND (:sub IS NULL OR ac.sub_topic = :sub)
ORDER BY ac.sub_topic NULLS LAST,
@@ -228,6 +232,7 @@ class UseCaseControlsService:
"sub_topic": r.sub_topic,
"canonical_obligation": r.canonical_obligation,
"source_regulation": r.source_regulation,
"source_article": r.source_article,
}
for r in rows
]
backend-compliance/tests/test_cra_use_case_controls.py
+34 -1
View File
@@ -1,5 +1,9 @@
"""Pin the CRA-AI -> network_security sub_topic map (DB enrichment verified live)."""
from compliance.services.cra_use_case_controls import subtopic_for
from compliance.services import cra_use_case_controls
from compliance.services.cra_use_case_controls import (
enrich_findings_with_breadth,
subtopic_for,
)
from compliance.api.cra_annex_i_data import ANNEX_I_REQUIREMENTS
# Exact atom-grain sub_topic keys (verified against the live atom_classification).
@@ -14,3 +18,32 @@ def test_every_requirement_maps_to_a_valid_subtopic():
for req in ANNEX_I_REQUIREMENTS:
st = subtopic_for(req["req_id"])
assert st in _VALID, "{} -> {}".format(req["req_id"], st)
class _FakeControlsService:
"""Stands in for UseCaseControlsService: returns one atom control per call,
carrying the legal anchor (source_article) the real atom query now selects."""
def __init__(self, db):
pass
def controls_for_use_case(self, use_case, sub_topic=None, limit=3):
return {"controls": [{
"control_id": "AI-{}-{}".format(use_case, sub_topic),
"title": "Test obligation",
"source_regulation": "Cyber Resilience Act (CRA)",
"source_article": "Artikel 13",
"severity": "high",
}]}
def test_breadth_carries_source_article(monkeypatch):
monkeypatch.setattr(
cra_use_case_controls, "UseCaseControlsService", _FakeControlsService,
)
mapped = [{"primary_requirement": "CRA-AI-8"}] # -> authentication sub_topic
enrich_findings_with_breadth(mapped, db=None)
breadth = mapped[0]["regulatory_breadth"]
assert breadth, "expected breadth controls"
assert all("source_article" in c for c in breadth)
assert any(c["source_article"] == "Artikel 13" for c in breadth)