diff --git a/obligations/obligation_join_keys.json b/obligations/obligation_join_keys.json new file mode 100644 index 00000000..872ae771 --- /dev/null +++ b/obligations/obligation_join_keys.json 
@@ -0,0 +1,423 @@ +{ + "schema_version": "obligation_join_keys_v1", + "contract": "obligation_id ist der stabile Join-Key. Legal Knowledge Graph haengt citation_spans an obligation_id; Compliance Execution Graph mappt control_mapping.source_norm -> obligation_id. Interim-Bruecke = citation_units. obligation_id NIE neu vergeben (re-link).", + "count": 47, + "obligation_ids": [ + { + "obligation_id": "sbom_creation", + "regulation": "CRA", + "family": "sbom", + "tier": "LEGAL_MINIMUM", + "citation_units": [ + "Annex I Part II (1)" + ], + "source_role": "LEGAL_BASIS" + }, + { + "obligation_id": "sbom_dependency_coverage", + "regulation": "CRA", + "family": "sbom", + "tier": "LEGAL_MINIMUM", + "citation_units": [ + "Art. 3(36) i.V.m. Annex I Part II (1)" + ], + "source_role": "LEGAL_BASIS" + }, + { + "obligation_id": "sbom_format_standard", + "regulation": "CRA", + "family": "sbom", + "tier": "LEGAL_MINIMUM", + "citation_units": [ + "Annex I Part II (1)" + ], + "source_role": "LEGAL_BASIS" + }, + { + "obligation_id": "sbom_maintenance_update", + "regulation": "CRA", + "family": "sbom", + "tier": "LEGAL_MINIMUM", + "citation_units": [ + "Annex I Part II (1)" + ], + "source_role": "LEGAL_BASIS" + }, + { + "obligation_id": "sbom_completeness_verification", + "regulation": "CRA", + "family": "sbom", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "sbom_tooling_automation", + "regulation": "CRA", + "family": "sbom", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "IMPLEMENTATION" + }, + { + "obligation_id": "sbom_access_provision", + "regulation": "CRA", + "family": "sbom", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "sbom_authority_provision", + "regulation": "CRA", + "family": "sbom", + "tier": "LEGAL_MINIMUM", + "citation_units": [ + "Art. 
31 / Annex I Part II (1)" + ], + "source_role": "LEGAL_BASIS" + }, + { + "obligation_id": "sbom_confidentiality", + "regulation": "CRA", + "family": "sbom", + "tier": "LEGAL_MINIMUM", + "citation_units": [ + "Art. 31(4)" + ], + "source_role": "LEGAL_BASIS" + }, + { + "obligation_id": "sbom_supply_chain_contracts", + "regulation": "CRA", + "family": "sbom", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "sbom_technical_documentation", + "regulation": "CRA", + "family": "sbom", + "tier": "LEGAL_MINIMUM", + "citation_units": [ + "Art. 31 i.V.m. Annex VII" + ], + "source_role": "EVIDENCE" + }, + { + "obligation_id": "vuln_identification_inventory", + "regulation": "CRA", + "family": "vuln", + "tier": "LEGAL_MINIMUM", + "citation_units": [ + "Annex I Part II (1)" + ], + "source_role": "LEGAL_BASIS" + }, + { + "obligation_id": "vuln_assessment_prioritization", + "regulation": "CRA", + "family": "vuln", + "tier": "LEGAL_MINIMUM", + "citation_units": [ + "Annex I Part II (1)" + ], + "source_role": "LEGAL_BASIS" + }, + { + "obligation_id": "vuln_remediation_patching", + "regulation": "CRA", + "family": "vuln", + "tier": "LEGAL_MINIMUM", + "citation_units": [ + "Annex I Part II (2) & (8)" + ], + "source_role": "LEGAL_BASIS" + }, + { + "obligation_id": "vuln_handling_process", + "regulation": "CRA", + "family": "vuln", + "tier": "LEGAL_MINIMUM", + "citation_units": [ + "Article 13(8) & Annex VII" + ], + "source_role": "LEGAL_BASIS" + }, + { + "obligation_id": "coordinated_vulnerability_disclosure", + "regulation": "CRA", + "family": "vuln", + "tier": "LEGAL_MINIMUM", + "citation_units": [ + "Annex I Part II (5)" + ], + "source_role": "LEGAL_BASIS" + }, + { + "obligation_id": "exploited_vuln_reporting_authorities", + "regulation": "CRA", + "family": "vuln", + "tier": "LEGAL_MINIMUM", + "citation_units": [ + "Article 14 & Article 16" + ], + "source_role": "LEGAL_BASIS" + }, + { + "obligation_id": 
"vuln_info_dissemination_users", + "regulation": "CRA", + "family": "vuln", + "tier": "LEGAL_MINIMUM", + "citation_units": [ + "Annex I Part II (4) & (6)" + ], + "source_role": "LEGAL_BASIS" + }, + { + "obligation_id": "user_authentication_required", + "regulation": "CRA", + "family": "authentication", + "tier": "LEGAL_MINIMUM", + "citation_units": [ + "Annex I (2)(d)" + ], + "source_role": "LEGAL_BASIS" + }, + { + "obligation_id": "authentication_policy_documented", + "regulation": "CRA", + "family": "authentication", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "auth_exceptions_documented", + "regulation": "CRA", + "family": "authentication", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "mfa_required", + "regulation": "CRA", + "family": "authentication", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "step_up_authentication", + "regulation": "CRA", + "family": "authentication", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "privileged_op_reauth", + "regulation": "CRA", + "family": "authentication", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "strong_crypto_authentication", + "regulation": "CRA", + "family": "authentication", + "tier": "LEGAL_MINIMUM", + "citation_units": [ + "Annex I (2)(e)" + ], + "source_role": "LEGAL_BASIS" + }, + { + "obligation_id": "credential_lifecycle_management", + "regulation": "CRA", + "family": "authentication", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "credential_confidentiality_protection", + "regulation": "CRA", + "family": "authentication", + "tier": "LEGAL_MINIMUM", + "citation_units": [ + "Annex I (2)(e)" + ], + "source_role": "LEGAL_BASIS" + }, + { + 
"obligation_id": "password_policy", + "regulation": "CRA", + "family": "authentication", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "no_default_credentials", + "regulation": "CRA", + "family": "authentication", + "tier": "LEGAL_MINIMUM", + "citation_units": [ + "Annex I (2)(a)" + ], + "source_role": "LEGAL_BASIS" + }, + { + "obligation_id": "account_lockout_failed_attempts", + "regulation": "CRA", + "family": "authentication", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "server_side_validation", + "regulation": "CRA", + "family": "authentication", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "session_binding_management", + "regulation": "CRA", + "family": "authentication", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "reauth_after_inactivity", + "regulation": "CRA", + "family": "authentication", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "token_validation_lifecycle", + "regulation": "CRA", + "family": "authentication", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "mutual_authentication", + "regulation": "CRA", + "family": "authentication", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "revocation_check", + "regulation": "CRA", + "family": "authentication", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "encrypted_auth_channel", + "regulation": "CRA", + "family": "authentication", + "tier": "LEGAL_MINIMUM", + "citation_units": [ + "Annex I (2)(e)" + ], + "source_role": "LEGAL_BASIS" + }, + { + "obligation_id": "tls_certificate_auth", + "regulation": "CRA", + "family": 
"authentication", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "service_to_service_auth", + "regulation": "CRA", + "family": "authentication", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "auth_key_management", + "regulation": "CRA", + "family": "authentication", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "biometric_authentication", + "regulation": "CRA", + "family": "authentication", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "federated_auth_assertions", + "regulation": "CRA", + "family": "authentication", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "separate_authn_authz", + "regulation": "CRA", + "family": "authentication", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "remote_access_authentication", + "regulation": "CRA", + "family": "authentication", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "supplier_access_auth", + "regulation": "CRA", + "family": "authentication", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "personal_admin_accounts", + "regulation": "CRA", + "family": "authentication", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "firmware_software_authentication", + "regulation": "CRA", + "family": "authentication", + "tier": "LEGAL_MINIMUM", + "citation_units": [ + "Annex I (2)(c)" + ], + "source_role": "LEGAL_BASIS" + } + ] +} \ No newline at end of file 
diff --git a/scripts/obligation_discovery/export_join_keys.py b/scripts/obligation_discovery/export_join_keys.py new file mode 100644 index 00000000..e25a6b19 --- /dev/null +++ b/scripts/obligation_discovery/export_join_keys.py 
@@ -0,0 +1,52 @@
+"""Exportiert den OBLIGATION_ID-Join-Key-Vertrag aus den Registry-Artefakten.
+Die obligation_id ist der stabile Brueckenschluessel zwischen Legal Knowledge Graph
+(citation_spans haengen an obligation_id) und Compliance Execution Graph
+(control_mapping.source_norm -> obligation_id). citation_units = die legal_basis-Anker,
+ueber die beide Seiten heute (vor obligation_id-Adoption) bruecken koennen.
+
+DISZIPLIN: obligation_id wird RE-GELINKT, NIE neu vergeben (Pendant zu span_id/control_uuid).
+
+ python3 scripts/obligation_discovery/export_join_keys.py obligations/cra.json obligations/cra_authentication.json
+"""
+from __future__ import annotations
+
+import argparse
+import json
+
+
+def main() -> None:
+ ap = argparse.ArgumentParser()
+ ap.add_argument("registries", nargs="+")
+ ap.add_argument("--out", default="obligations/obligation_join_keys.json")
+ a = ap.parse_args()
+ keys = []
+ for path in a.registries:
+ reg = json.load(open(path, encoding="utf-8"))
+ for o in reg.get("obligations", []):
+ citation_units = [b.get("anchor", "") for b in o.get("legal_basis", []) if b.get("anchor")]
+ keys.append({
+ "obligation_id": o["id"],
+ "regulation": reg.get("regulation", ""),
+ "family": o.get("family", ""),
+ "tier": o.get("tier", ""),
+ "citation_units": citation_units,
+ "source_role": o.get("source_role", ""),
+ })
+ out = {
+ "schema_version": "obligation_join_keys_v1",
+ "contract": "obligation_id ist der stabile Join-Key. Legal Knowledge Graph haengt "
+ "citation_spans an obligation_id; Compliance Execution Graph mappt "
+ "control_mapping.source_norm -> obligation_id. Interim-Bruecke = citation_units. "
+ "obligation_id NIE neu vergeben (re-link).",
+ "count": len(keys),
+ "obligation_ids": keys,
+ }
+ json.dump(out, open(a.out, "w", encoding="utf-8"), ensure_ascii=False, indent=1)
+ from collections import Counter
+ print(f"exportiert: {a.out} ({len(keys)} obligation_ids)")
+ print("Regulierungen:", dict(Counter(k["regulation"] for k in keys)))
+ print("Familien:", dict(Counter(k["family"] for k in keys)))
+
+
+if __name__ == "__main__":
+ main()