feat(citability): logischer norm_id-Join auf legal_basis (KB-v2 Zitier-Vertrag)
Wake-up #2 (Domaene 2): Zitierfaehigkeit ohne char-Level-Spans via logischem norm_id-Join auf KB-v2-Units (bp_compliance_kb_2026_1_build). Konvention (Board Compliance/KB-v2 2026-07-01): EU-<ACT>-Anhang<ROM> (Annex-Ebene, confirmed) / EU-<ACT>-Art<N> + EU-<ACT>-Kapitel<ROM> (verify_pending). Namensvariante EU-MaschVO-* (NICHT MaschinenVO). KEINE neue Klasse — norm_ids ist ein Attribut auf legal_basis (freeze-safe). - 65/65 legal_basis gejoint (CRA 40 + MaschVO 25), 0 unparsed; 64 Obligations citation_status -> norm_id_linked (BP/guidance-anchored bleiben ohne norm_id). - 53 annex_confirmed, 12 verify_pending; distinkt 5 Annex-IDs + 19 Art/Kapitel. - norm_id_manifest.json = KB-v2-Handoff (verify_pending Art-/Kapitel-IDs pruefen). - Granularitaet annex-grob (Part/Punkt = KB-Enhancement TBD); Artikel-norm_ids in KB-v2 noch zu verifizieren. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
+125
-36
@@ -11,7 +11,12 @@
|
||||
"name": "SBOM-Erstellungsprozess",
|
||||
"description": "Erzeugen einer vollstaendigen, maschinenlesbaren Software Bill of Materials fuer ein Produkt mit digitalen Elementen.",
|
||||
"source_role": "procedural_requirement",
|
||||
"fulfills_obligations": ["sbom_creation", "sbom_dependency_coverage", "sbom_format_standard", "sbom_tooling_automation"],
|
||||
"fulfills_obligations": [
|
||||
"sbom_creation",
|
||||
"sbom_dependency_coverage",
|
||||
"sbom_format_standard",
|
||||
"sbom_tooling_automation"
|
||||
],
|
||||
"steps": [
|
||||
"Komponenten und (direkte + transitive) Abhaengigkeiten inventarisieren",
|
||||
"SBOM automatisiert in der Build-/Toolchain generieren",
|
||||
@@ -24,15 +29,22 @@
|
||||
"Format ist maschinenlesbar und standardkonform (CycloneDX/SPDX)",
|
||||
"direkte und transitive Abhaengigkeiten enthalten"
|
||||
],
|
||||
"evidence": ["sbom.cyclonedx.json", "Format-Validierungs-Log", "Build-/Toolchain-Konfiguration"],
|
||||
"citation_spans": [], "citation_status": "pending_span_anchor"
|
||||
"evidence": [
|
||||
"sbom.cyclonedx.json",
|
||||
"Format-Validierungs-Log",
|
||||
"Build-/Toolchain-Konfiguration"
|
||||
],
|
||||
"citation_spans": [],
|
||||
"citation_status": "pending_span_anchor"
|
||||
},
|
||||
{
|
||||
"procedure_id": "sbom_update_process",
|
||||
"name": "SBOM-Aktualisierungsprozess",
|
||||
"description": "Halten der SBOM aktuell ueber den Produktlebenszyklus bei Komponenten-, Versions- und Patch-Aenderungen.",
|
||||
"source_role": "procedural_requirement",
|
||||
"fulfills_obligations": ["sbom_maintenance_update"],
|
||||
"fulfills_obligations": [
|
||||
"sbom_maintenance_update"
|
||||
],
|
||||
"steps": [
|
||||
"Komponentenaenderung erkennen (Dependency-/Patch-/Versionsaenderung)",
|
||||
"SBOM neu generieren",
|
||||
@@ -45,15 +57,24 @@
|
||||
"SBOM-Version passt zum Release",
|
||||
"Supplier-Komponenten enthalten"
|
||||
],
|
||||
"evidence": ["sbom.json", "CI-Log", "Release-Artefakt", "Supplier-SBOM"],
|
||||
"citation_spans": [], "citation_status": "pending_span_anchor"
|
||||
"evidence": [
|
||||
"sbom.json",
|
||||
"CI-Log",
|
||||
"Release-Artefakt",
|
||||
"Supplier-SBOM"
|
||||
],
|
||||
"citation_spans": [],
|
||||
"citation_status": "pending_span_anchor"
|
||||
},
|
||||
{
|
||||
"procedure_id": "sbom_supplier_integration_process",
|
||||
"name": "Lieferanten-SBOM-Integration",
|
||||
"description": "Beschaffen und Einarbeiten von Lieferanten-/Drittkomponenten-SBOMs in die Produkt-SBOM.",
|
||||
"source_role": "procedural_requirement",
|
||||
"fulfills_obligations": ["sbom_supply_chain_contracts", "sbom_dependency_coverage"],
|
||||
"fulfills_obligations": [
|
||||
"sbom_supply_chain_contracts",
|
||||
"sbom_dependency_coverage"
|
||||
],
|
||||
"steps": [
|
||||
"SBOM-Anforderung in Lieferantenvertraege aufnehmen",
|
||||
"Lieferanten-SBOMs einsammeln",
|
||||
@@ -65,15 +86,24 @@
|
||||
"Lieferanten-SBOMs eingegangen",
|
||||
"Drittkomponenten in der SBOM gelistet"
|
||||
],
|
||||
"evidence": ["Lieferantenvertrag-Klausel", "eingegangene Supplier-SBOMs", "gemergte SBOM"],
|
||||
"citation_spans": [], "citation_status": "pending_span_anchor"
|
||||
"evidence": [
|
||||
"Lieferantenvertrag-Klausel",
|
||||
"eingegangene Supplier-SBOMs",
|
||||
"gemergte SBOM"
|
||||
],
|
||||
"citation_spans": [],
|
||||
"citation_status": "pending_span_anchor"
|
||||
},
|
||||
{
|
||||
"procedure_id": "sbom_provision_process",
|
||||
"name": "SBOM-Bereitstellungsprozess",
|
||||
"description": "Zugaenglichmachen der SBOM fuer berechtigte Parteien (Nutzer, Behoerde) unter Wahrung der Vertraulichkeit.",
|
||||
"source_role": "procedural_requirement",
|
||||
"fulfills_obligations": ["sbom_access_provision", "sbom_authority_provision", "sbom_confidentiality"],
|
||||
"fulfills_obligations": [
|
||||
"sbom_access_provision",
|
||||
"sbom_authority_provision",
|
||||
"sbom_confidentiality"
|
||||
],
|
||||
"steps": [
|
||||
"Zugangskanal definieren (Portal/API/dokumentierter Pfad)",
|
||||
"Nutzer ueber den Zugangsweg informieren",
|
||||
@@ -85,15 +115,23 @@
|
||||
"Zugriffskontrolle/Vertraulichkeit umgesetzt",
|
||||
"Behoerden-Bereitstellungsprozess definiert"
|
||||
],
|
||||
"evidence": ["Zugangskanal-Dokumentation", "Behoerden-Anfrage-Log", "Zugriffskontroll-Konfiguration"],
|
||||
"citation_spans": [], "citation_status": "pending_span_anchor"
|
||||
"evidence": [
|
||||
"Zugangskanal-Dokumentation",
|
||||
"Behoerden-Anfrage-Log",
|
||||
"Zugriffskontroll-Konfiguration"
|
||||
],
|
||||
"citation_spans": [],
|
||||
"citation_status": "pending_span_anchor"
|
||||
},
|
||||
{
|
||||
"procedure_id": "sbom_conformity_documentation_process",
|
||||
"name": "SBOM in technischer Dokumentation/Konformitaet",
|
||||
"description": "Aufnehmen der SBOM in die technische Dokumentation und Verifizieren der Vollstaendigkeit fuer die Konformitaetsbewertung.",
|
||||
"source_role": "procedural_requirement",
|
||||
"fulfills_obligations": ["sbom_technical_documentation", "sbom_completeness_verification"],
|
||||
"fulfills_obligations": [
|
||||
"sbom_technical_documentation",
|
||||
"sbom_completeness_verification"
|
||||
],
|
||||
"steps": [
|
||||
"SBOM in die technische Dokumentation aufnehmen",
|
||||
"Vollstaendigkeit gegen die real eingesetzte Softwarekomposition pruefen",
|
||||
@@ -104,16 +142,22 @@
|
||||
"Vollstaendigkeit verifiziert",
|
||||
"Konformitaetsnachweis vorhanden"
|
||||
],
|
||||
"evidence": ["technische Dokumentation", "Vollstaendigkeits-Pruefbericht", "Konformitaetsnachweis"],
|
||||
"citation_spans": [], "citation_status": "pending_span_anchor"
|
||||
"evidence": [
|
||||
"technische Dokumentation",
|
||||
"Vollstaendigkeits-Pruefbericht",
|
||||
"Konformitaetsnachweis"
|
||||
],
|
||||
"citation_spans": [],
|
||||
"citation_status": "pending_span_anchor"
|
||||
},
|
||||
|
||||
{
|
||||
"procedure_id": "vuln_handling_process_setup",
|
||||
"name": "Schwachstellenbehandlungsprozess einrichten",
|
||||
"description": "Dokumentierten Prozess und Meldekanal (CVD) fuer die Schwachstellenbehandlung etablieren.",
|
||||
"source_role": "procedural_requirement",
|
||||
"fulfills_obligations": ["vuln_handling_process"],
|
||||
"fulfills_obligations": [
|
||||
"vuln_handling_process"
|
||||
],
|
||||
"steps": [
|
||||
"dokumentierten Schwachstellenbehandlungsprozess definieren",
|
||||
"Coordinated-Vulnerability-Disclosure-Richtlinie und Meldekanal veroeffentlichen",
|
||||
@@ -124,15 +168,22 @@
|
||||
"Meldekanal/Kontaktstelle auffindbar (z.B. security.txt)",
|
||||
"Triage-Verfahren vorhanden"
|
||||
],
|
||||
"evidence": ["Prozessdokument", "security.txt / Kontaktstelle", "Triage-Log"],
|
||||
"citation_spans": [], "citation_status": "pending_span_anchor"
|
||||
"evidence": [
|
||||
"Prozessdokument",
|
||||
"security.txt / Kontaktstelle",
|
||||
"Triage-Log"
|
||||
],
|
||||
"citation_spans": [],
|
||||
"citation_status": "pending_span_anchor"
|
||||
},
|
||||
{
|
||||
"procedure_id": "vuln_identification_process",
|
||||
"name": "Schwachstellen-Identifikation",
|
||||
"description": "Bekannte Schwachstellen in eingesetzten Komponenten erkennen und inventarisieren.",
|
||||
"source_role": "procedural_requirement",
|
||||
"fulfills_obligations": ["vuln_identification_inventory"],
|
||||
"fulfills_obligations": [
|
||||
"vuln_identification_inventory"
|
||||
],
|
||||
"steps": [
|
||||
"Advisories/CVE-Feeds beobachten",
|
||||
"gegen die SBOM-Komponenten abgleichen",
|
||||
@@ -143,15 +194,21 @@
|
||||
"SBOM-zu-CVE-Abgleich durchgefuehrt",
|
||||
"Schwachstellen-Inventar gepflegt"
|
||||
],
|
||||
"evidence": ["CVE-Abgleich-Report", "Schwachstellen-Register"],
|
||||
"citation_spans": [], "citation_status": "pending_span_anchor"
|
||||
"evidence": [
|
||||
"CVE-Abgleich-Report",
|
||||
"Schwachstellen-Register"
|
||||
],
|
||||
"citation_spans": [],
|
||||
"citation_status": "pending_span_anchor"
|
||||
},
|
||||
{
|
||||
"procedure_id": "vuln_assessment_process",
|
||||
"name": "Schwachstellen-Bewertung/Priorisierung",
|
||||
"description": "Identifizierte Schwachstellen nach Schweregrad, Ausnutzbarkeit und Exposition bewerten und priorisieren.",
|
||||
"source_role": "procedural_requirement",
|
||||
"fulfills_obligations": ["vuln_assessment_prioritization"],
|
||||
"fulfills_obligations": [
|
||||
"vuln_assessment_prioritization"
|
||||
],
|
||||
"steps": [
|
||||
"Schweregrad bewerten (z.B. CVSS)",
|
||||
"Ausnutzbarkeit/Exposition einschaetzen",
|
||||
@@ -161,15 +218,21 @@
|
||||
"Schweregrad standardisiert bewertet",
|
||||
"risikobasierte Priorisierung vorhanden"
|
||||
],
|
||||
"evidence": ["Bewertungsdatensatz (CVSS)", "Prioritaetenliste"],
|
||||
"citation_spans": [], "citation_status": "pending_span_anchor"
|
||||
"evidence": [
|
||||
"Bewertungsdatensatz (CVSS)",
|
||||
"Prioritaetenliste"
|
||||
],
|
||||
"citation_spans": [],
|
||||
"citation_status": "pending_span_anchor"
|
||||
},
|
||||
{
|
||||
"procedure_id": "vuln_remediation_process",
|
||||
"name": "Schwachstellen-Behebung",
|
||||
"description": "Bekannte Schwachstellen fristgerecht durch Patches/Gegenmassnahmen beheben und Sicherheitsupdates bereitstellen.",
|
||||
"source_role": "procedural_requirement",
|
||||
"fulfills_obligations": ["vuln_remediation_patching"],
|
||||
"fulfills_obligations": [
|
||||
"vuln_remediation_patching"
|
||||
],
|
||||
"steps": [
|
||||
"Fix/Gegenmassnahme entwickeln",
|
||||
"testen",
|
||||
@@ -181,15 +244,23 @@
|
||||
"Sicherheitsupdate bereitgestellt",
|
||||
"Follow-up bis Closure"
|
||||
],
|
||||
"evidence": ["Patch/Release", "Behebungs-Zeitleiste", "Follow-up-Log"],
|
||||
"citation_spans": [], "citation_status": "pending_span_anchor"
|
||||
"evidence": [
|
||||
"Patch/Release",
|
||||
"Behebungs-Zeitleiste",
|
||||
"Follow-up-Log"
|
||||
],
|
||||
"citation_spans": [],
|
||||
"citation_status": "pending_span_anchor"
|
||||
},
|
||||
{
|
||||
"procedure_id": "vuln_disclosure_process",
|
||||
"name": "Offenlegung + Nutzerinformation",
|
||||
"description": "Koordinierte Offenlegung behobener Schwachstellen und Information der Nutzer ueber Schutzmassnahmen.",
|
||||
"source_role": "procedural_requirement",
|
||||
"fulfills_obligations": ["coordinated_vulnerability_disclosure", "vuln_info_dissemination_users"],
|
||||
"fulfills_obligations": [
|
||||
"coordinated_vulnerability_disclosure",
|
||||
"vuln_info_dissemination_users"
|
||||
],
|
||||
"steps": [
|
||||
"Offenlegungszeitpunkt koordinieren",
|
||||
"Security Advisory / CVE-Eintrag veroeffentlichen",
|
||||
@@ -199,15 +270,22 @@
|
||||
"Advisory veroeffentlicht",
|
||||
"Nutzer informiert"
|
||||
],
|
||||
"evidence": ["Security Advisory", "CVE-Eintrag", "Nutzer-Benachrichtigung"],
|
||||
"citation_spans": [], "citation_status": "pending_span_anchor"
|
||||
"evidence": [
|
||||
"Security Advisory",
|
||||
"CVE-Eintrag",
|
||||
"Nutzer-Benachrichtigung"
|
||||
],
|
||||
"citation_spans": [],
|
||||
"citation_status": "pending_span_anchor"
|
||||
},
|
||||
{
|
||||
"procedure_id": "vuln_authority_reporting_process",
|
||||
"name": "Behoerdenmeldung aktiv ausgenutzter Schwachstellen",
|
||||
"description": "Aktiv ausgenutzte Schwachstellen fristgerecht an CSIRT/ENISA melden (CRA Art. 14-Kaskade).",
|
||||
"source_role": "procedural_requirement",
|
||||
"fulfills_obligations": ["exploited_vuln_reporting_authorities"],
|
||||
"fulfills_obligations": [
|
||||
"exploited_vuln_reporting_authorities"
|
||||
],
|
||||
"applicability_note": "bedingt: nur bei aktiv ausgenutzter Schwachstelle",
|
||||
"steps": [
|
||||
"aktive Ausnutzung erkennen",
|
||||
@@ -220,8 +298,19 @@
|
||||
"72h-Meldung erfolgt",
|
||||
"14d-Abschlussbericht erfolgt"
|
||||
],
|
||||
"evidence": ["CSIRT/ENISA-Meldungsbelege", "Zeitstempel der Kaskade"],
|
||||
"citation_spans": [], "citation_status": "pending_span_anchor"
|
||||
"evidence": [
|
||||
"CSIRT/ENISA-Meldungsbelege",
|
||||
"Zeitstempel der Kaskade"
|
||||
],
|
||||
"citation_spans": [],
|
||||
"citation_status": "pending_span_anchor"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"norm_id_contract": {
|
||||
"convention": "EU-<ACT>-Anhang<ROM> (Annex-Ebene) / EU-<ACT>-Art<N> (verify) — KB-v2 bp_compliance_kb_2026_1_build",
|
||||
"act_naming": "EU-MaschVO-* (NICHT MaschinenVO)",
|
||||
"granularity": "annex-grob — 'Annex I Part II (1)' -> EU-CRA-AnhangI; Part/Punkt = KB-Enhancement TBD",
|
||||
"article_status": "EU-<ACT>-Art<N> in KB-v2 noch zu verifizieren; Annex-IDs confirmed",
|
||||
"source": "Board Compliance/KB-v2 2026-07-01"
|
||||
}
|
||||
}
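Review bot: The new `norm_id_contract` added in the last hunk states the ID convention only as prose (`convention`, `act_naming`, `granularity`), so a consumer of this file cannot mechanically reject a malformed or misspelled norm_id — including the `MaschinenVO` variant the contract itself forbids — and the "0 unparsed" guarantee from the commit message lives only in the build step, not in the artefact that is read. I would add a machine-checkable form next to the prose, e.g. `"id_pattern": "^EU-(CRA|MaschVO)-(Anhang[IVX]+|Art[0-9]+|Kapitel[IVX]+)$"`, `"acts": ["CRA", "MaschVO"]` and `"citation_status_values": ["annex_confirmed", "verify_pending"]`, so a KB-v2 validator and the citation renderer share one rule and a renderer can refuse to present a `verify_pending` article ID as an authoritative legal citation; the two act names are taken from the commit message and should be confirmed against the legal_basis data. Related: every procedure in this file still carries `"citation_status": "pending_span_anchor"` although the commit replaces span anchoring with the norm_id join, so either the procedures' status should move to a value defined by the new contract or the contract should state that procedures cite only indirectly via `fulfills_obligations` — as written a reader cannot tell which. The enclosing top-level object begins before the first hunk.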
|
||||