Benjamin Admin
8f169cbae3
Gap Analysis v2: statt 500 generische Gaps → nur die ECHTEN Lücken. Backend: - ProductProfile um 15 IST-Felder erweitert (Normen, Doku, Prozesse, CE) - assessGapStatus prüft: IACE-Mitigations → Zertifizierungen → Normen → IST-Felder - norm_mapping.go: 20 Normen → MC-Topic Mapping (ISO 12100, IEC 62443, etc.) - IACE-Integration: CheckIACECoverage() matcht verified Mitigations gegen MCs Frontend: - 2-Step Wizard: Produkt beschreiben → IST-Zustand erfassen - IstAssessment.tsx: CE-Jahr, Normen-Multiselect, Doku+Prozess Checkboxen - Step-Navigation mit visuellen Indikatoren Migration 025 erweitert um IST-Felder. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
174 lines
7.1 KiB
Go
174 lines
7.1 KiB
Go
// Package gap implements the Regulatory Gap Analysis Engine.
|
|
//
|
|
// Given a product profile, the engine determines which regulations apply,
|
|
// identifies gaps against Master Controls, and produces a prioritized
|
|
// action list.
|
|
package gap
|
|
|
|
import (
|
|
"time"
|
|
|
|
"github.com/google/uuid"
|
|
)
|
|
|
|
// ── Product Profile ─────────────────────────────────────────────────
|
|
|
|
// ProductType classifies the product category.
|
|
type ProductType string
|
|
|
|
const (
|
|
ProductTypeSoftware ProductType = "software"
|
|
ProductTypeHardware ProductType = "hardware"
|
|
ProductTypeIoT ProductType = "iot"
|
|
ProductTypeSaaS ProductType = "saas"
|
|
ProductTypeExchange ProductType = "exchange"
|
|
ProductTypeMedicalDevice ProductType = "medical_device"
|
|
ProductTypeMachinery ProductType = "machinery"
|
|
ProductTypeOther ProductType = "other"
|
|
)
|
|
|
|
// ProductProfile describes a customer's product for gap analysis.
|
|
type ProductProfile struct {
|
|
ID uuid.UUID `json:"id" db:"id"`
|
|
TenantID uuid.UUID `json:"tenant_id" db:"tenant_id"`
|
|
Name string `json:"name" db:"name"`
|
|
Description string `json:"description" db:"description"`
|
|
ProductType ProductType `json:"product_type" db:"product_type"`
|
|
|
|
// Technology stack
|
|
Technologies []string `json:"technologies" db:"-"` // encryption, api, blockchain, ai, ota_updates, cloud
|
|
// Data processing categories
|
|
DataProcessing []string `json:"data_processing" db:"-"` // personal_data, health_data, financial_data, telemetry
|
|
// Target markets
|
|
Markets []string `json:"markets" db:"-"` // EU, DE, AT, CH, US
|
|
|
|
// Boolean flags (derived from technologies or set explicitly)
|
|
ConnectedToInternet bool `json:"connected_to_internet" db:"connected_to_internet"`
|
|
HasSoftwareUpdates bool `json:"has_software_updates" db:"has_software_updates"`
|
|
UsesAI bool `json:"uses_ai" db:"uses_ai"`
|
|
ProcessesPersonalData bool `json:"processes_personal_data" db:"processes_personal_data"`
|
|
IsCriticalInfraSupplier bool `json:"is_critical_infra_supplier" db:"is_critical_infra_supplier"`
|
|
|
|
// Existing certifications (reduces gap count)
|
|
ExistingCertifications []string `json:"existing_certifications" db:"-"` // ISO27001, CE, SOC2
|
|
|
|
// ── IST-Zustand (was hat der Hersteller bereits?) ──────────────
|
|
|
|
// Verbindung zu bestehendem IACE Projekt
|
|
IACEProjectID *uuid.UUID `json:"iace_project_id" db:"iace_project_id"`
|
|
|
|
// Angewandte Normen
|
|
AppliedNorms []string `json:"applied_norms" db:"-"` // ISO12100, EN61326, EN62368
|
|
|
|
// Bestehende Dokumentation
|
|
HasRiskAssessment bool `json:"has_risk_assessment" db:"has_risk_assessment"`
|
|
HasTechnicalFile bool `json:"has_technical_file" db:"has_technical_file"`
|
|
HasOperatingManual bool `json:"has_operating_manual" db:"has_operating_manual"`
|
|
HasSBOM bool `json:"has_sbom" db:"has_sbom"`
|
|
|
|
// Bestehende Prozesse
|
|
HasVulnManagement bool `json:"has_vuln_management" db:"has_vuln_management"`
|
|
HasUpdateMechanism bool `json:"has_update_mechanism" db:"has_update_mechanism"`
|
|
HasIncidentResponse bool `json:"has_incident_response" db:"has_incident_response"`
|
|
HasSupplyChainMgmt bool `json:"has_supply_chain_mgmt" db:"has_supply_chain_mgmt"`
|
|
|
|
// CE/Produktsicherheit
|
|
CEMarkingSince *string `json:"ce_marking_since" db:"ce_marking_since"`
|
|
ProductAge string `json:"product_age" db:"product_age"`
|
|
|
|
// Metadata
|
|
CreatedAt time.Time `json:"created_at" db:"created_at"`
|
|
UpdatedAt time.Time `json:"updated_at" db:"updated_at"`
|
|
}
|
|
|
|
// ── Regulation Classification ───────────────────────────────────────
|
|
|
|
// RegulationID identifies a regulation.
|
|
type RegulationID string
|
|
|
|
const (
|
|
RegCRA RegulationID = "cra"
|
|
RegAIAct RegulationID = "ai_act"
|
|
RegNIS2 RegulationID = "nis2"
|
|
RegDSGVO RegulationID = "dsgvo"
|
|
RegDataAct RegulationID = "data_act"
|
|
RegMiCA RegulationID = "mica"
|
|
RegPSD2 RegulationID = "psd2"
|
|
RegAML RegulationID = "aml"
|
|
RegMDR RegulationID = "mdr"
|
|
RegMachinery RegulationID = "machinery_regulation"
|
|
RegEAA RegulationID = "eaa"
|
|
RegTDDDG RegulationID = "tdddg"
|
|
RegLkSG RegulationID = "lksg"
|
|
)
|
|
|
|
// ApplicableRegulation describes a regulation that applies to a product.
|
|
type ApplicableRegulation struct {
|
|
ID RegulationID `json:"id"`
|
|
Name string `json:"name"`
|
|
Applicable bool `json:"applicable"`
|
|
Confidence float64 `json:"confidence"`
|
|
Reasoning string `json:"reasoning"`
|
|
Deadline *time.Time `json:"deadline,omitempty"`
|
|
RiskLevel string `json:"risk_level"` // high, medium, low
|
|
Requirements []string `json:"requirements,omitempty"`
|
|
}
|
|
|
|
// ── Gap Analysis ────────────────────────────────────────────────────
|
|
|
|
// GapStatus indicates how well a control is fulfilled.
|
|
type GapStatus string
|
|
|
|
const (
|
|
GapFulfilled GapStatus = "fulfilled"
|
|
GapPartial GapStatus = "partial"
|
|
GapMissing GapStatus = "missing"
|
|
GapUnclear GapStatus = "unclear"
|
|
)
|
|
|
|
// GapItem represents a single gap finding.
|
|
type GapItem struct {
|
|
MCID string `json:"mc_id"`
|
|
MCName string `json:"mc_name"`
|
|
Regulation RegulationID `json:"regulation"`
|
|
Status GapStatus `json:"status"`
|
|
Title string `json:"title"`
|
|
Description string `json:"description"`
|
|
Severity string `json:"severity"` // CRITICAL, HIGH, MEDIUM, LOW
|
|
Priority Priority `json:"priority"`
|
|
Recommendation string `json:"recommendation"`
|
|
ControlCount int `json:"control_count"`
|
|
}
|
|
|
|
// Priority determines the order of action.
|
|
type Priority struct {
|
|
Score float64 `json:"score"`
|
|
SeverityFactor float64 `json:"severity_factor"`
|
|
DeadlineFactor float64 `json:"deadline_factor"`
|
|
DependencyFactor float64 `json:"dependency_factor"`
|
|
Rank int `json:"rank"`
|
|
}
|
|
|
|
// ── Gap Report ──────────────────────────────────────────────────────
|
|
|
|
// GapReport is the full analysis result.
|
|
type GapReport struct {
|
|
ProfileID uuid.UUID `json:"profile_id"`
|
|
ProfileName string `json:"profile_name"`
|
|
Regulations []ApplicableRegulation `json:"regulations"`
|
|
Summary GapSummary `json:"summary"`
|
|
Gaps []GapItem `json:"gaps"`
|
|
CreatedAt time.Time `json:"created_at"`
|
|
}
|
|
|
|
// GapSummary provides aggregate statistics.
|
|
type GapSummary struct {
|
|
TotalApplicableRegulations int `json:"total_applicable_regulations"`
|
|
TotalGaps int `json:"total_gaps"`
|
|
GapsByStatus map[string]int `json:"gaps_by_status"`
|
|
GapsBySeverity map[string]int `json:"gaps_by_severity"`
|
|
GapsByRegulation map[string]int `json:"gaps_by_regulation"`
|
|
OverallCompliancePercent float64 `json:"overall_compliance_percent"`
|
|
EstimatedEffortWeeks float64 `json:"estimated_effort_weeks"`
|
|
}
|