Benjamin_Boenisch/breakpilot-compliance
1
1
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
34a678caefc2541dccd174eb619f2e28426d2107
breakpilot-compliance/backend-compliance/compliance/services/cra_security_crosswalk.py
T
Benjamin Admin 43ae33975d feat(cra): NIST/OWASP security golden-set crosswalk + full measure texts in CRA tab 
Crosswalk (cra_security_crosswalk.py): deterministic, hand-curated CRA Annex I ->
NIST 800-53 Rev5 + OWASP Top 10:2021 mapping, the authoritative Security Golden
Set (no RAG; semantic breadth comes later via the shared Controls-API). Mapper
attaches NIST/OWASP refs per finding; golden-set completeness pinned by test
(every requirement has >=1 NIST ref). CRA tab now shows the NIST/OWASP best-
practice refs per finding and the full curated measure texts + norm references
(from measures_library_cra.go).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-13 21:24:53 +02:00

93 lines
4.6 KiB
Python
Raw Blame History

"""CRA Annex I -> NIST 800-53 Rev5 + OWASP Top 10:2021 crosswalk (Security Golden Set).
Deterministic, hand-curated mapping. It is the AUTHORITATIVE reference set that
the standalone CRA assessment uses to attach best-practice control IDs to each
CRA essential requirement. NOT a RAG search — semantic breadth comes later via
the shared Controls-API of the mapping session, NOT a second retrieval here.
Each entry maps a CRA-AI requirement to the well-established NIST 800-53 Rev5
control identifiers and the OWASP Top 10:2021 category that govern the same
control objective. Process-only requirements (disclosure/reporting) carry NIST
refs where defensible and no OWASP code (OWASP Top 10 addresses code-level
weaknesses, not disclosure processes) — left empty rather than invented.
"""
# OWASP Top 10:2021 category labels (for display).
OWASP_2021 = {
"A01:2021": "Broken Access Control",
"A02:2021": "Cryptographic Failures",
"A04:2021": "Insecure Design",
"A05:2021": "Security Misconfiguration",
"A06:2021": "Vulnerable and Outdated Components",
"A07:2021": "Identification and Authentication Failures",
"A08:2021": "Software and Data Integrity Failures",
"A09:2021": "Security Logging and Monitoring Failures",
}
# req_id -> {"nist": [800-53 control IDs], "owasp": [Top 10:2021 codes]}
CRA_SECURITY_CROSSWALK = {
"CRA-AI-1": {"nist": ["CM-6", "CM-7"], "owasp": ["A05:2021"]},
"CRA-AI-2": {"nist": ["CM-7", "SC-7"], "owasp": ["A05:2021"]},
"CRA-AI-3": {"nist": ["SA-8", "SC-7", "SC-39"], "owasp": ["A04:2021"]},
"CRA-AI-4": {"nist": ["AC-6"], "owasp": ["A01:2021"]},
"CRA-AI-5": {"nist": ["SI-7", "CM-5"], "owasp": ["A08:2021"]},
"CRA-AI-6": {"nist": ["SI-7"], "owasp": ["A08:2021"]},
"CRA-AI-7": {"nist": ["IA-2", "IA-2(1)"], "owasp": ["A07:2021"]},
"CRA-AI-8": {"nist": ["IA-5", "IA-5(1)"], "owasp": ["A07:2021"]},
"CRA-AI-9": {"nist": ["IA-5"], "owasp": ["A07:2021"]},
"CRA-AI-10": {"nist": ["AC-12", "SC-23"], "owasp": ["A07:2021"]},
"CRA-AI-11": {"nist": ["AC-7"], "owasp": ["A07:2021"]},
"CRA-AI-12": {"nist": ["AC-2", "AC-3", "AC-6"], "owasp": ["A01:2021"]},
"CRA-AI-13": {"nist": ["SC-13", "SC-28"], "owasp": ["A02:2021"]},
"CRA-AI-14": {"nist": ["SC-28"], "owasp": ["A02:2021"]},
"CRA-AI-15": {"nist": ["SC-8", "SC-8(1)"], "owasp": ["A02:2021"]},
"CRA-AI-16": {"nist": ["SC-12"], "owasp": ["A02:2021"]},
"CRA-AI-17": {"nist": ["SI-12"], "owasp": []},
"CRA-AI-18": {"nist": ["SA-3", "SA-8", "SA-15"], "owasp": ["A04:2021"]},
"CRA-AI-19": {"nist": ["SA-11", "SA-15"], "owasp": ["A04:2021"]},
"CRA-AI-20": {"nist": ["SA-11", "SA-11(1)"], "owasp": ["A04:2021"]},
"CRA-AI-21": {"nist": ["SR-3", "SR-5", "SR-6"], "owasp": ["A06:2021"]},
"CRA-AI-22": {"nist": ["RA-5", "SI-2", "SR-4"], "owasp": ["A06:2021"]},
"CRA-AI-23": {"nist": ["SR-4", "SR-3"], "owasp": ["A06:2021"]},
"CRA-AI-24": {"nist": ["AU-2", "AU-3"], "owasp": ["A09:2021"]},
"CRA-AI-25": {"nist": ["AU-6", "SI-4"], "owasp": ["A09:2021"]},
"CRA-AI-26": {"nist": ["SI-4"], "owasp": ["A09:2021"]},
"CRA-AI-27": {"nist": ["AU-9"], "owasp": ["A09:2021"]},
"CRA-AI-28": {"nist": ["SI-2", "SI-7"], "owasp": ["A08:2021"]},
"CRA-AI-29": {"nist": ["SI-7(15)", "SC-12"], "owasp": ["A08:2021"]},
"CRA-AI-30": {"nist": ["SI-7"], "owasp": ["A08:2021"]},
"CRA-AI-31": {"nist": ["SA-22"], "owasp": ["A06:2021"]},
"CRA-AI-32": {"nist": ["RA-5"], "owasp": ["A06:2021"]},
"CRA-AI-33": {"nist": ["RA-5", "SR-4"], "owasp": ["A06:2021"]},
"CRA-AI-34": {"nist": ["RA-5", "RA-7"], "owasp": []},
"CRA-AI-35": {"nist": ["SI-5"], "owasp": []},
"CRA-AI-36": {"nist": ["IR-4", "IR-6"], "owasp": []},
"CRA-AI-37": {"nist": ["IR-6"], "owasp": []},
"CRA-AI-38": {"nist": ["IR-6", "IR-8"], "owasp": []},
"CRA-AI-39": {"nist": ["SI-2"], "owasp": ["A06:2021"]},
"CRA-AI-40": {"nist": ["IR-5", "AU-11"], "owasp": []},
}
def security_refs_for(req_ids: list) -> dict:
"""Union of NIST + OWASP refs across the given CRA-AI requirement ids.
Returns {"nist": [...], "owasp": [{"code": .., "label": ..}]}, deduped,
order-stable. The golden set is the single source — no retrieval.
"""
nist: list = []
owasp: list = []
seen_owasp = set()
for rid in req_ids:
entry = CRA_SECURITY_CROSSWALK.get(rid)
if not entry:
continue
for n in entry["nist"]:
if n not in nist:
nist.append(n)
for code in entry["owasp"]:
if code not in seen_owasp:
seen_owasp.add(code)
owasp.append({"code": code, "label": OWASP_2021.get(code, "")})
return {"nist": nist, "owasp": owasp}
Reference in New Issue View Git Blame Copy Permalink