Benjamin Bönisch
72093e5501
CI / detect-changes (push) Successful in 17s
CI / branch-name (push) Has been skipped
CI / guardrail-integrity (push) Has been skipped
CI / secret-scan (push) Has been skipped
CI / dep-audit (push) Has been skipped
CI / sbom-scan (push) Has been skipped
CI / build-sha-integrity (push) Successful in 13s
CI / validate-canonical-controls (push) Successful in 12s
CI / loc-budget (push) Successful in 25s
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / nodejs-build (push) Has been skipped
CI / test-go (push) Has been skipped
CI / iace-gt-coverage (push) Has been skipped
CI / test-python-backend (push) Successful in 30s
CI / test-python-document-crawler (push) Has been skipped
CI / test-python-dsms-gateway (push) Has been skipped
Punkt 2 (Coverage): semgrep/gdpr-Findings ohne CWE blieben unmapped (~21%). Der Mapper nutzt jetzt den scanner rule_id + gezielte Keywords (gdpr -> Datenminimierung CRA-AI-17, path-traversal/prototype-pollution -> CRA-AI-20, nginx-header/Docker-Hardening -> CRA-AI-1/4, insecure-websocket -> CRA-AI-15). Reale Scanner-Daten: unmapped 19/92 -> 0/92 (Coverage 100%). Punkt 3 (Latenz): enrich_findings_with_breadth lief ~6 Aggregat-Queries je (use_case,sub_topic)-Paar, nutzte aber nur die Liste. Jetzt EINE batched Query (breadth_controls_batch) fuer alle Paare + Prozess-Cache (TTL 1800s). macmini: cold 0,23s / warm 0,000s. Prod-Root-Cause: atom_classification ohne (use_case,sub_topic)-Index nach DB-Swap -> Index dem DB-Owner empfohlen. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
56 lines
2.1 KiB
Python
56 lines
2.1 KiB
Python
"""Pin the CRA-AI -> network_security sub_topic map (DB enrichment verified live)."""
|
|
from compliance.services import cra_use_case_controls
|
|
from compliance.services.cra_use_case_controls import (
|
|
enrich_findings_with_breadth,
|
|
subtopic_for,
|
|
)
|
|
from compliance.api.cra_annex_i_data import ANNEX_I_REQUIREMENTS
|
|
|
|
# Exact atom-grain sub_topic keys (verified against the live atom_classification).
|
|
_VALID = {
|
|
"access_control", "authentication", "cryptography", "network_segmentation",
|
|
"logging_monitoring", "supply_chain_security", "vulnerability_management",
|
|
"incident_response", "secure_development", "data_protection",
|
|
}
|
|
|
|
|
|
def test_every_requirement_maps_to_a_valid_subtopic():
|
|
for req in ANNEX_I_REQUIREMENTS:
|
|
st = subtopic_for(req["req_id"])
|
|
assert st in _VALID, "{} -> {}".format(req["req_id"], st)
|
|
|
|
|
|
class _FakeControlsService:
|
|
"""Stands in for UseCaseControlsService: returns one atom control per
|
|
(use_case, sub_topic) pair, carrying the legal anchor (source_article) the
|
|
real batched atom query now selects."""
|
|
|
|
def __init__(self, db):
|
|
pass
|
|
|
|
def breadth_controls_batch(self, pairs, per=3):
|
|
return {
|
|
(uc, st): [{
|
|
"control_id": "AI-{}-{}".format(uc, st),
|
|
"title": "Test obligation",
|
|
"source_regulation": "Cyber Resilience Act (CRA)",
|
|
"source_article": "Artikel 13",
|
|
"severity": "high",
|
|
"use_case": uc,
|
|
}]
|
|
for uc, st in pairs
|
|
}
|
|
|
|
|
|
def test_breadth_carries_source_article(monkeypatch):
|
|
cra_use_case_controls._BREADTH_CACHE.clear() # process cache — isolate the test
|
|
monkeypatch.setattr(
|
|
cra_use_case_controls, "UseCaseControlsService", _FakeControlsService,
|
|
)
|
|
mapped = [{"primary_requirement": "CRA-AI-8"}] # -> authentication sub_topic
|
|
enrich_findings_with_breadth(mapped, db=None)
|
|
breadth = mapped[0]["regulatory_breadth"]
|
|
assert breadth, "expected breadth controls"
|
|
assert all("source_article" in c for c in breadth)
|
|
assert any(c["source_article"] == "Artikel 13" for c in breadth)
|