vaspera 2.5.0

package/dist/compliance/mapper.js

@@ -0,0 +1,269 @@
+/**
+ * Compliance Mapper
+ *
+ * Maps security findings to compliance framework controls.
+ *
+ * @module compliance/mapper
+ */
+import { SOC2_CONTROLS } from "./soc2.js";
+import { ISO27001_CONTROLS } from "./iso27001.js";
+import { PCI_DSS_CONTROLS } from "./pci-dss.js";
+import { HIPAA_CONTROLS } from "./hipaa.js";
+import { CIS_CONTROLS } from "./cis.js";
+import { GDPR_CONTROLS } from "./gdpr.js";
+// M6: AI compliance frameworks
+import { OWASP_LLM_CONTROLS } from "./frameworks/owasp-llm.js";
+import { NIST_AI_RMF_CONTROLS } from "./frameworks/nist-ai-rmf.js";
+import { MITRE_ATLAS_CONTROLS } from "./frameworks/mitre-atlas.js";
+import { EU_AI_ACT_CONTROLS } from "./frameworks/eu-ai-act.js";
+import { ISO_42001_CONTROLS } from "./frameworks/iso-42001.js";
+import { randomUUID } from "crypto";
+/**
+ * Severity weight for scoring
+ */
+const SEVERITY_WEIGHT = {
+    critical: 100,
+    high: 75,
+    medium: 50,
+    low: 25,
+    info: 10,
+};
+/**
+ * Severity threshold check
+ */
+const SEVERITY_ORDER = {
+    critical: 4,
+    high: 3,
+    medium: 2,
+    low: 1,
+    info: 0,
+};
+/**
+ * Get controls for a framework
+ */
+export function getControlsForFramework(framework) {
+    switch (framework) {
+        case "SOC2":
+            return SOC2_CONTROLS;
+        case "ISO27001":
+            return ISO27001_CONTROLS;
+        case "PCI-DSS":
+            return PCI_DSS_CONTROLS;
+        case "HIPAA":
+            return HIPAA_CONTROLS;
+        case "CIS":
+            return CIS_CONTROLS;
+        case "GDPR":
+            return GDPR_CONTROLS;
+        case "NIST-800-53":
+            // TODO: Implement NIST 800-53 framework
+            return [];
+        // M6: AI compliance frameworks
+        case "OWASP-LLM":
+            return OWASP_LLM_CONTROLS;
+        case "NIST-AI-RMF":
+            return NIST_AI_RMF_CONTROLS;
+        case "MITRE-ATLAS":
+            return MITRE_ATLAS_CONTROLS;
+        case "EU-AI-ACT":
+            return EU_AI_ACT_CONTROLS;
+        case "ISO-42001":
+            return ISO_42001_CONTROLS;
+        default:
+            return [];
+    }
+}
+/**
+ * Check if a finding matches a control
+ */
+export function findingMatchesControl(finding, control) {
+    // Check category match
+    if (control.findingCategories.includes(finding.category)) {
+        return true;
+    }
+    // Check CWE match if available
+    if (control.cweIds && finding.cwe_ids && finding.cwe_ids.length > 0) {
+        if (control.cweIds.some((cwe) => finding.cwe_ids.some((fCwe) => fCwe.includes(cwe) || cwe.includes(fCwe)))) {
+            return true;
+        }
+    }
+    // Check keyword match in description
+    const descLower = finding.description.toLowerCase();
+    if (control.keywords.some((kw) => descLower.includes(kw.toLowerCase()))) {
+        return true;
+    }
+    return false;
+}
+/**
+ * Check if finding severity meets control threshold
+ */
+export function meetsSeverityThreshold(finding, control) {
+    if (!control.severityThreshold)
+        return true;
+    return SEVERITY_ORDER[finding.severity] >= SEVERITY_ORDER[control.severityThreshold];
+}
+/**
+ * Map findings to controls for a framework
+ */
+export function mapFindingsToControls(findings, framework) {
+    const controls = getControlsForFramework(framework);
+    const result = [];
+    for (const control of controls) {
+        const matchedFindings = findings.filter((f) => findingMatchesControl(f, control) && meetsSeverityThreshold(f, control));
+        // Determine status based on findings
+        let status = "compliant";
+        let riskLevel = "low";
+        if (matchedFindings.length > 0) {
+            const maxSeverity = matchedFindings.reduce((max, f) => {
+                return SEVERITY_ORDER[f.severity] > SEVERITY_ORDER[max] ? f.severity : max;
+            }, "info");
+            if (maxSeverity === "critical" || maxSeverity === "high") {
+                status = "non_compliant";
+                riskLevel = maxSeverity === "critical" ? "critical" : "high";
+            }
+            else {
+                status = "at_risk";
+                riskLevel = maxSeverity === "medium" ? "medium" : "low";
+            }
+        }
+        result.push({
+            control,
+            findings: matchedFindings,
+            status,
+            riskLevel,
+        });
+    }
+    return result;
+}
+/**
+ * Calculate compliance status from control mappings
+ */
+export function calculateComplianceStatus(framework, controlMappings) {
+    const totalControls = controlMappings.length;
+    const compliant = controlMappings.filter((c) => c.status === "compliant").length;
+    const atRisk = controlMappings.filter((c) => c.status === "at_risk").length;
+    const nonCompliant = controlMappings.filter((c) => c.status === "non_compliant").length;
+    // Calculate compliance score (percentage of controls not non-compliant)
+    const complianceScore = Math.round(((compliant + atRisk) / totalControls) * 100);
+    // Calculate risk score based on findings severity
+    let totalRisk = 0;
+    let maxRisk = 0;
+    for (const mapping of controlMappings) {
+        maxRisk += SEVERITY_WEIGHT.critical;
+        if (mapping.findings.length > 0) {
+            const maxFindingSeverity = mapping.findings.reduce((max, f) => {
+                return SEVERITY_WEIGHT[f.severity] > SEVERITY_WEIGHT[max] ? f.severity : max;
+            }, "info");
+            totalRisk += SEVERITY_WEIGHT[maxFindingSeverity];
+        }
+    }
+    const riskScore = maxRisk > 0 ? Math.round((totalRisk / maxRisk) * 100) : 0;
+    return {
+        framework,
+        totalControls,
+        controlsCovered: compliant,
+        controlsAtRisk: atRisk,
+        controlsNonCompliant: nonCompliant,
+        complianceScore,
+        riskScore,
+    };
+}
+/**
+ * Generate recommendations from control mappings
+ */
+export function generateRecommendations(controlMappings) {
+    const recommendations = [];
+    // Sort by risk level
+    const sorted = [...controlMappings]
+        .filter((c) => c.status !== "compliant")
+        .sort((a, b) => {
+        const riskOrder = { critical: 4, high: 3, medium: 2, low: 1 };
+        return riskOrder[b.riskLevel] - riskOrder[a.riskLevel];
+    });
+    for (const mapping of sorted) {
+        const priority = mapping.riskLevel;
+        // Group findings by category for remediation steps
+        const categories = [...new Set(mapping.findings.map((f) => f.category))];
+        const remediationSteps = categories.map((cat) => {
+            const count = mapping.findings.filter((f) => f.category === cat).length;
+            return `Address ${count} ${cat} finding(s) affecting this control`;
+        });
+        if (remediationSteps.length === 0) {
+            remediationSteps.push("Review and implement control requirements");
+        }
+        const effort = mapping.riskLevel === "critical" || mapping.findings.length > 5
+            ? "weeks"
+            : mapping.riskLevel === "high" || mapping.findings.length > 2
+                ? "days"
+                : "hours";
+        recommendations.push({
+            controlId: mapping.control.id,
+            priority,
+            title: `Remediate ${mapping.control.title}`,
+            description: `Control ${mapping.control.id} has ${mapping.findings.length} finding(s) that put it at ${mapping.status === "non_compliant" ? "non-compliance" : "risk"}.`,
+            remediationSteps,
+            estimatedEffort: effort,
+        });
+    }
+    return recommendations;
+}
+/**
+ * Generate a compliance report for a framework
+ */
+export function generateComplianceReport(findings, framework, projectPath, certificationId) {
+    const controlMappings = mapFindingsToControls(findings, framework);
+    const status = calculateComplianceStatus(framework, controlMappings);
+    const recommendations = generateRecommendations(controlMappings);
+    const compliantControls = controlMappings
+        .filter((c) => c.status === "compliant")
+        .map((c) => c.control);
+    const atRiskControls = controlMappings.filter((c) => c.status === "at_risk");
+    const nonCompliantControls = controlMappings.filter((c) => c.status === "non_compliant");
+    return {
+        id: `compliance-${randomUUID().slice(0, 8)}`,
+        generatedAt: new Date().toISOString(),
+        projectPath,
+        certificationId,
+        framework,
+        status,
+        controls: controlMappings,
+        compliantControls,
+        atRiskControls,
+        nonCompliantControls,
+        recommendations,
+    };
+}
+/**
+ * Generate a multi-framework compliance report
+ */
+export function generateMultiFrameworkReport(findings, frameworks, projectPath, certificationId) {
+    const frameworkStatuses = {};
+    const allRecommendations = [];
+    for (const framework of frameworks) {
+        const controlMappings = mapFindingsToControls(findings, framework);
+        frameworkStatuses[framework] = calculateComplianceStatus(framework, controlMappings);
+        allRecommendations.push(...generateRecommendations(controlMappings));
+    }
+    // Deduplicate and prioritize recommendations
+    const seenControls = new Set();
+    const prioritizedRecommendations = allRecommendations
+        .sort((a, b) => {
+        const priorityOrder = { critical: 4, high: 3, medium: 2, low: 1 };
+        return priorityOrder[b.priority] - priorityOrder[a.priority];
+    })
+        .filter((r) => {
+        if (seenControls.has(r.controlId))
+            return false;
+        seenControls.add(r.controlId);
+        return true;
+    });
+    return {
+        id: `multi-compliance-${randomUUID().slice(0, 8)}`,
+        generatedAt: new Date().toISOString(),
+        projectPath,
+        certificationId,
+        frameworks: frameworkStatuses,
+        prioritizedRecommendations,
+    };
+}
+//# sourceMappingURL=mapper.js.map

package/dist/compliance/mapper.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mapper.js","sourceRoot":"","sources":["../../src/compliance/mapper.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAYH,OAAO,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAClD,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxC,OAAO,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAC1C,+BAA+B;AAC/B,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AACnE,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AACnE,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAEpC;;GAEG;AACH,MAAM,eAAe,GAA6B;IAChD,QAAQ,EAAE,GAAG;IACb,IAAI,EAAE,EAAE;IACR,MAAM,EAAE,EAAE;IACV,GAAG,EAAE,EAAE;IACP,IAAI,EAAE,EAAE;CACT,CAAC;AAEF;;GAEG;AACH,MAAM,cAAc,GAA6B;IAC/C,QAAQ,EAAE,CAAC;IACX,IAAI,EAAE,CAAC;IACP,MAAM,EAAE,CAAC;IACT,GAAG,EAAE,CAAC;IACN,IAAI,EAAE,CAAC;CACR,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,uBAAuB,CAAC,SAA8B;IACpE,QAAQ,SAAS,EAAE,CAAC;QAClB,KAAK,MAAM;YACT,OAAO,aAAa,CAAC;QACvB,KAAK,UAAU;YACb,OAAO,iBAAiB,CAAC;QAC3B,KAAK,SAAS;YACZ,OAAO,gBAAgB,CAAC;QAC1B,KAAK,OAAO;YACV,OAAO,cAAc,CAAC;QACxB,KAAK,KAAK;YACR,OAAO,YAAY,CAAC;QACtB,KAAK,MAAM;YACT,OAAO,aAAa,CAAC;QACvB,KAAK,aAAa;YAChB,wCAAwC;YACxC,OAAO,EAAE,CAAC;QACZ,+BAA+B;QAC/B,KAAK,WAAW;YACd,OAAO,kBAAkB,CAAC;QAC5B,KAAK,aAAa;YAChB,OAAO,oBAAoB,CAAC;QAC9B,KAAK,aAAa;YAChB,OAAO,oBAAoB,CAAC;QAC9B,KAAK,WAAW;YACd,OAAO,kBAAkB,CAAC;QAC5B,KAAK,WAAW;YACd,OAAO,kBAAkB,CAAC;QAC5B;YACE,OAAO,EAAE,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CAAC,OAAgB,EAAE,OAA0B;IAChF,uBAAuB;IACvB,IAAI,OAAO,CAAC,iBAAiB,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QACzD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,+BAA+B;IAC/B,IAAI,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpE,IAAI,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,OAAO,CAAC,OAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5G,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,qCAAqC;IACrC,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC;IACpD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC,EAAE,CAAC;QACxE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAgB,EAAE,OAA0B;IACjF,IAAI,CAAC,OAAO,CAAC,iBAAiB;QAAE,OAAO,IAAI,CAAC;IAC5C,OAAO,cAAc,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,cAAc,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;AACvF,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CACnC,QAAmB,EACnB,SAA8B;IAE9B,MAAM,QAAQ,GAAG,uBAAuB,CAAC,SAAS,CAAC,CAAC;IACpD,MAAM,MAAM,GAA0B,EAAE,CAAC;IAEzC,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,eAAe,GAAG,QAAQ,CAAC,MAAM,CACrC,CAAC,CAAC,EAAE,EAAE,CAAC,qBAAqB,CAAC,CAAC,EAAE,OAAO,CAAC,IAAI,sBAAsB,CAAC,CAAC,EAAE,OAAO,CAAC,CAC/E,CAAC;QAEF,qCAAqC;QACrC,IAAI,MAAM,GAAkC,WAAW,CAAC;QACxD,IAAI,SAAS,GAAqC,KAAK,CAAC;QAExD,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC/B,MAAM,WAAW,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE;gBACpD,OAAO,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC;YAC7E,CAAC,EAAE,MAAkB,CAAC,CAAC;YAEvB,IAAI,WAAW,KAAK,UAAU,IAAI,WAAW,KAAK,MAAM,EAAE,CAAC;gBACzD,MAAM,GAAG,eAAe,CAAC;gBACzB,SAAS,GAAG,WAAW,KAAK,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC;YAC/D,CAAC;iBAAM,CAAC;gBACN,MAAM,GAAG,SAAS,CAAC;gBACnB,SAAS,GAAG,WAAW,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC;YAC1D,CAAC;QACH,CAAC;QAED,MAAM,CAAC,IAAI,CAAC;YACV,OAAO;YACP,QAAQ,EAAE,eAAe;YACzB,MAAM;YACN,SAAS;SACV,CAAC,CAAC;IACL,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,yBAAyB,CACvC,SAA8B,EAC9B,eAAsC;IAEtC,MAAM,aAAa,GAAG,eAAe,CAAC,MAAM,CAAC;IAC7C,MAAM,SAAS,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,WAAW,CAAC,CAAC,MAAM,CAAC;IACjF,MAAM,MAAM,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,MAAM,CAAC;IAC5E,MAAM,YAAY,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,eAAe,CAAC,CAAC,MAAM,CAAC;IAExF,wEAAwE;IACxE,MAAM,eAAe,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,GAAG,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,GAAG,CAAC,CAAC;IAEjF,kDAAkD;IAClD,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,IAAI,OAAO,GAAG,CAAC,CAAC;IAEhB,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;QACtC,OAAO,IAAI,eAAe,CAAC,QAAQ,CAAC;QACpC,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAChC,MAAM,kBAAkB,GAAG,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE;gBAC5D,OAAO,eAAe,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC;YAC/E,CAAC,EAAE,MAAkB,CAAC,CAAC;YACvB,SAAS,IAAI,eAAe,CAAC,kBAAkB,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;IAED,MAAM,SAAS,GAAG,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,SAAS,GAAG,OAAO,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAE5E,OAAO;QACL,SAAS;QACT,aAAa;QACb,eAAe,EAAE,SAAS;QAC1B,cAAc,EAAE,MAAM;QACtB,oBAAoB,EAAE,YAAY;QAClC,eAAe;QACf,SAAS;KACV,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB,CACrC,eAAsC;IAEtC,MAAM,eAAe,GAA+B,EAAE,CAAC;IAEvD,qBAAqB;IACrB,MAAM,MAAM,GAAG,CAAC,GAAG,eAAe,CAAC;SAChC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,WAAW,CAAC;SACvC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACb,MAAM,SAAS,GAAG,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;QAC9D,OAAO,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,GAAG,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;IAEL,KAAK,MAAM,OAAO,IAAI,MAAM,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,OAAO,CAAC,SAAmD,CAAC;QAE7E,mDAAmD;QACnD,MAAM,UAAU,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;QAEzE,MAAM,gBAAgB,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;YAC9C,MAAM,KAAK,GAAG,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,GAAG,CAAC,CAAC,MAAM,CAAC;YACxE,OAAO,WAAW,KAAK,IAAI,GAAG,oCAAoC,CAAC;QACrE,CAAC,CAAC,CAAC;QAEH,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAClC,gBAAgB,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;QACrE,CAAC;QAED,MAAM,MAAM,GACV,OAAO,CAAC,SAAS,KAAK,UAAU,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC;YAC7D,CAAC,CAAC,OAAO;YACT,CAAC,CAAC,OAAO,CAAC,SAAS,KAAK,MAAM,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC;gBAC3D,CAAC,CAAC,MAAM;gBACR,CAAC,CAAC,OAAO,CAAC;QAEhB,eAAe,CAAC,IAAI,CAAC;YACnB,SAAS,EAAE,OAAO,CAAC,OAAO,CAAC,EAAE;YAC7B,QAAQ;YACR,KAAK,EAAE,aAAa,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE;YAC3C,WAAW,EAAE,WAAW,OAAO,CAAC,OAAO,CAAC,EAAE,QAAQ,OAAO,CAAC,QAAQ,CAAC,MAAM,8BAA8B,OAAO,CAAC,MAAM,KAAK,eAAe,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,MAAM,GAAG;YACxK,gBAAgB;YAChB,eAAe,EAAE,MAAM;SACxB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,eAAe,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,wBAAwB,CACtC,QAAmB,EACnB,SAA8B,EAC9B,WAAmB,EACnB,eAAwB;IAExB,MAAM,eAAe,GAAG,qBAAqB,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IACnE,MAAM,MAAM,GAAG,yBAAyB,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;IACrE,MAAM,eAAe,GAAG,uBAAuB,CAAC,eAAe,CAAC,CAAC;IAEjE,MAAM,iBAAiB,GAAG,eAAe;SACtC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,WAAW,CAAC;SACvC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IAEzB,MAAM,cAAc,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC;IAE7E,MAAM,oBAAoB,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,eAAe,CAAC,CAAC;IAEzF,OAAO;QACL,EAAE,EAAE,cAAc,UAAU,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE;QAC5C,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACrC,WAAW;QACX,eAAe;QACf,SAAS;QACT,MAAM;QACN,QAAQ,EAAE,eAAe;QACzB,iBAAiB;QACjB,cAAc;QACd,oBAAoB;QACpB,eAAe;KAChB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,4BAA4B,CAC1C,QAAmB,EACnB,UAAiC,EACjC,WAAmB,EACnB,eAAwB;IAExB,MAAM,iBAAiB,GAA2D,EAAE,CAAC;IACrF,MAAM,kBAAkB,GAA+B,EAAE,CAAC;IAE1D,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,MAAM,eAAe,GAAG,qBAAqB,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;QACnE,iBAAiB,CAAC,SAAS,CAAC,GAAG,yBAAyB,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;QACrF,kBAAkB,CAAC,IAAI,CAAC,GAAG,uBAAuB,CAAC,eAAe,CAAC,CAAC,CAAC;IACvE,CAAC;IAED,6CAA6C;IAC7C,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAC;IACvC,MAAM,0BAA0B,GAAG,kBAAkB;SAClD,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACb,MAAM,aAAa,GAAG,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;QAClE,OAAO,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;IAC/D,CAAC,CAAC;SACD,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QACZ,IAAI,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;YAAE,OAAO,KAAK,CAAC;QAChD,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;QAC9B,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;IAEL,OAAO;QACL,EAAE,EAAE,oBAAoB,UAAU,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE;QAClD,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACrC,WAAW;QACX,eAAe;QACf,UAAU,EAAE,iBAAiB;QAC7B,0BAA0B;KAC3B,CAAC;AACJ,CAAC"}

package/dist/compliance/mapper.test.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Tests for compliance mapper
+ */
+export {};
+//# sourceMappingURL=mapper.test.d.ts.map

package/dist/compliance/mapper.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mapper.test.d.ts","sourceRoot":"","sources":["../../src/compliance/mapper.test.ts"],"names":[],"mappings":"AAAA;;GAEG"}

package/dist/compliance/mapper.test.js

@@ -0,0 +1,360 @@
+/**
+ * Tests for compliance mapper
+ */
+import { describe, it, expect } from "vitest";
+import { getControlsForFramework, findingMatchesControl, meetsSeverityThreshold, mapFindingsToControls, calculateComplianceStatus, generateRecommendations, generateComplianceReport, generateMultiFrameworkReport, } from "./mapper.js";
+import { SOC2_CONTROLS } from "./soc2.js";
+describe("compliance mapper", () => {
+    describe("getControlsForFramework", () => {
+        it("returns SOC 2 controls", () => {
+            const controls = getControlsForFramework("SOC2");
+            expect(controls.length).toBeGreaterThan(0);
+            expect(controls[0].framework).toBe("SOC2");
+        });
+        it("returns ISO 27001 controls", () => {
+            const controls = getControlsForFramework("ISO27001");
+            expect(controls.length).toBeGreaterThan(0);
+            expect(controls[0].framework).toBe("ISO27001");
+        });
+        it("returns empty array for unsupported framework", () => {
+            const controls = getControlsForFramework("UNKNOWN");
+            expect(controls).toEqual([]);
+        });
+    });
+    describe("findingMatchesControl", () => {
+        const mockControl = {
+            id: "CC6.8",
+            framework: "SOC2",
+            category: "Logical and Physical Access",
+            title: "Malicious Software Prevention",
+            description: "Prevention of malicious software",
+            keywords: ["injection", "xss", "malware"],
+            findingCategories: ["xss", "sql-injection"],
+            cweIds: ["CWE-79", "CWE-89"],
+        };
+        it("matches by finding category", () => {
+            const finding = {
+                id: "sec-001",
+                severity: "high",
+                category: "xss",
+                description: "Cross-site scripting vulnerability",
+                evidence: "Test evidence for XSS finding",
+                confidence: 90,
+                verifications: [],
+                created_at: new Date().toISOString(),
+            };
+            expect(findingMatchesControl(finding, mockControl)).toBe(true);
+        });
+        it("matches by CWE ID", () => {
+            const finding = {
+                id: "sec-002",
+                severity: "high",
+                category: "other",
+                description: "Some vulnerability",
+                evidence: "Test evidence",
+                confidence: 90,
+                cwe_ids: ["CWE-79"],
+                verifications: [],
+                created_at: new Date().toISOString(),
+            };
+            expect(findingMatchesControl(finding, mockControl)).toBe(true);
+        });
+        it("matches by keyword in description", () => {
+            const finding = {
+                id: "sec-003",
+                severity: "high",
+                category: "other",
+                description: "Potential XSS injection vulnerability found",
+                evidence: "Test evidence",
+                confidence: 90,
+                verifications: [],
+                created_at: new Date().toISOString(),
+            };
+            expect(findingMatchesControl(finding, mockControl)).toBe(true);
+        });
+        it("does not match unrelated finding", () => {
+            const finding = {
+                id: "sec-004",
+                severity: "medium",
+                category: "type-safety",
+                description: "Using any type",
+                evidence: "Test evidence",
+                confidence: 90,
+                verifications: [],
+                created_at: new Date().toISOString(),
+            };
+            expect(findingMatchesControl(finding, mockControl)).toBe(false);
+        });
+    });
+    describe("meetsSeverityThreshold", () => {
+        const controlWithThreshold = {
+            id: "test",
+            framework: "SOC2",
+            category: "test",
+            title: "Test",
+            description: "Test",
+            keywords: [],
+            findingCategories: [],
+            severityThreshold: "medium",
+        };
+        it("returns true when severity meets threshold", () => {
+            const finding = {
+                id: "test",
+                severity: "high",
+                category: "test",
+                description: "Test",
+                evidence: "Test",
+                confidence: 90,
+                verifications: [],
+                created_at: new Date().toISOString(),
+            };
+            expect(meetsSeverityThreshold(finding, controlWithThreshold)).toBe(true);
+        });
+        it("returns true when severity equals threshold", () => {
+            const finding = {
+                id: "test",
+                severity: "medium",
+                category: "test",
+                description: "Test",
+                evidence: "Test",
+                confidence: 90,
+                verifications: [],
+                created_at: new Date().toISOString(),
+            };
+            expect(meetsSeverityThreshold(finding, controlWithThreshold)).toBe(true);
+        });
+        it("returns false when severity is below threshold", () => {
+            const finding = {
+                id: "test",
+                severity: "low",
+                category: "test",
+                description: "Test",
+                evidence: "Test",
+                confidence: 90,
+                verifications: [],
+                created_at: new Date().toISOString(),
+            };
+            expect(meetsSeverityThreshold(finding, controlWithThreshold)).toBe(false);
+        });
+        it("returns true when control has no threshold", () => {
+            const controlNoThreshold = {
+                id: "test",
+                framework: "SOC2",
+                category: "test",
+                title: "Test",
+                description: "Test",
+                keywords: [],
+                findingCategories: [],
+            };
+            const finding = {
+                id: "test",
+                severity: "info",
+                category: "test",
+                description: "Test",
+                evidence: "Test",
+                confidence: 90,
+                verifications: [],
+                created_at: new Date().toISOString(),
+            };
+            expect(meetsSeverityThreshold(finding, controlNoThreshold)).toBe(true);
+        });
+    });
+    describe("mapFindingsToControls", () => {
+        it("maps findings to SOC 2 controls", () => {
+            const findings = [
+                {
+                    id: "sec-001",
+                    severity: "critical",
+                    category: "sql-injection",
+                    description: "SQL injection vulnerability",
+                    evidence: "Test evidence",
+                    confidence: 90,
+                    verifications: [],
+                    created_at: new Date().toISOString(),
+                },
+            ];
+            const mappings = mapFindingsToControls(findings, "SOC2");
+            expect(mappings.length).toBe(SOC2_CONTROLS.length);
+            // Find the control that should have the finding
+            const cc68 = mappings.find((m) => m.control.id === "CC6.8");
+            expect(cc68).toBeDefined();
+            expect(cc68.findings.length).toBeGreaterThan(0);
+            expect(cc68.status).toBe("non_compliant");
+        });
+        it("marks controls as compliant when no findings", () => {
+            const mappings = mapFindingsToControls([], "SOC2");
+            expect(mappings.every((m) => m.status === "compliant")).toBe(true);
+        });
+        it("marks controls as at_risk for medium severity findings", () => {
+            // Use security-misconfiguration which has a medium severity threshold (CC7.1)
+            const findings = [
+                {
+                    id: "sec-001",
+                    severity: "medium",
+                    category: "security-misconfiguration",
+                    description: "Security misconfiguration detected",
+                    evidence: "Test evidence for security misconfiguration",
+                    confidence: 90,
+                    verifications: [],
+                    created_at: new Date().toISOString(),
+                },
+            ];
+            const mappings = mapFindingsToControls(findings, "SOC2");
+            const hasAtRisk = mappings.some((m) => m.status === "at_risk");
+            expect(hasAtRisk).toBe(true);
+        });
+    });
+    describe("calculateComplianceStatus", () => {
+        it("calculates compliance score", () => {
+            const mappings = mapFindingsToControls([], "SOC2");
+            const status = calculateComplianceStatus("SOC2", mappings);
+            expect(status.framework).toBe("SOC2");
+            expect(status.complianceScore).toBe(100);
+            expect(status.riskScore).toBe(0);
+            expect(status.controlsCovered).toBe(SOC2_CONTROLS.length);
+            expect(status.controlsAtRisk).toBe(0);
+            expect(status.controlsNonCompliant).toBe(0);
+        });
+        it("calculates risk score based on findings", () => {
+            const findings = [
+                {
+                    id: "sec-001",
+                    severity: "critical",
+                    category: "sql-injection",
+                    description: "SQL injection",
+                    evidence: "Test evidence",
+                    confidence: 90,
+                    verifications: [],
+                    created_at: new Date().toISOString(),
+                },
+            ];
+            const mappings = mapFindingsToControls(findings, "SOC2");
+            const status = calculateComplianceStatus("SOC2", mappings);
+            expect(status.riskScore).toBeGreaterThan(0);
+            expect(status.controlsNonCompliant).toBeGreaterThan(0);
+        });
+    });
+    describe("generateRecommendations", () => {
+        it("generates recommendations for non-compliant controls", () => {
+            const findings = [
+                {
+                    id: "sec-001",
+                    severity: "critical",
+                    category: "sql-injection",
+                    description: "SQL injection",
+                    evidence: "Test evidence",
+                    confidence: 90,
+                    verifications: [],
+                    created_at: new Date().toISOString(),
+                },
+            ];
+            const mappings = mapFindingsToControls(findings, "SOC2");
+            const recommendations = generateRecommendations(mappings);
+            expect(recommendations.length).toBeGreaterThan(0);
+            expect(recommendations[0].priority).toBe("critical");
+        });
+        it("returns empty array when all controls compliant", () => {
+            const mappings = mapFindingsToControls([], "SOC2");
+            const recommendations = generateRecommendations(mappings);
+            expect(recommendations).toEqual([]);
+        });
+        it("prioritizes recommendations by risk", () => {
+            const findings = [
+                {
+                    id: "sec-001",
+                    severity: "critical",
+                    category: "sql-injection",
+                    description: "SQL injection",
+                    evidence: "Test evidence",
+                    confidence: 90,
+                    verifications: [],
+                    created_at: new Date().toISOString(),
+                },
+                {
+                    id: "sec-002",
+                    severity: "low",
+                    category: "type-safety",
+                    description: "Type issue",
+                    evidence: "Test evidence",
+                    confidence: 90,
+                    verifications: [],
+                    created_at: new Date().toISOString(),
+                },
+            ];
+            const mappings = mapFindingsToControls(findings, "SOC2");
+            const recommendations = generateRecommendations(mappings);
+            // First recommendation should be critical
+            if (recommendations.length > 1) {
+                const priorities = ["critical", "high", "medium", "low"];
+                const firstIndex = priorities.indexOf(recommendations[0].priority);
+                const secondIndex = priorities.indexOf(recommendations[1].priority);
+                expect(firstIndex).toBeLessThanOrEqual(secondIndex);
+            }
+        });
+    });
+    describe("generateComplianceReport", () => {
+        it("generates a complete compliance report", () => {
+            const findings = [
+                {
+                    id: "sec-001",
+                    severity: "high",
+                    category: "xss",
+                    description: "XSS vulnerability",
+                    evidence: "Test evidence",
+                    confidence: 90,
+                    verifications: [],
+                    created_at: new Date().toISOString(),
+                },
+            ];
+            const report = generateComplianceReport(findings, "SOC2", "/test/path", "cert-123");
+            expect(report.id).toBeDefined();
+            expect(report.framework).toBe("SOC2");
+            expect(report.projectPath).toBe("/test/path");
+            expect(report.certificationId).toBe("cert-123");
+            expect(report.status).toBeDefined();
+            expect(report.controls.length).toBe(SOC2_CONTROLS.length);
+            expect(report.recommendations.length).toBeGreaterThan(0);
+        });
+    });
+    describe("generateMultiFrameworkReport", () => {
+        it("generates report for multiple frameworks", () => {
+            const findings = [
+                {
+                    id: "sec-001",
+                    severity: "high",
+                    category: "sql-injection",
+                    description: "SQL injection",
+                    evidence: "Test evidence",
+                    confidence: 90,
+                    verifications: [],
+                    created_at: new Date().toISOString(),
+                },
+            ];
+            const report = generateMultiFrameworkReport(findings, ["SOC2", "ISO27001"], "/test/path");
+            expect(report.id).toBeDefined();
+            expect(report.frameworks.SOC2).toBeDefined();
+            expect(report.frameworks.ISO27001).toBeDefined();
+            expect(report.prioritizedRecommendations.length).toBeGreaterThan(0);
+        });
+        it("deduplicates recommendations across frameworks", () => {
+            const findings = [
+                {
+                    id: "sec-001",
+                    severity: "critical",
+                    category: "sql-injection",
+                    description: "SQL injection",
+                    evidence: "Test evidence",
+                    confidence: 90,
+                    verifications: [],
+                    created_at: new Date().toISOString(),
+                },
+            ];
+            const report = generateMultiFrameworkReport(findings, ["SOC2", "ISO27001"], "/test/path");
+            // Check for no duplicate control IDs in recommendations
+            const controlIds = report.prioritizedRecommendations.map((r) => r.controlId);
+            const uniqueIds = new Set(controlIds);
+            expect(uniqueIds.size).toBe(controlIds.length);
+        });
+    });
+});
+//# sourceMappingURL=mapper.test.js.map