github.com/gemaraproj/gemara@v0.23.0

test/test-data/good-mapping-document.yaml

title: OSPS Baseline to EU Cyber Resilience Act (CRA) Annex I
metadata:
  id: OSPS-CRA-MAP-001
  version: "1.0.0"
  type: MappingDocument
  gemara-version: "0.20.0"
  description: >
    Maps OSPS Baseline controls to essential cybersecurity requirements
    in Annex I of the EU Cyber Resilience Act (Regulation 2024/2847).
    OSPS classifies all external guideline mappings as relates-to.
    Downstream consumers may refine the relationship type based on
    their applicability context.
  author:
    id: gemara-example
    name: Gemara Example Author
    type: Human
  applicability-groups:
    - id: manufacturer
      title: Manufacturer
      description: >
        Entity placing a product with digital elements on the EU market.
        Subject to full CRA Annex I obligations.
    - id: open-source-steward
      title: Open Source Software Steward
      description: >
        Entity systematically providing support for open source products
        intended for commercial use. Subject to reduced obligations
        under CRA Article 24.
    - id: ML1
      title: Maturity Level 1
      description: >
        OSPS Baseline entry-level maturity. Projects at this level
        satisfy foundational security requirements.
    - id: ML2
      title: Maturity Level 2
      description: >
        OSPS Baseline intermediate maturity. Projects at this level
        satisfy enhanced security requirements including vulnerability
        disclosure and release practices.
    - id: ML3
      title: Maturity Level 3
      description: >
        OSPS Baseline advanced maturity. Projects at this level satisfy
        the most rigorous security requirements including SBOM, VEX,
        and automated enforcement.
  mapping-references:
    - id: OSPS
      title: Open Source Project Security Baseline
      version: "2025.03.03"
      url: "https://baseline.openssf.org/"
    - id: CRA
      title: EU Cyber Resilience Act - Annex I
      version: "2024/2847"
      url: "https://eur-lex.europa.eu/eli/reg/2024/2847/oj"

source-reference:
  reference-id: OSPS
target-reference:
  reference-id: CRA
remarks: >
  CRA Annex I Part I (1.x) covers security requirements for products
  with digital elements; Part II (2.x) covers vulnerability handling.

mappings:
  - id: QA02-2.1-mfr
    source:
      entry-id: OSPS-QA-02
      entry-type: Control
    target:
      entry-id: "2.1"
      entry-type: Guideline
    relationship: relates-to
    strength: 6
    confidence-level: Medium
    applicability:
      - "manufacturer"
    rationale: >
      OSPS-QA-02 requires dependency lists and SBOMs. CRA 2.1 requires
      identifying and documenting vulnerabilities and components. SBOMs
      address component identification but not the full manufacturer
      obligation.

  - id: QA02-2.1-steward
    source:
      entry-id: OSPS-QA-02
      entry-type: Control
    target:
      entry-id: "2.1"
      entry-type: Guideline
    relationship: implements
    strength: 9
    confidence-level: High
    applicability:
      - "open-source-steward"
    rationale: >
      For open-source stewards, CRA Article 24 narrows 2.1 to a
      best-effort duty around vulnerability facilitation. OSPS-QA-02
      dependency tracking and SBOM generation fulfills this
      scoped-down obligation.

  - id: VM01.01-2.5
    source:
      entry-id: OSPS-VM-01.01
      entry-type: AssessmentRequirement
    target:
      entry-id: "2.5"
      entry-type: Guideline
    relationship: relates-to
    confidence-level: High
    applicability:
      - "ML2"
      - "ML3"
    rationale: >
      OSPS-VM-01.01 requires a CVD policy with a clear timeframe for
      response. This assessment requirement activates at Maturity
      Level 2. At Level 1, no CVD policy is required, so the CRA 2.5
      relationship does not hold.

  - id: VM04.02-2.4
    source:
      entry-id: OSPS-VM-04.02
      entry-type: AssessmentRequirement
    target:
      entry-id: "2.4"
      entry-type: Guideline
    relationship: relates-to
    confidence-level: High
    applicability:
      - "ML3"
    rationale: >
      OSPS-VM-04.02 requires a VEX document for vulnerabilities in
      components that do not affect the project. This Maturity Level 3
      requirement strengthens the CRA 2.4 relationship by providing
      machine-readable exploitability data beyond basic disclosure.

  - id: GV01-no-match
    source:
      entry-id: OSPS-GV-01
      entry-type: Control
    relationship: no-match
    confidence-level: High
    rationale: >
      OSPS-GV-01 requires publishing project roles and responsibilities.
      CRA Annex I has no corresponding requirement for governance
      documentation.
142    rationale: >
143      OSPS-GV-01 requires publishing project roles and responsibilities.
144      CRA Annex I has no corresponding requirement for governance
145      documentation.