github.com/gemaraproj/gemara@v1.3.0

test/test-data/good-mapping-document.yaml

title: OSPS Baseline to EU Cyber Resilience Act (CRA) Annex I
metadata:
  id: OSPS-CRA-MAP-001
  version: "1.0.0"
  type: MappingDocument
  gemara-version: "1.1.0"
  description: >
    Maps OSPS Baseline controls to essential cybersecurity requirements
    in Annex I of the EU Cyber Resilience Act (Regulation 2024/2847).
    OSPS classifies all external guideline mappings as relates-to.
    Downstream consumers may refine the relationship type based on
    their applicability context.
  author:
    id: gemara-example
    name: Gemara Example Author
    type: Human
  applicability-groups:
    - id: manufacturer
      title: Manufacturer
      description: >
        Entity placing a product with digital elements on the EU market.
        Subject to full CRA Annex I obligations.
    - id: open-source-steward
      title: Open Source Software Steward
      description: >
        Entity systematically providing support for open source products
        intended for commercial use. Subject to reduced obligations
        under CRA Article 24.
    - id: ML1
      title: Maturity Level 1
      description: >
        OSPS Baseline entry-level maturity. Projects at this level
        satisfy foundational security requirements.
    - id: ML2
      title: Maturity Level 2
      description: >
        OSPS Baseline intermediate maturity. Projects at this level
        satisfy enhanced security requirements including vulnerability
        disclosure and release practices.
    - id: ML3
      title: Maturity Level 3
      description: >
        OSPS Baseline advanced maturity. Projects at this level satisfy
        the most rigorous security requirements including SBOM, VEX,
        and automated enforcement.
  mapping-references:
    - id: OSPS
      title: Open Source Project Security Baseline
      version: "2025.03.03"
      url: "https://baseline.openssf.org/"
    - id: CRA
      title: EU Cyber Resilience Act - Annex I
      version: "2024/2847"
      url: "https://eur-lex.europa.eu/eli/reg/2024/2847/oj"

source-reference:
  reference-id: OSPS
  entry-type: Control
target-reference:
  reference-id: CRA
  entry-type: Guideline
remarks: >
  CRA Annex I Part I (1.x) covers security requirements for products
  with digital elements; Part II (2.x) covers vulnerability handling.

mappings:
  - id: QA02-2.1-mfr
    source: OSPS-QA-02
    relationship: relates-to
    targets:
      - entry-id: "2.1"
        strength: 6
        confidence-level: Medium
        applicability:
          - "manufacturer"
        rationale: >
          OSPS-QA-02 requires dependency lists and SBOMs. CRA 2.1 requires
          identifying and documenting vulnerabilities and components. SBOMs
          address component identification but not the full manufacturer
          obligation.

  - id: QA02-2.1-steward
    source: OSPS-QA-02
    relationship: implements
    targets:
      - entry-id: "2.1"
        strength: 9
        confidence-level: High
        applicability:
          - "open-source-steward"
        rationale: >
          For open-source stewards, CRA Article 24 narrows 2.1 to a
          best-effort duty around vulnerability facilitation. OSPS-QA-02
          dependency tracking and SBOM generation fulfills this
          scoped-down obligation.

  - id: VM01-vuln-handling
    source: OSPS-VM-01
    relationship: relates-to
    targets:
      - entry-id: "2.5"
        confidence-level: High
        applicability:
          - "ML2"
          - "ML3"
        rationale: >
          OSPS-VM-01 requires a CVD policy with a clear timeframe for
          response. CRA 2.5 requires timely remediation of
          vulnerabilities.
      - entry-id: "2.6"
        confidence-level: High
        applicability:
          - "ML2"
          - "ML3"
        rationale: >
          CRA 2.6 requires public disclosure of fixed vulnerabilities
          with advisories. CVD policy scope overlaps.
      - entry-id: "2.7"
        confidence-level: High
        applicability:
          - "ML2"
          - "ML3"
        rationale: >
          CRA 2.7 requires mechanisms for sharing information about
          vulnerabilities. CVD policy facilitates this.

  - id: VM04-2.4
    source: OSPS-VM-04
    relationship: relates-to
    targets:
      - entry-id: "2.4"
        confidence-level: High
        applicability:
          - "ML3"
        rationale: >
          OSPS-VM-04 requires a VEX document for vulnerabilities in
          components that do not affect the project. This Maturity Level 3
          requirement strengthens the CRA 2.4 relationship by providing
          machine-readable exploitability data beyond basic disclosure.

  - id: GV01-no-match
    source: OSPS-GV-01
    relationship: no-match
    remarks: >
      OSPS-GV-01 requires publishing project roles and responsibilities.
      CRA Annex I has no corresponding requirement for governance
      documentation.
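A mapping document like the one above is a compliance claim that downstream tooling will act on, so its internal cross-references deserve a mechanical check before it is trusted: every `applicability` string must name a declared applicability-group, `source-reference` and `target-reference` must point at declared mapping-references, a `no-match` entry must carry remarks and no targets, and every `entry-id` must have survived YAML loading as a string (an unquoted `2.10` loads as the float `2.1` and silently becomes a different CRA clause, which is why the file quotes them). The validator below is an added example, not code from the gemara project or its schema. The closed value sets, the `Low` confidence level and the 1..10 strength range are assumptions drawn from the values visible in this file, and the embedded document is a constructed, abbreviated copy of the one above; a real run would start from `yaml.safe_load` on the file with PyYAML.

```python
import copy

# Value sets and bounds below are assumptions drawn from the values visible in
# the example document, not the project's schema ("Low" and 1..10 are assumed).
RELATIONSHIPS = {"relates-to", "implements", "no-match"}
CONFIDENCE_LEVELS = {"High", "Medium", "Low"}
STRENGTH_MIN, STRENGTH_MAX = 1, 10


def validate_mapping_document(doc):
    """Return a list of problems; an empty list means every check passed."""
    errors = []
    meta = doc.get("metadata", {})
    groups = {g["id"] for g in meta.get("applicability-groups", [])}
    references = {r["id"] for r in meta.get("mapping-references", [])}

    # source/target must name a declared mapping-reference
    for key in ("source-reference", "target-reference"):
        ref_id = doc.get(key, {}).get("reference-id")
        if ref_id not in references:
            errors.append(f"{key}: reference-id {ref_id!r} not in mapping-references")

    seen = set()
    for mapping in doc.get("mappings", []):
        mid = mapping.get("id", "<no id>")
        if mid in seen:
            errors.append(f"{mid}: duplicate mapping id")
        seen.add(mid)
        rel = mapping.get("relationship")
        if rel not in RELATIONSHIPS:
            errors.append(f"{mid}: unknown relationship {rel!r}")
        targets = mapping.get("targets", [])
        if rel == "no-match":
            # A no-match claims nothing corresponds: no targets, and remarks must justify it.
            if targets:
                errors.append(f"{mid}: no-match mapping must not list targets")
            if not mapping.get("remarks"):
                errors.append(f"{mid}: no-match mapping needs remarks")
            continue
        if not targets:
            errors.append(f"{mid}: {rel} mapping has no targets")
        for target in targets:
            entry = target.get("entry-id")
            # Clause ids must be quoted in YAML: unquoted 2.10 loads as the
            # float 2.1 and silently points at a different CRA requirement.
            if not isinstance(entry, str):
                errors.append(f"{mid}: entry-id {entry!r} is not a string (unquoted YAML number?)")
            if target.get("confidence-level") not in CONFIDENCE_LEVELS:
                errors.append(f"{mid}/{entry}: invalid confidence-level {target.get('confidence-level')!r}")
            strength = target.get("strength")
            if strength is not None and not (isinstance(strength, int) and STRENGTH_MIN <= strength <= STRENGTH_MAX):
                errors.append(f"{mid}/{entry}: strength {strength!r} outside {STRENGTH_MIN}..{STRENGTH_MAX}")
            for group in target.get("applicability", []):
                if group not in groups:
                    errors.append(f"{mid}/{entry}: applicability {group!r} is not a declared group")
            if not target.get("rationale"):
                errors.append(f"{mid}/{entry}: target has no rationale")
    return errors


# Constructed input mirroring the page's document, trimmed to two mappings.
# A real run would start from yaml.safe_load(open(path)) with PyYAML.
GOOD_DOC = {
    "metadata": {
        "id": "OSPS-CRA-MAP-001", "type": "MappingDocument",
        "applicability-groups": [{"id": "manufacturer"}, {"id": "open-source-steward"}, {"id": "ML3"}],
        "mapping-references": [{"id": "OSPS"}, {"id": "CRA"}],
    },
    "source-reference": {"reference-id": "OSPS", "entry-type": "Control"},
    "target-reference": {"reference-id": "CRA", "entry-type": "Guideline"},
    "mappings": [
        {"id": "QA02-2.1-mfr", "source": "OSPS-QA-02", "relationship": "relates-to",
         "targets": [{"entry-id": "2.1", "strength": 6, "confidence-level": "Medium",
                      "applicability": ["manufacturer"],
                      "rationale": "SBOMs address component identification."}]},
        {"id": "GV01-no-match", "source": "OSPS-GV-01", "relationship": "no-match",
         "remarks": "CRA Annex I has no governance documentation requirement."},
    ],
}


def broken_copy():
    """Deliberately corrupted copy of GOOD_DOC that trips four checks."""
    doc = copy.deepcopy(GOOD_DOC)
    target = doc["mappings"][0]["targets"][0]
    target["entry-id"] = 2.1               # what unquoted `entry-id: 2.1` loads as
    target["strength"] = 11                # above the assumed 1..10 range
    target["applicability"].append("ML4")  # not a declared applicability-group
    doc["mappings"][1]["targets"] = [{"entry-id": "1.1"}]  # no-match with targets
    return doc


if __name__ == "__main__":
    for name, doc in (("good", GOOD_DOC), ("broken", broken_copy())):
        print(name, validate_mapping_document(doc))
```

Run as a script it reports no problems for the good document and four for the corrupted copy. Wiring this into CI for the directory that holds mapping documents turns a silently wrong `applicability` id or an unquoted clause number into a failed build rather than a mis-scoped compliance claim.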