CRA Assessment Engine — Architecture

Overview

The CRA Assessment Engine is integrated into Fleet as a new product capability. It scans codebases against a structured catalog of CRA Annex I requirements, producing findings, evidence records, and compliance reports suitable for Module A technical documentation.

System Components

┌──────────────────────────────────────────────────────────────────┐
│                        Fleet Platform                             │
│                                                                   │
│  ┌─────────────┐   ┌──────────────┐   ┌───────────────────────┐ │
│  │  Catalog     │   │  Scanner     │   │  LLM Layer            │ │
│  │  Compiler    │──▶│  Engine      │──▶│  (Ollama/Claude/OAI)  │ │
│  │  (TS)        │   │  (Rust)      │   │                       │ │
│  └─────────────┘   └──────┬───────┘   └───────────┬───────────┘ │
│                           │                        │              │
│                    ┌──────▼────────────────────────▼──────┐      │
│                    │         Evidence Pipeline             │      │
│                    │  (hash, sign, attest, store)          │      │
│                    └──────────────┬───────────────────────┘      │
│                                  │                                │
│        ┌─────────────────────────┼──────────────────────┐       │
│        │                         │                       │       │
│  ┌─────▼─────┐   ┌──────────────▼──┐   ┌──────────────▼──┐    │
│  │  Axum API  │   │   PostgreSQL    │   │    S3 Storage   │    │
│  │  (REST)    │   │  (11 tables)    │   │   (evidence)    │    │
│  └─────┬─────┘   └─────────────────┘   └─────────────────┘    │
│        │                                                         │
└────────┼─────────────────────────────────────────────────────────┘
         │
    ┌─────▼────┐    ┌────────────┐    ┌───────────┐
    │Dashboard │    │ CI Actions │    │ MCP Tools │
    │(lit-html)│    │ (GH/GL/…)  │    │ (35 tools)│
    └──────────┘    └────────────┘    └───────────┘

Module Map

Module	Path	Purpose
Catalog compiler	`catalog/compiler/compile.ts`	Compiles `resources/structure.md` into `catalog/compiled/catalog.json`
Catalog loader	`src/assessment/catalog.rs`	Loads compiled JSON, provides O(1) indexed lookups by requirement/risk/feature ID
Detection engine	`src/assessment/detect.rs`	`Detector` trait, `DetectorRegistry`, project discovery, finding types
11 Detectors	`src/assessment/detectors/`	crypto, network, auth, input, storage, update, logging, supply_chain, config, vuln_handling, ai
AI Advisor	`src/advisor/`	`LlmBackend` trait, Ollama/Claude/OpenAI backends, secret redaction, CRA-tuned prompts
Evidence	`src/assessment/evidence.rs`	Evidence records, SHA-256 hashing, LLM provenance
Attestation	`src/assessment/attestation.rs`	HMAC-SHA256 signing, CI identity detection, attestation envelopes
Pipeline	`src/assessment/pipeline.rs`	Orchestrates: discovery -> detection -> LLM review -> evidence -> SBOM -> CBOM
Scoring	`src/assessment/scoring.rs`	Component criticality scoring (10-50 scale), 4 assessment tiers
Report	`src/assessment/report.rs`	Module A Markdown report generation
SBOM	`src/sbom.rs`	9-ecosystem SBOM generation, CycloneDX 1.6, diff, hashes, licenses
CBOM	`src/cbom.rs`	Cryptographic BOM — 30 crypto rules, compliance classification
Vuln enrichment	`src/vuln_enrich.rs`	OSV.dev batch API for vulnerability data
DB models	`src/db_assessment.rs`	PostgreSQL models and queries for all assessment tables
API	`src/api/assessment.rs`	25+ REST endpoints under `/api/v1/assessment/`
MCP tools	`src/mcp/tools.rs`	35 tools — assessment, AI advisor, distribution, licensing, admin, docs
Dashboard	`dashboard/`	Vite + lit-html + Sass SaaS dashboard
CI integrations	`integrations/`	GitHub Action, GitLab CI, Jenkins, Bitbucket, Azure DevOps, CircleCI, Drone, Woodpecker

Data Flow: Scan Pipeline

1. CLI: fleet scan --path ./repo
2. Load catalog (embedded catalog.json at compile time)
3. Project discovery: languages, manifests, lockfiles, configs, CI
4. Parallel detection: 11 detectors scan relevant files
   - Override suppression: skip requirement IDs with active false_positive/accepted_risk overrides
5. SBOM generation: parse lockfiles -> CycloneDX 1.6 JSON
6. CBOM generation: scan source for crypto primitives -> CycloneDX cryptography BOM
7. Vulnerability enrichment: query OSV.dev for CVEs by PURL (optional)
8. Finding assembly: map detector results to catalog requirements
9. LLM review: send NeedsReview findings to LLM for evidence generation (optional)
10. Evidence generation: hash each finding, create EvidenceRecord
11. Attestation: sign evidence bundle with HMAC-SHA256 (optional)
12. Output: JSON report + SBOM + CBOM + Module A Markdown report
13. Upload: POST results to Fleet API (optional, for dashboard)

Database Schema (migrations 004 + 005)

Table	Purpose	Records
`rulesets`	Catalog versions (draft/published/archived)	Immutable once published
`assessed_products`	Products under assessment, linked to Fleet apps	Per-product config
`scans`	CI/CLI scan runs with summary	One per pipeline execution
`findings`	Per-requirement assessment results	Linked to scan
`evidence_records`	Immutable evidence (append-only, no UPDATE)	10-year retention
`assessment_entries`	Current compliance status per requirement	Upserted on each scan
`finding_overrides`	False-positive/negative/accepted-risk/deferred	Auditable, revocable
`remediations`	Fix tracking (planned -> verified)	Linked to finding + scan
`questionnaire_sessions`	Interview/doc evidence sessions	Per-product
`questionnaire_answers`	Individual question responses	Linked to evidence
`sbom_records`	SBOM/CBOM storage references	Linked to scan + S3

Finding Lifecycle

   Scanner detects pattern
          │
          ▼
   Finding: pass / fail / needs_review / not_applicable
          │
          ├─── LLM Review (optional) ──▶ pass / fail / inconclusive
          │
          ▼
   Triage (API or dashboard)
          │
          ├── Accept (confirm compliant)
          ├── Reject (confirm non-compliant) ──▶ Create Remediation
          ├── False Positive (suppress) ──▶ Override created, skipped in future scans
          ├── Accepted Risk (document) ──▶ Override created, treated as compliant
          └── Defer (postpone) ──▶ Override created with review date

Evidence Immutability

Evidence records have no updated_at column. They are append-only by design:

Each scan creates new evidence records
Old records are never modified or deleted
Content integrity verified via SHA-256 hash
Optional HMAC-SHA256 attestation signature
Designed for the CRA 10-year retention obligation (Article 23)

Catalog Hierarchy

Feature Category (13)
  └── Feature (54)
       ├── Risk (163)
       │    └── Annex I Reference
       └── Requirement (401)
            ├── Assessment Method
            └── Evidence Type: Auto | Semi | Doc | Test

The catalog is authored in Markdown (resources/structure.md), compiled to JSON, and embedded in the Rust binary at compile time via include_bytes!.