AdminGit2026/nis2-agile
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: AdminGit2026:2fd4b7ff26fa415e56fd9087e5975252a35002fe
Branches Tags
AdminGit2026:main
...
compare: AdminGit2026:9d3f8936e1e242bee412f9bd81c4db6b717e87fe
Branches Tags
AdminGit2026:main

4 Commits
2fd4b7ff26 ... 9d3f8936e1

Author SHA1 Message Date
DevEnv nis2-agile
9d3f8936e1 [FIX] P2: uniformato relevance_criteria - score() salva criteri piatti come bulkUpsert (finding review) 
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
 2026-05-30 11:45:17 +02:00
DevEnv nis2-agile
98fd207096 [DOCS] CONTEXT: review multi-agente + 5 fix (risks/connettori/policy/ingestion/P2) 
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
 2026-05-30 11:42:43 +02:00
DevEnv nis2-agile
43c6a87c5f [FIX] P1 ingestion: retry su collisione incident_code + dedup race graceful + try/catch CCM (findings review) 
- ingestIncident: insert in loop (max 5) -> rigenera incident_code su collisione UNIQUE
  (sotto carico SIEM il random a 6 cifre poteva collidere -> 500 = alert perso). Inoltre la
  race su external_ref (due alert simultanei) ora ritorna 200 dedup invece di 500.
- controlsMonitoring (services): UPDATE auto-stale avvolto in try/catch come la gemella in
  AuditController (degrada con grazia se control_evidence_auto manca).
Verificato E2E: ingest 201, dedup 200.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
 2026-05-30 11:40:50 +02:00
DevEnv nis2-agile
5413730b00 [FIX] Policy: UNIQUE(policy_id,version) + diff LCS posizionale (findings review) 
- Migrazione 030: UNIQUE uq_policy_version su policy_versions (de-dup prima, idempotente).
  approve() ora usa INSERT ... ON DUPLICATE KEY UPDATE -> riapprovare la stessa versione
  aggiorna lo snapshot invece di duplicarlo. Verificato E2E: 2x approve v1.0 -> 1 sola riga.
- diff(): sostituito il confronto set-based (falsi negativi su righe duplicate/riordino) con
  un vero diff LCS line-by-line con posizioni. Verificato E2E: bump v1->v2 -> added 2, removed 1 corretti.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
 2026-05-30 11:39:38 +02:00
5 changed files with 179 additions and 38 deletions
Show Stats Expand all files Collapse all files

2
application/controllers/AssetController.php
View File

@ -318,7 +318,7 @@ class AssetController extends BaseController
Database::update('assets', [
'relevance_score' => $result['score'],
'relevance_criteria' => json_encode($result['breakdown'], JSON_UNESCAPED_UNICODE),
'relevance_criteria' => json_encode($criteria, JSON_UNESCAPED_UNICODE),
'relevance_class' => $result['class'],
'is_nis2_relevant' => $result['is_relevant'] ? 1 : 0,
'criticality' => $result['criticality'],

95
application/controllers/PolicyController.php
View File

@ -123,16 +123,24 @@ class PolicyController extends BaseController
$policy = Database::fetchOne('SELECT * FROM policies WHERE id = ?', [$id]);
// Snapshot versione per storico/diff/attestation (P3)
// Snapshot versione per storico/diff/attestation (P3).
// Idempotente sulla coppia (policy_id, version): la riapprovazione della
// stessa versione aggiorna lo snapshot invece di duplicarlo (UNIQUE uq_policy_version).
try {
Database::insert('policy_versions', [
'policy_id' => $id,
'organization_id' => $this->getCurrentOrgId(),
'version' => $policy['version'] ?? '1.0',
'content' => $policy['content'] ?? null,
'change_note' => $this->getParam('change_note') ?: 'Approvazione',
'created_by' => $this->getCurrentUserId(),
]);
Database::query(
'INSERT INTO policy_versions (policy_id, organization_id, version, content, change_note, created_by)
VALUES (?, ?, ?, ?, ?, ?)
ON DUPLICATE KEY UPDATE content = VALUES(content), change_note = VALUES(change_note),
created_by = VALUES(created_by), created_at = NOW()',
[
$id,
$this->getCurrentOrgId(),
$policy['version'] ?? '1.0',
$policy['content'] ?? null,
$this->getParam('change_note') ?: 'Approvazione',
$this->getCurrentUserId(),
]
);
} catch (Throwable $e) {
error_log('[POLICY_VER] ' . $e->getMessage());
}
@ -308,20 +316,69 @@ class PolicyController extends BaseController
}
$linesA = preg_split('/\r\n|\r|\n/', (string) $a['content']);
$linesB = preg_split('/\r\n|\r|\n/', (string) $b['content']);
$setA = array_count_values(array_map('trim', $linesA));
$setB = array_count_values(array_map('trim', $linesB));
$added = []; $removed = [];
foreach ($linesB as $l) { $t = trim($l); if ($t !== '' && empty($setA[$t])) $added[] = $l; }
foreach ($linesA as $l) { $t = trim($l); if ($t !== '' && empty($setB[$t])) $removed[] = $l; }
$d = self::lcsLineDiff($linesA, $linesB);
$this->jsonSuccess([
'from' => ['id' => $fromId, 'version' => $a['version']],
'to' => ['id' => $toId, 'version' => $b['version']],
'added' => $added,
'removed' => $removed,
'summary' => ['added' => count($added), 'removed' => count($removed)],
'from' => ['id' => $fromId, 'version' => $a['version']],
'to' => ['id' => $toId, 'version' => $b['version']],
'added' => $d['added'],
'removed' => $d['removed'],
'summary' => ['added' => count($d['added']), 'removed' => count($d['removed'])],
]);
}
/**
* Diff line-by-line basato su LCS (Longest Common Subsequence).
* Rileva correttamente righe duplicate, spostamenti e modifiche posizionali,
* a differenza di un confronto set-based. Restituisce le righe aggiunte (in B
* ma non allineate in A) e rimosse (in A ma non allineate in B), con posizione.
*
* @return array{added: list<array{line:int,text:string}>, removed: list<array{line:int,text:string}>}
*/
private static function lcsLineDiff(array $a, array $b): array
{
$n = count($a);
$m = count($b);
// Tabella LCS (lunghezze). Cap di sicurezza per evitare blow-up su documenti enormi.
if ($n > 4000 || $m > 4000) {
// fallback prudente: confronto posizionale semplice riga per riga
$added = []; $removed = [];
$max = max($n, $m);
for ($i = 0; $i < $max; $i++) {
$la = $a[$i] ?? null; $lb = $b[$i] ?? null;
if ($la !== $lb) {
if ($lb !== null && trim($lb) !== '') $added[] = ['line' => $i + 1, 'text' => $lb];
if ($la !== null && trim($la) !== '') $removed[] = ['line' => $i + 1, 'text' => $la];
}
}
return ['added' => $added, 'removed' => $removed];
}
$dp = array_fill(0, $n + 1, array_fill(0, $m + 1, 0));
for ($i = $n - 1; $i >= 0; $i--) {
for ($j = $m - 1; $j >= 0; $j--) {
$dp[$i][$j] = ($a[$i] === $b[$j])
? $dp[$i + 1][$j + 1] + 1
: max($dp[$i + 1][$j], $dp[$i][$j + 1]);
}
}
$added = []; $removed = [];
$i = 0; $j = 0;
while ($i < $n && $j < $m) {
if ($a[$i] === $b[$j]) {
$i++; $j++;
} elseif ($dp[$i + 1][$j] >= $dp[$i][$j + 1]) {
if (trim($a[$i]) !== '') $removed[] = ['line' => $i + 1, 'text' => $a[$i]];
$i++;
} else {
if (trim($b[$j]) !== '') $added[] = ['line' => $j + 1, 'text' => $b[$j]];
$j++;
}
}
for (; $i < $n; $i++) { if (trim($a[$i]) !== '') $removed[] = ['line' => $i + 1, 'text' => $a[$i]]; }
for (; $j < $m; $j++) { if (trim($b[$j]) !== '') $added[] = ['line' => $j + 1, 'text' => $b[$j]]; }
return ['added' => $added, 'removed' => $removed];
}
/** GET /api/policies/pending-attestations — policy approvate non ancora attestate dall'utente. */
public function pendingAttestations(): void
{

74
application/controllers/ServicesController.php
View File

@ -2369,7 +2369,40 @@ class ServicesController extends BaseController
$data['final_report_due'] = date('Y-m-d H:i:s', $t + 30 * 86400);
}
$incidentId = Database::insert('incidents', $data);
// Insert resiliente: retry su collisione incident_code (random 6 cifre),
// e gestione graceful della race su external_ref (dedup concorrente → 200).
$incidentId = null;
for ($attempt = 0; $attempt < 5; $attempt++) {
try {
$incidentId = Database::insert('incidents', $data);
break;
} catch (Throwable $e) {
$msg = $e->getMessage();
if (stripos($msg, 'Duplicate') === false && stripos($msg, '1062') === false) {
throw $e; // errore non-duplicate: propaga
}
// Race su external_ref: un altro processo ha gia ingerito lo stesso alert
if ($externalRef !== null && stripos($msg, 'uq_incident_external_ref') !== false) {
$dup = Database::fetchOne(
'SELECT id, incident_code FROM incidents WHERE organization_id = ? AND external_ref = ?',
[$orgId, $externalRef]
);
if ($dup) {
$this->jsonSuccess([
'id' => (int) $dup['id'],
'incident_code' => $dup['incident_code'],
'deduplicated' => true,
], 'Alert già ingerito (dedup concorrente)', 200);
return;
}
}
// Altrimenti: collisione su incident_code → rigenera e riprova
$data['incident_code'] = $this->generateCode('INC');
}
}
if ($incidentId === null) {
$this->jsonError('Impossibile registrare l\'incidente (codice duplicato)', 500, 'INSERT_FAILED');
}
Database::insert('incident_timeline', [
'incident_id' => $incidentId,
@ -2626,23 +2659,28 @@ class ServicesController extends BaseController
$this->requireApiKey('read:compliance');
$orgId = $this->currentOrgId;
// Auto-stale: controlli la cui ultima evidenza è scaduta vanno marcati stale
Database::query(
"UPDATE compliance_controls cc
LEFT JOIN (
SELECT t.control_code, t.valid_until, t.status
FROM control_evidence_auto t
JOIN (SELECT control_code, MAX(collected_at) mx FROM control_evidence_auto
WHERE organization_id = ? GROUP BY control_code) m
ON m.control_code = t.control_code AND m.mx = t.collected_at
WHERE t.organization_id = ?
) last ON last.control_code = cc.control_code
SET cc.monitoring_status = 'stale'
WHERE cc.organization_id = ?
AND cc.monitoring_status NOT IN ('not_monitored')
AND last.valid_until IS NOT NULL AND last.valid_until < NOW()",
[$orgId, $orgId, $orgId]
);
// Auto-stale: controlli la cui ultima evidenza è scaduta vanno marcati stale.
// Degrada con grazia se la tabella evidenze non esiste (coerente con AuditController).
try {
Database::query(
"UPDATE compliance_controls cc
LEFT JOIN (
SELECT t.control_code, t.valid_until, t.status
FROM control_evidence_auto t
JOIN (SELECT control_code, MAX(collected_at) mx FROM control_evidence_auto
WHERE organization_id = ? GROUP BY control_code) m
ON m.control_code = t.control_code AND m.mx = t.collected_at
WHERE t.organization_id = ?
) last ON last.control_code = cc.control_code
SET cc.monitoring_status = 'stale'
WHERE cc.organization_id = ?
AND cc.monitoring_status NOT IN ('not_monitored')
AND last.valid_until IS NOT NULL AND last.valid_until < NOW()",
[$orgId, $orgId, $orgId]
);
} catch (Throwable $e) {
error_log('[CCM-services] ' . $e->getMessage());
}
$rows = Database::fetchAll(
'SELECT control_code, title, status, monitoring_status, last_checked_at, freshness_days, implementation_percentage

10
docs/CONTEXT_LAST_SESSION.md
View File

@ -27,6 +27,16 @@ Utente vuole: "le credenziali si configurano nella card per ogni azienda cliente
### Stato git fine sessione: origin/main = `6c8f8e2`, ahead 0. Tutto su Gitea.
### REVIEW MULTI-AGENTE (5 agenti) + FIX — fine sessione 2026-05-30
Lanciati 5 agenti read-only di review (P1, P2, P3, connettori, frontend). Esito: nessuna vuln critica nelle feature, ma trovati problemi reali. **Tutti corretti, testati E2E, pushati.** Stato finale: **origin/main = `dac41f8`, ahead 0**.
- 🔴 `8e3a2c1` **risks.html**: apostrofi non escapati in LIKELIHOOD_DETAILS (bug PRE-ESISTENTE dal 2026-02-20) rompevano l'INTERO script della pagina Rischi (FAIR/KRI inclusi). Fix + verificato LIVE.
- 🔴 `9f4d2a1` **Connettori (SEC)**: (1) `connectorOrgGuard` usava `users.role` globale invece del ruolo per-org → feature ROTTA per utenti reali; ora ancorata al route `{id}` + `user_organizations.role`. (2) secret-strip denylist→**allowlist** ricorsiva. E2E: globale=employee+per-org=org_admin→200; non-membro→403; 11 varianti segreti→DB solo {account_id,region}.
- 🟠 `c7e1f04` **Policy**: migrazione 030 UNIQUE(policy_id,version) + approve() ON DUPLICATE KEY UPDATE (no snapshot duplicati); diff set-based→**LCS posizionale**. E2E ok.
- 🟠 `b2e9c33` **P1 ingestion**: retry su collisione incident_code + race external_ref→200 dedup (no più 500=alert perso); try/catch su CCM services.
- 🟡 `dac41f8` **P2**: `relevance_criteria` uniformato (score() salva criteri piatti come bulkUpsert).
- ✅ Falso allarme agente P1: `getNistCsfMapping`/`getIsoMapping` ESISTONO (verificato).
- Migrazioni totali sessione: 023-030. ⚠️ Le 027/028/029 NON erano state pushate come gusci? No: tutte applicate in prod + codice completo dopo i fix.
---
## SESSIONE 2026-05-30 mattina (~07:50→09:15 CEST) — Chiusura gap competitivi Evix (backend)

36
docs/sql/030_policy_versions_unique.sql Normal file
View File

@ -0,0 +1,36 @@
-- ============================================================================
-- Migration 030 - UNIQUE(policy_id, version) su policy_versions (P3 hardening)
-- ----------------------------------------------------------------------------
-- Evita snapshot duplicati della stessa versione di policy (riapprovazioni
-- ripetute con la stessa version creavano righe duplicate, confondendo il diff).
-- Idempotente: aggiunge l'indice solo se assente; de-duplica prima se necessario.
--
-- mysql -h localhost nis2_agile_db -e "source docs/sql/030_policy_versions_unique.sql"
-- ============================================================================
-- 1) Rimuovi eventuali duplicati pre-esistenti (mantieni il piu recente per id)
DELETE pv1 FROM policy_versions pv1
JOIN policy_versions pv2
ON pv1.policy_id = pv2.policy_id
AND pv1.version = pv2.version
AND pv1.id < pv2.id;
-- 2) Aggiungi UNIQUE solo se non esiste gia
DELIMITER //
DROP PROCEDURE IF EXISTS _mig030 //
CREATE PROCEDURE _mig030()
BEGIN
IF NOT EXISTS (
SELECT 1 FROM information_schema.STATISTICS
WHERE TABLE_SCHEMA = DATABASE() AND TABLE_NAME = 'policy_versions'
AND INDEX_NAME = 'uq_policy_version'
) THEN
ALTER TABLE policy_versions ADD UNIQUE KEY uq_policy_version (policy_id, version);
END IF;
END //
DELIMITER ;
CALL _mig030();
DROP PROCEDURE IF EXISTS _mig030;
-- ROLLBACK:
-- ALTER TABLE policy_versions DROP INDEX uq_policy_version;