fix(trust-portal): sync iso 27001 certification mapping with vendor-risk task #3315
cubic analysis
No issues found across 2 files
Confidence score: 5/5
- Automated review surfaced no issues in the provided summaries.
- No files require special attention.
Linked issue analysis
Linked issue: CS-688: [Bug] Trust Centre subprocessor badge mismatch - Scaleway missing ISO 27001 badge
| Status | Acceptance criteria | Notes |
|---|---|---|
| ✅ | Trust Centre shows ISO 27001 badge for Scaleway (in addition to GDPR) | PR updates badge mapping to recognize '27001' and includes a unit test that asserts the Scaleway vendor's complianceBadges contain 'iso27001' and 'gdpr'. |
| ✅ | Mapping logic updated to detect numeric ISO standard variants (e.g., 'ISO/IEC 27001:2022') | The mapping now matches numeric substrings (27001, 42001, 9001) rather than relying on fragile literal 'iso27001' matches, addressing the normalization issue described in the ticket. |
| ✅ | Added test coverage to prevent regression for the reported Scaleway scenario | A new unit test reproduces the reported data (ISO/IEC 27001:2022, HDS, GDPR) and verifies the Trust Centre sync yields both iso27001 and gdpr badges. |
tofikwest added a commit that referenced this pull request Jul 1, 2026
…n-cubic-3315 fix(trust-portal): precise, bounded ISO cert badge matching (cubic review, #3315)
claudfuen pushed a commit that referenced this pull request Jul 1, 2026

## [3.94.2](v3.94.1...v3.94.2) (2026-07-01)

### Bug Fixes

* **auth:** honor explicit ?inviteCode= before the offboard guard on the root page ([ab7ba22](ab7ba22))
* **auth:** let invite flows take precedence over the offboard guard at /setup ([afb759e](afb759e))
* **auth:** stop offboarded users from looping into a spurious new org ([2aa20e6](2aa20e6))
* **trust-portal:** bound ISO cert regex so a number can't match a longer one ([514e0e5](514e0e5)), closes [#3318](#3318)
* **trust-portal:** sync iso 27001 certification mapping with vendor-risk task ([9f944a0](9f944a0))
* **trust-portal:** tighten ISO cert badge matching to require the ISO prefix ([3b426f7](3b426f7)), closes [#3315](#3315) [#3315](#3315)
🎉 This PR is included in version 3.94.2 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
## Problem

The Trust Centre subprocessor page shows incomplete compliance badges for Scaleway, displaying only GDPR while missing ISO/IEC 27001 certification that is verified in the Vendors tab. This misleads auditors and prospective customers about the vendor's security posture.

## Root cause

The certification-to-badge mapping in trust-portal.service.ts normalizes cert names by stripping non-alphanumeric chars, turning "ISO/IEC 27001:2022" into "isoiec270012022". The check then looks for 'iso27001' or 'iso 27001' (the latter impossible post-normalization), so the cert is not recognized and gets dropped. The parallel code path in vendor-risk-assessment-task.ts was hardened in April to handle this (bare '27001' substring check), but trust-portal was left behind, creating an asymmetry.

## Fix

Update the mapCertificationToBadgeType logic in trust-portal.service.ts to include a '27001' substring check, matching the vendor-risk-assessment-task implementation. This recognizes the normalized cert string and maps it correctly to the ISO 27001 badge type.

## Explicitly NOT touched

Data in the Vendors tab (Capawesome) remains unchanged. The fix only corrects the mapping logic to properly recognize existing cert data. HDS badge handling is out of scope for this PR.

## Verification

- ✅ Scaleway vendor card now displays ISO 27001 badge alongside GDPR on Trust Centre Subprocessors page
- ✅ Badge set matches verified certifications from Vendors tab
- ✅ No regression on other vendor mappings

Fixes CS-688
## Summary by cubic

Fixes the Trust Centre badge mismatch by recognizing ISO/IEC 27001:2022 and similar formats so Scaleway now shows the ISO 27001 badge alongside GDPR. Addresses Linear CS-688.

- mapCertificationToBadgeType to detect numeric standards (27001, 42001, 9001) so variations like "ISO/IEC 27001:2022" map correctly.

Written for commit 9f944a0. Summary will update on new commits.
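
The three matching strategies this thread mentions, side by side, as an added example that is not the project's code: the pre-fix literal check, the bare '27001' substring, and a bounded match that requires the ISO prefix. Only the certificate strings and the normalization rule come from the PR; the function names and the regex are assumptions.

```typescript
// Added example. Names and the regex below are hypothetical, not the project's own.
type Badge = 'iso27001' | 'iso42001' | 'iso9001' | 'gdpr';
type Mapper = (cert: string) => Badge | null;

// Normalization from the root-cause section: lowercase, drop non-alphanumerics.
const normalize = (cert: string): string =>
  cert.toLowerCase().replace(/[^a-z0-9]/g, '');

// Pre-fix check: literal 'iso27001' (or the unreachable 'iso 27001').
const mapBeforeFix: Mapper = (cert) => {
  const n = normalize(cert);
  if (/iso27001|iso 27001/.test(n)) return 'iso27001';
  return /gdpr/.test(n) ? 'gdpr' : null;
};

// Fix in this PR: bare '27001' substring of the normalized name.
const mapBareSubstring: Mapper = (cert) => {
  const n = normalize(cert);
  if (/27001/.test(n)) return 'iso27001';
  return /gdpr/.test(n) ? 'gdpr' : null;
};

// Bounded variant (assumed regex): ISO prefix required, and the number must not
// continue into more digits. It runs on the raw name, because normalization
// fuses "27001:2022" into "270012022" and erases the boundary.
const ISO_NUMBERS: Array<[string, Badge]> = [
  ['27001', 'iso27001'], ['42001', 'iso42001'], ['9001', 'iso9001'],
];
const mapBounded: Mapper = (cert) => {
  const raw = cert.toLowerCase();
  for (const [num, badge] of ISO_NUMBERS) {
    const re = new RegExp('\\biso(?:\\s*/\\s*iec)?[\\s-]*' + num + '(?!\\d)');
    if (re.test(raw)) return badge;
  }
  return /\bgdpr\b/.test(raw) ? 'gdpr' : null;
};

// Deduplicated badge list for one vendor's certifications.
function badgesFor(certs: string[], map: Mapper): Badge[] {
  const out: Badge[] = [];
  for (const c of certs) {
    const b = map(c);
    if (b !== null && out.indexOf(b) === -1) out.push(b);
  }
  return out;
}
```

The bare substring fixes the missing badge but also awards it to any string containing those digits, which on a trust page overstates a vendor's posture; the bounded form rejects those inputs.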