From 188bb787d21b2f9c3c0ac6ed343abb08d761e323 Mon Sep 17 00:00:00 2001
From: Benjamin Admin
Date: Thu, 25 Jun 2026 00:08:47 +0200
Subject: [PATCH] Add proposed CRA obligation relationships
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

11 human-reasoned Beziehungskanten in cra.json gemerged (dedupliziert gegen die Pipeline-Kanten), getaggt review_status=proposed / source=human_reasoned_preview / confidence=high. Nur die kleine Sprache depends_on / supports / produces_evidence_for; gerichtet. Cross-Family SBOM→Vuln-Kanten erlauben dem Advisor Ursachen-/Wirkungsketten. Damit ist der CRA-v1-Baustein vollständig: Obligations · legal_basis · guidance_basis · out_of_scope · relationships · pending citation anchors.
Co-Authored-By: Claude Opus 4.7
---
 obligations/cra.json | 87 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 87 insertions(+)
diff --git a/obligations/cra.json b/obligations/cra.json
index 8a6eeabf..8b21a6c6 100644
--- a/obligations/cra.json
+++ b/obligations/cra.json
@@ -1490,6 +1490,93 @@
 198
 ],
 "note": "Adressieren NIS2-Einrichtungspflichten, CSIRT/ENISA-Behördenaufgaben, Konformitätsbewertungsstellen/EUCC-Zertifizierung, Distributor/Importeur-Pflichten, nationale Strategien, Secure-by-Design/Tooling oder Interoperabilität — keine herstellerseitige Vulnerability-Handling-Pflicht nach CRA Art. 13(8)/Annex I Part II"
+ },
+ {
+ "type": "supports",
+ "from": "sbom_creation",
+ "to": "vuln_identification_inventory",
+ "cross_family": true,
+ "note": "SBOM macht enthaltene Komponenten für die Schwachstellensuche sichtbar",
+ "review_status": "proposed",
+ "source": "human_reasoned_preview",
+ "confidence": "high"
+ },
+ {
+ "type": "supports",
+ "from": "sbom_dependency_coverage",
+ "to": "vuln_identification_inventory",
+ "cross_family": true,
+ "note": "transitive Abhängigkeiten ermöglichen Erkennung in Drittkomponenten",
+ "review_status": "proposed",
+ "source": "human_reasoned_preview",
+ "confidence": "high"
+ },
+ {
+ "type": "supports",
+ "from": "sbom_maintenance_update",
+ "to": "vuln_identification_inventory",
+ "cross_family": true,
+ "note": "aktuelle SBOM hält das Komponenten-Inventar für Vuln-Scans aktuell",
+ "review_status": "proposed",
+ "source": "human_reasoned_preview",
+ "confidence": "high"
+ },
+ {
+ "type": "depends_on",
+ "from": "vuln_assessment_prioritization",
+ "to": "vuln_identification_inventory",
+ "cross_family": false,
+ "note": "Bewertung setzt identifizierte Schwachstellen voraus",
+ "review_status": "proposed",
+ "source": "human_reasoned_preview",
+ "confidence": "high"
+ },
+ {
+ "type": "depends_on",
+ "from": "vuln_info_dissemination_users",
+ "to": "vuln_remediation_patching",
+ "cross_family": false,
+ "note": "Nutzerinformation erfolgt nach Bereitstellung des Updates",
+ "review_status": "proposed",
+ "source": "human_reasoned_preview",
+ "confidence": "high"
+ },
+ {
+ "type": "depends_on",
+ "from": "exploited_vuln_reporting_authorities",
+ "to": "vuln_identification_inventory",
+ "cross_family": false,
+ "note": "Meldung ausgenutzter Schwachstellen setzt deren Erkennung voraus",
+ "review_status": "proposed",
+ "source": "human_reasoned_preview",
+ "confidence": "high"
+ },
+ {
+ "type": "depends_on",
+ "from": "coordinated_vulnerability_disclosure",
+ "to": "vuln_handling_process",
+ "cross_family": false,
+ "note": "CVD ist Bestandteil des Schwachstellenbehandlungsprozesses",
+ "review_status": "proposed",
+ "source": "human_reasoned_preview",
+ "confidence": "high"
+ },
+ {
+ "type": "depends_on",
+ "from": "sbom_maintenance_update",
+ "to": "sbom_creation",
+ "cross_family": false,
+ "note": "Pflege setzt die initiale Erstellung voraus",
+ "review_status": "proposed",
+ "source": "human_reasoned_preview",
+ "confidence": "high"
 }
+ ],
+ "relationship_types": [
+ "depends_on",
+ "supports",
+ "produces_evidence_for",
+ "implements",
+ "derived_from"
 ]
 }
\ No newline at end of file