Add proposed CRA obligation relationships

11 human-reasoned Beziehungskanten in cra.json gemerged (dedupliziert gegen die
Pipeline-Kanten), getaggt review_status=proposed / source=human_reasoned_preview /
confidence=high. Nur die kleine Sprache depends_on / supports / produces_evidence_for;
gerichtet. Cross-Family SBOM→Vuln-Kanten erlauben dem Advisor Ursachen-/Wirkungsketten.

Damit ist der CRA-v1-Baustein vollständig: Obligations · legal_basis · guidance_basis ·
out_of_scope · relationships · pending citation anchors.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

obligations/cra.json

@@ -1490,6 +1490,93 @@
     198
    ],
    "note": "Adressieren NIS2-Einrichtungspflichten, CSIRT/ENISA-Behördenaufgaben, Konformitätsbewertungsstellen/EUCC-Zertifizierung, Distributor/Importeur-Pflichten, nationale Strategien, Secure-by-Design/Tooling oder Interoperabilität — keine herstellerseitige Vulnerability-Handling-Pflicht nach CRA Art. 13(8)/Annex I Part II"
+  },
+  {
+   "type": "supports",
+   "from": "sbom_creation",
+   "to": "vuln_identification_inventory",
+   "cross_family": true,
+   "note": "SBOM macht enthaltene Komponenten für die Schwachstellensuche sichtbar",
+   "review_status": "proposed",
+   "source": "human_reasoned_preview",
+   "confidence": "high"
+  },
+  {
+   "type": "supports",
+   "from": "sbom_dependency_coverage",
+   "to": "vuln_identification_inventory",
+   "cross_family": true,
+   "note": "transitive Abhängigkeiten ermöglichen Erkennung in Drittkomponenten",
+   "review_status": "proposed",
+   "source": "human_reasoned_preview",
+   "confidence": "high"
+  },
+  {
+   "type": "supports",
+   "from": "sbom_maintenance_update",
+   "to": "vuln_identification_inventory",
+   "cross_family": true,
+   "note": "aktuelle SBOM hält das Komponenten-Inventar für Vuln-Scans aktuell",
+   "review_status": "proposed",
+   "source": "human_reasoned_preview",
+   "confidence": "high"
+  },
+  {
+   "type": "depends_on",
+   "from": "vuln_assessment_prioritization",
+   "to": "vuln_identification_inventory",
+   "cross_family": false,
+   "note": "Bewertung setzt identifizierte Schwachstellen voraus",
+   "review_status": "proposed",
+   "source": "human_reasoned_preview",
+   "confidence": "high"
+  },
+  {
+   "type": "depends_on",
+   "from": "vuln_info_dissemination_users",
+   "to": "vuln_remediation_patching",
+   "cross_family": false,
+   "note": "Nutzerinformation erfolgt nach Bereitstellung des Updates",
+   "review_status": "proposed",
+   "source": "human_reasoned_preview",
+   "confidence": "high"
+  },
+  {
+   "type": "depends_on",
+   "from": "exploited_vuln_reporting_authorities",
+   "to": "vuln_identification_inventory",
+   "cross_family": false,
+   "note": "Meldung ausgenutzter Schwachstellen setzt deren Erkennung voraus",
+   "review_status": "proposed",
+   "source": "human_reasoned_preview",
+   "confidence": "high"
+  },
+  {
+   "type": "depends_on",
+   "from": "coordinated_vulnerability_disclosure",
+   "to": "vuln_handling_process",
+   "cross_family": false,
+   "note": "CVD ist Bestandteil des Schwachstellenbehandlungsprozesses",
+   "review_status": "proposed",
+   "source": "human_reasoned_preview",
+   "confidence": "high"
+  },
+  {
+   "type": "depends_on",
+   "from": "sbom_maintenance_update",
+   "to": "sbom_creation",
+   "cross_family": false,
+   "note": "Pflege setzt die initiale Erstellung voraus",
+   "review_status": "proposed",
+   "source": "human_reasoned_preview",
+   "confidence": "high"
   }
+ ],
+ "relationship_types": [
+  "depends_on",
+  "supports",
+  "produces_evidence_for",
+  "implements",
+  "derived_from"
  ]
 }