Benjamin Admin
2645b5b043
Erstes belastbares Registry-Artefakt (obligation_registry_v1) aus den validierten SBOM+Vuln-Candidates der Obligation Discovery Pipeline. - 18 Obligations (11 SBOM + 7 Vuln) - 14 LEGAL_MINIMUM, alle mit legal_basis (harte Tier-Regel) - 4 BEST_PRACTICE korrekt herabgestuft (source_role GUIDANCE/IMPLEMENTATION) - 70 OUT_OF_SCOPE-Cluster getrennt; member_controls vollständig - legal_basis (CRA-Primärrecht) ⊥ guidance_basis (BSI/ENISA/NIST/...) - citation_status=pending_span_anchor (span_id folgt mit Asset 2), review_status=draft Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
1495 lines
34 KiB
JSON
1495 lines
34 KiB
JSON
{
|
|
"schema_version": "obligation_registry_v1",
|
|
"regulation": "CRA",
|
|
"regulation_code": "eu_2024_2847",
|
|
"generated_by": "obl_registry_build/claude-opus-4-8",
|
|
"citation_status": "pending_span_anchor",
|
|
"obligations": [
|
|
{
|
|
"id": "sbom_creation",
|
|
"name": "SBOM erstellen",
|
|
"description": "Hersteller von Produkten mit digitalen Elementen müssen eine Software Bill of Materials erstellen.",
|
|
"tier": "LEGAL_MINIMUM",
|
|
"family": "sbom",
|
|
"applicability": "domain:products_with_digital_elements",
|
|
"evidence_facets": {
|
|
"governance": true,
|
|
"capability": true,
|
|
"evidence": true
|
|
},
|
|
"source_role": "LEGAL_BASIS",
|
|
"legal_basis": [
|
|
{
|
|
"source": "CRA",
|
|
"regulation_code": "eu_2024_2847",
|
|
"anchor": "Annex I Part II (1)",
|
|
"citation": "SBOM in gängigem maschinenlesbarem Format, mind. Top-Level-Abhängigkeiten"
|
|
}
|
|
],
|
|
"guidance_basis": [
|
|
{
|
|
"source": "BSI",
|
|
"anchor": "TR-03183",
|
|
"role": "implementation_guidance"
|
|
},
|
|
{
|
|
"source": "ENISA",
|
|
"anchor": "",
|
|
"role": "best_practice"
|
|
}
|
|
],
|
|
"member_controls": [
|
|
"AI-1246",
|
|
"AI-1246-A01",
|
|
"AI-528-A06",
|
|
"AI-528-A13",
|
|
"AUTH-006-A10",
|
|
"AUTH-2111-A08",
|
|
"AUTH-2962-A05",
|
|
"AUTH-3664-A07",
|
|
"AUTH-4033-A02",
|
|
"AUTH-4042-A03",
|
|
"AUTH-4061-A04",
|
|
"COMP-2335-A05",
|
|
"COMP-2782-A06",
|
|
"COMP-3363-A07",
|
|
"COMP-4052",
|
|
"COMP-511-A04",
|
|
"COMP-511-A10",
|
|
"COMP-705-A11",
|
|
"CRYP-030-A04",
|
|
"GOV-306-A02",
|
|
"GOV-306-A08",
|
|
"GOV-356-A02",
|
|
"GOV-3850",
|
|
"GOV-3850-A01",
|
|
"HLT-062",
|
|
"INC-066-A21",
|
|
"LOG-1185",
|
|
"LOG-1185-A02",
|
|
"LOG-1191-A05",
|
|
"LOG-1208-A03",
|
|
"LOG-1759-A08",
|
|
"LOG-2075-A03",
|
|
"LOG-2076-A01",
|
|
"LOG-2076-A02",
|
|
"LOG-2079",
|
|
"LOG-2079-A01",
|
|
"LOG-2079-A02",
|
|
"LOG-211",
|
|
"LOG-211-A01",
|
|
"LOG-211-A03",
|
|
"LOG-211-A09",
|
|
"LOG-211-A10",
|
|
"LOG-211-A11",
|
|
"LOG-543-A03",
|
|
"LOG-543-A08",
|
|
"NET-246-A03",
|
|
"NET-246-A09",
|
|
"SEC-020-A06",
|
|
"SEC-020-A15",
|
|
"SEC-020-A28",
|
|
"SEC-027",
|
|
"SEC-027-A02",
|
|
"SEC-027-A03",
|
|
"SEC-027-A11",
|
|
"SEC-027-A23",
|
|
"SEC-027-A24",
|
|
"SEC-096-A02",
|
|
"SEC-096-A10",
|
|
"SEC-347",
|
|
"SEC-347-A01",
|
|
"SEC-347-A02",
|
|
"SEC-347-A11",
|
|
"SEC-347-A12",
|
|
"SEC-430-A20",
|
|
"SEC-430-A21",
|
|
"SEC-481-A01",
|
|
"SEC-4981-A01",
|
|
"SEC-4981-A02",
|
|
"SEC-5516",
|
|
"SEC-5516-A04",
|
|
"SEC-5897-A01",
|
|
"SEC-5906",
|
|
"SEC-669",
|
|
"SEC-669-A02",
|
|
"SEC-669-A07",
|
|
"SEC-669-A08",
|
|
"SEC-708-A13",
|
|
"SEC-7117-A01",
|
|
"SEC-7128-A04",
|
|
"SEC-7128-A12",
|
|
"SEC-9045-A04",
|
|
"SEC-9107-A05",
|
|
"SUP-001-A06",
|
|
"SUP-001-A11",
|
|
"SUP-001-A12"
|
|
],
|
|
"member_count": 85,
|
|
"relationships": [],
|
|
"citation_anchor_ids": [],
|
|
"citation_status": "pending_span_anchor",
|
|
"review_status": "draft"
|
|
},
|
|
{
|
|
"id": "sbom_dependency_coverage",
|
|
"name": "Abhängigkeiten in SBOM abdecken",
|
|
"description": "Die SBOM muss direkte und (kritische) indirekte/transitive Abhängigkeiten samt Metadaten dokumentieren.",
|
|
"tier": "LEGAL_MINIMUM",
|
|
"family": "sbom",
|
|
"applicability": "domain:products_with_digital_elements",
|
|
"evidence_facets": {
|
|
"governance": false,
|
|
"capability": true,
|
|
"evidence": true
|
|
},
|
|
"source_role": "LEGAL_BASIS",
|
|
"legal_basis": [
|
|
{
|
|
"source": "CRA",
|
|
"regulation_code": "eu_2024_2847",
|
|
"anchor": "Art. 3(36) i.V.m. Annex I Part II (1)",
|
|
"citation": "SBOM-Definition: formale Aufzeichnung enthaltener Komponenten und Abhängigkeiten"
|
|
}
|
|
],
|
|
"guidance_basis": [
|
|
{
|
|
"source": "OWASP",
|
|
"anchor": "CycloneDX",
|
|
"role": "implementation_guidance"
|
|
}
|
|
],
|
|
"member_controls": [
|
|
"AI-1246-A02",
|
|
"AI-1246-A03",
|
|
"AI-1246-A04",
|
|
"AI-1246-A05",
|
|
"AUTH-4033-A06",
|
|
"AUTH-4062-A01",
|
|
"COMP-4072-A03",
|
|
"COMP-705-A03",
|
|
"GOV-3108-A11",
|
|
"GOV-3850-A02",
|
|
"LOG-1185-A03",
|
|
"LOG-1191-A08",
|
|
"LOG-1191-A09",
|
|
"SEC-100-A02",
|
|
"SEC-100-A03",
|
|
"SEC-100-A14",
|
|
"SEC-100-A15",
|
|
"SEC-340-A03",
|
|
"SEC-340-A12",
|
|
"SEC-481",
|
|
"SEC-5897-A03",
|
|
"SEC-7067-A12",
|
|
"SEC-9027-A07",
|
|
"SEC-9027-A08"
|
|
],
|
|
"member_count": 24,
|
|
"relationships": [],
|
|
"citation_anchor_ids": [],
|
|
"citation_status": "pending_span_anchor",
|
|
"review_status": "draft"
|
|
},
|
|
{
|
|
"id": "sbom_format_standard",
|
|
"name": "SBOM-Format nach anerkannten Standards",
|
|
"description": "Die SBOM muss in einem maschinenlesbaren Format gemäß anerkannten internationalen/EU-Normen (CycloneDX, SPDX) erstellt werden.",
|
|
"tier": "LEGAL_MINIMUM",
|
|
"family": "sbom",
|
|
"applicability": "domain:products_with_digital_elements",
|
|
"evidence_facets": {
|
|
"governance": true,
|
|
"capability": true,
|
|
"evidence": false
|
|
},
|
|
"source_role": "LEGAL_BASIS",
|
|
"legal_basis": [
|
|
{
|
|
"source": "CRA",
|
|
"regulation_code": "eu_2024_2847",
|
|
"anchor": "Annex I Part II (1)",
|
|
"citation": "gängiges, maschinenlesbares Format"
|
|
}
|
|
],
|
|
"guidance_basis": [
|
|
{
|
|
"source": "BSI",
|
|
"anchor": "TR-03183 Abschnitt 5",
|
|
"role": "implementation_guidance"
|
|
},
|
|
{
|
|
"source": "OWASP",
|
|
"anchor": "CycloneDX/SPDX",
|
|
"role": "implementation_guidance"
|
|
}
|
|
],
|
|
"member_controls": [
|
|
"AUTH-4033-A01",
|
|
"AUTH-4033-A09",
|
|
"COMP-2342",
|
|
"COMP-4072",
|
|
"COMP-4072-A01",
|
|
"COMP-4072-A02",
|
|
"COMP-4072-A04",
|
|
"GOV-3850-A04",
|
|
"GOV-3850-A10",
|
|
"LOG-1191-A06",
|
|
"LOG-1208-A04",
|
|
"LOG-1208-A05",
|
|
"LOG-2076-A04",
|
|
"SEC-347-A03",
|
|
"SEC-347-A13",
|
|
"SEC-669-A09",
|
|
"SEC-9027-A04",
|
|
"SEC-9027-A06",
|
|
"SEC-9047-A01"
|
|
],
|
|
"member_count": 19,
|
|
"relationships": [],
|
|
"citation_anchor_ids": [],
|
|
"citation_status": "pending_span_anchor",
|
|
"review_status": "draft"
|
|
},
|
|
{
|
|
"id": "sbom_maintenance_update",
|
|
"name": "SBOM pflegen und aktualisieren",
|
|
"description": "Die SBOM muss bei Versionen, Patches und Dependency-Änderungen aktualisiert und mit der Produktversion synchron gehalten werden.",
|
|
"tier": "LEGAL_MINIMUM",
|
|
"family": "sbom",
|
|
"applicability": "domain:products_with_digital_elements",
|
|
"evidence_facets": {
|
|
"governance": true,
|
|
"capability": true,
|
|
"evidence": true
|
|
},
|
|
"source_role": "LEGAL_BASIS",
|
|
"legal_basis": [
|
|
{
|
|
"source": "CRA",
|
|
"regulation_code": "eu_2024_2847",
|
|
"anchor": "Annex I Part II (1)",
|
|
"citation": "SBOM während Support-Zeitraum führen"
|
|
}
|
|
],
|
|
"guidance_basis": [
|
|
{
|
|
"source": "NIST SSDF",
|
|
"anchor": "PS.3",
|
|
"role": "best_practice"
|
|
}
|
|
],
|
|
"member_controls": [
|
|
"AI-1050-A07",
|
|
"AI-1246-A06",
|
|
"AI-929-A29",
|
|
"AI-929-A30",
|
|
"AI-929-A40",
|
|
"AI-929-A41",
|
|
"AI-929-A51",
|
|
"AI-929-A52",
|
|
"AUTH-3664-A08",
|
|
"AUTH-4033-A04",
|
|
"AUTH-4033-A07",
|
|
"GOV-3850-A05",
|
|
"GOV-3850-A11",
|
|
"INC-066-A22",
|
|
"LOG-2076-A05",
|
|
"NET-246-A04",
|
|
"NET-246-A10",
|
|
"SEC-020-A07",
|
|
"SEC-020-A16",
|
|
"SEC-020-A29",
|
|
"SEC-027-A20",
|
|
"SEC-304-A06",
|
|
"SEC-304-A16",
|
|
"SEC-347-A10",
|
|
"SEC-5516-A03",
|
|
"SEC-5897-A06",
|
|
"SEC-5897-A09",
|
|
"SEC-669-A12",
|
|
"SEC-7067-A05",
|
|
"SEC-9027-A02",
|
|
"SEC-9027-A10"
|
|
],
|
|
"member_count": 31,
|
|
"relationships": [],
|
|
"citation_anchor_ids": [],
|
|
"citation_status": "pending_span_anchor",
|
|
"review_status": "draft"
|
|
},
|
|
{
|
|
"id": "sbom_completeness_verification",
|
|
"name": "SBOM-Vollständigkeit verifizieren",
|
|
"description": "Die Vollständigkeit und Aktualität der SBOM ist gegen tatsächlich eingesetzte Komponenten zu prüfen und zu auditieren.",
|
|
"tier": "BEST_PRACTICE",
|
|
"family": "sbom",
|
|
"applicability": "conditional:sbom_creation",
|
|
"evidence_facets": {
|
|
"governance": false,
|
|
"capability": true,
|
|
"evidence": true
|
|
},
|
|
"source_role": "GUIDANCE",
|
|
"legal_basis": [],
|
|
"guidance_basis": [
|
|
{
|
|
"source": "OWASP",
|
|
"anchor": "Dependency-Check",
|
|
"role": "implementation_guidance"
|
|
},
|
|
{
|
|
"source": "NIST SSDF",
|
|
"anchor": "PS.3.2",
|
|
"role": "best_practice"
|
|
}
|
|
],
|
|
"member_controls": [
|
|
"AUTH-2603-A09",
|
|
"AUTH-2924-A06",
|
|
"AUTH-2924-A07",
|
|
"AUTH-4033-A03",
|
|
"AUTH-4033-A10",
|
|
"GOV-3850-A07",
|
|
"GOV-3850-A08",
|
|
"LOG-2079-A04",
|
|
"LOG-211-A08",
|
|
"LOG-211-A16",
|
|
"NET-470-A20",
|
|
"NET-470-A31",
|
|
"SEC-1170-A10",
|
|
"SEC-1170-A26",
|
|
"SEC-1170-A42",
|
|
"SEC-1170-A58",
|
|
"SEC-1252-A04",
|
|
"SEC-5516-A05",
|
|
"SEC-5897-A07",
|
|
"SEC-9027-A05",
|
|
"SEC-9049-A05"
|
|
],
|
|
"member_count": 21,
|
|
"relationships": [],
|
|
"citation_anchor_ids": [],
|
|
"citation_status": "pending_span_anchor",
|
|
"review_status": "draft"
|
|
},
|
|
{
|
|
"id": "sbom_tooling_automation",
|
|
"name": "SBOM-Tooling in Build-Pipeline",
|
|
"description": "SBOM-Generierung wird automatisiert in die Build-/Toolchain integriert und die Tools selbst werden auf Schwachstellen gescannt.",
|
|
"tier": "BEST_PRACTICE",
|
|
"family": "sbom",
|
|
"applicability": "conditional:sbom_creation",
|
|
"evidence_facets": {
|
|
"governance": false,
|
|
"capability": true,
|
|
"evidence": false
|
|
},
|
|
"source_role": "IMPLEMENTATION",
|
|
"legal_basis": [],
|
|
"guidance_basis": [
|
|
{
|
|
"source": "OWASP",
|
|
"anchor": "CycloneDX Tooling",
|
|
"role": "implementation_guidance"
|
|
},
|
|
{
|
|
"source": "NIST SSDF",
|
|
"anchor": "PO.3",
|
|
"role": "implementation_guidance"
|
|
}
|
|
],
|
|
"member_controls": [
|
|
"AUTH-2924-A02",
|
|
"AUTH-3667-A08",
|
|
"NET-1487-A14",
|
|
"SEC-7078-A09",
|
|
"SEC-7114-A01",
|
|
"SEC-7114-A02"
|
|
],
|
|
"member_count": 6,
|
|
"relationships": [],
|
|
"citation_anchor_ids": [],
|
|
"citation_status": "pending_span_anchor",
|
|
"review_status": "draft"
|
|
},
|
|
{
|
|
"id": "sbom_access_provision",
|
|
"name": "SBOM zugänglich machen",
|
|
"description": "Die SBOM muss für Kunden/Stakeholder über definierte Kanäle zugänglich gemacht und der Zugriffspfad dokumentiert werden.",
|
|
"tier": "BEST_PRACTICE",
|
|
"family": "sbom",
|
|
"applicability": "conditional:sbom_creation",
|
|
"evidence_facets": {
|
|
"governance": true,
|
|
"capability": true,
|
|
"evidence": true
|
|
},
|
|
"source_role": "GUIDANCE",
|
|
"legal_basis": [],
|
|
"guidance_basis": [
|
|
{
|
|
"source": "ENISA",
|
|
"anchor": "",
|
|
"role": "best_practice"
|
|
}
|
|
],
|
|
"member_controls": [
|
|
"AI-1246-A07",
|
|
"AUTH-4033-A05",
|
|
"AUTH-4033-A08",
|
|
"GOV-3850-A12",
|
|
"LOG-1191-A07",
|
|
"NET-1842-A02",
|
|
"SEC-027-A09",
|
|
"SEC-027-A18",
|
|
"SEC-027-A21",
|
|
"SEC-1252-A05",
|
|
"SEC-212-A10",
|
|
"SEC-212-A17",
|
|
"SEC-347-A04",
|
|
"SEC-347-A14",
|
|
"SEC-5897-A02",
|
|
"SEC-5897-A08"
|
|
],
|
|
"member_count": 16,
|
|
"relationships": [],
|
|
"citation_anchor_ids": [],
|
|
"citation_status": "pending_span_anchor",
|
|
"review_status": "draft"
|
|
},
|
|
{
|
|
"id": "sbom_authority_provision",
|
|
"name": "SBOM an Marktüberwachungsbehörde bereitstellen",
|
|
"description": "Die SBOM muss auf begründetes Verlangen der Marktüberwachungsbehörde vertraulich vorgelegt werden.",
|
|
"tier": "LEGAL_MINIMUM",
|
|
"family": "sbom",
|
|
"applicability": "domain:products_with_digital_elements",
|
|
"evidence_facets": {
|
|
"governance": true,
|
|
"capability": false,
|
|
"evidence": true
|
|
},
|
|
"source_role": "LEGAL_BASIS",
|
|
"legal_basis": [
|
|
{
|
|
"source": "CRA",
|
|
"regulation_code": "eu_2024_2847",
|
|
"anchor": "Art. 31 / Annex I Part II (1)",
|
|
"citation": "Vorlage der SBOM auf begründetes Verlangen der Marktüberwachungsbehörde"
|
|
}
|
|
],
|
|
"guidance_basis": [],
|
|
"member_controls": [
|
|
"AUTH-006-A28",
|
|
"AUTH-4061-A01",
|
|
"LOG-1185-A01",
|
|
"LOG-2076-A03",
|
|
"LOG-2079-A03",
|
|
"LOG-543-A04",
|
|
"LOG-543-A09",
|
|
"SEC-669-A10"
|
|
],
|
|
"member_count": 8,
|
|
"relationships": [],
|
|
"citation_anchor_ids": [],
|
|
"citation_status": "pending_span_anchor",
|
|
"review_status": "draft"
|
|
},
|
|
{
|
|
"id": "sbom_confidentiality",
|
|
"name": "Vertraulichkeit der SBOM schützen",
|
|
"description": "SBOM-Daten und Abhängigkeitsinformationen sind vertraulich zu behandeln und durch Zugriffskontrollen zu schützen.",
|
|
"tier": "LEGAL_MINIMUM",
|
|
"family": "sbom",
|
|
"applicability": "universal",
|
|
"evidence_facets": {
|
|
"governance": true,
|
|
"capability": true,
|
|
"evidence": false
|
|
},
|
|
"source_role": "LEGAL_BASIS",
|
|
"legal_basis": [
|
|
{
|
|
"source": "CRA",
|
|
"regulation_code": "eu_2024_2847",
|
|
"anchor": "Art. 31(4)",
|
|
"citation": "Marktüberwachungsbehörden wahren Vertraulichkeit der erhaltenen Informationen"
|
|
}
|
|
],
|
|
"guidance_basis": [
|
|
{
|
|
"source": "ISO",
|
|
"anchor": "ISO/IEC 27001",
|
|
"role": "best_practice"
|
|
}
|
|
],
|
|
"member_controls": [
|
|
"LOG-1185-A06",
|
|
"LOG-211-A05",
|
|
"LOG-211-A13",
|
|
"LOG-543",
|
|
"LOG-543-A01",
|
|
"LOG-543-A05",
|
|
"LOG-543-A06",
|
|
"LOG-543-A10",
|
|
"SEC-1126-A13",
|
|
"SEC-1126-A31"
|
|
],
|
|
"member_count": 10,
|
|
"relationships": [],
|
|
"citation_anchor_ids": [],
|
|
"citation_status": "pending_span_anchor",
|
|
"review_status": "draft"
|
|
},
|
|
{
|
|
"id": "sbom_supply_chain_contracts",
|
|
"name": "SBOM-Anforderungen in Lieferantenmanagement",
|
|
"description": "SBOM-Anforderungen werden vertraglich in Lieferanten-/Kundenverträgen und im Supplier-Onboarding verankert.",
|
|
"tier": "BEST_PRACTICE",
|
|
"family": "sbom",
|
|
"applicability": "conditional:third_party_software_used",
|
|
"evidence_facets": {
|
|
"governance": true,
|
|
"capability": false,
|
|
"evidence": true
|
|
},
|
|
"source_role": "GUIDANCE",
|
|
"legal_basis": [],
|
|
"guidance_basis": [
|
|
{
|
|
"source": "NIST SSDF",
|
|
"anchor": "PW.4 / PO.1",
|
|
"role": "best_practice"
|
|
},
|
|
{
|
|
"source": "ENISA",
|
|
"anchor": "Supply Chain",
|
|
"role": "best_practice"
|
|
}
|
|
],
|
|
"member_controls": [
|
|
"DATA-4672-A04",
|
|
"GOV-3850-A03",
|
|
"GOV-3850-A06",
|
|
"GOV-3850-A09",
|
|
"SEC-8994-A03",
|
|
"SEC-8994-A09"
|
|
],
|
|
"member_count": 6,
|
|
"relationships": [],
|
|
"citation_anchor_ids": [],
|
|
"citation_status": "pending_span_anchor",
|
|
"review_status": "draft"
|
|
},
|
|
{
|
|
"id": "sbom_technical_documentation",
|
|
"name": "SBOM in technischer Dokumentation/Konformitätsbewertung",
|
|
"description": "Die SBOM ist Teil der technischen Dokumentation und der Konformitätsbewertung (inkl. EUCC/ST-Nachweise).",
|
|
"tier": "LEGAL_MINIMUM",
|
|
"family": "sbom",
|
|
"applicability": "domain:products_with_digital_elements",
|
|
"evidence_facets": {
|
|
"governance": false,
|
|
"capability": false,
|
|
"evidence": true
|
|
},
|
|
"source_role": "EVIDENCE",
|
|
"legal_basis": [
|
|
{
|
|
"source": "CRA",
|
|
"regulation_code": "eu_2024_2847",
|
|
"anchor": "Art. 31 i.V.m. Annex VII",
|
|
"citation": "technische Dokumentation muss SBOM-relevante Nachweise enthalten"
|
|
}
|
|
],
|
|
"guidance_basis": [
|
|
{
|
|
"source": "ISO",
|
|
"anchor": "EUCC ALC_SBM",
|
|
"role": "implementation_guidance"
|
|
}
|
|
],
|
|
"member_controls": [
|
|
"AUTH-004",
|
|
"AUTH-006",
|
|
"AUTH-154-A02",
|
|
"AUTH-154-A08",
|
|
"AUTH-4042",
|
|
"AUTH-4042-A05",
|
|
"AUTH-4061-A02",
|
|
"AUTH-4061-A03",
|
|
"AUTH-4062",
|
|
"NET-1842-A03",
|
|
"SEC-9027-A03",
|
|
"SEC-9047",
|
|
"SEC-9049"
|
|
],
|
|
"member_count": 13,
|
|
"relationships": [],
|
|
"citation_anchor_ids": [],
|
|
"citation_status": "pending_span_anchor",
|
|
"review_status": "draft"
|
|
},
|
|
{
|
|
"id": "vuln_identification_inventory",
|
|
"name": "Schwachstellen identifizieren & Komponenten erfassen",
|
|
"description": "Hersteller müssen Schwachstellen in Produkten und enthaltenen (Dritt-)Komponenten kontinuierlich identifizieren und über ein SBOM/Asset-Inventar nachvollziehbar erfassen.",
|
|
"tier": "LEGAL_MINIMUM",
|
|
"family": "vuln",
|
|
"applicability": "domain:products_with_digital_elements",
|
|
"evidence_facets": {
|
|
"governance": true,
|
|
"capability": true,
|
|
"evidence": true
|
|
},
|
|
"source_role": "LEGAL_BASIS",
|
|
"legal_basis": [
|
|
{
|
|
"source": "CRA",
|
|
"regulation_code": "eu_2024_2847",
|
|
"anchor": "Annex I Part II (1)",
|
|
"citation": "Komponenten identifizieren und dokumentieren, einschl. SBOM"
|
|
}
|
|
],
|
|
"guidance_basis": [
|
|
{
|
|
"source": "NIST SSDF",
|
|
"anchor": "PW.4 / RV.1",
|
|
"role": "implementation_guidance"
|
|
},
|
|
{
|
|
"source": "ISO",
|
|
"anchor": "ISO/IEC 27002:2022 8.8",
|
|
"role": "best_practice"
|
|
}
|
|
],
|
|
"member_controls": [
|
|
"AI-012-A14",
|
|
"AI-012-A28",
|
|
"AI-1214-A11",
|
|
"AUTH-154",
|
|
"AUTH-458-A04",
|
|
"AUTH-725-A10",
|
|
"COMP-418-A03",
|
|
"COMP-705-A04",
|
|
"COMP-707-A08",
|
|
"COMP-917-A10",
|
|
"COMP-917-A20",
|
|
"CRYP-031-A06",
|
|
"DATA-4697",
|
|
"GOV-206-A04",
|
|
"GOV-206-A13",
|
|
"INC-016-A02",
|
|
"INC-016-A42",
|
|
"LOG-029-A13",
|
|
"LOG-1509-A06",
|
|
"LOG-2028-A10",
|
|
"LOG-2076",
|
|
"NET-246",
|
|
"NET-246-A01",
|
|
"NET-246-A07",
|
|
"NET-551-A04",
|
|
"SEC-027",
|
|
"SEC-027-A17",
|
|
"SEC-027-A19",
|
|
"SEC-027-A30",
|
|
"SEC-100",
|
|
"SEC-195-A06",
|
|
"SEC-195-A12",
|
|
"SEC-238-A03",
|
|
"SEC-238-A14",
|
|
"SEC-298-A18",
|
|
"SEC-298-A19",
|
|
"SEC-298-A46",
|
|
"SEC-298-A47",
|
|
"SEC-347",
|
|
"SEC-443",
|
|
"SEC-5516",
|
|
"SEC-615",
|
|
"SEC-6229",
|
|
"SEC-708",
|
|
"SEC-9045-A04",
|
|
"SEC-9080",
|
|
"SEC-9080-A01",
|
|
"SEC-994-A06"
|
|
],
|
|
"member_count": 48,
|
|
"relationships": [],
|
|
"citation_anchor_ids": [],
|
|
"citation_status": "pending_span_anchor",
|
|
"review_status": "draft"
|
|
},
|
|
{
|
|
"id": "vuln_assessment_prioritization",
|
|
"name": "Schwachstellen bewerten & priorisieren",
|
|
"description": "Identifizierte Schwachstellen müssen anhand standardisierter Kriterien (Schweregrad, Ausnutzbarkeit, Impact) bewertet und für die Behebung priorisiert werden.",
|
|
"tier": "LEGAL_MINIMUM",
|
|
"family": "vuln",
|
|
"applicability": "domain:products_with_digital_elements",
|
|
"evidence_facets": {
|
|
"governance": true,
|
|
"capability": true,
|
|
"evidence": true
|
|
},
|
|
"source_role": "LEGAL_BASIS",
|
|
"legal_basis": [
|
|
{
|
|
"source": "CRA",
|
|
"regulation_code": "eu_2024_2847",
|
|
"anchor": "Annex I Part II (1)",
|
|
"citation": "Schwachstellen behandeln und beheben"
|
|
}
|
|
],
|
|
"guidance_basis": [
|
|
{
|
|
"source": "OWASP",
|
|
"anchor": "CVSS / Risk Rating",
|
|
"role": "best_practice"
|
|
},
|
|
{
|
|
"source": "NIST SSDF",
|
|
"anchor": "RV.2",
|
|
"role": "implementation_guidance"
|
|
}
|
|
],
|
|
"member_controls": [
|
|
"ACC-261-A08",
|
|
"ACC-261-A19",
|
|
"ACC-588-A05",
|
|
"AUTH-2172-A02",
|
|
"AUTH-2187-A03",
|
|
"AUTH-4018",
|
|
"AUTH-4018-A01",
|
|
"COMP-1131-A10",
|
|
"COMP-1131-A11",
|
|
"COMP-1557-A05",
|
|
"COMP-705-A04",
|
|
"CRYP-1586-A03",
|
|
"CRYP-1586-A04",
|
|
"DATA-4697-A08",
|
|
"DATA-703-A06",
|
|
"HLT-109-A44",
|
|
"INC-013-A07",
|
|
"INC-013-A18",
|
|
"LOG-1470-A04",
|
|
"LOG-1547-A03",
|
|
"LOG-510-A03",
|
|
"LOG-510-A09",
|
|
"NET-0738-A10",
|
|
"NET-0738-A22",
|
|
"NET-1834-A01",
|
|
"NET-551-A04",
|
|
"SEC-001-A03",
|
|
"SEC-005-A02",
|
|
"SEC-005-A09",
|
|
"SEC-005-A31",
|
|
"SEC-100-A05",
|
|
"SEC-100-A17",
|
|
"SEC-194-A18",
|
|
"SEC-295-A02",
|
|
"SEC-295-A17",
|
|
"SEC-302-A01",
|
|
"SEC-302-A10",
|
|
"SEC-302-A20",
|
|
"SEC-302-A21",
|
|
"SEC-417-A18",
|
|
"SEC-4558-A03",
|
|
"SEC-465",
|
|
"SEC-517",
|
|
"SEC-5269-A10",
|
|
"SEC-5283-A03",
|
|
"SEC-5532-A01",
|
|
"SEC-5889-A01",
|
|
"SEC-5930-A03",
|
|
"SEC-5988-A01",
|
|
"SEC-6058-A04",
|
|
"SEC-6213",
|
|
"SEC-6213-A01",
|
|
"SEC-6213-A02",
|
|
"SEC-6233-A01",
|
|
"SEC-640-A07",
|
|
"SEC-8387-A02",
|
|
"SEC-8580-A06",
|
|
"SEC-9063",
|
|
"SEC-9148-A01",
|
|
"VUL-002-A02",
|
|
"VUL-002-A07"
|
|
],
|
|
"member_count": 61,
|
|
"relationships": [],
|
|
"citation_anchor_ids": [],
|
|
"citation_status": "pending_span_anchor",
|
|
"review_status": "draft"
|
|
},
|
|
{
|
|
"id": "vuln_remediation_patching",
|
|
"name": "Schwachstellen beheben & Sicherheitsupdates bereitstellen",
|
|
"description": "Schwachstellen müssen unverzüglich, risikobasiert und innerhalb des Unterstützungszeitraums durch Patches oder Gegenmaßnahmen behoben werden.",
|
|
"tier": "LEGAL_MINIMUM",
|
|
"family": "vuln",
|
|
"applicability": "domain:products_with_digital_elements",
|
|
"evidence_facets": {
|
|
"governance": true,
|
|
"capability": true,
|
|
"evidence": true
|
|
},
|
|
"source_role": "LEGAL_BASIS",
|
|
"legal_basis": [
|
|
{
|
|
"source": "CRA",
|
|
"regulation_code": "eu_2024_2847",
|
|
"anchor": "Annex I Part II (2) & (8)",
|
|
"citation": "Schwachstellen unverzüglich beheben, kostenlose Sicherheitsupdates"
|
|
}
|
|
],
|
|
"guidance_basis": [
|
|
{
|
|
"source": "NIST SSDF",
|
|
"anchor": "RV.3",
|
|
"role": "implementation_guidance"
|
|
}
|
|
],
|
|
"member_controls": [
|
|
"ACC-099-A16",
|
|
"ACC-218-A08",
|
|
"ACC-218-A16",
|
|
"ACC-218-A24",
|
|
"ACC-218-A32",
|
|
"ACC-218-A40",
|
|
"AI-054-A15",
|
|
"AI-248-A13",
|
|
"AI-748-A06",
|
|
"AI-748-A16",
|
|
"AI-748-A32",
|
|
"AI-748-A49",
|
|
"AI-773-A36",
|
|
"AI-773-A45",
|
|
"AI-778-A14",
|
|
"AI-778-A23",
|
|
"AI-799-A08",
|
|
"AI-799-A19",
|
|
"AUTH-130-A02",
|
|
"AUTH-132",
|
|
"AUTH-183",
|
|
"AUTH-480-A05",
|
|
"AUTH-524-A04",
|
|
"AUTH-632-A05",
|
|
"AUTH-647-A08",
|
|
"AUTH-718-A08",
|
|
"AUTH-725-A10",
|
|
"AUTH-831-A08",
|
|
"AUTH-831-A17",
|
|
"AUTH-871-A26",
|
|
"COMP-001-A59",
|
|
"COMP-1107-A03",
|
|
"COMP-1107-A12",
|
|
"COMP-1107-A22",
|
|
"COMP-1107-A31",
|
|
"COMP-1107-A43",
|
|
"COMP-1107-A48",
|
|
"COMP-1135-A03",
|
|
"COMP-150-A08",
|
|
"COMP-4063-A04",
|
|
"COMP-996-A02",
|
|
"CRYP-024-A08",
|
|
"CRYP-031-A07",
|
|
"CRYP-035-A04",
|
|
"CRYP-087-A06",
|
|
"CRYP-409-A06",
|
|
"CRYP-431-A67",
|
|
"CRYP-438-A39",
|
|
"DATA-874-A04",
|
|
"DATA-874-A09",
|
|
"DATA-874-A19",
|
|
"FIN-092-A05",
|
|
"FIN-092-A19",
|
|
"FIN-092-A32",
|
|
"FIN-092-A46",
|
|
"FIN-092-A60",
|
|
"FIN-092-A73",
|
|
"GOV-385-A12",
|
|
"INC-013-A20",
|
|
"INC-016-A27",
|
|
"INC-044-A02",
|
|
"INC-071-A16",
|
|
"INC-092-A17",
|
|
"INC-227-A59",
|
|
"LOG-359-A12",
|
|
"LOG-600-A05",
|
|
"LOG-681-A02",
|
|
"LOG-845-A13",
|
|
"LOG-845-A23",
|
|
"LOG-845-A39",
|
|
"LOG-845-A50",
|
|
"NET-072-A08",
|
|
"NET-072-A10",
|
|
"NET-122-A09",
|
|
"NET-122-A17",
|
|
"NET-1266",
|
|
"NET-294-A05",
|
|
"SEC-005-A04",
|
|
"SEC-005-A05",
|
|
"SEC-1136-A04",
|
|
"SEC-1136-A12",
|
|
"SEC-1136-A20",
|
|
"SEC-1136-A28",
|
|
"SEC-1158-A05",
|
|
"SEC-1158-A14",
|
|
"SEC-1158-A23",
|
|
"SEC-1158-A32",
|
|
"SEC-1158-A41",
|
|
"SEC-1158-A48",
|
|
"SEC-132",
|
|
"SEC-132-A02",
|
|
"SEC-132-A09",
|
|
"SEC-195-A07",
|
|
"SEC-195-A13",
|
|
"SEC-256-A09",
|
|
"SEC-289-A06",
|
|
"SEC-289-A18",
|
|
"SEC-298-A02",
|
|
"SEC-298-A30",
|
|
"SEC-342-A14",
|
|
"SEC-342-A30",
|
|
"SEC-349-A03",
|
|
"SEC-349-A15",
|
|
"SEC-393-A13",
|
|
"SEC-393-A14",
|
|
"SEC-554-A08",
|
|
"SEC-554-A24",
|
|
"SEC-5930-A04",
|
|
"SEC-708-A15",
|
|
"SEC-994-A06"
|
|
],
|
|
"member_count": 110,
|
|
"relationships": [],
|
|
"citation_anchor_ids": [],
|
|
"citation_status": "pending_span_anchor",
|
|
"review_status": "draft"
|
|
},
|
|
{
|
|
"id": "vuln_handling_process",
|
|
"name": "Schwachstellenbehandlungsverfahren dokumentieren & etablieren",
|
|
"description": "Ein dokumentierter Vulnerability-Handling-Prozess mit definierten Rollen, Schritten und Zeithorizonten muss etabliert und über die technische Dokumentation nachweisbar sein.",
|
|
"tier": "LEGAL_MINIMUM",
|
|
"family": "vuln",
|
|
"applicability": "domain:products_with_digital_elements",
|
|
"evidence_facets": {
|
|
"governance": true,
|
|
"capability": true,
|
|
"evidence": true
|
|
},
|
|
"source_role": "LEGAL_BASIS",
|
|
"legal_basis": [
|
|
{
|
|
"source": "CRA",
|
|
"regulation_code": "eu_2024_2847",
|
|
"anchor": "Article 13(8) & Annex VII",
|
|
"citation": "Schwachstellenbehandlungsprozesse einrichten und in technischer Doku belegen"
|
|
}
|
|
],
|
|
"guidance_basis": [
|
|
{
|
|
"source": "NIST SSDF",
|
|
"anchor": "RV",
|
|
"role": "implementation_guidance"
|
|
},
|
|
{
|
|
"source": "ISO",
|
|
"anchor": "ISO/IEC 30111",
|
|
"role": "best_practice"
|
|
}
|
|
],
|
|
"member_controls": [
|
|
"AI-010-A17",
|
|
"AI-748-A04",
|
|
"AI-748-A14",
|
|
"AI-748-A30",
|
|
"AI-748-A47",
|
|
"AI-773-A25",
|
|
"AI-773-A34",
|
|
"AI-773-A43",
|
|
"AI-778-A12",
|
|
"AI-778-A21",
|
|
"AI-799-A06",
|
|
"AI-799-A17",
|
|
"AUTH-076-A22",
|
|
"AUTH-132-A09",
|
|
"AUTH-143-A02",
|
|
"AUTH-154",
|
|
"AUTH-154-A02",
|
|
"AUTH-154-A08",
|
|
"AUTH-183-A09",
|
|
"AUTH-2105-A02",
|
|
"AUTH-2112-A04",
|
|
"AUTH-2113-A05",
|
|
"AUTH-2117-A03",
|
|
"AUTH-2117-A04",
|
|
"AUTH-2117-A07",
|
|
"AUTH-2298-A06",
|
|
"AUTH-3473-A08",
|
|
"AUTH-4026-A02",
|
|
"AUTH-4115",
|
|
"AUTH-718-A06",
|
|
"AUTH-871-A24",
|
|
"COMP-001-A57",
|
|
"COMP-150-A06",
|
|
"COMP-4114-A08",
|
|
"COMP-4114-A09",
|
|
"COMP-910",
|
|
"COMP-910-A01",
|
|
"COMP-910-A02",
|
|
"CRYP-031-A05",
|
|
"CRYP-760-A02",
|
|
"GOV-2632-A09",
|
|
"INC-092-A15",
|
|
"LOG-2075-A02",
|
|
"LOG-222-A02",
|
|
"LOG-222-A08",
|
|
"LOG-222-A11",
|
|
"LOG-222-A12",
|
|
"NET-1196-A11",
|
|
"NET-240-A06",
|
|
"NET-240-A07",
|
|
"NET-240-A13",
|
|
"NET-240-A14",
|
|
"SDL-009",
|
|
"SDL-009-A01",
|
|
"SDL-009-A06",
|
|
"SEC-027-A07",
|
|
"SEC-027-A15",
|
|
"SEC-027-A28",
|
|
"SEC-1158-A03",
|
|
"SEC-1158-A04",
|
|
"SEC-1158-A12",
|
|
"SEC-1158-A13",
|
|
"SEC-1158-A21",
|
|
"SEC-1158-A22",
|
|
"SEC-1158-A30",
|
|
"SEC-1158-A31",
|
|
"SEC-1158-A39",
|
|
"SEC-1158-A40",
|
|
"SEC-1158-A46",
|
|
"SEC-1158-A47",
|
|
"SEC-118-A04",
|
|
"SEC-118-A08",
|
|
"SEC-132-A03",
|
|
"SEC-132-A04",
|
|
"SEC-132-A10",
|
|
"SEC-132-A11",
|
|
"SEC-171-A11",
|
|
"SEC-171-A29",
|
|
"SEC-171-A42",
|
|
"SEC-194-A17",
|
|
"SEC-279",
|
|
"SEC-279-A01",
|
|
"SEC-279-A06",
|
|
"SEC-443-A08",
|
|
"SEC-443-A09",
|
|
"SEC-492",
|
|
"SEC-4944-A04",
|
|
"SEC-4944-A05",
|
|
"SEC-4953-A02",
|
|
"SEC-4953-A03",
|
|
"SEC-4957-A06",
|
|
"SEC-4970-A14",
|
|
"SEC-5952",
|
|
"SEC-5958-A04",
|
|
"SEC-655-A11",
|
|
"SEC-691-A01",
|
|
"SEC-8566-A02",
|
|
"SEC-8789-A07",
|
|
"SEC-8968-A01",
|
|
"SEC-8987-A05",
|
|
"SEC-9045-A01",
|
|
"SEC-9046-A01",
|
|
"SEC-925-A01",
|
|
"SEC-994",
|
|
"SEC-994-A02"
|
|
],
|
|
"member_count": 105,
|
|
"relationships": [],
|
|
"citation_anchor_ids": [],
|
|
"citation_status": "pending_span_anchor",
|
|
"review_status": "draft"
|
|
},
|
|
{
|
|
"id": "coordinated_vulnerability_disclosure",
|
|
"name": "Coordinated Vulnerability Disclosure Policy & Meldekanal",
|
|
"description": "Eine öffentliche CVD-Richtlinie und ein zugänglicher, vertraulicher Meldekanal für externe Schwachstellenmeldungen müssen bereitgestellt werden.",
|
|
"tier": "LEGAL_MINIMUM",
|
|
"family": "vuln",
|
|
"applicability": "domain:products_with_digital_elements",
|
|
"evidence_facets": {
|
|
"governance": true,
|
|
"capability": true,
|
|
"evidence": true
|
|
},
|
|
"source_role": "LEGAL_BASIS",
|
|
"legal_basis": [
|
|
{
|
|
"source": "CRA",
|
|
"regulation_code": "eu_2024_2847",
|
|
"anchor": "Annex I Part II (5)",
|
|
"citation": "Coordinated Vulnerability Disclosure Policy einrichten"
|
|
}
|
|
],
|
|
"guidance_basis": [
|
|
{
|
|
"source": "ISO",
|
|
"anchor": "ISO/IEC 29147",
|
|
"role": "best_practice"
|
|
},
|
|
{
|
|
"source": "ENISA",
|
|
"anchor": "CVD Good Practice Guide",
|
|
"role": "best_practice"
|
|
}
|
|
],
|
|
"member_controls": [
|
|
"AUTH-2298-A07",
|
|
"AUTH-241-A02",
|
|
"AUTH-4018-A05",
|
|
"AUTH-4019-A01",
|
|
"AUTH-4026-A01",
|
|
"COMP-3615-A10",
|
|
"CRYP-2322-A06",
|
|
"CRYP-2323-A02",
|
|
"CRYP-2325-A01",
|
|
"CRYP-2325-A02",
|
|
"DATA-4673",
|
|
"DATA-4674-A02",
|
|
"DATA-4697-A01",
|
|
"GOV-3493",
|
|
"GOV-3847",
|
|
"GOV-3847-A01",
|
|
"GOV-3847-A02",
|
|
"GOV-3851",
|
|
"INC-063-A01",
|
|
"INC-063-A08",
|
|
"INC-063-A09",
|
|
"INC-063-A10",
|
|
"LOG-1527-A05",
|
|
"LOG-2068-A11",
|
|
"LOG-2075-A01",
|
|
"LOG-623-A04",
|
|
"LOG-623-A05",
|
|
"NET-1824",
|
|
"SEC-027-A04",
|
|
"SEC-027-A08",
|
|
"SEC-027-A12",
|
|
"SEC-027-A16",
|
|
"SEC-027-A25",
|
|
"SEC-027-A29",
|
|
"SEC-132-A06",
|
|
"SEC-132-A13",
|
|
"SEC-277-A04",
|
|
"SEC-277-A13",
|
|
"SEC-347-A08",
|
|
"SEC-347-A18",
|
|
"SEC-446",
|
|
"SEC-4995-A03",
|
|
"SEC-4995-A08",
|
|
"SEC-4996-A02",
|
|
"SEC-4996-A08",
|
|
"SEC-5969-A09",
|
|
"SEC-8938-A01",
|
|
"SEC-8943-A15",
|
|
"SEC-8948-A06",
|
|
"SEC-8948-A07",
|
|
"SEC-8950-A01",
|
|
"SEC-8950-A02",
|
|
"SEC-8950-A07",
|
|
"SEC-8950-A09",
|
|
"SEC-8950-A10",
|
|
"SEC-8951-A01",
|
|
"SEC-8959-A01",
|
|
"SEC-8963",
|
|
"SEC-8963-A02",
|
|
"SEC-8963-A06",
|
|
"SEC-8963-A10",
|
|
"SEC-8967-A02",
|
|
"SEC-8971-A13",
|
|
"SEC-8973-A01",
|
|
"SEC-8974",
|
|
"SEC-8974-A13",
|
|
"SEC-8974-A14",
|
|
"SEC-8974-A16",
|
|
"SEC-8976",
|
|
"SEC-8983-A05",
|
|
"SEC-8984-A08",
|
|
"SEC-9003-A03",
|
|
"SEC-9006-A01",
|
|
"SEC-9006-A04",
|
|
"SEC-9045-A02",
|
|
"SEC-9107-A07",
|
|
"SEC-925-A03",
|
|
"SEC-938-A09"
|
|
],
|
|
"member_count": 78,
|
|
"relationships": [],
|
|
"citation_anchor_ids": [],
|
|
"citation_status": "pending_span_anchor",
|
|
"review_status": "draft"
|
|
},
|
|
{
|
|
"id": "exploited_vuln_reporting_authorities",
|
|
"name": "Meldung aktiv ausgenutzter Schwachstellen an CSIRT/ENISA",
|
|
"description": "Aktiv ausgenutzte Schwachstellen müssen fristgerecht (Frühwarnung 24h, vollständige Meldung 72h) an das koordinierende CSIRT und ENISA über die Single-Reporting-Plattform gemeldet werden.",
|
|
"tier": "LEGAL_MINIMUM",
|
|
"family": "vuln",
|
|
"applicability": "domain:products_with_digital_elements",
|
|
"evidence_facets": {
|
|
"governance": true,
|
|
"capability": true,
|
|
"evidence": true
|
|
},
|
|
"source_role": "LEGAL_BASIS",
|
|
"legal_basis": [
|
|
{
|
|
"source": "CRA",
|
|
"regulation_code": "eu_2024_2847",
|
|
"anchor": "Article 14 & Article 16",
|
|
"citation": "Meldepflicht aktiv ausgenutzter Schwachstellen über Single Reporting Platform"
|
|
}
|
|
],
|
|
"guidance_basis": [],
|
|
"member_controls": [
|
|
"AUTH-186",
|
|
"COMP-1243-A08",
|
|
"COMP-1243-A14",
|
|
"COMP-1243-A20",
|
|
"COMP-1243-A26",
|
|
"COMP-1243-A32",
|
|
"LOG-510-A06",
|
|
"LOG-510-A07",
|
|
"LOG-510-A12",
|
|
"NET-023-A07",
|
|
"NET-023-A20",
|
|
"SEC-112",
|
|
"SEC-112-A01",
|
|
"SEC-118-A01",
|
|
"SEC-118-A05",
|
|
"SEC-124-A02",
|
|
"SEC-142-A01",
|
|
"SEC-142-A03",
|
|
"SEC-142-A09",
|
|
"SEC-142-A11",
|
|
"SEC-142-A19",
|
|
"SEC-168",
|
|
"SEC-171-A14",
|
|
"SEC-171-A32",
|
|
"SEC-195-A11",
|
|
"SEC-195-A20",
|
|
"SEC-273-A02",
|
|
"SEC-273-A10",
|
|
"SEC-4991-A03",
|
|
"SEC-603-A08",
|
|
"SEC-9148-A01"
|
|
],
|
|
"member_count": 31,
|
|
"relationships": [],
|
|
"citation_anchor_ids": [],
|
|
"citation_status": "pending_span_anchor",
|
|
"review_status": "draft"
|
|
},
|
|
{
|
|
"id": "vuln_info_dissemination_users",
|
|
"name": "Nutzerinformation über behobene Schwachstellen",
|
|
"description": "Nach Behebung müssen Nutzer über die Schwachstelle, das Sicherheitsupdate und ggf. CVE-Einträge transparent informiert werden.",
|
|
"tier": "LEGAL_MINIMUM",
|
|
"family": "vuln",
|
|
"applicability": "domain:products_with_digital_elements",
|
|
"evidence_facets": {
|
|
"governance": true,
|
|
"capability": true,
|
|
"evidence": true
|
|
},
|
|
"source_role": "LEGAL_BASIS",
|
|
"legal_basis": [
|
|
{
|
|
"source": "CRA",
|
|
"regulation_code": "eu_2024_2847",
|
|
"anchor": "Annex I Part II (4) & (6)",
|
|
"citation": "Informationen über behobene Schwachstellen teilen und offenlegen"
|
|
}
|
|
],
|
|
"guidance_basis": [
|
|
{
|
|
"source": "ISO",
|
|
"anchor": "ISO/IEC 29147 (Disclosure)",
|
|
"role": "best_practice"
|
|
}
|
|
],
|
|
"member_controls": [
|
|
"CRYP-031-A01",
|
|
"CRYP-031-A04",
|
|
"NET-1829-A05",
|
|
"SEC-349-A04",
|
|
"SEC-349-A16"
|
|
],
|
|
"member_count": 5,
|
|
"relationships": [],
|
|
"citation_anchor_ids": [],
|
|
"citation_status": "pending_span_anchor",
|
|
"review_status": "draft"
|
|
}
|
|
],
|
|
"relationships": [
|
|
{
|
|
"type": "depends_on",
|
|
"from": "sbom_dependency_coverage",
|
|
"to": "sbom_creation",
|
|
"note": "Inhaltsanforderung setzt SBOM-Erstellung voraus"
|
|
},
|
|
{
|
|
"type": "depends_on",
|
|
"from": "sbom_format_standard",
|
|
"to": "sbom_creation",
|
|
"note": "Format gilt für die erstellte SBOM"
|
|
},
|
|
{
|
|
"type": "supports",
|
|
"from": "sbom_tooling_automation",
|
|
"to": "sbom_creation",
|
|
"note": "Tooling automatisiert Erstellung"
|
|
},
|
|
{
|
|
"type": "produces_evidence_for",
|
|
"from": "sbom_completeness_verification",
|
|
"to": "sbom_dependency_coverage",
|
|
"note": "Verifikation belegt Vollständigkeit"
|
|
},
|
|
{
|
|
"type": "produces_evidence_for",
|
|
"from": "sbom_technical_documentation",
|
|
"to": "sbom_creation",
|
|
"note": "Doku als Konformitätsnachweis"
|
|
},
|
|
{
|
|
"type": "supports",
|
|
"from": "sbom_access_provision",
|
|
"to": "sbom_authority_provision",
|
|
"note": "Zugänglichkeit unterstützt Behördenvorlage"
|
|
},
|
|
{
|
|
"type": "depends_on",
|
|
"from": "sbom_supply_chain_contracts",
|
|
"to": "sbom_dependency_coverage",
|
|
"note": "Third-Party-Daten via Verträge beschaffen"
|
|
},
|
|
{
|
|
"type": "out_of_scope",
|
|
"clusters": [
|
|
10,
|
|
11,
|
|
19,
|
|
35,
|
|
32,
|
|
37,
|
|
76
|
|
],
|
|
"note": "Material-/Batterie-Stücklisten, CO₂-/Energiemix-Berechnung und Sicherheitskomponentenlisten (Türverriegelung) sind keine Software-SBOM, sondern Ökodesign/Maschinenrichtlinie/Batterieverordnung"
|
|
},
|
|
{
|
|
"type": "supports",
|
|
"from": "vuln_identification_inventory",
|
|
"to": "vuln_assessment_prioritization",
|
|
"note": "Inventar liefert Basis für Bewertung"
|
|
},
|
|
{
|
|
"type": "depends_on",
|
|
"from": "vuln_remediation_patching",
|
|
"to": "vuln_assessment_prioritization",
|
|
"note": "Priorisierung steuert Behebungsreihenfolge"
|
|
},
|
|
{
|
|
"type": "produces_evidence_for",
|
|
"from": "vuln_handling_process",
|
|
"to": "vuln_remediation_patching",
|
|
"note": "Prozessdoku belegt Behebung"
|
|
},
|
|
{
|
|
"type": "supports",
|
|
"from": "coordinated_vulnerability_disclosure",
|
|
"to": "exploited_vuln_reporting_authorities",
|
|
"note": "Meldungseingang speist Behörden-Reporting"
|
|
},
|
|
{
|
|
"type": "produces_evidence_for",
|
|
"from": "vuln_remediation_patching",
|
|
"to": "vuln_info_dissemination_users",
|
|
"note": "Behebung Voraussetzung für Nutzerinfo"
|
|
},
|
|
{
|
|
"type": "out_of_scope",
|
|
"clusters": [
|
|
5,
|
|
22,
|
|
24,
|
|
25,
|
|
26,
|
|
31,
|
|
33,
|
|
35,
|
|
36,
|
|
43,
|
|
50,
|
|
53,
|
|
54,
|
|
61,
|
|
64,
|
|
65,
|
|
74,
|
|
83,
|
|
87,
|
|
88,
|
|
92,
|
|
97,
|
|
98,
|
|
100,
|
|
101,
|
|
102,
|
|
106,
|
|
107,
|
|
110,
|
|
117,
|
|
118,
|
|
121,
|
|
126,
|
|
127,
|
|
131,
|
|
134,
|
|
135,
|
|
136,
|
|
139,
|
|
140,
|
|
141,
|
|
145,
|
|
146,
|
|
151,
|
|
153,
|
|
154,
|
|
156,
|
|
163,
|
|
164,
|
|
165,
|
|
166,
|
|
168,
|
|
169,
|
|
170,
|
|
171,
|
|
175,
|
|
176,
|
|
177,
|
|
187,
|
|
190,
|
|
194,
|
|
197,
|
|
198
|
|
],
|
|
"note": "Adressieren NIS2-Einrichtungspflichten, CSIRT/ENISA-Behördenaufgaben, Konformitätsbewertungsstellen/EUCC-Zertifizierung, Distributor/Importeur-Pflichten, nationale Strategien, Secure-by-Design/Tooling oder Interoperabilität — keine herstellerseitige Vulnerability-Handling-Pflicht nach CRA Art. 13(8)/Annex I Part II"
|
|
}
|
|
]
|
|
} |