| 1 | +.. _reference_3_cravex: |
| 2 | + |
| 3 | +======================================== |
| 4 | +Reference 3 - CRAVEX support in DejaCode |
| 5 | +======================================== |
| 6 | + |
| 7 | +This essay describes DejaCode features that support CRA compliance activities. |
| 8 | + |
| 9 | +The EU's Cyber Resilience Act (CRA) aims to enhance the cybersecurity of products |
| 10 | +with digital elements, ensuring that hardware and software sold in the EU are |
| 11 | +designed with strong security measures, and manufacturers remain responsible for |
| 12 | +cybersecurity throughout the product lifecycle. |
| 13 | + |
| 14 | +A VEX (Vulnerability Exploitability eXchange) document is a standardized format, part |
| 15 | +of the Cybersecurity and Infrastructure Security Agency (CISA) initiative, that provides |
| 16 | +a machine-readable way to share information about the exploitability of vulnerabilities |
| 17 | +in software products, helping organizations prioritize cybersecurity efforts. |
| 18 | + |
| 19 | +Key Objectives of the CRA |
| 20 | +------------------------- |
| 21 | + |
| 22 | +* **Enhanced Cybersecurity**: The CRA aims to improve the cybersecurity of products |
| 23 | + with digital elements, including both hardware and software. |
| 24 | +* **Manufacturer Responsibility**: The CRA places responsibility on manufacturers to |
| 25 | + ensure the cybersecurity of their products throughout the entire lifecycle, from design |
| 26 | + to end-of-life. |
| 27 | +* **EU-Wide Standardization**: The CRA aims to establish common cybersecurity rules and |
| 28 | + standards across the EU, facilitating compliance for manufacturers and developers. |
| 29 | +* **Consumer Protection**: The CRA aims to protect consumers and businesses from the |
| 30 | + risks posed by inadequate cybersecurity measures in digital products. |
| 31 | +* **Transparency**: The CRA aims to improve transparency about the cybersecurity |
| 32 | + properties of products, enabling users to make informed choices. |
| 33 | + |
| 34 | +Key Provisions of the CRA |
| 35 | +------------------------- |
| 36 | + |
| 37 | +* **Cybersecurity Requirements**: Manufacturers must ensure that products with digital |
| 38 | + elements meet essential cybersecurity requirements, including risk assessments, |
| 39 | + security-by-design practices, and vulnerability management. |
| 40 | +* **Vulnerability Reporting**: Manufacturers are required to report any actively |
| 41 | + exploited vulnerabilities to the European Union Agency for Cybersecurity (ENISA) |
| 42 | + within 24 hours. |
| 43 | +* **Security Updates**: Manufacturers must provide timely and effective security updates |
| 44 | + to address vulnerabilities. |
| 45 | +* **Documentation and Certification**: Manufacturers must provide adequate documentation |
| 46 | + and certification to demonstrate compliance with the CRA's requirements. |
| 47 | +* **Enforcement**: The CRA includes provisions for enforcement, including penalties |
| 48 | + for non-compliance. |
| 49 | + |
| 50 | +Key Cybersecurity Features of DejaCode |
| 51 | +-------------------------------------- |
| 52 | + |
| 53 | +* **Create SBOMs for your products**: Use DejaCode to generate SBOMs (Software Bills of |
| 54 | + Materials) in CycloneDX or SPDX format directly from your Product definitions. This |
| 55 | + ensures that you identify exactly what is in your product in a machine-readable format |
| 56 | + since DejaCode uses the Package URL (PURL) industry standard to identify each software |
| 57 | + item (and its origin) in your product. |
| 58 | +* **Import SBOMs into your products**: Use DejaCode to import SBOMs in CycloneDX or |
| 59 | + SPDX format that you receive from your suppliers or from code that you have scanned |
| 60 | + using tools such as ScanCode.io. DejaCode interprets the SBOM details to create packages, |
| 61 | + enrich the package metadata, and assign them to your product. |
| 62 | +* **Get timely automatic updates from VulnerableCode**: Using the PURL as a reliable and |
| 63 | + accurate identifier, DejaCode routinely updates your data to identify known |
| 64 | + vulnerabilities, including a calculated Risk factor, and notifies you of new updates. |
| 65 | +* **Respond to vulnerabilities in your products**: Leverage the Vulnerability Risk factor |
| 66 | + to prioritize your cybersecurity reviews of the software in your products, as supported |
| 67 | + by the extensive details that DejaCode has gathered. Enter your status and comments |
| 68 | + regarding the reachability and exploitability of specific software vulnerabilities in |
| 69 | + the context of your product usage, as well as any actions that you are taking to address |
| 70 | + them. Generate VEX documents in a variety of industry-standard formats to communicate |
| 71 | + those conclusions to your organization, to your customers, and to ENISA. |
| 72 | +* **Track your vulnerability remediations in your products**: As you upgrade or patch |
| 73 | + the software in your products, track those updates in DejaCode to support accurate, |
| 74 | + up-to-date SBOM revisions that you can provide to interested parties. |
| 75 | + |
| 76 | +Additional Resources |
| 77 | +-------------------- |
| 78 | + |
| 79 | +Official texts and commentary for the Cyber Resilience Act: |
| 80 | + |
| 81 | +* Text: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847 |
| 82 | + |
| 83 | +* Commentary: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act |
| 84 | + |
| 85 | +Community discussions: |
| 86 | + |
| 87 | +* https://github.com/orcwg/cra-hub/blob/main/faq.md |
| 88 | + |
| 89 | +* https://orcwg.org/ |
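Review bot: the term "CRAVEX" used in the label and in the page title is never expanded anywhere in the file; since "CRA" and "VEX" are each introduced separately in the opening paragraphs, add a sentence there that spells out what the combined term means so readers arriving from the toctree are not left guessing. In the "Vulnerability Reporting" bullet under "Key Provisions of the CRA", the 24-hour figure is only the early-warning stage of the manufacturer's reporting obligation, so phrase it as "an initial early warning within 24 hours" rather than presenting 24 hours as the whole requirement, and consider pointing to the relevant article of the regulation text already linked under "Additional Resources". In the "Respond to vulnerabilities in your products" bullet, "a variety of industry-standard formats" should name the VEX formats DejaCode actually exports so the claim can be checked against the product. Finally, "This essay describes" in the first line reads oddly for reference documentation; "This reference describes" matches the "Reference 3" naming used in the title.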