Annex I, Part II, Req 1: Identifying & Documenting Software Vulnerabilities & Components (SBOM)
A core part of ongoing security under the EU Cyber Resilience Act (CRA) is knowing what's in your software and tracking its weaknesses. Annex I, Part II, Point 1 requires manufacturers of products with digital elements to "identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products".
Identifying and Documenting Vulnerabilities
This involves having processes to:
- Discover Vulnerabilities: Through internal testing (security audits, penetration tests, static and dynamic analysis), external reports (security researchers, customers, your coordinated vulnerability disclosure channel), and continuous monitoring of public vulnerability databases and vendor advisories for issues in the components you use, matched against your component inventory.
- Document Vulnerabilities: Maintain a record of each discovered vulnerability: the affected component and versions, severity (for example a CVSS score), current status, the remediation or mitigation applied, and when it was fixed. This record is also what you will draw on to meet the CRA's reporting and update obligations.
Identifying and Documenting Components
You need to know the building blocks of your software. This means:
- Tracking Dependencies: List all third-party libraries, SDKs, and other components (both commercial and open-source) that are part of your software.
- Software Bill of Materials (SBOM): The CRA explicitly mandates drawing up an SBOM.
  - Content: It must cover "at the very least the top-level dependencies". These are the direct dependencies your software declares. Transitive dependencies (the dependencies of your dependencies) are not mandated by the wording, but a large share of component vulnerabilities sit there, so tracking the full dependency tree where your tooling allows it is good practice and makes vulnerability matching far more reliable.
  - Format: It should be in a "commonly used and machine-readable format" (e.g., CycloneDX or SPDX, both of which have JSON serialisations). Each component should carry a stable, versioned identifier such as a Package URL (purl) or CPE, because that identifier is what automated tooling uses to match SBOM entries against vulnerability databases.
  - The Commission may specify further details on SBOM format and elements via implementing acts (Article 13(24)). Until such an act is adopted, CycloneDX and SPDX are the established choices that meet the "commonly used" wording.
Why is an SBOM Important?
An SBOM lets you answer, quickly and by automation rather than by asking engineers, whether your product is affected when a new vulnerability is published for a component you use: the new advisory is matched against the SBOM's component identifiers and versions, and only the products that actually ship the affected version are flagged. It is therefore central to efficient vulnerability management, and it gives customers and market surveillance authorities transparency about what the product contains.
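As an added illustration of the two points above (drawing up a machine-readable SBOM of top-level dependencies, and using it to match a newly published vulnerability), the following Python is example code written for this page, not tooling from the CRA or any vendor. It assumes a CycloneDX 1.5 JSON layout, purl identifiers, OSV-style version ranges (introduced inclusive, fixed exclusive) and plain dotted-integer versions; the package names and advisory records are constructed, and the ADV-xxxx IDs are placeholders rather than real CVEs.

```python
"""Draw up a CycloneDX SBOM of top-level dependencies and match it against
a vulnerability feed by Package URL (purl).

Added example, not code from the CRA text or any vendor. Assumptions:
  - the SBOM is serialised as CycloneDX 1.5 JSON (bomFormat, specVersion,
    metadata, components), with each component identified by a purl;
  - advisories use OSV-style ranges (introduced inclusive, fixed exclusive);
  - versions are plain dotted integers. Real ecosystems need their own
    comparison rules (PEP 440, semver), so treat parse_version as a stand-in.
All package names and advisory records below are constructed, not real ones.
"""
import json
import uuid
from datetime import datetime, timezone

# Constructed direct-dependency list, as a build tool or lockfile would report it.
TOP_LEVEL_DEPS = [
    {"type": "pypi", "name": "netclient", "version": "2.31.0"},
    {"type": "pypi", "name": "yamlkit", "version": "5.3.1"},
    {"type": "pypi", "name": "cryptocore", "version": "42.0.5"},
]

# Constructed advisory feed. IDs are placeholders, not real CVE identifiers.
ADVISORIES = [
    {"id": "ADV-0001", "package": "pkg:pypi/yamlkit", "severity": "critical",
     "ranges": [{"introduced": "0", "fixed": "5.4"}]},
    {"id": "ADV-0002", "package": "pkg:pypi/netclient", "severity": "medium",
     "ranges": [{"introduced": "2.3.0", "fixed": "2.31.0"}]},
]


def purl(dep):
    """Package URL for one dependency, e.g. pkg:pypi/yamlkit@5.3.1."""
    return f"pkg:{dep['type']}/{dep['name']}@{dep['version']}"


def build_sbom(product_name, product_version, deps):
    """Minimal CycloneDX 1.5 document covering the top-level dependencies."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {"type": "application", "name": product_name,
                          "version": product_version},
        },
        "components": [
            {"type": "library", "name": d["name"], "version": d["version"],
             "purl": purl(d)}
            for d in deps
        ],
    }


def validate_sbom(sbom):
    """Return a list of problems; an empty list means the document is usable for matching."""
    problems = []
    if sbom.get("bomFormat") != "CycloneDX" or "specVersion" not in sbom:
        problems.append("missing bomFormat/specVersion")
    for c in sbom.get("components", []):
        # A component without a versioned identifier cannot be matched automatically.
        if not c.get("purl") or "@" not in c["purl"]:
            problems.append(f"component {c.get('name')!r} lacks a versioned purl")
    return problems


def parse_version(s):
    """Dotted integer version to a comparable tuple, padded so 1.0 == 1.0.0."""
    parts = [int(p) for p in s.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version, ranges):
    """True if version falls in any [introduced, fixed) range."""
    v = parse_version(version)
    for r in ranges:
        lo = parse_version(r.get("introduced", "0"))
        hi = r.get("fixed")
        if lo <= v and (hi is None or v < parse_version(hi)):
            return True
    return False


def match_sbom(sbom, advisories):
    """Cross-reference every SBOM component against the feed; return findings."""
    findings = []
    for c in sbom["components"]:
        package, _, version = c["purl"].rpartition("@")  # purl without its version
        for adv in advisories:
            if adv["package"] == package and is_affected(version, adv["ranges"]):
                findings.append({"advisory": adv["id"], "severity": adv["severity"],
                                 "purl": c["purl"]})
    return findings


if __name__ == "__main__":
    sbom = build_sbom("demo-app", "1.0.0", TOP_LEVEL_DEPS)
    assert not validate_sbom(sbom)
    print(json.dumps(sbom, indent=2))
    for f in match_sbom(sbom, ADVISORIES):
        print(f"{f['severity'].upper():8} {f['advisory']} affects {f['purl']}")
```

Run as a script it prints the SBOM document and then one finding: the constructed yamlkit 5.3.1 entry falls inside the [0, 5.4) range, while netclient 2.31.0 sits exactly at the fixed version and is correctly not flagged. The validation step is the check worth keeping in a real pipeline: an SBOM entry without a versioned purl (or CPE) will silently never match anything, which looks like "no vulnerabilities" rather than "not checked".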
Key Takeaway
Under Annex I, Part II, Point 1 of the CRA, you must have processes to identify and document vulnerabilities in your software. Critically, you must also identify and document its components, including creating and maintaining a Software Bill of Materials (SBOM) in a machine-readable format for at least your top-level dependencies.