Commit 7812ca7

spoorcc and claude authored
Remove Track B terminology from compliance docs; move control register to own page (#1273)
Track A/B is not standard CRA terminology, so replace with plain language (risk-driven / compliance-only). The Final Control Register table moves to a dedicated control_register.rst page to keep the compliance page focused. The compliance page gains a status-key rubric and horizontal rules between sections for readability.

https://claude.ai/code/session_01TzCDwHkJbD5jNtRXBXYT2a

Co-authored-by: Claude <noreply@anthropic.com>
1 parent 0c54e11 commit 7812ca7

3 files changed

Lines changed: 191 additions & 158 deletions


doc/explanation/compliance_track.rst

Lines changed: 35 additions & 154 deletions
@@ -1,7 +1,7 @@
11
.. _compliance_track:
22

3-
CRA Compliance Track B
4-
======================
3+
CRA Compliance
4+
==============
55

66
.. note::
77

@@ -11,7 +11,9 @@ CRA Compliance Track B
1111
downstream integrators who must account for open-source components in
1212
their own conformity assessments.
1313

14-
Three-tier traceability::
14+
This page provides three-tier traceability from the CRA Annex I essential
15+
requirements through the prEN 40000-1-4 Security Objectives to the
16+
concrete dfetch controls or documented gaps::
1517

1618
CRA Annex I Essential Requirement (ECR-a … ECR-m)
1719
@@ -24,6 +26,22 @@ Machine-readable OSCAL 1.1.2 artifacts are kept alongside the source:
2426
- ``security/cra_pren_4000014_oscal_catalog.json`` — prEN 40000-1-4 catalog
2527
- ``security/dfetch.component-definition.json`` — dfetch Component Definition
2628

29+
The full list of all controls is available on the :doc:`control_register` page.
30+
31+
.. rubric:: Status key
32+
33+
.. list-table::
34+
:widths: 10 90
35+
36+
* - ✓
37+
- Implemented — control satisfies the objective fully.
38+
* - ⚠
39+
- Partial — control exists but a gap remains (see Gaps column).
40+
* - N/A
41+
- Not applicable — the objective does not apply to dfetch.
42+
43+
----
44+
2745
Classification Decision
2846
-----------------------
2947

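Review bot: The status key added here has no row for a control that is planned but not yet in place, yet C-043 (release-gate CVE check) is described elsewhere in this commit as "planned CI addition"; either add a fourth row (for example "☐ Planned — control is specified but not yet implemented") or make sure every row in the Part I/II tables maps onto ✓, ⚠ or N/A only. Also, `:doc:`control_register`` will raise a Sphinx "document isn't included in any toctree" warning unless the new page is registered in the explanation index; that change is not visible in this file, so please confirm it is part of the commit.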
@@ -42,7 +60,9 @@ Classification Decision
4260
* - Mandatory obligations
4361
- None — not a commercial product; no CE marking required
4462
* - Voluntary alignment
45-
- This Track B document is produced voluntarily under Article 13(5) to support downstream integrators who must account for open-source components in their own CRA conformity assessments.
63+
- This compliance document is produced voluntarily under Article 13(5) to support downstream integrators who must account for open-source components in their own CRA conformity assessments.
64+
65+
----
4666

4767
Applicable Standards
4868
--------------------
@@ -59,7 +79,7 @@ Applicable Standards
5979
* - prEN 40000-1-2
6080
- Cyber Resilience Principles and Risk Management
6181
- Yes
62-
- Process standard covering risk-based product security across the lifecycle. The Product Security Context (§6.2) is documented in :doc:`security`. Track A threat models (tm_supply_chain.py, tm_usage.py) implement §6.3–§6.6.
82+
- Process standard covering risk-based product security across the lifecycle. The Product Security Context (§6.2) is documented in :doc:`security`. The threat models (tm_supply_chain.py, tm_usage.py) implement §6.3–§6.6.
6383
- —
6484
* - prEN 40000-1-3
6585
- Vulnerability Handling Requirements
@@ -82,8 +102,10 @@ Applicable Standards
82102
- IoT-specific standard. dfetch is a developer CLI tool with no IoT device functionality, physical interfaces, or consumer IoT use case.
83103
- —
84104

105+
----
106+
85107
Part I — Product Security Requirements (ECR-a to ECR-m)
86-
-------------------------------------------------------
108+
--------------------------------------------------------
87109

88110
The table below summarises dfetch's implementation of each prEN 40000-1-4 Security Objective per CRA essential requirement.
89111

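Review bot: The title on this line did not change, so lengthening the underline by one character is purely cosmetic; RST accepts underlines longer than the title and only warns when they are shorter. If the extra dash is compensating for a width calculation that counts the em-dash as two columns, fix that in the generator (this file is regenerated by `python -m security.compliance --rst`, per the footer), otherwise the next regeneration reverts the hand edit.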
@@ -272,6 +294,8 @@ The table below summarises dfetch's implementation of each prEN 40000-1-4 Securi
272294
- —
273295
- — N/A
274296

297+
----
298+
275299
Part II — Vulnerability Handling (prEN 40000-1-3)
276300
-------------------------------------------------
277301

@@ -322,10 +346,12 @@ Part II requirements are addressed via prEN 40000-1-3. pii-04 is not applicable
322346
- —
323347
- ✓ Implemented
324348

349+
----
350+
325351
Gap Analysis — Compliance-Only Controls
326-
---------------------------------------
352+
----------------------------------------
327353

328-
3 compliance-only controls address CRA requirements not independently covered by the Track A risk models.
354+
Three compliance-only controls address CRA requirements not independently covered by the risk models.
329355

330356
**C-043 — Release-gate CVE check (ECR-a, SO.VulnerabilityManagementProcess → GEC-1)**
331357

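Review bot: "the risk models" here and "The threat models (tm_supply_chain.py, tm_usage.py)" in the Applicable Standards hunk above refer to the same artefacts; pick one term (the scripts are threat models, so "threat models" reads most naturally) and use it in both places, since the point of this commit is to replace ad-hoc vocabulary with consistent plain language. The underline change on the heading is the same cosmetic issue as in Part I.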
@@ -347,151 +373,7 @@ prEN 40000-1-4 ECR-k requires documenting applicable exploit mitigation techniqu
347373
- **Static analysis** (C-015, C-017): CodeQL and bandit gate every commit.
348374
- CFI, sandboxing, and signed-execution policies are not applicable to a pure-Python tool.
349375

350-
Final Control Register
351-
----------------------
352-
353-
All controls from Track A (risk-driven) and Track B (regulatory) merged and sorted. Track B controls (C-043, C-044, and C-046) are marked accordingly.
354-
355-
.. list-table::
356-
:header-rows: 1
357-
:widths: 8 40 10 42
358-
359-
* - ID
360-
- Name
361-
- Track
362-
- Reference
363-
* - C-001
364-
- Path-traversal prevention
365-
- Track A
366-
- dfetch/util/util.py
367-
* - C-002
368-
- Decompression-bomb protection
369-
- Track A
370-
- dfetch/vcs/archive.py
371-
* - C-003
372-
- Archive symlink validation
373-
- Track A
374-
- dfetch/vcs/archive.py
375-
* - C-004
376-
- Archive member type checks
377-
- Track A
378-
- dfetch/vcs/archive.py
379-
* - C-005
380-
- Integrity hash verification
381-
- Track A
382-
- dfetch/vcs/integrity_hash.py
383-
* - C-006
384-
- Non-interactive VCS
385-
- Track A
386-
- dfetch/vcs/git.py, dfetch/vcs/svn.py
387-
* - C-007
388-
- Subprocess safety
389-
- Track A
390-
- dfetch/util/cmdline.py
391-
* - C-008
392-
- Manifest input validation
393-
- Track A
394-
- dfetch/manifest/schema.py
395-
* - C-009
396-
- Actions commit-SHA pinning
397-
- Track A
398-
- .github/workflows/\*.yml
399-
* - C-010
400-
- OIDC trusted publishing
401-
- Track A
402-
- .github/workflows/python-publish.yml
403-
* - C-011
404-
- Minimal workflow permissions
405-
- Track A
406-
- .github/workflows/\*.yml
407-
* - C-012
408-
- persist-credentials: false
409-
- Track A
410-
- .github/workflows/\*.yml
411-
* - C-013
412-
- Harden-runner (egress block)
413-
- Track A
414-
- .github/workflows/\*.yml
415-
* - C-015
416-
- CodeQL static analysis
417-
- Track A
418-
- .github/workflows/codeql-analysis.yml
419-
* - C-016
420-
- Dependency review
421-
- Track A
422-
- .github/workflows/dependency-review.yml
423-
* - C-017
424-
- bandit security linter
425-
- Track A
426-
- pyproject.toml
427-
* - C-021
428-
- Sigstore SBOM attestation
429-
- Track A
430-
- —
431-
* - C-022
432-
- CycloneDX SBOM on PyPI
433-
- Track A
434-
- —
435-
* - C-024
436-
- ``secrets: inherit`` scope
437-
- Track A
438-
- —
439-
* - C-026
440-
- Consumer-side package provenance verification
441-
- Track A
442-
- doc/howto/verify-integrity.rst
443-
* - C-032
444-
- Consumer attestation verification pins to release tag ref
445-
- Track A
446-
- doc/howto/verify-integrity.rst
447-
* - C-033
448-
- Ref-scoped build cache keys isolate PR and release builds
449-
- Track A
450-
- .github/workflows/build.yml
451-
* - C-034
452-
- Hash algorithm allowlist (SHA-256/384/512 only)
453-
- Track A
454-
- dfetch/vcs/integrity_hash.py
455-
* - C-036
456-
- Persisted-metadata credential redaction
457-
- Track A
458-
- dfetch/project/metadata.py
459-
* - C-037
460-
- SLSA Source Provenance Attestation of repository governance controls
461-
- Track A
462-
- .github/workflows/source-provenance.yml
463-
* - C-038
464-
- Ancestry enforcement on dfetch main branch
465-
- Track A
466-
- .github/workflows/
467-
* - C-039
468-
- Source build provenance and VSA attestations
469-
- Track A
470-
- doc/howto/verify-integrity.rst
471-
* - C-040
472-
- Test result attestation on source archive
473-
- Track A
474-
- .github/workflows/test.yml
475-
* - C-041
476-
- Winget manifest PRs reviewed by community maintainers
477-
- Track A
478-
- .github/workflows/winget-publish.yml
479-
* - C-042
480-
- WINGET_TOKEN scoped to dedicated Winget environment
481-
- Track A
482-
- .github/workflows/winget-publish.yml
483-
* - C-043
484-
- Release-gate CVE check on runtime dependencies
485-
- Track B
486-
- .github/workflows/python-publish.yml (planned CI addition)
487-
* - C-044
488-
- Data minimisation policy
489-
- Track B
490-
- doc/explanation/compliance_track.rst (this document)
491-
* - C-046
492-
- Exploit mitigation inventory
493-
- Track B
494-
- doc/explanation/compliance_track.rst (this document)
376+
----
495377

496378
OSCAL Artifacts
497379
---------------
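Review bot: Two of the removed rows (C-044 and C-046) carry the reference "doc/explanation/compliance_track.rst (this document)"; once the table lives in control_register.rst that parenthetical is wrong and should read as a cross-reference back to this page (for example ":doc:`compliance_track`"). Also, the removed table had a Track column distinguishing the three compliance-only controls from the risk-driven ones, and the Gap Analysis section above still relies on that distinction by ID; make sure the relocated register keeps an equivalent column (e.g. "Origin: risk-driven / compliance-only") rather than dropping it with the "Track" label.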
@@ -503,5 +385,4 @@ regenerated with:
503385
504386
python -m security.compliance \\
505387
--component security/dfetch.component-definition.json \\
506-
--track-b-only \\
507388
--rst > doc/explanation/compliance_track.rst
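Review bot: Dropping `--track-b-only` from the documented command only works if the generator in `security/compliance` no longer accepts or needs that flag and now emits the new layout (status key, horizontal rules, no embedded register); that module is not shown in this view, so please confirm it is the third changed file, otherwise the documented regeneration either fails on an unknown flag or silently overwrites the hand edits made in this diff. Separately, if the source really contains `\\` at the end of these lines, a literal block renders both backslashes and the command will not paste cleanly; a single `\` is enough inside `::` blocks.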
