
Commit bb1c171

spoorcc and claude authored
Add navigation links to compliance docs (#1275)
All control IDs (C-001..C-046) in compliance_track.rst now link to their anchored entries in control_register.rst. File paths in the Reference column of control_register.rst link to their source on GitHub. Doc paths use :doc: cross-references. SECURITY.md and OSCAL artefact references throughout compliance_track.rst and security.rst link directly to the relevant GitHub pages. https://claude.ai/code/session_01DhTruTejopMJeFWfBKUtud Co-authored-by: Claude <noreply@anthropic.com>
1 parent 7812ca7 commit bb1c171

3 files changed

Lines changed: 181 additions & 113 deletions

File tree

doc/explanation/compliance_track.rst

Lines changed: 44 additions & 44 deletions
@@ -23,8 +23,8 @@ concrete dfetch controls or documented gaps::
2323

2424
Machine-readable OSCAL 1.1.2 artifacts are kept alongside the source:
2525

26-
- ``security/cra_pren_4000014_oscal_catalog.json`` — prEN 40000-1-4 catalog
27-
- ``security/dfetch.component-definition.json`` — dfetch Component Definition
26+
- `security/cra_pren_4000014_oscal_catalog.json <https://github.com/dfetch-org/dfetch/blob/main/security/cra_pren_4000014_oscal_catalog.json>`_ — prEN 40000-1-4 catalog
27+
- `security/dfetch.component-definition.json <https://github.com/dfetch-org/dfetch/blob/main/security/dfetch.component-definition.json>`_ — dfetch Component Definition
2828

2929
The full list of all controls is available on the :doc:`control_register` page.
3030

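Review bot: both new links point at `blob/main`, so the OSCAL artefacts a reader lands on can change after this commit; for a compliance document that auditors will cite, a `/blob/<release-tag>/` or commit-SHA path gives a stable reference. Note also that the former ``literal`` styling of the file names is dropped, because reStructuredText cannot nest inline literal markup inside a hyperlink; that is an acceptable trade-off, but the same convention should be used consistently across the three files.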
@@ -79,17 +79,17 @@ Applicable Standards
7979
* - prEN 40000-1-2
8080
- Cyber Resilience Principles and Risk Management
8181
- Yes
82-
- Process standard covering risk-based product security across the lifecycle. The Product Security Context (§6.2) is documented in :doc:`security`. The threat models (tm_supply_chain.py, tm_usage.py) implement §6.3–§6.6.
82+
- Process standard covering risk-based product security across the lifecycle. The Product Security Context (§6.2) is documented in :doc:`security`. The threat models (`tm_supply_chain.py <https://github.com/dfetch-org/dfetch/blob/main/security/tm_supply_chain.py>`_, `tm_usage.py <https://github.com/dfetch-org/dfetch/blob/main/security/tm_usage.py>`_) implement §6.3–§6.6.
8383
- —
8484
* - prEN 40000-1-3
8585
- Vulnerability Handling Requirements
8686
- Yes
87-
- Covers CRA Annex I Part II vulnerability handling obligations. Addressed in the Part II table below via SECURITY.md, SBOM (C-022), and dependency-review CI (C-016).
87+
- Covers CRA Annex I Part II vulnerability handling obligations. Addressed in the Part II table below via `SECURITY.md <https://github.com/dfetch-org/dfetch/blob/main/SECURITY.md>`_, SBOM (:ref:`C-022 <c-022>`), and dependency-review CI (:ref:`C-016 <c-016>`).
8888
- No formal patch SLA or LTS backport policy defined.
8989
* - prEN 40000-1-4
9090
- Generic Security Requirements (draft, indicative publication October 2027)
9191
- Yes
92-
- Primary standard for this document. Maps CRA Annex I Part I Art. 2(a)–(m) to Security Objectives (SO.\*) and Technical Controls (GEC-\*, SUM-\*, etc.). The catalog is included as security/cra_pren_4000014_oscal_catalog.json.
92+
- Primary standard for this document. Maps CRA Annex I Part I Art. 2(a)–(m) to Security Objectives (SO.\*) and Technical Controls (GEC-\*, SUM-\*, etc.). The catalog is included as `security/cra_pren_4000014_oscal_catalog.json <https://github.com/dfetch-org/dfetch/blob/main/security/cra_pren_4000014_oscal_catalog.json>`_.
9393
- Standard is in draft; final clause numbering may change.
9494
* - EN 18031-1/2:2024
9595
- Common security requirements for radio equipment (basis of prEN 40000-1-4)
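Review bot: the new `:ref:` targets `c-022` and `c-016` assume matching `.. _c-022:` / `.. _c-016:` labels in control_register.rst; that file is part of this commit but its diff is not shown here, so please confirm each label is defined exactly once and that the docs build runs with `-W`, so an undefined label fails the build instead of only emitting a warning. The `tm_supply_chain.py` and `tm_usage.py` links are a useful addition to the prEN 40000-1-2 row.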
@@ -120,12 +120,12 @@ The table below summarises dfetch's implementation of each prEN 40000-1-4 Securi
120120
- Status
121121
* - **ECR-A** — Be made available on the market without known exploitable vulnerabilities.
122122
- SO.VulnerabilityManagementProcess
123-
- C-015, C-016, C-017, C-022
124-
- No CVE gate at release time (→ C-043 planned)
123+
- :ref:`C-015 <c-015>`, :ref:`C-016 <c-016>`, :ref:`C-017 <c-017>`, :ref:`C-022 <c-022>`
124+
- No CVE gate at release time (→ :ref:`C-043 <c-043>` planned)
125125
- ⚠ Partial
126126
* - **ECR-B** — Be made available on the market with a secure by default configuration, including the possibility to reset the product to its original state.
127127
- SO.SecureDefaultConfiguration
128-
- C-001, C-002
128+
- :ref:`C-001 <c-001>`, :ref:`C-002 <c-002>`
129129
- —
130130
- ⚠ Partial
131131
* -
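Review bot: the gap text `(→ :ref:`C-043 <c-043>` planned)` now links to a control that this table marks as planned; make sure the control_register.rst entry for C-043 carries the same planned status, otherwise a reader following the link may take the release-gate CVE check as implemented. Style: the explicit-title form `:ref:`C-001 <c-001>`` repeats the control ID in both the title and the label, so a renumbering has to be fixed in two places per reference; a substitution or a small custom role would keep a single source.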
@@ -150,7 +150,7 @@ The table below summarises dfetch's implementation of each prEN 40000-1-4 Securi
150150
- — N/A
151151
* -
152152
- SO.UserUpdateNotification
153-
- C-040
153+
- :ref:`C-040 <c-040>`
154154
- —
155155
- ✓ Implemented
156156
* -
@@ -160,62 +160,62 @@ The table below summarises dfetch's implementation of each prEN 40000-1-4 Securi
160160
- — N/A
161161
* - **ECR-D** — Ensure protection from unauthorised access by appropriate control mechanisms including authentication, identity or access management systems, and report on possible unauthorised access.
162162
- SO.AccessControl
163-
- C-006, C-036
163+
- :ref:`C-006 <c-006>`, :ref:`C-036 <c-036>`
164164
- —
165165
- ⚠ Partial
166166
* -
167167
- SO.AccessControlReport
168-
- C-009
168+
- :ref:`C-009 <c-009>`
169169
- No persistent log of unauthorised access attempts
170170
- ⚠ Partial
171171
* - **ECR-E** — Protect the confidentiality of stored, transmitted or otherwise processed data by state-of-the-art mechanisms such as encryption at rest and in transit.
172172
- SO.DataStoredConfidentiality
173-
- C-036
173+
- :ref:`C-036 <c-036>`
174174
- —
175175
- ✓ Implemented
176176
* -
177177
- SO.DataProcessedConfidentiality
178-
- C-005, C-034
178+
- :ref:`C-005 <c-005>`, :ref:`C-034 <c-034>`
179179
- —
180180
- ✓ Implemented
181181
* -
182182
- SO.DataTransmittedConfidentiality
183-
- C-005, C-009
183+
- :ref:`C-005 <c-005>`, :ref:`C-009 <c-009>`
184184
- —
185185
- ✓ Implemented
186186
* -
187187
- SO.ComAuth
188-
- C-003, C-004, C-009
188+
- :ref:`C-003 <c-003>`, :ref:`C-004 <c-004>`, :ref:`C-009 <c-009>`
189189
- —
190190
- ✓ Implemented
191191
* -
192192
- SO.SecureProvisioning
193-
- C-005
193+
- :ref:`C-005 <c-005>`
194194
- —
195195
- ⚠ Partial
196196
* - **ECR-F** — Protect the integrity of stored, transmitted or otherwise processed data, commands, programs and configuration against unauthorised manipulation or modification, and report on corruptions.
197197
- SO.DataStoredIntegrity
198-
- C-005
198+
- :ref:`C-005 <c-005>`
199199
- Integrity hash opt-in only; not enforced by default for git/svn
200200
- ⚠ Partial
201201
* -
202202
- SO.DataProcessedIntegrity
203-
- C-005, C-034
203+
- :ref:`C-005 <c-005>`, :ref:`C-034 <c-034>`
204204
- —
205205
- ✓ Implemented
206206
* -
207207
- SO.DataTransmittedIntegrity
208-
- C-003, C-004
208+
- :ref:`C-003 <c-003>`, :ref:`C-004 <c-004>`
209209
- No end-to-end hash for git/svn transport beyond TLS/SSH channel integrity
210210
- ⚠ Partial
211211
* -
212212
- SO.IntegrityReport
213-
- C-009
213+
- :ref:`C-009 <c-009>`
214214
- No persistent integrity-violation log
215215
- ⚠ Partial
216216
* - **ECR-G** — Process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation).
217217
- SO.DataMinimization
218-
- C-044
218+
- :ref:`C-044 <c-044>`
219219
- —
220220
- ✓ Implemented
221221
* - **ECR-H** — Protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks.
@@ -225,17 +225,17 @@ The table below summarises dfetch's implementation of each prEN 40000-1-4 Securi
225225
- — N/A
226226
* -
227227
- SO.IncidentResilience
228-
- C-002, C-007
228+
- :ref:`C-002 <c-002>`, :ref:`C-007 <c-007>`
229229
- No timeout on VCS operations (potential resource exhaustion)
230230
- ⚠ Partial
231231
* - **ECR-I** — Minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks.
232232
- SO.LimitExternalImpact
233-
- C-001, C-007
233+
- :ref:`C-001 <c-001>`, :ref:`C-007 <c-007>`
234234
- —
235235
- ⚠ Partial
236236
* -
237237
- SO.PreventAttackPropagation
238-
- C-001, C-008
238+
- :ref:`C-001 <c-001>`, :ref:`C-008 <c-008>`
239239
- —
240240
- ✓ Implemented
241241
* -
@@ -245,22 +245,22 @@ The table below summarises dfetch's implementation of each prEN 40000-1-4 Securi
245245
- — N/A
246246
* - **ECR-J** — Be designed, developed and produced to limit attack surfaces, including external interfaces.
247247
- SO.ReduceAttackSurface
248-
- C-001, C-003, C-004, C-007, C-008
248+
- :ref:`C-001 <c-001>`, :ref:`C-003 <c-003>`, :ref:`C-004 <c-004>`, :ref:`C-007 <c-007>`, :ref:`C-008 <c-008>`
249249
- —
250250
- ⚠ Partial
251251
* - **ECR-K** — Be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques.
252252
- SO.ReduceImpactOfIncident
253-
- C-005, C-007, C-015, C-017, C-046
253+
- :ref:`C-005 <c-005>`, :ref:`C-007 <c-007>`, :ref:`C-015 <c-015>`, :ref:`C-017 <c-017>`, :ref:`C-046 <c-046>`
254254
- —
255255
- ✓ Implemented
256256
* - **ECR-L** — Provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user.
257257
- SO.LogSecurityRelevantActivities
258-
- C-036
258+
- :ref:`C-036 <c-036>`
259259
- No persistent security event log (LGM-2/3/4 gap); No opt-out for logging — dfetch does not log by default
260260
- ⚠ Partial
261261
* -
262262
- SO.MonitorSecurityRelevantActivities
263-
- C-009
263+
- :ref:`C-009 <c-009>`
264264
- —
265265
- ⚠ Partial
266266
* -
@@ -312,17 +312,17 @@ Part II requirements are addressed via prEN 40000-1-3. pii-04 is not applicable
312312
- Status
313313
* - Part II §1
314314
- Identify and document vulnerabilities and components (SBOM).
315-
- C-021, C-022
315+
- :ref:`C-021 <c-021>`, :ref:`C-022 <c-022>`
316316
- —
317317
- ✓ Implemented
318318
* - Part II §2
319319
- Address vulnerabilities without delay; provide free security updates.
320-
- C-015, C-016, SECURITY.md
321-
- No LTS backport policy (latest release only — documented in SECURITY.md)
320+
- :ref:`C-015 <c-015>`, :ref:`C-016 <c-016>`, `SECURITY.md <https://github.com/dfetch-org/dfetch/blob/main/SECURITY.md>`_
321+
- No LTS backport policy (latest release only — documented in `SECURITY.md <https://github.com/dfetch-org/dfetch/blob/main/SECURITY.md>`_)
322322
- ⚠ Partial
323323
* - Part II §3
324324
- Apply effective coordinated vulnerability disclosure (CVD) policy.
325-
- SECURITY.md
325+
- `SECURITY.md <https://github.com/dfetch-org/dfetch/blob/main/SECURITY.md>`_
326326
- —
327327
- ✓ Implemented
328328
* - Part II §4
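Review bot: the `SECURITY.md <https://github.com/dfetch-org/dfetch/blob/main/SECURITY.md>`_ link is written out in full three times in this hunk (and again in the following one); defining a named target once, e.g. `.. _SECURITY.md: https://github.com/dfetch-org/dfetch/blob/main/SECURITY.md`, and referencing it as `SECURITY.md`_ keeps one place to update if the file moves, or use the anonymous `__` form to avoid creating the same named target repeatedly.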
@@ -332,17 +332,17 @@ Part II requirements are addressed via prEN 40000-1-3. pii-04 is not applicable
332332
- — N/A
333333
* - Part II §5
334334
- Publish coordinated vulnerability disclosure policy.
335-
- SECURITY.md
335+
- `SECURITY.md <https://github.com/dfetch-org/dfetch/blob/main/SECURITY.md>`_
336336
- —
337337
- ✓ Implemented
338338
* - Part II §6
339339
- Share information on vulnerabilities in integrated components.
340-
- C-022, C-016
340+
- :ref:`C-022 <c-022>`, :ref:`C-016 <c-016>`
341341
- No proactive downstream notification process
342342
- ⚠ Partial
343343
* - Part II §7
344344
- Provide security updates free of charge for the support period.
345-
- MIT licence, PyPI, SECURITY.md
345+
- MIT licence, PyPI, `SECURITY.md <https://github.com/dfetch-org/dfetch/blob/main/SECURITY.md>`_
346346
- —
347347
- ✓ Implemented
348348

@@ -353,24 +353,24 @@ Gap Analysis — Compliance-Only Controls
353353

354354
Three compliance-only controls address CRA requirements not independently covered by the risk models.
355355

356-
**C-043 — Release-gate CVE check (ECR-a, SO.VulnerabilityManagementProcess → GEC-1)**
356+
**:ref:`C-043 <c-043>` — Release-gate CVE check (ECR-a, SO.VulnerabilityManagementProcess → GEC-1)**
357357

358-
dfetch's CI detects vulnerabilities at commit time (C-015, C-016, C-017) but does not gate the release publish on a CVE scan of runtime dependencies. C-043 (planned) adds ``pip-audit`` or ``osv-scanner`` to the publish workflow.
358+
dfetch's CI detects vulnerabilities at commit time (:ref:`C-015 <c-015>`, :ref:`C-016 <c-016>`, :ref:`C-017 <c-017>`) but does not gate the release publish on a CVE scan of runtime dependencies. :ref:`C-043 <c-043>` (planned) adds ``pip-audit`` or ``osv-scanner`` to the publish workflow.
359359

360-
**C-044 — Data minimisation policy (ECR-g, SO.DataMinimization → DTM-1)**
360+
**:ref:`C-044 <c-044>` — Data minimisation policy (ECR-g, SO.DataMinimization → DTM-1)**
361361

362-
dfetch processes dependency metadata only. The ``.dfetch_data.yaml`` file stores: ``remote_url`` (credentials stripped by C-036), ``revision``, optional ``integrity.hash``, and ``last_fetch`` timestamp. Each field is functionally necessary for ``dfetch check`` and ``dfetch freeze``. No personal data is collected; no telemetry is sent. C-044 formalises this assertion as a documented policy.
362+
dfetch processes dependency metadata only. The ``.dfetch_data.yaml`` file stores: ``remote_url`` (credentials stripped by :ref:`C-036 <c-036>`), ``revision``, optional ``integrity.hash``, and ``last_fetch`` timestamp. Each field is functionally necessary for ``dfetch check`` and ``dfetch freeze``. No personal data is collected; no telemetry is sent. :ref:`C-044 <c-044>` formalises this assertion as a documented policy.
363363

364-
**C-046 — Exploit mitigation inventory (ECR-k, SO.ReduceImpactOfIncident → GEC-11)**
364+
**:ref:`C-046 <c-046>` — Exploit mitigation inventory (ECR-k, SO.ReduceImpactOfIncident → GEC-11)**
365365

366366
prEN 40000-1-4 ECR-k requires documenting applicable exploit mitigation techniques. For dfetch (pure Python):
367367

368368
- **ASLR / DEP / stack canaries**: provided by CPython and the OS; not in dfetch's control but inherited.
369369
- **No eval/exec of remote content**: dfetch never evaluates fetched content as code.
370-
- **Constant-time comparison** (C-005): HMAC-based integrity hash uses ``hmac.compare_digest``.
371-
- **No shell injection** (C-007): all subprocess calls use ``shell=False``.
372-
- **Input validation** (C-008): URL scheme, path, and revision inputs are validated.
373-
- **Static analysis** (C-015, C-017): CodeQL and bandit gate every commit.
370+
- **Constant-time comparison** (:ref:`C-005 <c-005>`): HMAC-based integrity hash uses ``hmac.compare_digest``.
371+
- **No shell injection** (:ref:`C-007 <c-007>`): all subprocess calls use ``shell=False``.
372+
- **Input validation** (:ref:`C-008 <c-008>`): URL scheme, path, and revision inputs are validated.
373+
- **Static analysis** (:ref:`C-015 <c-015>`, :ref:`C-017 <c-017>`): CodeQL and bandit gate every commit.
374374
- CFI, sandboxing, and signed-execution policies are not applicable to a pure-Python tool.
375375

376376
----
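Review bot: the three bold control headings now wrap a `:ref:` role inside `**…**`, but reStructuredText does not nest inline markup, so `**:ref:`C-043 <c-043>` — Release-gate CVE check (…)**` will render the literal text `:ref:`C-043 <c-043>`` in bold rather than a link. Move the reference outside the strong emphasis, e.g. `:ref:`C-043 <c-043>` — **Release-gate CVE check (ECR-a, SO.VulnerabilityManagementProcess → GEC-1)**`, and do the same for the C-044 and C-046 headings; the `:ref:` uses inside the parenthesised bullet items further down are fine as written.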
