You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
All control IDs (C-001..C-046) in compliance_track.rst now link to their
anchored entries in control_register.rst. File paths in the Reference
column of control_register.rst link to their source on GitHub. Doc
paths use :doc: cross-references. SECURITY.md and OSCAL artefact
references throughout compliance_track.rst and security.rst link
directly to the relevant GitHub pages.
https://claude.ai/code/session_01DhTruTejopMJeFWfBKUtud
Co-authored-by: Claude <noreply@anthropic.com>
The full list of all controls is available on the :doc:`control_register` page.
30
30
@@ -79,17 +79,17 @@ Applicable Standards
79
79
* - prEN 40000-1-2
80
80
- Cyber Resilience Principles and Risk Management
81
81
- Yes
82
-
- Process standard covering risk-based product security across the lifecycle. The Product Security Context (§6.2) is documented in :doc:`security`. The threat models (tm_supply_chain.py, tm_usage.py) implement §6.3–§6.6.
82
+
- Process standard covering risk-based product security across the lifecycle. The Product Security Context (§6.2) is documented in :doc:`security`. The threat models (`tm_supply_chain.py<https://github.com/dfetch-org/dfetch/blob/main/security/tm_supply_chain.py>`_, `tm_usage.py<https://github.com/dfetch-org/dfetch/blob/main/security/tm_usage.py>`_) implement §6.3–§6.6.
83
83
- —
84
84
* - prEN 40000-1-3
85
85
- Vulnerability Handling Requirements
86
86
- Yes
87
-
- Covers CRA Annex I Part II vulnerability handling obligations. Addressed in the Part II table below via SECURITY.md, SBOM (C-022), and dependency-review CI (C-016).
87
+
- Covers CRA Annex I Part II vulnerability handling obligations. Addressed in the Part II table below via `SECURITY.md<https://github.com/dfetch-org/dfetch/blob/main/SECURITY.md>`_, SBOM (:ref:`C-022<c-022>`), and dependency-review CI (:ref:`C-016<c-016>`).
88
88
- No formal patch SLA or LTS backport policy defined.
89
89
* - prEN 40000-1-4
90
90
- Generic Security Requirements (draft, indicative publication October 2027)
91
91
- Yes
92
-
- Primary standard for this document. Maps CRA Annex I Part I Art. 2(a)–(m) to Security Objectives (SO.\*) and Technical Controls (GEC-\*, SUM-\*, etc.). The catalog is included as security/cra_pren_4000014_oscal_catalog.json.
92
+
- Primary standard for this document. Maps CRA Annex I Part I Art. 2(a)–(m) to Security Objectives (SO.\*) and Technical Controls (GEC-\*, SUM-\*, etc.). The catalog is included as `security/cra_pren_4000014_oscal_catalog.json<https://github.com/dfetch-org/dfetch/blob/main/security/cra_pren_4000014_oscal_catalog.json>`_.
93
93
- Standard is in draft; final clause numbering may change.
94
94
* - EN 18031-1/2:2024
95
95
- Common security requirements for radio equipment (basis of prEN 40000-1-4)
@@ -120,12 +120,12 @@ The table below summarises dfetch's implementation of each prEN 40000-1-4 Securi
120
120
- Status
121
121
* - **ECR-A** — Be made available on the market without known exploitable vulnerabilities.
- No CVE gate at release time (→ :ref:`C-043<c-043>` planned)
125
125
- ⚠ Partial
126
126
* - **ECR-B** — Be made available on the market with a secure by default configuration, including the possibility to reset the product to its original state.
127
127
- SO.SecureDefaultConfiguration
128
-
- C-001, C-002
128
+
- :ref:`C-001<c-001>`, :ref:`C-002<c-002>`
129
129
- —
130
130
- ⚠ Partial
131
131
* -
@@ -150,7 +150,7 @@ The table below summarises dfetch's implementation of each prEN 40000-1-4 Securi
150
150
- — N/A
151
151
* -
152
152
- SO.UserUpdateNotification
153
-
- C-040
153
+
- :ref:`C-040<c-040>`
154
154
- —
155
155
- ✓ Implemented
156
156
* -
@@ -160,62 +160,62 @@ The table below summarises dfetch's implementation of each prEN 40000-1-4 Securi
160
160
- — N/A
161
161
* - **ECR-D** — Ensure protection from unauthorised access by appropriate control mechanisms including authentication, identity or access management systems, and report on possible unauthorised access.
162
162
- SO.AccessControl
163
-
- C-006, C-036
163
+
- :ref:`C-006<c-006>`, :ref:`C-036<c-036>`
164
164
- —
165
165
- ⚠ Partial
166
166
* -
167
167
- SO.AccessControlReport
168
-
- C-009
168
+
- :ref:`C-009<c-009>`
169
169
- No persistent log of unauthorised access attempts
170
170
- ⚠ Partial
171
171
* - **ECR-E** — Protect the confidentiality of stored, transmitted or otherwise processed data by state-of-the-art mechanisms such as encryption at rest and in transit.
* - **ECR-F** — Protect the integrity of stored, transmitted or otherwise processed data, commands, programs and configuration against unauthorised manipulation or modification, and report on corruptions.
197
197
- SO.DataStoredIntegrity
198
-
- C-005
198
+
- :ref:`C-005<c-005>`
199
199
- Integrity hash opt-in only; not enforced by default for git/svn
200
200
- ⚠ Partial
201
201
* -
202
202
- SO.DataProcessedIntegrity
203
-
- C-005, C-034
203
+
- :ref:`C-005<c-005>`, :ref:`C-034<c-034>`
204
204
- —
205
205
- ✓ Implemented
206
206
* -
207
207
- SO.DataTransmittedIntegrity
208
-
- C-003, C-004
208
+
- :ref:`C-003<c-003>`, :ref:`C-004<c-004>`
209
209
- No end-to-end hash for git/svn transport beyond TLS/SSH channel integrity
210
210
- ⚠ Partial
211
211
* -
212
212
- SO.IntegrityReport
213
-
- C-009
213
+
- :ref:`C-009<c-009>`
214
214
- No persistent integrity-violation log
215
215
- ⚠ Partial
216
216
* - **ECR-G** — Process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation).
217
217
- SO.DataMinimization
218
-
- C-044
218
+
- :ref:`C-044<c-044>`
219
219
- —
220
220
- ✓ Implemented
221
221
* - **ECR-H** — Protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks.
@@ -225,17 +225,17 @@ The table below summarises dfetch's implementation of each prEN 40000-1-4 Securi
225
225
- — N/A
226
226
* -
227
227
- SO.IncidentResilience
228
-
- C-002, C-007
228
+
- :ref:`C-002<c-002>`, :ref:`C-007<c-007>`
229
229
- No timeout on VCS operations (potential resource exhaustion)
230
230
- ⚠ Partial
231
231
* - **ECR-I** — Minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks.
232
232
- SO.LimitExternalImpact
233
-
- C-001, C-007
233
+
- :ref:`C-001<c-001>`, :ref:`C-007<c-007>`
234
234
- —
235
235
- ⚠ Partial
236
236
* -
237
237
- SO.PreventAttackPropagation
238
-
- C-001, C-008
238
+
- :ref:`C-001<c-001>`, :ref:`C-008<c-008>`
239
239
- —
240
240
- ✓ Implemented
241
241
* -
@@ -245,22 +245,22 @@ The table below summarises dfetch's implementation of each prEN 40000-1-4 Securi
245
245
- — N/A
246
246
* - **ECR-J** — Be designed, developed and produced to limit attack surfaces, including external interfaces.
* - **ECR-K** — Be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques.
* - **ECR-L** — Provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user.
257
257
- SO.LogSecurityRelevantActivities
258
-
- C-036
258
+
- :ref:`C-036<c-036>`
259
259
- No persistent security event log (LGM-2/3/4 gap); No opt-out for logging — dfetch does not log by default
260
260
- ⚠ Partial
261
261
* -
262
262
- SO.MonitorSecurityRelevantActivities
263
-
- C-009
263
+
- :ref:`C-009<c-009>`
264
264
- —
265
265
- ⚠ Partial
266
266
* -
@@ -312,17 +312,17 @@ Part II requirements are addressed via prEN 40000-1-3. pii-04 is not applicable
312
312
- Status
313
313
* - Part II §1
314
314
- Identify and document vulnerabilities and components (SBOM).
315
-
- C-021, C-022
315
+
- :ref:`C-021<c-021>`, :ref:`C-022<c-022>`
316
316
- —
317
317
- ✓ Implemented
318
318
* - Part II §2
319
319
- Address vulnerabilities without delay; provide free security updates.
320
-
- C-015, C-016, SECURITY.md
321
-
- No LTS backport policy (latest release only — documented in SECURITY.md)
dfetch's CI detects vulnerabilities at commit time (C-015, C-016, C-017) but does not gate the release publish on a CVE scan of runtime dependencies. C-043 (planned) adds ``pip-audit`` or ``osv-scanner`` to the publish workflow.
358
+
dfetch's CI detects vulnerabilities at commit time (:ref:`C-015<c-015>`, :ref:`C-016<c-016>`, :ref:`C-017<c-017>`) but does not gate the release publish on a CVE scan of runtime dependencies. :ref:`C-043<c-043>` (planned) adds ``pip-audit`` or ``osv-scanner`` to the publish workflow.
359
359
360
-
**C-044 — Data minimisation policy (ECR-g, SO.DataMinimization → DTM-1)**
360
+
**:ref:`C-044 <c-044>` — Data minimisation policy (ECR-g, SO.DataMinimization → DTM-1)**
361
361
362
-
dfetch processes dependency metadata only. The ``.dfetch_data.yaml`` file stores: ``remote_url`` (credentials stripped by C-036), ``revision``, optional ``integrity.hash``, and ``last_fetch`` timestamp. Each field is functionally necessary for ``dfetch check`` and ``dfetch freeze``. No personal data is collected; no telemetry is sent. C-044 formalises this assertion as a documented policy.
362
+
dfetch processes dependency metadata only. The ``.dfetch_data.yaml`` file stores: ``remote_url`` (credentials stripped by :ref:`C-036<c-036>`), ``revision``, optional ``integrity.hash``, and ``last_fetch`` timestamp. Each field is functionally necessary for ``dfetch check`` and ``dfetch freeze``. No personal data is collected; no telemetry is sent. :ref:`C-044<c-044>` formalises this assertion as a documented policy.
0 commit comments