Quickstart Guide

Get your first product set up in CRA Evidence in under 5 minutes. By the end of this guide, you'll have:

• Created your organisation
• Registered your first product
• Added a version
• Uploaded an SBOM

Prerequisites

• A CRA Evidence account (sign up at https://app.craevidence.com)
• An SBOM file for your product (CycloneDX or SPDX format)

Don't have an SBOM yet? See How to Generate an SBOM at the end of this guide.

---

Step 1: Create Your Account

1. Navigate to https://app.craevidence.com/register
2. Enter your email address and password
3. Verify your email by clicking the link sent to your inbox
4. Complete your profile information

---

Step 2: Set Up Your Organisation

After logging in, you'll be prompted to create an organisation:

1. Click Create Organisation
2. Enter your company name
3. (Optional) Add company details for CRA compliance:
   • Legal name
   • Address
   • Contact email
   • EU member state

These details appear in your technical file exports and are required for full CRA compliance.

Tip: You can update organisation details later in Settings > Organisation.

---

Step 3: Create Your First Product

Products in CRA Evidence represent your Products with Digital Elements (PDEs):

1. From the Dashboard, click Products in the navigation
2. Click New Product
3. Enter:
   • Name: Your product's commercial name
   • Description: Brief description of what the product does
   • Category: Select the CRA category (see note below)
4. Click Create Product

Understanding Product Categories

CRA defines different compliance requirements based on product type:

Examples:

• Password manager software: Important Class I
• Operating system: Important Class II
• Hardware security module: Critical
• Internal business application: Default

Not sure which category? Start with Default and see Core Concepts for detailed classification guidance.

---

Step 4: Add a Version

Each product has versions representing releases:

1. On your product page, click Add Version
2. Enter:
   • Version Number: e.g., "1.0.0", "2024.1", etc.
   • Release Date: When this version was/will be released
   • End of Support Date: When security support ends (minimum 5 years per CRA)
3. Click Create Version

CRA Requirement: Article 13(5) requires you to define and communicate a support period of at least 5 years.

---

Step 5: Upload Your SBOM

Now upload your Software Bill of Materials:

1. On your version page, locate the Artifacts section
2. Click the SBOM tab
3. Drag and drop your SBOM file, or click to browse
4. Wait for validation and processing

What Happens After Upload

CRA Evidence automatically:

1. Validates the SBOM format (CycloneDX or SPDX)
2. Extracts component information
3. Calculates a quality score based on TR-03183 requirements
4. Scans for known vulnerabilities using Trivy

You'll see results within a few seconds.

Understanding Your Quality Score

The quality score (0-100) measures how well your SBOM meets TR-03183 recommendations.

See Core Concepts for the quality score calculation and full score range interpretation. See SBOM Guide for details on improving your score.

---

What's Next?

Congratulations! You've set up your first product with an SBOM. Here's what to do next:

Immediate Next Steps

1. Review vulnerabilities: Check the scan results for any known CVEs
2. Improve SBOM quality: If your score is below 80, see SBOM Guide
3. Upload documents: Add your risk assessment and other CRA documents

Building Toward CRA Ready Status

To achieve "CRA Ready" status for your version, you need:

• [ ] At least one SBOM uploaded
• [ ] Risk Assessment document
• [ ] EU Declaration of Conformity
• [ ] User Manual
• [ ] Vulnerability Disclosure Policy

See Documents Checklist for the complete list.

Understanding Your Dashboard

Your dashboard now shows:

• CRA Status: Incomplete or Ready
• Quality Score: SBOM quality percentage
• Vulnerabilities: Count by severity
• Documents: Upload status for required documents

---

Generating Your First SBOM

If you don't have an SBOM yet, here are the quickest ways to generate one:

For Container Images (Docker)

Using Syft:

# Install Syft
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin

# Generate SBOM from container image
syft your-image:tag -o cyclonedx-json > sbom.json

For Node.js Projects

Using @cyclonedx/cyclonedx-npm:

# Install globally
npm install -g @cyclonedx/cyclonedx-npm

# Generate SBOM
cyclonedx-npm --output-file sbom.json

For Python Projects

Using cyclonedx-py:

# Install
pip install cyclonedx-bom

# Generate from requirements.txt
cyclonedx-py requirements -o sbom.json

For Java/Maven Projects

Using CycloneDX Maven Plugin:

<!-- Add to pom.xml -->
<plugin>
    <groupId>org.cyclonedx</groupId>
    <artifactId>cyclonedx-maven-plugin</artifactId>
    <version>2.7.9</version>
</plugin>

# Generate SBOM
mvn cyclonedx:makeAggregateBom

See SBOM Guide for comprehensive generation instructions.

---

Troubleshooting

"SBOM validation failed"

• Ensure your file is valid JSON
• Check that it's CycloneDX (look for "bomFormat": "CycloneDX") or SPDX (look for "spdxVersion")
• Verify the file isn't corrupted during upload

"Low quality score"

This is common for first-time uploads. The score reflects:

• Percentage of components with Package URLs (PURLs)
• Percentage of components with SHA-256 hashes
• Percentage of components with supplier information

See SBOM Guide for improvement strategies.

"No vulnerabilities found"

This could mean:

• Your components are up to date (good!)
• Components lack PURLs needed for matching (check quality score)
• Trivy doesn't have data for your components (less common)

---

Next Guide

Continue to Core Concepts to understand:

• What the Cyber Resilience Act requires
• How CRA Evidence maps to those requirements
• The compliance timeline you're working toward