Troubleshooting
Common issues and solutions for CRA Evidence.
Login and Authentication
I can't log in
Check your email address. Make sure you're using the email associated with your CRA Evidence account. Email addresses are case-insensitive.
Check your password. Use the "Forgot password" link to reset it if needed.
Check MFA. If MFA is enabled, make sure your authenticator app's clock is accurate. TOTP codes are time-sensitive.
Check your organisation. If you're a member of multiple organisations, select the correct one after entering credentials.
MFA code isn't working
TOTP codes change every 30 seconds. Wait for a new code and try again. If codes consistently fail, check that your device's clock is accurate and synced automatically.
If you've lost access to your authenticator app, use a backup code. No backup codes? Contact your organisation administrator to reset your MFA.
I'm locked out of my account
After multiple failed login attempts, accounts are temporarily locked. Wait 15 minutes and try again with the correct credentials.
If you're still locked out, contact your organisation administrator or email support@craevidence.com.
SBOM Uploads
Upload fails with "Invalid format"
CRA Evidence accepts CycloneDX (1.4-1.6) and SPDX (2.3) in JSON format. Common issues:
- Wrong format: XML files aren't supported. Convert to JSON.
- Corrupted file: Re-export the SBOM from your generation tool.
- Missing required fields: Ensure your SBOM has component names and versions.
Upload fails with "Quality score too low"
If your organisation enforces a minimum quality score, SBOMs below the threshold may be rejected. Check Settings > Organisation for the policy.
To improve quality scores:
- Add PURLs (Package URLs) to components
- Include SHA-256 hashes
- Add supplier information
- Include license declarations
SBOM shows "0 components"
The file was parsed but no components were found. This usually means:
- The SBOM is empty or minimal
- The format is valid but the component array is missing
- Your build tool generated a stub file
Regenerate the SBOM ensuring your project has dependencies to document.
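A local pre-upload check for the three SBOM upload problems above (invalid format, low quality score, 0 components), as an added example that is not CRA Evidence code. It handles CycloneDX JSON only; the function name `preflight` and the sample SBOM are constructed here, and the coverage figures only count how many components carry each field listed above, they are not the platform's quality score.

```python
import json

ACCEPTED_CDX = ("1.4", "1.5", "1.6")  # CycloneDX versions listed on this page

# Fields the page says improve the quality score (presence only, not the real score).
QUALITY_FIELDS = {
    "purl": lambda c: bool(c.get("purl")),
    "sha256": lambda c: any(isinstance(h, dict) and h.get("alg") == "SHA-256"
                            for h in (c.get("hashes") or [])),
    "supplier": lambda c: bool(c.get("supplier")),
    "license": lambda c: bool(c.get("licenses")),
}

def preflight(raw: str) -> dict:
    """Check a CycloneDX JSON SBOM for the upload failures described above."""
    report = {"errors": [], "components": 0, "coverage": {}}
    if raw.lstrip().startswith("<"):
        report["errors"].append("XML input: convert to JSON")
        return report
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        report["errors"].append(f"not valid JSON: {exc.msg}")
        return report
    if not isinstance(doc, dict) or doc.get("bomFormat") != "CycloneDX":
        report["errors"].append("not a CycloneDX document")
        return report
    if doc.get("specVersion") not in ACCEPTED_CDX:
        report["errors"].append(f"unsupported specVersion {doc.get('specVersion')!r}")
    comps = doc.get("components")
    comps = [c for c in comps if isinstance(c, dict)] if isinstance(comps, list) else []
    if not comps:
        report["errors"].append("no components: would show as 0 components")
        return report
    report["components"] = len(comps)
    for i, c in enumerate(comps):
        if not c.get("name") or not c.get("version"):
            report["errors"].append(f"component {i}: missing name or version")
    for field, present in QUALITY_FIELDS.items():
        report["coverage"][field] = sum(present(c) for c in comps) / len(comps)
    return report

# Constructed sample SBOM: one well-described component, one stub entry.
SAMPLE = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21",
   "hashes": [{"alg": "SHA-256", "content": "<constructed-digest>"}],
   "licenses": [{"license": {"id": "MIT"}}]},
  {"name": "internal-lib"}]}"""

if __name__ == "__main__":
    print(json.dumps(preflight(SAMPLE), indent=2))
```

Low coverage on `purl` also explains weak vulnerability matching, since matching relies on Package URLs.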
Duplicate SBOM warning
When you upload an SBOM with the same hash as an existing one, you'll see a warning. This prevents accidental duplicates. If you intentionally want to re-upload, delete the existing SBOM first or confirm you want a duplicate.
Vulnerability Scanning
No vulnerabilities found for known vulnerable components
Vulnerability matching depends on accurate component identification. Issues include:
- Missing PURLs: Without Package URLs, matching is less reliable
- Database lag: New CVEs take time to appear in vulnerability databases
- Name variations: "lodash" vs "@types/lodash" are different packages
Ensure your SBOM generator includes PURLs for better matching.
Too many vulnerabilities showing
If you're seeing vulnerabilities that don't actually affect your product, use VEX statements to mark them as "Not Affected" with an appropriate justification. This cleans up your vulnerability view while maintaining an audit trail.
Vulnerability status resets after rescan
When you rescan an SBOM with newer vulnerability data, new vulnerabilities appear as "new". Your existing VEX statements and manual triaging are preserved for known vulnerabilities.
Technical File Export
Export is missing documents
Technical file exports include:
- SBOMs (must be uploaded)
- Compliance documents (must be uploaded)
- VEX statements (auto-included)
- Metadata (auto-generated)
If expected content is missing, check that it's actually uploaded to the version you're exporting.
Export fails with timeout
Large exports (many products, many SBOMs) may time out. Try:
- Exporting one product at a time
- Reducing included versions
- Selecting only current/supported versions
ZIP file is corrupted
If the download was interrupted, try again. Large files on slow connections may fail. If the problem persists, contact support.
API and CLI
API key not working
- Check the key is active (not revoked)
- Check the key hasn't expired
- Verify you're using the correct format:
  Authorization: Bearer cra_...
- Ensure the key has required scopes for your operation
Rate limit exceeded
API calls are rate limited. If you hit the limit:
- Wait and retry (limits reset per minute)
- Reduce request frequency
- Contact us if you need higher limits for legitimate use cases
CLI authentication fails
The CLI reads credentials from CRA_EVIDENCE_API_KEY (environment variable), --api-key (flag), or ~/.cra-evidence/config.yaml. Verify:
- The key is set as CRA_EVIDENCE_API_KEY (not CRA_API_KEY; that's a common CI/CD secret name, not a CLI variable)
- The key has the required scope for your operation (see CLI Reference)
- You can reach api.craevidence.com from your network
- If using Docker, the env var is passed into the container:
  -e CRA_EVIDENCE_API_KEY=$YOUR_SECRET
Organisation and Teams
Can't see a product
Products may be restricted by team membership. If you can't see a product:
- Check if it belongs to a team you're not on
- Ask a team lead to add you
- Ask an admin if you should have access
Can't change settings
Most settings require Admin or Owner role. Check your role in the user menu. Ask an admin to upgrade your access if needed.
Can't invite members
Only Admins and Owners can invite new members. If you're a Member or Viewer, ask an admin to send invitations on your behalf.
Performance Issues
Dashboard loads slowly
Large organisations with many products may experience slower dashboards. Try:
- Using filters to reduce displayed items
- Closing browser tabs to free memory
- Checking your internet connection
SBOM parsing is slow
Very large SBOMs (10,000+ components) take longer to process. This is normal. Processing happens asynchronously; you'll be notified when complete.
Browser Compatibility
CRA Evidence works best with modern browsers:
- Chrome (last 2 versions)
- Firefox (last 2 versions)
- Safari (last 2 versions)
- Edge (last 2 versions)
If you experience issues on older browsers, update to a current version.
Getting More Help
If your issue isn't covered here:
- Check the relevant documentation page for your feature
- Search the FAQ for common questions
- Contact support at support@craevidence.com with:
  - What you're trying to do
  - What's happening instead
  - Any error messages you see
  - Your browser and operating system
Related Documentation
- FAQ for common questions
- Quickstart Guide for getting started
- API Overview for API issues
- CLI Reference for CLI issues