Vulnerability Workflow
This guide explains how CRA Evidence helps you track vulnerabilities, meet ENISA reporting deadlines, and demonstrate "without delay" remediation per CRA requirements.
Overview
CRA requires manufacturers to:
- Identify vulnerabilities in their products (Art. 13.6)
- Remediate without delay (Art. 13.7)
- Report actively exploited vulnerabilities to ENISA (Art. 14)
- Notify users about security issues (Art. 14)
CRA Evidence provides tools to manage all of these requirements.
Automatic Vulnerability Scanning
When you upload an SBOM, CRA Evidence automatically scans it for known vulnerabilities.
How It Works
SBOM Upload --> Component Extraction --> Trivy Scan --> Results Display
|
v
CVE Database Matching
- Component extraction: CRA Evidence parses your SBOM and extracts component identifiers (PURLs)
- Trivy scanning: Components are checked against the Trivy vulnerability database
- Results stored: Vulnerabilities are associated with your SBOM and version
What You'll See
After upload, the version page shows:
- Vulnerability count by severity (Critical, High, Medium, Low)
- Component list with affected components highlighted
- CVE details for each vulnerability
Why SBOM Quality Matters
Vulnerability matching depends on Package URLs (PURLs):
| SBOM Quality | Vulnerability Detection |
|---|---|
| High (80%+ PURL coverage) | Accurate, comprehensive |
| Medium (50-80% PURL) | May miss some vulnerabilities |
| Low (<50% PURL) | Significant gaps in detection |
See SBOM Guide for improving quality.
Understanding Scan Results
Severity Levels
CRA Evidence uses standard severity levels based on CVSS:
| Severity | CVSS Score | Typical Response |
|---|---|---|
| Critical | 9.0-10.0 | Immediate action |
| High | 7.0-8.9 | Urgent, address quickly |
| Medium | 4.0-6.9 | Plan remediation |
| Low | 0.1-3.9 | Address when convenient |
CVE Information
For each vulnerability, CRA Evidence shows:
- CVE ID: e.g., CVE-2024-12345
- Description: What the vulnerability is
- Affected component: Which component in your product
- CVSS score: Severity rating
- References: Links to advisories
ENISA Reporting (Article 14)
CRA requires reporting actively exploited vulnerabilities to ENISA and your national CSIRT.
When Reporting Is Required
Reporting is required when:
- You become aware of an actively exploited vulnerability in your product
- The vulnerability affects products you have placed on the market
"Actively exploited" means someone is actually using the vulnerability to attack systems, not just a theoretical risk.
Reporting Timeline
| Deadline | What You Must Submit |
|---|---|
| 24 hours | Early warning notification |
| 72 hours | Detailed vulnerability report |
| 14 days | Final report (after fix available) |
The clock starts when you become aware of active exploitation.
CRA Evidence Deadline Tracking
When you mark a vulnerability as "actively exploited," CRA Evidence:
- Calculates deadlines (24h, 72h, 14d from discovery)
- Tracks notification status (pending, sent, overdue)
- Alerts you to approaching and missed deadlines
Recording ENISA Notifications
CRA Evidence tracks your notifications for audit purposes:
- Navigate to the vulnerability
- Click Record ENISA Notification
- Select notification type (Early Warning, Detailed, Final)
- Add the notification content
- Save
This creates an audit record showing when you notified authorities.
Note: CRA Evidence does not automatically submit to ENISA. You must submit notifications through the ENISA Single Reporting Platform (available September 2026). CRA Evidence tracks that you did it and when.
Remediation Workflow
CRA Article 13(7) requires fixing vulnerabilities "without delay." CRA Evidence provides a structured workflow to track and demonstrate this.
Remediation Status Lifecycle
NOT STARTED --> IN PROGRESS --> FIXED --> VERIFIED --> RELEASED
| Status | Meaning |
|---|---|
| Not Started | Vulnerability identified, no work begun |
| In Progress | Remediation work has started |
| Fixed (Unverified) | Fix implemented, not yet tested |
| Verified | Fix tested and confirmed working |
| Released | Fix available to customers |
Tracking Remediation
For each affected version:
- Start Remediation: Click "Start Remediation" to record when work began
- Mark Fixed: Record when the fix was implemented
- Verify: Document how you verified the fix (scan, test, review)
- Release: Record when the fix was released to customers
Metrics for "Without Delay" Compliance
CRA Evidence automatically calculates:
- Time to Fix: Hours from discovery to fix implementation
- Time to Release: Hours from discovery to customer availability
These metrics demonstrate your responsiveness to regulators.
Managing Vulnerabilities
Creating Manual Vulnerabilities
Not all vulnerabilities come from scans. To add a manually discovered vulnerability:
- Navigate to Vulnerabilities in the main menu
- Click New Vulnerability
- Enter:
- Title and description
- CVE ID (if assigned)
- Severity
- Affected components
- Discovery source (internal, researcher, advisory)
- Click Create
Linking to Affected Versions
Connect vulnerabilities to specific product versions:
- Open the vulnerability
- Click Add Affected Version
- Select the product and version
- Add notes about how it's affected
False Positives
If a scanner reports a vulnerability that doesn't actually affect your product:
- Review the vulnerability details
- Document why it's not applicable (e.g., affected code path not used)
- Mark as False Positive or use VEX
Using VEX (Vulnerability Exploitability eXchange)
VEX statements document which vulnerabilities actually affect your product:
| VEX Status | Meaning |
|---|---|
| Affected | Vulnerability impacts your product |
| Not Affected | Vulnerability doesn't impact your product |
| Fixed | Vulnerability was fixed |
| Under Investigation | Still analyzing |
VEX can be included in your CycloneDX SBOM or tracked separately.
User Notification
CRA requires notifying users about vulnerabilities and available fixes.
When to Notify Users
- When you release a security update
- When users need to take action
- When a vulnerability may impact their security
Recording User Notifications
CRA Evidence tracks that you notified users:
- Open the vulnerability
- Click Record User Notification
- Enter:
- Notification method (email, advisory, etc.)
- Number of recipients
- Summary of notification content
- Save
Security Advisories
Create formal security advisories for significant vulnerabilities:
- Navigate to Security Advisories
- Click New Advisory
- Link relevant vulnerabilities
- Write advisory content
- Publish when ready
Advisory IDs follow format: SA-YYYY-NNN (e.g., SA-2025-001)
Scheduled Re-scanning
Vulnerabilities are discovered continuously. CRA Evidence can automatically re-scan your SBOMs:
Re-scan Frequency Options
| Option | When It Runs |
|---|---|
| On DB Update | When Trivy database updates (recommended) |
| Daily | Every 24 hours |
| Weekly | Every 7 days |
| Monthly | Every 30 days |
| Disabled | Manual only |
Configuring Re-scans
Organisation admins can configure in Settings > Organisation:
- Enable/disable automatic re-scanning
- Select frequency
- Configure notification preferences
Dashboard and Alerts
Vulnerability Dashboard
The dashboard shows:
- Total vulnerabilities by status
- Critical/High requiring immediate attention
- ENISA deadlines approaching or overdue
- Pending remediations across products
Overdue Alerts
CRA Evidence highlights:
- ENISA notifications past deadline
- Vulnerabilities with no remediation progress
- Old vulnerabilities not yet resolved
Best Practices
- Enable re-scanning: Automatically catch new CVEs in existing components — triage new findings within 24-48 hours.
- Start tracking immediately: Begin the remediation record when work starts; don't skip the verification step before marking fixed.
- Prepare ENISA processes before September 2026: Establish who handles notifications, configure CSIRT contacts, and register for the ENISA Single Reporting Platform when available.
API for Automation
Get Vulnerabilities
curl "https://app.craevidence.com/api/v1/vulnerabilities" \
-H "Authorization: Bearer $API_TOKEN"
Get Pending Remediations
curl "https://app.craevidence.com/api/v1/vulnerabilities/pending-remediations" \
-H "Authorization: Bearer $API_TOKEN"
Start Remediation
curl -X POST "https://app.craevidence.com/api/v1/vulnerabilities/{vuln_id}/versions/{version_id}/remediation/start" \
-H "Authorization: Bearer $API_TOKEN"
See API Overview for the complete API reference.
Key Dates Reminder
| Date | What Happens |
|---|---|
| Now | Build your vulnerability management process |
| September 11, 2026 | ENISA reporting obligations begin |
| December 11, 2027 | Full CRA enforcement |
Next Steps
- Technical File Export - Generate compliance bundles
- FAQ - Common questions answered
Glossary
| Term | Definition |
|---|---|
| CVE | Common Vulnerabilities and Exposures identifier |
| CVSS | Common Vulnerability Scoring System |
| ENISA | EU Agency for Cybersecurity |
| CSIRT | Computer Security Incident Response Team |
| VEX | Vulnerability Exploitability eXchange |
| Trivy | Open-source vulnerability scanner used by CRA Evidence |
Help us improve. What was missing or unclear?