OpenChainGraph Suite · ART-139 · wave 25

CRA Annex I Completeness Checker

Assess the EU CRA (Regulation 2024/2847) Annex I essential requirements subset: machine-readable SBOM, top-level dependency coverage, vulnerability handling policy, secure-by-default, and selected conformity route. Outputs gaps list and route verdict. Second node of the cra-product-conformance chain.

EU CRA 2024/2847Annex IConformity AssessmentFull applicability Dec 2027W3C VC §13.11PDF ExportZero PII

🔒 All inputs are processed locally in your browser. No data is transmitted. Do not enter real personal data — use synthetic or anonymised inputs only.

Scope

Second node of the cra-product-conformance chain (art-138→139→140). Assesses the CRA Annex I essential requirements checklist for a product: is an SBOM present and machine-readable, do top-level dependencies appear in the SBOM, is there a vulnerability handling policy, is the product secure by default, and has a valid conformity route been selected. Penalty for non-compliance: up to €15M or 2.5% of global annual turnover. Full applicability 11 Dec 2027; vulnerability reporting (Article 14) applies from 11 Sep 2026.

Presets

Annex I Checklist

SBOM present

A software bill of materials exists for this product

SBOM machine-readable

SBOM is in a machine-readable format (CycloneDX or SPDX)

Top-level dependencies covered

All top-level dependencies appear in the SBOM

Vulnerability handling policy present

A documented policy for handling reported vulnerabilities exists

Secure by default

Product ships with secure-by-default configuration (Annex I §1.2)

Conformity route

Result

Execution Hash & §4 Artifact

SHA-256 execution hash (JCS canonical — RFC 8785):

Chain Handoff → art-140

Pass the execution_hash above as parent_hashes[1] when calling assess_cra_vuln_reporting_readiness (art-140) to complete the cra-product-conformance chain.