The European Parliament approved the EU's Cyber Resilience Act (CRA) on March 12th.
The CRA relies on the Software Bill of Materials (SBOM) to describe, record and monitor the security of a product, so a formal document spelling out the CRA's compliance requirements, including every SBOM-specific requirement, is expected soon.
In anticipation of the CRA's adoption, however, Germany's Federal Office for Information Security (BSI) has already been working to clarify SBOM requirements. Its Technical Guideline TR-03183, Cyber Resilience Requirements for Manufacturers and Products, Part 2: Software Bill of Materials (SBOM), has been available since November 28th.
The 17-page requirements document is published here.
Its key requirements can be summed up as follows:
Licenses must be given as SPDX license expressions. A license that is not on the SPDX License List is referenced with a LicenseRef- identifier, either LicenseRef-scancode- (the prefix ScanCode uses for its license identifiers) or LicenseRef-<unique-inventorying-entity> (an identifier minted by the entity producing the inventory), so that the expression still satisfies the SPDX license expression syntax.
Technical Guideline TR-03183 is an important step toward clarifying exactly what software builders need to do to meet the CRA. However, several questions remain open.
Without CPE or PURL as a required identifier, deriving vulnerability reports from the SBOM is error-prone: a component recorded only by name and version cannot be matched reliably against vulnerability databases.
The guideline uses 'scope of delivery' to define how deep the enumeration of transitive components must go, but it gives no guidance on what an acceptable 'scope of delivery' is.
The guideline explicitly acknowledges that the method for computing a SHA-256 hash over source code has yet to be specified.
The guideline calls for including all transitive components recursively, but it does not explicitly require recording the relationships among those components. In our experience, missing or skipped relationships are a common problem with SBOM generators and undermine the use of SBOMs for vulnerability management.
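The three gaps above (license expressions that must be SPDX-conformant, components with no PURL or CPE, and components that appear in the inventory but in no relationship) can all be caught by a lint pass over the SBOM before it ships. The script below is an added example written for this post; it is not BSI's conformance test and not taken from any SBOM tool. It reads a CycloneDX JSON document (the real fields: metadata.component, components, dependencies with ref/dependsOn, and license entries with an expression), and the SBOM, the miniature SPDX license list, and the pass/fail rules are constructed here for illustration.

```python
"""Lint a CycloneDX SBOM for the gaps discussed above (added example)."""
import json
import re

# Constructed sample SBOM: c2 has no purl/cpe, c4 has a licence that is
# neither on the SPDX list nor a LicenseRef, and no dependency points at c4.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "example-app", "version": "1.0"}},
    "components": [
        {"bom-ref": "c1", "name": "libfoo", "version": "2.3.1",
         "purl": "pkg:generic/libfoo@2.3.1",
         "licenses": [{"expression": "MIT OR Apache-2.0"}]},
        {"bom-ref": "c2", "name": "libbar", "version": "0.9",
         "licenses": [{"expression": "LicenseRef-scancode-proprietary-license"}]},
        {"bom-ref": "c3", "name": "libbaz", "version": "4.0",
         "purl": "pkg:generic/libbaz@4.0",
         "licenses": [{"expression": "GPL-2.0-only WITH Classpath-exception-2.0"}]},
        {"bom-ref": "c4", "name": "libqux", "version": "1.1",
         "cpe": "cpe:2.3:a:qux:libqux:1.1:*:*:*:*:*:*:*",
         "licenses": [{"expression": "Proprietary"}]},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["c1", "c2"]},
        {"ref": "c1", "dependsOn": ["c3"]},
    ],
})

# Stand-in for the SPDX License List; a real check loads the full list.
KNOWN_SPDX_IDS = {"MIT", "Apache-2.0", "GPL-2.0-only", "BSD-3-Clause"}
KNOWN_EXCEPTIONS = {"Classpath-exception-2.0"}
# Licences not on the list must be LicenseRef-<idstring>, which covers both
# LicenseRef-scancode-<id> and LicenseRef-<unique-inventorying-entity>-<id>.
LICENSEREF_RE = re.compile(r"^LicenseRef-[A-Za-z0-9.-]+$")
TOKEN_RE = re.compile(r"[A-Za-z0-9.+-]+")


def license_expression_ok(expr):
    """True if every operand of an SPDX expression is a listed id or a LicenseRef."""
    tokens = TOKEN_RE.findall(expr.replace("(", " ").replace(")", " "))
    if not tokens:
        return False
    ok, expect_exception = True, False
    for tok in tokens:
        if tok in ("AND", "OR"):
            continue
        if tok == "WITH":
            expect_exception = True        # next token must be an exception id
            continue
        if expect_exception:
            ok = ok and tok in KNOWN_EXCEPTIONS
            expect_exception = False
            continue
        base = tok[:-1] if tok.endswith("+") else tok   # "GPL-2.0+" style operand
        ok = ok and (base in KNOWN_SPDX_IDS or bool(LICENSEREF_RE.match(base)))
    return ok and not expect_exception     # a trailing WITH is malformed


def lint_sbom(sbom_json):
    """Return {check: [bom-refs]} for the three gaps discussed in the article."""
    bom = json.loads(sbom_json)
    findings = {"bad_license": [], "no_identifier": [], "unreferenced": []}
    # Relationship check: every component should be reachable from the
    # product component by walking the dependency graph.
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    reachable, stack = set(), [bom["metadata"]["component"]["bom-ref"]]
    while stack:
        ref = stack.pop()
        if ref not in reachable:
            reachable.add(ref)
            stack.extend(edges.get(ref, []))
    for comp in bom.get("components", []):
        ref = comp["bom-ref"]
        # Only the "expression" form is checked here; the {"license": {"id": ..}}
        # form would need the same id lookup.
        for lic in comp.get("licenses", []):
            expr = lic.get("expression")
            if expr is not None and not license_expression_ok(expr):
                findings["bad_license"].append(ref)
        if not (comp.get("purl") or comp.get("cpe")):
            findings["no_identifier"].append(ref)
        if ref not in reachable:
            findings["unreferenced"].append(ref)
    return findings


if __name__ == "__main__":
    for check, refs in lint_sbom(SAMPLE_SBOM).items():
        print(f"{check}: {refs}")
```

On the sample, the lint reports c4 under bad_license (a bare "Proprietary" is neither a listed SPDX id nor a LicenseRef), c2 under no_identifier, and c4 under unreferenced: c4 is inventoried but nothing depends on it, which is exactly the missing-relationship case that makes a vulnerability in c4 impossible to attribute to a delivered product. Treating an unreferenced component as a finding rather than silently accepting it is a choice made here; the guideline itself does not require the relationships.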