Commit 754d7340 authored by Valerie Aurora's avatar Valerie Aurora

Update NKEV requirements to add testing and documentation options

parent 79c57a19
+46 −15
@@ -637,18 +637,19 @@ _Description of mitigation implementing the requirement in "shall" format._

This section is a list of technical requirements necessary to satisfy the CRA essential requirements. Each technical requirement can be satisfied by one or more potential mitigations. Each mitigation may or may not be appropriate for an individual use case. The following section will define which mitigations will be required, depending on risk factors and/or a use case. See Annex C for more information.

### 5.2.X **TR-NKEV**: No known exploited vulnerabilities at first use
### 5.2.X **TR-NKEV**: No known exploitable vulnerabilities at first use

#### 5.2.X.x Requirement

Recognizing that there may be vulnerabilities discovered between the time that a product is placed on the market and the time of that product's first use, and that the product should be free from known vulnerabilities both when first made available and when first used by a consumer, the manufacturer shall ensure that the product can be updated at the time of first use to address all known exploited vulnerabilities which were discovered after the product's placement on the market and before that first use.

#### 5.2.X.x **MI-KEVD**: No known exploited vulnerabilities after secure update
#### 5.2.X.x **MI-KEVD**: Documentation for secure update before or during first use

The product shall be accompanied by documentation describing how the product may be securely updated, including how to update the product prior to, or as part of, first use.

Guidance: This may include informing the user about automatic secure updates.

  * Applicability: Product expected use is long enough to require updates
  * Reference: TR-NKEV
  * Objective: Prevent exploitation of known exploited vulnerabilities
  * Preparation: Examine public or private vulnerability information sources and select a recently fixed vulnerability (preferably the most recently fixed)
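Review bot: the TR-NKEV heading is renamed from "known exploited" to "known exploitable", but the requirement paragraph under it still obliges the manufacturer to make the product updatable "to address all known exploited vulnerabilities", and the MI-KEVD Objective bullet still reads "Prevent exploitation of known exploited vulnerabilities". The two terms differ in scope (a vulnerability can be exploitable with no known exploitation), so either reword the requirement and the objective to match the new heading or keep the old heading; the rename should not leave the normative sentence and its title disagreeing. Note also that MI-KEVD is retitled as a pure documentation mitigation ("Documentation for secure update before or during first use") while its Preparation bullet still has the tester "select a recently fixed vulnerability" to check, so either the title should keep its verification aspect or that check belongs with the new testing mitigation.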
@@ -656,31 +657,61 @@ Guidance: This may include informing the user about automatic secure updates.
  * Verdict: If the secure update completes successfully, the most recently fixed vulnerability is fixed, and the documentation includes all the required information => PASS, otherwise FAIL
  * Evidence: Documentation of vulnerability handling, documentation of how to securely update the product, the report for the selected vulnerability, description of how to scan for the vulnerability, log of vulnerability scan results

#### 5.2.X.x **MI-SCAN**: No easily scannable exploitable vulnerabilities
#### 5.2.X.x **MI-KEVM**: Documentation of mitigation of known exploitable vulnerabilities

The product's development and release process shall include a process to document known exploitable vulnerabilities in the product and their fixes or mitigations. The documentation for this process shall be compliant with the process described in FIXME PT3 REFERENCE. The product shall be compliant with this requirement if it:

1. has no known exploitable vulnerabilities
1. has known exploitable vulnerabilities whose age is consistent with the manufacturer's documentation of how long vulnerabilities may go unfixed after public disclosure
1. for each detected vulnerability, has documentation of how the risk has been mitigated

  * Reference: TR-NKEV
  * Objective: Prevent exploitation of known exploited vulnerabilities
  * Preparation: Compile a list of known exploitable vulnerabilities in the product and its components
  * Activities: Compare the generated list of known exploitable vulnerabilities with the documentation of the known exploitable vulnerabilities that have been fixed or mitigated in the product
  * Verdict: No vulnerabilities found, or all reported vulnerabilities satisfy either the age or documentation requirement => PASS, otherwise FAIL
  * Evidence: Documented vulnerability handling policy, list of vulnerabilities, documentation of mitigations or age of vulnerability, correlation of list of vulnerabilities with documentation of mitigations or age of vulnerablity

#### 5.2.X.x **MI-KEVT**: Testing for known exploitable vulnerabilities

If automatable and freely-usable vulnerability scanners are available for the product, then the product shall satisfy the following with respect to the three (or fewer, if fewer than three are avilable) most comprehensive of such scanners.
The product shall be tested for all known exploitable vulnerabilities to demonstrate that each has been mitigated. The product shall be compliant with this requirement if it:

1. have no vulnerabilities discovered by scans
1. have discoverable vulnerabilities whose age is consistent with the manufacturer's documentation of how long vulnerabilities may go unfixed after public disclosure
1. for each detected vulnerability, have publicly available documentation explaining how the risk has been mitigated
1. has no known exploitable vulnerabilities
1. has known exploitable vulnerabilities whose age is consistent with the manufacturer's documentation of how long vulnerabilities may go unfixed after public disclosure
1. for each tested vulnerability, the test result shows that the vulnerability has been mitigated

  * Reference: TR-NKEV
  * Objective: Prevent exploitation of known exploited vulnerabilities
  * Preparation: Compile a list of known exploitable vulnerabilities in the product and its components and the list of known exploitable vulnerabilities that will be tested
  * Activities: Run the tests and compare the results with the generated list of known exploitable vulnerabilities
  * Verdict: No vulnerabilities found, or all reported vulnerabilities satisfy either the age or testing requirement => PASS, otherwise FAIL
  * Evidence: Documented vulnerability handling policy, list of vulnerabilities, test results for each vulnerability or documentation of age of vulnerability, correlation of list of vulnerabilities with test results or documentation of age of vulnerablity

#### 5.2.X.x **MI-SCAN**: No easily scannable known exploitable vulnerabilities

If automatable and freely-usable vulnerability scanners are available for the product, then the product shall satisfy the following with respect to the three (or fewer, if fewer than three are avilable) most comprehensive of such scanners:

1. has no vulnerabilities discovered by scans
1. has discoverable vulnerabilities whose age is consistent with the manufacturer's documentation of how long vulnerabilities may go unfixed after public disclosure
1. for each detected vulnerability, has publicly available documentation explaining how the risk has been mitigated

  * Reference: TR-NKEV
  * Objective: Prevent exploitation of known vulnerabilities
  * Preparation: Select up to three vulnerability scanners meeting the requirements
  * Activities: On a new product, carry out a secure update, run the selected scanners on the product, and examine the documentation for any reported vulnerabilities
  * Preparation: Select a set of tools meeting the requirements
  * Activities: On a new product, carry out a secure update, run the tools on the product, and examine the documentation for any reported vulnerabilities
  * Verdict: No vulnerabilities found, or all reported vulnerabilities satisfy either the age or documentation requirement => PASS, otherwise FAIL
  * Evidence: Documented vulnerability handling policy, list of vulnerability scanners selected, reports from each scanner, correlation of reports of discovered vulnerabilities with documentation of mitigations

| Risk factors                               | Requires mitigations |
|---------------------------------------|----------------------|
| max(SFT, NET, SDS, SDT, FUN, DOS) < 1 | none                 |
| max(SFT, NET, SDS, SDT, FUN, DOS) < 2 | KEVD                 |
| all others                            | KEVD, SCAN           |
|--------------------------------------------|----------------------|
| max(PHY, SFT, NET, SDS, SDT, FUN, DOS) < 1 | KEVD                 |
| max(PHY, SFT, NET, SDS, SDT, FUN, DOS) < 2 | KEVD, KEVL           |
| all others                                 | KEVD, (KEVT or SCAN) |

| Security Profile | Requires mitigations |
|------------------|----------------------|
| WD-1, WL-1, VI-1 | KEVD                 |
| all others       | KEVD, SCAN           |
| all others       | KEVD, (KEVT or SCAN) |

### 5.2.X **TR-SSDD**: Secure design and development
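Review bot: the risk-factor table now requires "KEVD, KEVL" for the max(...) < 2 row, but no MI-KEVL is defined anywhere in this section; the mitigations added here are KEVM, KEVT and SCAN, and KEVM is otherwise required by neither table, so this reads as a typo for KEVM. Further points in this hunk: (a) MI-KEVM still carries "FIXME PT3 REFERENCE" and should not merge with that placeholder; (b) MI-KEVM and MI-KEVT each say "The product shall be compliant with this requirement if it:" followed by three criteria without stating whether one suffices, while both Verdict bullets treat them as alternatives ("either the age or documentation requirement", "either the age or testing requirement"); "if any of the following holds" would remove the ambiguity; (c) the MI-SCAN Preparation bullet is loosened from "Select up to three vulnerability scanners meeting the requirements" to "Select a set of tools meeting the requirements", but the requirement sentence above it still fixes the set as the three most comprehensive freely-usable scanners, so the tester no longer has an instruction that matches the requirement; (d) "avilable" (MI-SCAN) and "vulnerablity" (Evidence bullets of MI-KEVM and MI-KEVT) are misspelled.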