
Product security evidence · 6 min read · Updated May 22, 2026

Product security evidence checklist

A practical checklist for artifacts, decisions, activity history, and product-version records.

For release and compliance reviews

Retain artifacts and decisions together.

Useful product security evidence includes original SBOM uploads, normalized component records, findings review decisions, remediation updates, and timestamps.

Keep evidence tied to product versions.

Product-version context helps teams understand which SBOM, finding, or decision applied to which release or re-analysis cycle.

Audit history should be reviewable.

Reviewers need a clear path from product version to SBOM record, vulnerability handling, remediation status, and activity history.

Product alignment

How CRA Ledger maps this into a workflow

Product-version record

Each released version is recorded with its metadata and serves as the anchor for all evidence attached to it.

SBOM retained

Original formats are retained with source-artifact context.

Vulnerability review tracked

CVE triage decisions document ownership.

Remediation status connected

Fix updates and SLA tracking stay visible.

Decisions & timestamps preserved

Provenance is recorded for every decision.

Readiness evidence summarized

Evidence summaries keep output context reviewable.
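To make the linkage above concrete, here is an added illustration (not CRA Ledger's code; the record shape, field names, sample SBOM and CVE identifiers are all constructed) of one way to keep SBOM, triage, remediation and provenance events tied to a single product-version record, with an integrity check on the retained SBOM and a readiness summary derived only from recorded events:

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    at: str      # ISO-8601 timestamp of the decision or update
    actor: str   # who made it (provenance)
    kind: str    # "sbom_retained", "triage" or "remediation"
    detail: dict


@dataclass
class ProductVersionRecord:
    """Hypothetical evidence record: one per released product version."""
    product: str
    version: str
    sbom_sha256: str = ""   # digest of the original SBOM upload
    sbom_format: str = ""   # format as uploaded, e.g. "cyclonedx-json"
    events: list = field(default_factory=list)

    def retain_sbom(self, sbom_bytes: bytes, fmt: str, actor: str, at: str):
        self.sbom_sha256 = hashlib.sha256(sbom_bytes).hexdigest()
        self.sbom_format = fmt
        self.events.append(Event(at, actor, "sbom_retained",
                                 {"format": fmt, "sha256": self.sbom_sha256}))

    def verify_sbom(self, sbom_bytes: bytes) -> bool:
        # The artifact a reviewer opens later must match what was analysed.
        return hashlib.sha256(sbom_bytes).hexdigest() == self.sbom_sha256

    def triage(self, cve: str, decision: str, owner: str, actor: str, at: str, sla_days: int):
        due = (datetime.fromisoformat(at) + timedelta(days=sla_days)).isoformat()
        self.events.append(Event(at, actor, "triage",
                                 {"cve": cve, "decision": decision, "owner": owner, "due": due}))

    def remediate(self, cve: str, status: str, actor: str, at: str):
        self.events.append(Event(at, actor, "remediation", {"cve": cve, "status": status}))

    def summary(self, as_of: str) -> dict:
        """Latest state per CVE plus overdue fixes; every entry traces to an event."""
        state, due = {}, {}
        for e in sorted(self.events, key=lambda e: e.at):
            if e.kind == "triage":
                state[e.detail["cve"]] = e.detail["decision"]
                due[e.detail["cve"]] = e.detail["due"]
            elif e.kind == "remediation":
                state[e.detail["cve"]] = e.detail["status"]
        open_cves = [c for c, s in state.items() if s not in ("fixed", "not_affected")]
        overdue = [c for c in open_cves if due.get(c, as_of) < as_of]
        return {"version": self.version, "sbom": bool(self.sbom_sha256),
                "open": open_cves, "overdue": overdue}
```

Because the summary is computed from the event list rather than stored separately, a reviewer can walk from the version to the SBOM digest, to each triage decision and its owner, and to the remediation update that closed it.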

Notice

Operational guidance only. Confirm product scope and CRA duties with official sources and advisers.

CRA Ledger supports readiness workflows and evidence organization. It does not guarantee compliance or replace legal advice.
