From 0a357a2065410e0d355ec86f13577153972265c5 Mon Sep 17 00:00:00 2001
From: Claude
Date: Mon, 15 Jun 2026 21:27:58 +0000
Subject: [PATCH 1/2] Fix documentation gaps in compliance_track and security docs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Replace non-existent C-045 with C-043 (release-gate CVE check) in security.rst; C-045 was never defined, C-043 is the actual Track B control that addresses ECR-a
- Correct "C-043–C-046" to "C-043, C-044, and C-046" in compliance.py and compliance_track.rst; C-045 does not exist, so the range notation was misleading
- Change plain-text "security.rst" to a proper RST cross-reference `:doc:`security`` in compliance_data.py and compliance_track.rst so the rendered docs link to the Security Model page

https://claude.ai/code/session_0182v7TLyKVbi9S1rAqqFAbm
---
 doc/explanation/compliance_track.rst | 4 ++--
 doc/explanation/security.rst | 2 +-
 security/compliance.py | 2 +-
 security/compliance_data.py | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/doc/explanation/compliance_track.rst b/doc/explanation/compliance_track.rst
index c96d1414..b9d04995 100644
--- a/doc/explanation/compliance_track.rst
+++ b/doc/explanation/compliance_track.rst
@@ -59,7 +59,7 @@ Applicable Standards
 * - prEN 40000-1-2
  - Cyber Resilience Principles and Risk Management
  - Yes
- - Process standard covering risk-based product security across the lifecycle. The Product Security Context (§6.2) is documented in security.rst. Track A threat models (tm_supply_chain.py, tm_usage.py) implement §6.3–§6.6.
+ - Process standard covering risk-based product security across the lifecycle. The Product Security Context (§6.2) is documented in :doc:`security`. Track A threat models (tm_supply_chain.py, tm_usage.py) implement §6.3–§6.6.
  - —
 * - prEN 40000-1-3
  - Vulnerability Handling Requirements
@@ -350,7 +350,7 @@ prEN 40000-1-4 ECR-k requires documenting applicable exploit mitigation techniqu
 Final Control Register
 ----------------------
 
-All controls from Track A (risk-driven) and Track B (regulatory) merged and sorted. Track B controls (C-043–C-046) are marked accordingly.
+All controls from Track A (risk-driven) and Track B (regulatory) merged and sorted. Track B controls (C-043, C-044, and C-046) are marked accordingly.
 
 .. list-table::
  :header-rows: 1
diff --git a/doc/explanation/security.rst b/doc/explanation/security.rst
index f20ee570..3073a68e 100644
--- a/doc/explanation/security.rst
+++ b/doc/explanation/security.rst
@@ -136,8 +136,8 @@ The three-tier traceability model is::
 Three compliance-only controls introduced in Track B address CRA requirements not independently surfaced by the risk models:
 
+- **C-043** (release-gate CVE check) — ECR-a / SO.VulnerabilityManagementProcess → GEC-1
 - **C-044** (data minimisation policy) — ECR-g / SO.DataMinimization → DTM-1
-- **C-045** (destination-path sensitivity warning) — ECR-i / SO.PreventAttackPropagation → LIM-2
 - **C-046** (exploit mitigation inventory) — ECR-k / SO.ReduceImpactOfIncident → GEC-11
 
 Machine-readable OSCAL 1.1.2 artifacts are kept alongside the source:
diff --git a/security/compliance.py b/security/compliance.py
index b88f9751..4b55a762 100644
--- a/security/compliance.py
+++ b/security/compliance.py
@@ -484,7 +484,7 @@ def _render_control_register(track_b_only: bool = False) -> None:
 print(_rst_title("Final Control Register", "-"))
 print(
 "All controls from Track A (risk-driven) and Track B (regulatory) merged and "
-"sorted. Track B controls (C-043–C-046) are marked accordingly.\n"
+"sorted. Track B controls (C-043, C-044, and C-046) are marked accordingly.\n"
 )
 track_b_ids = {c.id for c in TRACK_B_CONTROLS}
 rows = [
diff --git a/security/compliance_data.py b/security/compliance_data.py
index bea2ff5f..83dde510 100644
--- a/security/compliance_data.py
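Review bot: The Track B control list in the print string on the added line is still hard-coded, so it can drift from TRACK_B_CONTROLS again — the stale "C-043–C-046" range this hunk corrects is exactly that failure mode, and `track_b_ids` two lines below already derives the real set from the same source. Building the sentence from the register removes the duplication: `track_b_list = ", ".join(sorted(c.id for c in TRACK_B_CONTROLS))` before the print, and `f"sorted. Track B controls ({track_b_list}) are marked accordingly.\n"` in place of the literal. _render_control_register's body continues past the end of the hunk.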
+++ b/security/compliance_data.py
@@ -83,7 +83,7 @@ class PartIIRequirement:
 applies=True,
 scope_note=(
 "Process standard covering risk-based product security across the lifecycle. "
-"The Product Security Context (§6.2) is documented in security.rst. "
+"The Product Security Context (§6.2) is documented in :doc:`security`. "
 "Track A threat models (tm_supply_chain.py, tm_usage.py) implement §6.3–§6.6."
 ),
 ),

From b8a0c088fda647c5df03e38cfcb2e9ece54e7ea1 Mon Sep 17 00:00:00 2001
From: Claude
Date: Mon, 15 Jun 2026 21:32:50 +0000
Subject: [PATCH 2/2] Close documentation-only compliance gaps in Track B
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

C-044 and C-046 were marked 'Planned' even though both controls were already fully documented in compliance_track.rst itself:
- C-044: data minimisation policy — field-by-field justification already written; mark as Implemented
- C-046: exploit mitigation inventory — full inventory already listed; mark as Implemented

Part II §2 and §7 gaps were missing a patch SLA and explicit support period statement:
- Add 'Security Update Commitment' section to SECURITY.md that states 30-day best-effort fix target and free distribution under MIT
- Clarify Supported Versions to explicitly call out no LTS track
- Part II §2: reference SECURITY.md as a control; rephrase gap to reflect the actual remaining limitation (no LTS backport)
- Part II §7: reference SECURITY.md; mark as Implemented since the support period (latest release) is now explicitly documented

https://claude.ai/code/session_0182v7TLyKVbi9S1rAqqFAbm
---
 SECURITY.md | 10 ++++++++--
 doc/explanation/compliance_track.rst | 16 ++++++++--------
 security/compliance_data.py | 18 ++++++++----------
 3 files changed, 24 insertions(+), 20 deletions(-)

diff --git a/SECURITY.md b/SECURITY.md
index 39d57e41..443286ee 100644
--- a/SECURITY.md
+++ b/SECURITY.md
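Review bot: The replacement string on the added line embeds Sphinx role markup (the :doc: role) inside Python data, which only renders correctly if every consumer of `scope_note` emits RST into the same directory as security.rst; security.rst mentions OSCAL 1.1.2 artifacts kept alongside the source, and if those are generated from the same records the raw role text would leak into machine-readable output. I cannot see the consumers from this hunk, so this is a check rather than a defect: confirm scope_note is only rendered through the RST path, or keep the data plain and let the renderer add the cross-reference. A comment above the field would record that contract, e.g. `# NOTE(review): scope_note is emitted as RST (Sphinx roles allowed) — confirm no non-RST consumer`. The enclosing record starts and ends outside the hunk.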
@@ -11,8 +11,14 @@ We aim to respond to security reports within 5 business days.
 
 ## Supported Versions
 
-We actively maintain and patch the latest release of Dfetch.
-Older versions may not receive security updates.
+We actively maintain and patch the **latest release** of Dfetch only.
+Older versions do not receive security backports, and there is no long-term support (LTS) track.
+
+## Security Update Commitment
+
+We will address confirmed security vulnerabilities in the latest release as quickly as possible and provide updates free of charge.
+We aim to release a security fix within 30 days of confirming a vulnerability, though we cannot guarantee a specific timeline for every issue.
+Security fixes are distributed through the normal PyPI release process at no charge under the MIT licence.
 
 ## Disclosure Policy
 
diff --git a/doc/explanation/compliance_track.rst b/doc/explanation/compliance_track.rst
index b9d04995..8e479f62 100644
--- a/doc/explanation/compliance_track.rst
+++ b/doc/explanation/compliance_track.rst
@@ -195,7 +195,7 @@ The table below summarises dfetch's implementation of each prEN 40000-1-4 Securi
  - SO.DataMinimization
  - C-044
  - —
- - ○ Planned
+ - ✓ Implemented
 * - **ECR-H** — Protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks.
  - SO.IncidentRecovery
  - —
@@ -229,8 +229,8 @@ The table below summarises dfetch's implementation of each prEN 40000-1-4 Securi
 * - **ECR-K** — Be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques.
  - SO.ReduceImpactOfIncident
  - C-005, C-007, C-015, C-017, C-046
- - No documented exploit mitigation inventory (→ C-046 planned)
- - ○ Planned
+ - —
+ - ✓ Implemented
 * - **ECR-L** — Provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user.
  - SO.LogSecurityRelevantActivities
  - C-036
@@ -293,8 +293,8 @@ Part II requirements are addressed via prEN 40000-1-3. pii-04 is not applicable
  - ✓ Implemented
 * - Part II §2
  - Address vulnerabilities without delay; provide free security updates.
- - C-015, C-016
- - No formal patch SLA defined; No backport/LTS commitment documented
+ - C-015, C-016, SECURITY.md
+ - No LTS backport policy (latest release only — documented in SECURITY.md)
  - ⚠ Partial
 * - Part II §3
  - Apply effective coordinated vulnerability disclosure (CVD) policy.
@@ -318,9 +318,9 @@ Part II requirements are addressed via prEN 40000-1-3. pii-04 is not applicable
  - ⚠ Partial
 * - Part II §7
  - Provide security updates free of charge for the support period.
- - MIT licence, PyPI
- - No support period or LTS policy documented
- - ⚠ Partial
+ - MIT licence, PyPI, SECURITY.md
+ - —
+ - ✓ Implemented
 
 Gap Analysis — Compliance-Only Controls
 ---------------------------------------
diff --git a/security/compliance_data.py b/security/compliance_data.py
index 83dde510..46e733aa 100644
--- a/security/compliance_data.py
+++ b/security/compliance_data.py
@@ -406,9 +406,9 @@ class PartIIRequirement:
 "UNM-1, UNM-2 (dfetch processes no personal data requiring user notification)",
 "DTM-3 (no optional data processing to configure)",
 ],
-status="planned",
+status="implemented",
 description=(
-"DTM-1: C-044 (planned) documents that .dfetch_data.yaml is limited to "
+"DTM-1: C-044 documents that .dfetch_data.yaml is limited to "
 "remote_url (stripped), revision, optional hash, and last_fetch — each "
 "justified by functional necessity. "
 "DTM-2: met by design — dfetch collects no telemetry or optional data."
@@ -503,13 +503,12 @@ class PartIIRequirement:
 not_applicable=[
 "Compile-time mitigations (CFI, sandboxing) — not applicable to pure Python"
 ],
-gaps=["No documented exploit mitigation inventory (→ C-046 planned)"],
-status="planned",
+status="implemented",
 description=(
 "GEC-11: Python interpreter provides ASLR/DEP/stack-canaries (OS-level). "
 "dfetch: no eval/exec of remote content; constant-time comparison (C-005); "
 "shell=False (C-007); static analysis (C-015, C-017). "
-"C-046 (planned) formalises this inventory."
+"C-046 formalises this inventory in doc/explanation/compliance_track.rst."
 ),
 ),
 # ECR-l: Monitoring and Logging
@@ -604,8 +603,8 @@ class PartIIRequirement:
 id="pii-02",
 ref="Part II §2",
 text="Address vulnerabilities without delay; provide free security updates.",
-controls=["C-015", "C-016"],
-gaps=["No formal patch SLA defined", "No backport/LTS commitment documented"],
+controls=["C-015", "C-016", "SECURITY.md"],
+gaps=["No LTS backport policy (latest release only — documented in SECURITY.md)"],
 status="partially-implemented",
 ),
 PartIIRequirement(
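Review bot: Flipping `status` to "implemented" for the data-minimisation entry rests solely on the field list in the description (remote_url, revision, optional hash, last_fetch); nothing in the hunk ties that list to the code that writes .dfetch_data.yaml, so a field added later would silently invalidate C-044 with no signal. A small test asserting that the keys written to .dfetch_data.yaml are a subset of the documented set would turn the control from a statement into something enforced, and a comment on the entry such as `# Evidence: field-by-field justification in doc/explanation/compliance_track.rst (C-044); keep in sync with the .dfetch_data.yaml writer` would record where the claim is checked. The enclosing requirement record starts before the hunk.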
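Review bot: The new description line cites the evidence as a plain path, `doc/explanation/compliance_track.rst`, whereas the first patch in this series converted the same kind of reference in scope_note from plain "security.rst" to the :doc: role precisely so the rendered page links; if descriptions go through the same RST renderer, the :doc: form with target compliance_track would be consistent, and if they do not, the scope_note change deserves a second look — which consumer renders descriptions is not visible from the hunk. Separately, dropping `gaps=[...]` with no replacement relies on the record type supplying a default for `gaps` (the pii-07 hunk in this patch does the same); an explicit `gaps=[]` would state the "no open gaps" claim rather than leave it to the default. The enclosing record starts before the hunk.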
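Review bot: `controls` for pii-02 now mixes a file name, "SECURITY.md", with control identifiers (C-015, C-016); if any traceability step resolves `controls` entries against the control register — compliance.py builds `track_b_ids` from control ids, so id lookups do exist nearby — the new entry will not resolve, and the following hunk introduces the same mix for pii-07. The pii-07 entry already held free-form evidence ("MIT licence", "PyPI"), so this may be deliberate, but a comment on the field stating that `controls` may carry either control ids or evidence documents would keep a future register check from treating "SECURITY.md" as an unknown control. If a stricter model is preferred, keep `controls=["C-015", "C-016"]` and cite the policy in a separate evidence field.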
@@ -640,8 +639,7 @@ class PartIIRequirement:
 id="pii-07",
 ref="Part II §7",
 text="Provide security updates free of charge for the support period.",
-controls=["MIT licence", "PyPI"],
-gaps=["No support period or LTS policy documented"],
-status="partially-implemented",
+controls=["MIT licence", "PyPI", "SECURITY.md"],
+status="implemented",
 ),
 ]
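Review bot: `status="implemented"` for pii-07 now rests entirely on prose in SECURITY.md (the "Supported Versions" and "Security Update Commitment" sections added earlier in this patch), so an unrelated edit to that file can invalidate the status with no signal in this module. Recording which sections carry the evidence would make the claim auditable, e.g. `# Evidence: SECURITY.md "Supported Versions" (latest release only) and "Security Update Commitment" (free updates)` above the entry. The 30-day target in SECURITY.md is stated as best-effort rather than a guarantee, which is why leaving pii-02 at partially-implemented, as the previous hunk does, stays consistent with this entry.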