CRA Evidence Pack (buyer-facing)

A realistic product artifact preview using fictional AcmeHR SaaS data. It shows how confidence, evidence, missing proof, owner approval, and review status travel with generated content.

CRA Evidence Pack · v3

AcmeHR API for Compliance Teams

Product · CRA Important Class I · Generated 21 May 2026

PDF

Cover

XLSX

SBOM + Vulns

README

Gaps

Manufacturer

AcmeHR SaaS Ltd.

Recorded

Annex I class

Important — Class I

Recorded

Conformity route

Internal control (Module A)

Recorded

SBOM coverage

5 of 5 components inventoried

Component	Version	License	Type	Last scan
rails	8.0.2	MIT	ruby-gem	19 May 2026
pg	1.5.6	BSD-2-Clause	ruby-gem	19 May 2026
react	18.3.1	MIT	npm	19 May 2026
openssl (linked)	3.2.1	Apache-2.0	system	19 May 2026
stripe-ruby	12.6.0	MIT	ruby-gem	19 May 2026

Vulnerability posture

1 KEV-flagged · 2 under investigation

CVE-2026-1042

openssl

9.8 critical

KEV-flagged · patch scheduled

CVE-2026-0871

rails

7.5 high

Under investigation

CVE-2025-9920

react

5.3 medium

Not affected (xss feature off)

README — gap disclosure

2 gaps disclosed

SBOM last refresh older than 60 days for the system OpenSSL build chain — refresh scheduled for next CI run.
1 dependency (`tailwindcss-rails`) still under license review — not blocking, no exposure to user data.
All KEV-flagged vulnerabilities have remediation owners + target dates.
Customer notification template approved by Legal and on file.