CRA Evidence Pack · v3
AcmeHR API for Compliance Teams
Product · CRA Important Class I · Generated 21 May 2026
PDF: Cover · XLSX: SBOM + Vulns · README: Gaps
| Field | Value | Status |
|---|---|---|
| Manufacturer | AcmeHR SaaS Ltd. | Recorded |
| Annex I class | Important — Class I | Recorded |
| Conformity route | Internal control (Module A) | Recorded |

SBOM coverage
5 of 5 components inventoried

| Component | Version | License | Type | Last scan |
|---|---|---|---|---|
| rails | 8.0.2 | MIT | ruby-gem | 19 May 2026 |
| pg | 1.5.6 | BSD-2-Clause | ruby-gem | 19 May 2026 |
| react | 18.3.1 | MIT | npm | 19 May 2026 |
| openssl (linked) | 3.2.1 | Apache-2.0 | system | 19 May 2026 |
| stripe-ruby | 12.6.0 | MIT | ruby-gem | 19 May 2026 |

Vulnerability posture
1 KEV-flagged · 2 under investigation

| CVE | Component | Severity | Status |
|---|---|---|---|
| CVE-2026-1042 | openssl | 9.8 critical | KEV-flagged · patch scheduled |
| CVE-2026-0871 | rails | 7.5 high | Under investigation |
| CVE-2025-9920 | react | 5.3 medium | Not affected (xss feature off) |

README — gap disclosure
2 gaps disclosed

- SBOM last refresh older than 60 days for the system OpenSSL build chain — refresh scheduled for next CI run.
- 1 dependency (`tailwindcss-rails`) still under license review — not blocking, no exposure to user data.
- All KEV-flagged vulnerabilities have remediation owners + target dates.
- Customer notification template approved by Legal and on file.