Struct CraSidecarMetadata 

pub struct CraSidecarMetadata {

    pub security_contact: Option<String>,
    pub vulnerability_disclosure_url: Option<String>,
    pub support_end_date: Option<DateTime<Utc>>,
    pub manufacturer_name: Option<String>,
    pub manufacturer_email: Option<String>,
    pub product_name: Option<String>,
    pub product_version: Option<String>,
    pub ce_marking_reference: Option<String>,
    pub update_mechanism: Option<String>,
    pub psirt_url: Option<String>,
    pub early_warning_contact: Option<String>,
    pub incident_report_contact: Option<String>,
    pub enisa_reporting_platform_id: Option<String>,
    pub coordinated_disclosure_policy_url: Option<String>,
    pub risk_assessment_url: Option<String>,
    pub risk_assessment_methodology: Option<String>,
    pub product_class: Option<CraProductClass>,
    pub conformity_assessment_route: Option<ConformityRoute>,
    pub is_oss_steward: bool,
    pub is_nis2_essential_entity: bool,
    pub is_nis2_important_entity: bool,
    pub processes_personal_data: bool,
    pub is_high_risk_ai: bool,
    pub red_repealed_until: Option<DateTime<Utc>>,
    pub eucc_protection_profile_id: Option<String>,
    pub eucc_target_of_evaluation: Option<String>,
    pub eucc_itsef_identifier: Option<String>,
    pub eucc_valid_until: Option<DateTime<Utc>>,
    pub annex_i_part_i_controls: BTreeMap<String, ControlAssertion>,
}

CRA sidecar metadata that supplements SBOM information

Fields

security_contact: Option<String>

Security contact email or URL for vulnerability disclosure

vulnerability_disclosure_url: Option<String>

URL for vulnerability disclosure policy/portal

support_end_date: Option<DateTime<Utc>>

End of support/security updates date

manufacturer_name: Option<String>

Manufacturer/vendor name (supplements SBOM creator info)

manufacturer_email: Option<String>

Manufacturer contact email

product_name: Option<String>

Product name (supplements SBOM document name)

product_version: Option<String>

Product version

ce_marking_reference: Option<String>

CE marking declaration reference (URL or document ID)

update_mechanism: Option<String>

Security update delivery mechanism description

psirt_url: Option<String>

PSIRT (Product Security Incident Response Team) public URL. Required to handle external vulnerability reports under Annex I Part II and Art. 14 incident reporting.

early_warning_contact: Option<String>

Channel (email, URL, phone) for the 24-hour early-warning notification to ENISA / CSIRT under CRA Art. 14(1) when an actively-exploited vulnerability is identified.

incident_report_contact: Option<String>

Channel for the 72-hour incident report under CRA Art. 14(2).

enisa_reporting_platform_id: Option<String>

Manufacturer-side identifier for the ENISA single reporting platform (Art. 14(7)). Until ENISA publishes the technical interface this is a placeholder string — typically a manufacturer registration ID.

coordinated_disclosure_policy_url: Option<String>

Coordinated vulnerability disclosure policy URL. Distinct from vulnerability_disclosure_url (which may point at a portal) — this is the published policy that meets CRA Art. 13(7) and ISO/IEC 29147 expectations.

risk_assessment_url: Option<String>

URL or document reference for the documented risk assessment required by CRA Art. 13(2). Annex V technical documentation must include or reference this assessment.

risk_assessment_methodology: Option<String>

Methodology used for the risk assessment (e.g., “ISO/IEC 27005:2022”, “NIST SP 800-30 r1”, “ETSI TS 102 165-1 TVRA”).

product_class: Option<CraProductClass>

CRA product class drives the conformity-assessment route and the severity calibration of compliance checks (vendor-hash coverage, PSIRT, EUCC reference, attestation).

conformity_assessment_route: Option<ConformityRoute>

Conformity-assessment route per CRA Annex VIII (Module A self-assessment, B+C EU-type examination, H full QA, or EUCC). Sidecar value wins over any CLI-provided default.

is_oss_steward: bool

Whether this product is supplied by an open-source software steward (CRA Art. 24). When true, manufacturer-only obligations (DoC, notified-body attestation, manufacturer email) are not enforced; SBOM, vulnerability-handling, and CVD policy are still required.

is_nis2_essential_entity: bool

True if the manufacturer is a NIS2 essential entity (Annex I of Directive (EU) 2022/2555). Triggers Art. 23 incident-reporting guidance in the cra-docs dossier.

is_nis2_important_entity: bool

True if the manufacturer is a NIS2 important entity (Annex II of Directive (EU) 2022/2555).

processes_personal_data: bool

True when the product processes personal data (GDPR Art. 32 security-of-processing applies in parallel to CRA Annex I).

is_high_risk_ai: bool

True when the product is a high-risk AI system per the AI Act (Regulation (EU) 2024/1689). AI-Act conformity coordination must be handled alongside CRA Module assessment.

red_repealed_until: Option<DateTime<Utc>>

Date until which the Radio Equipment Directive (RED, Directive 2014/53/EU) cybersecurity provisions still apply for this product. CRA repeals RED Art. 3(3)(d/e/f) on 2025-08-01; older device inventories may carry RED references through their support horizon.

eucc_protection_profile_id: Option<String>

Common Criteria Protection Profile identifier (e.g., “PP-CC-MFR-2024-01”).

eucc_target_of_evaluation: Option<String>

Common Criteria Target of Evaluation reference (URL or document ID).

eucc_itsef_identifier: Option<String>

IT Security Evaluation Facility (ITSEF) identifier — the accredited laboratory that performed the EUCC evaluation.

eucc_valid_until: Option<DateTime<Utc>>

EUCC certificate valid-until date.

annex_i_part_i_controls: BTreeMap<String, ControlAssertion>

Per-control assertions for CRA Annex I Part I, keyed by control ID (e.g., "1.a" through "1.l" for §1, "2.a" through "2.m" for §2 vulnerability-handling). Each entry records whether the manufacturer claims the control is satisfied, the evidence URL, and the methodology used.

BTreeMap for deterministic ordering in dossier output.

Implementations

impl CraSidecarMetadata

pub fn from_json_file(path: &Path) -> Result<Self, CraSidecarError>

Load sidecar metadata from a JSON file

pub fn from_yaml_file(path: &Path) -> Result<Self, CraSidecarError>

Load sidecar metadata from a YAML file

pub fn from_file(path: &Path) -> Result<Self, CraSidecarError>

Load sidecar metadata, auto-detecting format from extension

pub fn find_for_sbom(sbom_path: &Path) -> Option<Self>

Try to find a sidecar file for the given SBOM path.

Looks for <stem>.cra.{json,yaml,yml} and <stem>-cra.{json,yaml} alongside the SBOM. Multi-extension stems (app.cdx.json, app.spdx.json, app.spdx3.json) also try the inner stem (app.cra.json) so the common SBOM naming conventions work without forcing operators to repeat the format suffix.

pub fn has_cra_data(&self) -> bool

Check if any CRA-relevant fields are populated

pub fn example_json() -> String

Generate an example sidecar file content

Trait Implementations

impl Clone for CraSidecarMetadata

fn clone(&self) -> CraSidecarMetadata

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for CraSidecarMetadata

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for CraSidecarMetadata

fn default() -> CraSidecarMetadata

Returns the “default value” for a type.

impl<'de> Deserialize<'de> for CraSidecarMetadata

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>

where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl Serialize for CraSidecarMetadata

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.