Sample Reports

See exactly what auditors will receive. Preview both assessment tiers below.

Due Diligence Assessment Report

Standard Assessment

Standard

Component

Lodash

Version

4.17.21

PURL

pkg:npm/lodash@4.17.21

Report ID

CRA-2026-STD-00012

1. Ecosystem Health & Maintainer Profile

OpenSSF Scorecard

5.2 / 10

Bus Factor

Low

Activity

Inactive

License

MIT

Single primary maintainer. No releases since April 2021. Version 4.17.21 is the final release of the 4.x line.

2. Vulnerability Analysis (CVE)

Active CVEs

Historical CVEs (24mo)

3 patched

Avg Time-to-Remediate

42 days

Historical prototype pollution vulnerabilities (CVE-2020-8203, CVE-2021-23337) are patched in this version. The _.template function remains a theoretical risk if used with untrusted input.

3. Static Analysis (SAST) via Semgrep

Critical

High

Medium

2 (FP)

Overall

PASS

2 Medium findings flagged — both false positives (eval-like patterns in build tooling, not runtime code).

4. Credential / Secret Scanning via Trufflehog

Active Credentials

False Positives

Overall

PASS

Full git history (142 commits) + npm tarball scanned. 1 false positive flagged (test fixture with example API key format).

5. Safe Usage Recommendations

→ Do not pass untrusted user input to _.template() — use _.escape() first or use a dedicated templating library.
→ Pin to exact version 4.17.21. Do not use floating ranges as earlier versions contain prototype pollution vulnerabilities.
→ Consider migration to native ES methods (Array.flat, Object.entries, String.padStart) for new code.
→ Monitor for maintainer transfer or archive events given the bus factor of 1.

6. Executive Summary

Lodash 4.17.21 is a stable, widely-deployed utility library with no known unpatched vulnerabilities. The primary risk factor is maintenance: the project has a single maintainer and has not released an update since 2021. For general-purpose utility use (array/object manipulation, string operations), this represents acceptable risk. Teams using _.template with untrusted input should evaluate alternatives. The component is suitable for integration into products under the CRA for non-critical use cases.

7. Expert Assertion

"I have evaluated Lodash v4.17.21 against the essential requirements of the EU Cyber Resilience Act (CRA) Annex I. Based on the evidence gathered, I assert that this component meets the Standard due diligence requirements under CRA Article 10 / Annex I for use in non-critical environments. The component exhibits no known exploitable vulnerabilities in standard configurations, though its low maintenance activity warrants periodic re-assessment."

Signed by: Principal Security Consultant

Report ID: CRA-2026-STD-00012

Date: January 10, 2026

Machine-readable deliverables included: CycloneDX SBOM (JSON) + OpenVEX document (JSON)

This is a preview. The full report includes additional detail and regulatory cross-references.

Due Diligence Assessment Report

High-Criticality Assessment

High-Criticality

Component

OpenSSL

Version

3.2.1

PURL

pkg:generic/openssl@3.2.1

Report ID

CRA-2026-OSSL-001

1. Ecosystem Health & Maintainer Profile

OpenSSF Scorecard

8.8 / 10

Bus Factor

High (15+)

Activity

Active

Release Cadence

Monthly

2. Vulnerability Analysis (CVE)

Active CVEs

Patched (6mo)

4 Moderate

Avg Time-to-Remediate

9 days

All legacy CVEs related to obsolete ciphers (e.g., Blowfish) are disabled by default and do not pose a risk to standard TLS 1.3 implementations.

3. Static Analysis (SAST) Semgrep + CodeQL

Semgrep

PASS

0 Critical/High

CodeQL

PASS

0 Critical/High

Overall

PASS

Semgrep: 3 Medium findings (false positives — legacy macro patterns). CodeQL: 1 Medium data-flow alert in ssl/record/rec_layer_s3.c reviewed and confirmed as bounded by caller validation.

4. Binary Hardening Assessment via Aldur

ASLR/PIE

Enabled

DEP/NX

Enabled

Stack Canaries

Enabled

CFG

Verified

5. Malware Scan, CI Workflow Analysis & Credential Scanning

Malware (VirusTotal)

PASS

0/72 detections

CI Workflows (Zizmor)

PASS

0 critical issues

Credentials (Trufflehog)

PASS

0 active secrets

6. Cryptography Analysis (CBOM)

Approved Algorithms

Legacy (non-default)

Custom Implementations

Yes (crypto lib)

Overall

PASS

AES-128/256, SHA-256/384/512, SHA-3, RSA-2048+, ECDSA, Ed25519, ChaCha20-Poly1305 identified. MD5 and SHA-1 present only in legacy non-default paths.

7. AI Analysis & Threat Model

Anomaly review: No anomalous outbound networking or dead man's switch patterns. All sensitive API calls align with declared TLS/SSL functionality.

Threat model: Primary attack surfaces: TLS handshake parsing, X.509 certificate validation, memory management in C. Mitigated by extensive fuzzing (OSS-Fuzz), ASLR/stack canaries, and a dedicated security response team. No high-priority actions required beyond standard update practices.

8. Executive Summary

OpenSSL remains the industry standard for cryptographic operations. Version 3.2.1 represents a stable, highly-audited release. While its complexity is high, the project's adherence to OpenSSF Best Practices and its aggressive patching schedule make it the lowest-risk option for enterprise TLS requirements. Static analysis, malware scanning, CI workflow audit, and cryptographic inventory all pass with no concerns. Binary hardening is fully enabled across all four protection categories.

9. Expert Assertion

"I have evaluated OpenSSL v3.2.1 against the essential requirements of the EU Cyber Resilience Act (CRA) Annex I. I assert that this component meets the heightened due diligence requirements under CRA Article 10 / Annex I for integration into 'Class II' critical software products. The component demonstrates mature security processes, robust binary hardening, and no known exploitable vulnerabilities in standard cryptographic configurations."

Signed by: Principal Security Consultant

Report ID: CRA-2026-OSSL-001

Date: February 12, 2026

Machine-readable deliverables included: CycloneDX SBOM + OpenVEX + CBOM (crypto extension)

This is a preview. The full report includes dependency tree review, detailed regulatory mapping, and AI analysis appendix.

Download the Full Sample Report

Get both sample reports as complete PDFs — exactly what your auditors will see.

Ready to cover your full stack?

Get audit-ready reports for every component in your dependency tree.

Assess My Stack