Hi!
One of the requirements for EN 18031-1 is that a product shouldn't contain publicly known exploitable vulnerabilities:
6.10.1 [GEC-1] Up-to-date software and hardware with no publicly known exploitable vulnerabilities
6.10.1.1 Requirement
The equipment shall not include publicly known exploitable vulnerabilities that, if exploited, affect security assets and network assets, except for vulnerabilities:
— that cannot be exploited in the specific conditions of the equipment; or
— that have been mitigated to an acceptable residual risk; or
— that have been accepted on a risk basis.
The Zephyr project from time to time publishes GitHub security advisories, but there is no clear way to map this against the nRF Connect SDK. Can Nordic provide this kind of mapping? It would greatly help ensure conformance against EN 18031-1 and RED Cybersecurity requirements.