MASTG-TEST-0274: Dependencies with Known Vulnerabilities in the App's SBOM
Content in BETA
This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).
Overview
In this test case we identify dependencies with known vulnerabilities by relying on a Software Bill of Materials (SBOM).
Steps
- Either ask the development team to share an SBOM in CycloneDX format, or, if you have access to the original source code, create one following Software Composition Analysis (SCA) of Android Dependencies by Creating a SBOM.
- Upload the SBOM to Dependency-Track.
- Inspect the Dependency-Track project for the use of vulnerable dependencies.
Observation
The output should include a list of dependencies with names and CVE identifiers, if any.
Evaluation
The test case fails if you can find dependencies with known vulnerabilities.
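The following Python script is an added example that is not part of the MASTG page or of the Dependency-Track project. It ties the Steps and the Evaluation together: it lists the components of a CycloneDX SBOM, uploads it to Dependency-Track through the documented `PUT /api/v1/bom` endpoint, fetches the project findings from `GET /api/v1/finding/project/{uuid}`, and turns the findings into the pass/fail verdict and the "dependency name plus CVE identifier" list the Observation asks for. The SBOM and the findings document embedded below are constructed samples (the CVE identifier in them is a placeholder, not a real vulnerability), and the server URL, API key and project UUID are assumptions you replace with your own values.

```python
"""
Added example for MASTG-TEST-0274 (not the page's or Dependency-Track's own code).
Assumptions: DT_URL / DT_API_KEY / project UUID are placeholders; SAMPLE_SBOM and
SAMPLE_FINDINGS are constructed data, not output of a real scan.
"""
import base64
import json
import urllib.request

# Constructed sample CycloneDX 1.4 SBOM with two Android (Maven) components.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "okhttp", "version": "3.12.0",
         "purl": "pkg:maven/com.squareup.okhttp3/okhttp@3.12.0"},
        {"type": "library", "name": "gson", "version": "2.10.1",
         "purl": "pkg:maven/com.google.code.gson/gson@2.10.1"},
    ],
}

# Constructed sample shaped like the Dependency-Track findings response.
# "CVE-0000-0001" is a placeholder identifier, not a real CVE.
SAMPLE_FINDINGS = [
    {"component": {"name": "okhttp", "version": "3.12.0",
                   "purl": "pkg:maven/com.squareup.okhttp3/okhttp@3.12.0"},
     "vulnerability": {"vulnId": "CVE-0000-0001", "source": "NVD", "severity": "HIGH"},
     "analysis": {"isSuppressed": False}},
    {"component": {"name": "okhttp", "version": "3.12.0",
                   "purl": "pkg:maven/com.squareup.okhttp3/okhttp@3.12.0"},
     "vulnerability": {"vulnId": "CVE-0000-0002", "source": "NVD", "severity": "LOW"},
     "analysis": {"isSuppressed": True}},   # triaged as not applicable
]


def list_components(sbom):
    """Return (name, version, purl) for every component in a CycloneDX SBOM."""
    return [(c.get("name"), c.get("version"), c.get("purl"))
            for c in sbom.get("components", [])]


def upload_sbom(base_url, api_key, project_name, project_version, sbom):
    """Upload the SBOM (base64-encoded JSON) and auto-create the project.
    Returns the server's JSON response (contains the processing token)."""
    body = json.dumps({
        "projectName": project_name,
        "projectVersion": project_version,
        "autoCreate": True,
        "bom": base64.b64encode(json.dumps(sbom).encode()).decode(),
    }).encode()
    req = urllib.request.Request(f"{base_url}/api/v1/bom", data=body, method="PUT",
                                 headers={"X-Api-Key": api_key,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_findings(base_url, api_key, project_uuid):
    """Fetch the findings Dependency-Track computed for a project."""
    req = urllib.request.Request(f"{base_url}/api/v1/finding/project/{project_uuid}",
                                 headers={"X-Api-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_findings(findings):
    """Map 'name@version' -> sorted list of vulnerability ids, skipping
    findings that were suppressed during triage."""
    summary = {}
    for f in findings:
        if f.get("analysis", {}).get("isSuppressed"):
            continue
        comp = f["component"]
        key = f"{comp['name']}@{comp['version']}"
        summary.setdefault(key, set()).add(f["vulnerability"]["vulnId"])
    return {k: sorted(v) for k, v in summary.items()}


def evaluate(findings):
    """MASTG-TEST-0274 verdict: FAIL if any unsuppressed known vulnerability remains."""
    summary = summarize_findings(findings)
    return ("FAIL" if summary else "PASS"), summary


if __name__ == "__main__":
    print("Components in SBOM:", list_components(SAMPLE_SBOM))
    # Real run (placeholders): token = upload_sbom("https://dt.example", "KEY", "app", "1.0", SAMPLE_SBOM)
    #                          findings = fetch_findings("https://dt.example", "KEY", "<project-uuid>")
    verdict, details = evaluate(SAMPLE_FINDINGS)
    print(verdict, json.dumps(details, indent=2))
```

Suppressed findings are excluded on purpose: Dependency-Track keeps them in the findings response with `analysis.isSuppressed` set, so a naive "any finding means fail" check would re-flag dependencies the team has already triaged as not applicable. Review those suppressions yourself rather than trusting them blindly.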