
MASTG-TEST-0273: Identify Dependencies with Known Vulnerabilities by Scanning Dependency Managers Artifacts

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).


Overview

In this test case we identify iOS dependencies with known vulnerabilities. Dependencies are integrated through dependency managers, and an app may use one or more of them. We therefore need all of the relevant artifacts created by those managers so that they can be analysed with a Software Composition Analysis (SCA) scanning tool.

Steps

  1. In order to do this in the most efficient way you would need to ask the developer(s) which dependency managers are being used and to share the relevant file(s) created by them. Follow Software Composition Analysis (SCA) of iOS Dependencies by Scanning Package Manager Artifacts for an overview of the package managers and request the relevant files.

  2. Run an SCA analysis tool such as dependency-check against the file(s) created by the dependency manager(s) and look for the use of vulnerable dependencies.
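
As an added example (not part of the MASTG or of dependency-check), the following Python script extracts the resolved components from two of the artifacts step 1 collects, a SwiftPM `Package.resolved` and a CocoaPods `Podfile.lock`, into one inventory that can be checked against a vulnerability database. The artifact contents are constructed samples, not taken from a real app.

```python
import json
import re
from typing import Dict, List, Tuple

Component = Tuple[str, str, str]  # (ecosystem, name, resolved version)

# Constructed sample artifacts (not from a real project).
PACKAGE_RESOLVED_V2 = """{
  "pins" : [
    { "identity" : "alamofire", "kind" : "remoteSourceControl",
      "location" : "https://github.com/Alamofire/Alamofire",
      "state" : { "revision" : "deadbeef", "version" : "5.6.4" } }
  ],
  "version" : 2
}"""

PODFILE_LOCK = """PODS:
  - Alamofire (5.6.4)
  - Firebase/Core (10.15.0):
    - FirebaseCore (= 10.15.0)
  - FirebaseCore (10.15.0)

DEPENDENCIES:
  - Alamofire (~> 5.6)
  - Firebase/Core
"""

def parse_package_resolved(text: str) -> List[Component]:
    """Handle both Package.resolved layouts: v1 nests pins under 'object'
    and names the package with 'package'; v2 uses top-level 'pins'/'identity'."""
    doc = json.loads(text)
    pins = doc.get("pins") or doc.get("object", {}).get("pins", [])
    out = []
    for pin in pins:
        name = pin.get("identity") or pin.get("package")
        state = pin.get("state", {})
        # A pin resolved to a branch has no version; keep the revision so the
        # component still appears in the inventory instead of being dropped.
        out.append(("swift", name, state.get("version") or state.get("revision") or "unknown"))
    return out

POD_LINE = re.compile(r"^  - (\S+) \(([^)]+)\)")  # two-space indent = top-level pod

def parse_podfile_lock(text: str) -> List[Component]:
    """Only top-level entries of the PODS: section carry resolved versions;
    deeper-indented lines are version constraints, not installed components."""
    out, in_pods = [], False
    for line in text.splitlines():
        if line.startswith("PODS:"):
            in_pods = True
            continue
        if in_pods and line and not line.startswith(" "):
            break  # reached the next section (DEPENDENCIES:, SPEC CHECKSUMS:, ...)
        m = POD_LINE.match(line) if in_pods else None
        if m:
            out.append(("cocoapods", m.group(1), m.group(2)))
    return out

def build_inventory() -> Dict[str, str]:
    """Merged, de-duplicated component list keyed by 'ecosystem:name'."""
    comps = parse_package_resolved(PACKAGE_RESOLVED_V2) + parse_podfile_lock(PODFILE_LOCK)
    return {f"{eco}:{name}": ver for eco, name, ver in comps}
```

Feeding the resulting names and versions (rather than only the declared constraints in `Podfile` or `Package.swift`) to the SCA tool is what makes the CVE matching reflect what actually ships in the app.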

Observation

The output should include the dependency name and the CVE identifiers for any dependency with known vulnerabilities.

Evaluation

The test case fails if you can find dependencies with known vulnerabilities.

Demos

  * MASTG-DEMO-0053: Identifying Insecure Dependencies in SwiftPM through SBOM creation
  * MASTG-DEMO-0052: Scanning Package Manager Artifacts for Insecure iOS Dependencies