
MASTG-TEST-0275: Dependencies with Known Vulnerabilities in the App's SBOM

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).


Overview

This test case uses a Software Bill of Materials (SBOM) to check an iOS app's third-party dependencies against known vulnerabilities. The SBOM should be in CycloneDX format, a standard for describing the components and dependencies of a piece of software, which is also the format that Dependency-Track ingests.

Steps

  1. Either ask the development team to share an SBOM in CycloneDX format, or, if you have access to the original source code, create one following Software Composition Analysis (SCA) of iOS Dependencies by Creating a SBOM.
  2. Upload the SBOM to Dependency-Track.
  3. Inspect the Dependency-Track project for the use of vulnerable dependencies.

Observation

The output should be a list of the app's dependencies (name and version) together with the CVE identifiers of any known vulnerabilities that Dependency-Track matched against them, if any.

Evaluation

The test case fails if you can find dependencies with known vulnerabilities.
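The following script is an added example, not part of the MASTG page or the Dependency-Track project. It walks through steps 2 and 3 together with the Observation and Evaluation above: it builds the upload body for Dependency-Track's `PUT /api/v1/bom` endpoint (BOM base64-encoded, `autoCreate` set), pulls the project's findings from `GET /api/v1/finding/project/{uuid}`, and reduces them to the per-dependency list of vulnerability IDs that decides pass or fail. The SBOM, the library names, the findings and the `CVE-0000-*` identifiers are constructed placeholders so the script runs offline; the live path is only taken when `DTRACK_URL` and `DTRACK_API_KEY` are set, and those variable names are this example's own choice. One caveat the page's evaluation leaves implicit is handled explicitly: findings the team suppressed in Dependency-Track do not fail the test, but they are listed separately so the auditor can review the suppression rationale rather than trust it blindly.

```python
"""Steps 2 and 3 of MASTG-TEST-0275 against Dependency-Track, with offline sample data."""
import base64
import json
import os
import time
import urllib.request

# Constructed minimal CycloneDX 1.5 JSON SBOM standing in for step 1's output.
# Component names and versions are hypothetical, not real iOS libraries.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "ExampleNetworking", "version": "1.2.0",
         "purl": "pkg:cocoapods/ExampleNetworking@1.2.0"},
        {"type": "library", "name": "ExampleCrypto", "version": "3.0.4",
         "purl": "pkg:cocoapods/ExampleCrypto@3.0.4"},
        {"type": "library", "name": "ExampleUI", "version": "0.9.1",
         "purl": "pkg:cocoapods/ExampleUI@0.9.1"},
    ],
}

# Constructed sample of what GET /api/v1/finding/project/{uuid} returns once
# Dependency-Track has analysed the BOM. The vulnerability IDs are placeholders
# (year 0000), not real advisories.
SAMPLE_FINDINGS = [
    {"component": {"name": "ExampleNetworking", "version": "1.2.0",
                   "purl": "pkg:cocoapods/ExampleNetworking@1.2.0"},
     "vulnerability": {"source": "NVD", "vulnId": "CVE-0000-0001", "severity": "HIGH"},
     "analysis": {"isSuppressed": False}},
    {"component": {"name": "ExampleCrypto", "version": "3.0.4",
                   "purl": "pkg:cocoapods/ExampleCrypto@3.0.4"},
     "vulnerability": {"source": "NVD", "vulnId": "CVE-0000-0002", "severity": "MEDIUM"},
     # Suppressed by the team in Dependency-Track: the rationale still needs review.
     "analysis": {"isSuppressed": True, "state": "NOT_AFFECTED"}},
]


def build_upload_payload(bom, project_name, project_version):
    """Step 2: request body for PUT /api/v1/bom. The BOM travels base64-encoded
    in 'bom'; autoCreate lets the server create the project on first upload."""
    return {
        "projectName": project_name,
        "projectVersion": project_version,
        "autoCreate": True,
        "bom": base64.b64encode(json.dumps(bom).encode()).decode(),
    }


def _api(base_url, api_key, path, payload=None, method="GET"):
    """Authenticated call to the Dependency-Track REST API (X-Api-Key header)."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method,
                                 headers={"X-Api-Key": api_key,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def summarize(bom, findings):
    """Step 3 / Observation: every dependency from the SBOM with the vulnerability
    IDs Dependency-Track attached to it. Suppressed findings go in their own list
    so the auditor can check the suppression rationale instead of trusting it."""
    def blank(purl):
        return {"purl": purl, "vulnerabilities": [], "suppressed": []}
    report = {f"{c['name']}@{c['version']}": blank(c.get("purl"))
              for c in bom.get("components", [])}
    for f in findings:
        comp, vuln = f["component"], f["vulnerability"]
        entry = report.setdefault(f"{comp['name']}@{comp['version']}", blank(comp.get("purl")))
        bucket = "suppressed" if f.get("analysis", {}).get("isSuppressed") else "vulnerabilities"
        entry[bucket].append(f"{vuln['source']}:{vuln['vulnId']} ({vuln.get('severity', 'UNASSIGNED')})")
    return report


def evaluate(report):
    """Evaluation: the test fails if any dependency carries an unsuppressed known vulnerability."""
    return "FAIL" if any(e["vulnerabilities"] for e in report.values()) else "PASS"


if __name__ == "__main__":
    base_url, api_key = os.environ.get("DTRACK_URL"), os.environ.get("DTRACK_API_KEY")
    if base_url and api_key:
        # Live path: upload, wait until the server has processed the BOM, then
        # look the project up by name/version and pull its findings.
        token = _api(base_url, api_key, "/api/v1/bom",
                     build_upload_payload(SAMPLE_BOM, "ExampleApp", "1.0"), "PUT")["token"]
        while _api(base_url, api_key, f"/api/v1/bom/token/{token}")["processing"]:
            time.sleep(2)
        project = _api(base_url, api_key, "/api/v1/project/lookup?name=ExampleApp&version=1.0")
        findings = _api(base_url, api_key, f"/api/v1/finding/project/{project['uuid']}")
    else:
        findings = SAMPLE_FINDINGS  # offline run on the constructed sample
    report = summarize(SAMPLE_BOM, findings)
    print(json.dumps(report, indent=2))
    print("Result:", evaluate(report))
```

Run without environment variables to see the offline result (`FAIL`, because `ExampleNetworking@1.2.0` carries an unsuppressed finding while the suppressed `ExampleCrypto` finding is only reported). Replace `SAMPLE_BOM` with the CycloneDX file from step 1 and set `DTRACK_URL` and an API key with `BOM_UPLOAD`, `VIEW_PORTFOLIO` and `VIEW_VULNERABILITY` permissions to run it against a real instance.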