MASTG-TEST-0274: Dependencies with Known Vulnerabilities in the App's SBOM
Overview
This test case identifies dependencies with known vulnerabilities by relying on a Software Bill of Materials (SBOM).
Steps
- Either ask the development team to share an SBOM in CycloneDX format, or, if you have access to the original source code, create one following Software Composition Analysis (SCA) of Android Dependencies by Creating a SBOM.
- Upload the SBOM to Dependency-Track.
- Inspect the Dependency-Track project for the use of vulnerable dependencies.
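As an added example (not code from the MASTG page or from the Dependency-Track project), the following Python script automates the upload and inspection steps against a Dependency-Track instance over its REST API and then applies this test's pass/fail rule: any unsuppressed finding with a CVE fails the test. The instance URL, API key and SAMPLE_FINDINGS are assumed placeholders, and the endpoint paths (/api/v1/bom, /api/v1/bom/token/{token}, /api/v1/project/lookup, /api/v1/finding/project/{uuid}) are those of the Dependency-Track API as I know it, so verify them against the version you run.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Assumed placeholders for a local Dependency-Track instance (not from the MASTG page).
DT_URL = "http://localhost:8081"
DT_API_KEY = "REPLACE_WITH_DEPENDENCY_TRACK_API_KEY"

# Constructed sample in the shape Dependency-Track returns (placeholder IDs, not real CVEs).
SAMPLE_FINDINGS = [
    {"component": {"name": "example-lib", "version": "1.0.0"}, "analysis": {"isSuppressed": False},
     "vulnerability": {"vulnId": "CVE-0000-00001", "severity": "HIGH"}},
    {"component": {"name": "other-lib", "version": "2.3.1"}, "analysis": {"isSuppressed": True},
     "vulnerability": {"vulnId": "CVE-0000-00002", "severity": "LOW"}},
]


def _request(method, path, body=None):
    """Minimal JSON client for the Dependency-Track REST API (API key in the X-Api-Key header)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(DT_URL + path, data=data, method=method,
                                 headers={"X-Api-Key": DT_API_KEY, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"null")


def upload_sbom(bom_path, project_name, project_version):
    """Step 2: upload a CycloneDX SBOM, wait until analysis finishes, return the project UUID."""
    with open(bom_path, "rb") as fh:
        bom_b64 = base64.b64encode(fh.read()).decode()
    token = _request("PUT", "/api/v1/bom", {"projectName": project_name, "autoCreate": True,
                                            "projectVersion": project_version, "bom": bom_b64})["token"]
    while _request("GET", f"/api/v1/bom/token/{token}")["processing"]:
        time.sleep(2)  # vulnerability analysis runs asynchronously after the upload
    query = urllib.parse.urlencode({"name": project_name, "version": project_version})
    return _request("GET", f"/api/v1/project/lookup?{query}")["uuid"]


def fetch_findings(project_uuid):
    """Step 3: pull the project's findings (one entry per component/vulnerability pair)."""
    return _request("GET", f"/api/v1/finding/project/{project_uuid}")


def evaluate(findings):
    """Evaluation rule: FAIL if any dependency has an unsuppressed known vulnerability."""
    rows = sorted((f["component"]["name"], f["component"].get("version", ""),
                   f["vulnerability"]["vulnId"], f["vulnerability"].get("severity", "UNASSIGNED"))
                  for f in findings if not f.get("analysis", {}).get("isSuppressed", False))
    return ("FAIL" if rows else "PASS"), rows  # rows: (component, version, vulnId, severity)
```

Run it as `evaluate(fetch_findings(upload_sbom("bom.json", "my-app", "1.0")))`; findings that the team has triaged and suppressed in Dependency-Track are excluded, so review those suppressions separately rather than trusting them blindly.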
Observation
The output should include a list of dependencies with names and CVE identifiers, if any.
Evaluation
The test case fails if you can find dependencies with known vulnerabilities.