Skip to content

OWASP Mobile Application Security

MASTG-TEST-0274: Dependencies with Known Vulnerabilities in the App's SBOM

MASTG-TEST-0274: Dependencies with Known Vulnerabilities in the App's SBOM

Overview¶

In this test case we are identifying dependencies with known vulnerabilities by relying on a Software Bill of Material (SBOM).

Steps¶

Use Software Composition Analysis (SCA) of Android Dependencies by Creating a SBOM to generate a SBOM, or request one in CycloneDX format from the development team.
Upload the SBOM to dependency-track.
Inspect the dependency-track project for the use of vulnerable dependencies.

Observation¶

The output should include a list of dependencies with names and CVE identifiers, if any.

Evaluation¶

The test case fails if you can find dependencies with known vulnerabilities.