MASTG-TEST-0275: Dependencies with Known Vulnerabilities in the App's SBOM

Overview

This test case checks for dependencies with known vulnerabilities in iOS applications by using a Software Bill of Materials (SBOM). The SBOM should be in CycloneDX format, which is a standard for describing the components and dependencies of software.

Steps

  1. Either ask the development team to share an SBOM in CycloneDX format, or, if you have access to the original source code, create one following Software Composition Analysis (SCA) of iOS Dependencies by Creating a SBOM.
  2. Upload the SBOM to Dependency-Track.
  3. Inspect the Dependency-Track project for the use of vulnerable dependencies.

Observation

The output should be a list of dependencies, each with its name, version and any CVE identifiers reported for it.

Evaluation

The test case fails if you can find dependencies with known vulnerabilities.