Without an SBOM, you cannot answer the question 'are we affected?' when a new CVE is announced for a transitive dependency. OWASP A08 (Software and Data Integrity Failures) and NIST 800-53 SA-10 (Developer Configuration Management) expect organizations to track and control the software components they build with. SLSA Build L1 requires that provenance exist for the artifact; CycloneDX and SPDX are the standard SBOM formats for recording what went into it. License violations in transitive dependencies (a GPL-licensed package pulled in silently) can also create legal liability that only SBOM review surfaces. Projects with 45+ direct npm dependencies commonly have 500+ transitive dependencies that nobody has systematically reviewed.
Severity is info because SBOM absence is a process gap rather than an immediately exploitable technical vulnerability, but without one CVE exposure and license risks in transitive dependencies go undetected.
Generate a CycloneDX SBOM and check license compliance in CI:
# Generate SBOM
npx @cyclonedx/cyclonedx-npm --output-format JSON > sbom.json
# License compliance check
npx license-checker --summary --failOn 'GPL-2.0;GPL-3.0;AGPL-3.0'
Add to .github/workflows/sbom.yml:
- name: Generate SBOM
run: npx @cyclonedx/cyclonedx-npm --output-format JSON > sbom.json
- name: License check
run: npx license-checker --failOn 'GPL-2.0;GPL-3.0;AGPL-3.0' --excludePrivatePackages
Commit sbom.json to the repository or store it as a CI artifact so it is available for vulnerability correlation when new CVEs are published. Two caveats: --failOn compares against the license strings recorded in each package's metadata rather than normalizing them, so list the SPDX identifiers your tree actually uses (GPL-3.0-only and GPL-3.0-or-later as well as GPL-3.0); run license-checker --summary first to see which identifiers appear. If the organization has an approved-license list, --onlyAllow (an allowlist) is stricter than a denylist and catches unexpected or unknown licenses as well.
ID: security-hardening.infra-monitoring.sbom-reviewed
Severity: info
What to look for: Count all direct and transitive dependencies, then check whether the project has a generated SBOM (Software Bill of Materials) in SPDX or CycloneDX format, or whether there is evidence that the dependency tree has been reviewed for license compliance and unexpected transitive dependencies. Look for SBOM generation in CI/CD, license compliance checks, or documentation of reviewed dependencies.
Pass criteria: An SBOM has been generated and is available (either committed or generated in CI). License compliance has been reviewed and documented. Transitive dependencies are periodically audited — at least 1 SBOM or dependency tree review completed within the last 90 days. Report the count: "X direct dependencies and Y transitive dependencies catalogued."
Fail criteria: No SBOM generated. No evidence of license compliance review. Dependency tree not examined beyond direct dependencies.
Skip (N/A) when: The project has fewer than 10 direct dependencies and is an internal tool with no redistribution requirements.
Detail on fail: "No SBOM generated and no license compliance review documented — transitive dependency risks unknown" or "package.json has 45 direct dependencies but no audit of transitive dependencies or license conflicts performed"
Remediation: Generate an SBOM and review licenses:
# Generate SBOM in CycloneDX format
npx @cyclonedx/cyclonedx-npm --output-format JSON > sbom.json
# Check licenses for compliance
npx license-checker --summary --failOn "GPL-2.0;GPL-3.0;AGPL-3.0"
Add to CI/CD:
- name: Generate SBOM
run: npx @cyclonedx/cyclonedx-npm --output-format JSON > sbom.json
- name: License compliance check
run: npx license-checker --failOn "GPL-2.0;GPL-3.0;AGPL-3.0" --excludePrivatePackages
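The two things the pass criteria ask for, the "X direct and Y transitive" count and the ability to correlate the SBOM against a new advisory or a license denylist, can be scripted against the artifacts the commands above produce. The following is an added example written for this page, not tooling from @cyclonedx/cyclonedx-npm or license-checker: plain Node.js that reads a package-lock.json (lockfileVersion 2 or 3) and a CycloneDX sbom.json. Both inputs, the advisory records and every package name prefixed with "example-" are constructed for the demonstration; the advisory ids are fictional and describe no real vulnerability.

```javascript
// Added example, not the check's own tooling. Counts direct vs transitive
// dependencies from a package-lock.json and correlates a CycloneDX SBOM
// against a license denylist and a constructed advisory list. Plain Node.js,
// no third-party packages. All inputs below are constructed for the demo.

// Constructed package-lock.json fragment. Keys are install paths; "" is the root.
const lock = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": {
      dependencies: { express: "^4.18.2", "example-widget": "^1.2.0" },
      devDependencies: { jest: "^29.0.0" },
    },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/example-widget": { version: "1.2.0" },
    "node_modules/jest": { version: "29.7.0" },
    "node_modules/debug": { version: "2.6.9" },
    "node_modules/ms": { version: "2.0.0" },
    // The same package pulled in at a second version, nested under jest.
    "node_modules/jest/node_modules/ms": { version: "2.1.3" },
    "node_modules/example-gpl-lib": { version: "2.0.0" },
  },
};

// Constructed CycloneDX JSON fragment in the shape @cyclonedx/cyclonedx-npm emits.
function component(name, version, licenseEntry) {
  return { type: "library", name, version, purl: `pkg:npm/${name}@${version}`, licenses: [licenseEntry] };
}
const sbom = {
  bomFormat: "CycloneDX",
  specVersion: "1.5",
  components: [
    component("express", "4.18.2", { license: { id: "MIT" } }),
    component("example-widget", "1.2.0", { license: { id: "MIT" } }),
    component("jest", "29.7.0", { expression: "(MIT OR Apache-2.0)" }),
    component("debug", "2.6.9", { license: { id: "MIT" } }),
    component("ms", "2.0.0", { license: { id: "MIT" } }),
    component("ms", "2.1.3", { license: { id: "MIT" } }),
    component("example-gpl-lib", "2.0.0", { license: { id: "GPL-3.0-or-later" } }),
  ],
};

// Installed package name from a lockfile path: the segment after the last
// "node_modules/" (keeps the scope for "@scope/name"). null for the root entry.
function packageName(installPath) {
  const marker = "node_modules/";
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? null : installPath.slice(idx + marker.length);
}

// Direct = what the root entry declares. Every other installed entry is
// transitive, counted per name@version so a nested second copy counts too,
// which matches what the SBOM lists.
function countDependencies(lockfile) {
  const root = lockfile.packages[""] || {};
  const declared = new Set([
    ...Object.keys(root.dependencies || {}),
    ...Object.keys(root.devDependencies || {}),
    ...Object.keys(root.optionalDependencies || {}),
  ]);
  let transitive = 0;
  for (const [path, entry] of Object.entries(lockfile.packages)) {
    const name = packageName(path);
    if (name === null || entry.link) continue; // root entry or workspace symlink
    const topLevel = path === "node_modules/" + name; // not a nested copy
    if (!(topLevel && declared.has(name))) transitive += 1;
  }
  return { direct: declared.size, transitive };
}

// Reduce an SPDX id to its family so "GPL-3.0", "GPL-3.0-only",
// "GPL-3.0-or-later" and the deprecated "GPL-3.0+" all compare as "GPL-3.0".
function licenseFamily(id) {
  return id.replace(/(-only|-or-later|\+)$/, "");
}

// A component carries either a single license object or an SPDX expression
// such as "(MIT OR GPL-3.0-only)". Expression ids are checked individually;
// an OR-expression hit is reported so a human can confirm the permissive
// branch applies, rather than silently ignored.
function findDeniedLicenses(bom, deniedFamilies) {
  const denied = new Set(deniedFamilies);
  const hits = [];
  for (const c of bom.components || []) {
    for (const entry of c.licenses || []) {
      const ids = entry.license
        ? [entry.license.id || entry.license.name || "UNKNOWN"]
        : (entry.expression || "").split(/[\s()]+/).filter(Boolean);
      for (const id of ids) {
        if (denied.has(licenseFamily(id))) hits.push({ purl: c.purl, license: id });
      }
    }
  }
  return hits;
}

// Constructed, fictional advisories in a minimal OSV-like shape: package name
// plus exact affected versions. Real feeds publish semver ranges and need a
// range matcher; exact matching keeps this dependency-free.
const advisories = [
  { id: "EXAMPLE-2024-0001", name: "example-widget", affectedVersions: ["1.2.0", "1.2.1"] },
  { id: "EXAMPLE-2024-0002", name: "example-other", affectedVersions: ["3.0.0"] },
];

// "Are we affected?": join advisories to every SBOM component on name and
// version, transitive ones included, which is the point of having the SBOM.
function affectedComponents(bom, advisoryList) {
  const matches = [];
  for (const adv of advisoryList) {
    for (const c of bom.components || []) {
      if (c.name === adv.name && adv.affectedVersions.includes(c.version)) {
        matches.push({ advisory: adv.id, purl: c.purl });
      }
    }
  }
  return matches;
}

// The sentence the pass criteria ask the reviewer to report.
function report(lockfile) {
  const { direct, transitive } = countDependencies(lockfile);
  return `${direct} direct dependencies and ${transitive} transitive dependencies catalogued.`;
}

console.log(report(lock));
console.log("denied licenses:", findDeniedLicenses(sbom, ["GPL-2.0", "GPL-3.0", "AGPL-3.0"]));
console.log("affected:", affectedComponents(sbom, advisories));
```

To run it against real artifacts, replace the two constructed objects with `JSON.parse(fs.readFileSync("package-lock.json"))` and `JSON.parse(fs.readFileSync("sbom.json"))`; the functions only depend on the `packages` map and the `components` array. The advisory join is the part to grow: real OSV or GitHub advisory data carries semver ranges, so swap the `affectedVersions.includes` test for a range check before relying on it.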