Curriculum
AppSec, Privacy & License Compliance
Introduction to AppSec
0/2
Dependencies AppSec
0/5
-
Dependencies AppSec: SBOM and SCA.
Preview -
Understanding Software Bill of Materials (SBOM): A Crucial Tool in Software Supply Chain Security
Preview
-
How to read an SBOM row?
Preview
-
Software Composite Analysis (SCA): How secured are the dependencies?
Preview
-
How SCA scanners work? How to read an SCA finding?
Preview
Code AppSec
0/2
Runtime AppSec
0/2
Dependencies License Compliance
0/2
Privacy
0/2
Quiz
0/1
Bonus
0/3
Text lesson
How to read an SBOM row?
An SBOM lists all components in your software, whether vulnerable or not. Each row helps you track risk, license, and provenance.
- Component Name: The package or library (e.g.,
openssl,lodash). - Version: The specific version in use (e.g.,
1.3.0). - Type: Source (e.g., npm, Maven, pip), binary, or custom module.
- License: The license applied to the component (e.g., MIT, Apache-2.0, GPL).
- Supplier: Author or organization behind the component.
- Vulnerabilities: Linked CVEs or status like “none known”.
- Dependency Type: Whether the component is direct or transitive.
- PURL or SHA: Identifiers used to track the exact component version. This can replace component name and version)
Tip: Use SBOMs to audit both security (vulnerabilities) and legal (license) risk. Even non-vulnerable components may cause issues if their license is incompatible.