SBOM01 Missing SBOM / Lockfile
What this means
SiteShadow flagged that your project may be missing the "paper trail" for dependencies: a lockfile (for reproducible installs) and/or an SBOM (software bill of materials).
Why it matters
- You can't answer "are we vulnerable?" quickly without an inventory.
- Incident response slows down: unknown transitive deps delay triage and patching.
- Reproducibility + integrity: lockfiles help ensure you install what you tested.
Safer examples
1) Add and commit the lockfile for your ecosystem
- Node: package-lock.json / pnpm-lock.yaml / yarn.lock
- Python: poetry.lock / Pipfile.lock / a pinned requirements.txt
- Ruby: Gemfile.lock
2) Generate an SBOM in CI
Common formats: SPDX, CycloneDX. Store as a build artifact and/or commit when appropriate.
# Example (tooling varies): generate a CycloneDX SBOM with syft in CI and attach it to the build
syft dir:. -o cyclonedx-json > sbom.cdx.json
3) Treat SBOM/lockfile as required for releases
Make the release pipeline fail if the lockfile is missing or has drifted from the manifest it was generated from.
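As an added example (not SiteShadow's own detector), a small release gate for steps 1 and 3: it fails the build when a manifest has no lockfile, and for npm it also reports dependencies declared in package.json that the lockfile does not resolve. The manifest-to-lockfile pairing is an assumption covering the ecosystems listed above.

```python
"""Release gate: fail when a dependency manifest has no lockfile, or when
package.json declares a dependency the npm lockfile does not resolve."""
import json
import os
import sys

# Manifest -> lockfiles that count as a reproducible install path (assumed pairing;
# pyproject.toml projects on non-Poetry tools would add their own lockfile here).
LOCKFILE_PAIRS = {
    "package.json": ("package-lock.json", "pnpm-lock.yaml", "yarn.lock"),
    "pyproject.toml": ("poetry.lock",),
    "Pipfile": ("Pipfile.lock",),
    "Gemfile": ("Gemfile.lock",),
}
SKIP_DIRS = {".git", "node_modules", "vendor", ".venv"}


def missing_lockfiles(filenames):
    """Manifests in one directory listing that have no matching lockfile."""
    names = set(filenames)
    return [(m, locks) for m, locks in LOCKFILE_PAIRS.items()
            if m in names and not any(lock in names for lock in locks)]


def npm_lock_drift(pkg, lock):
    """Names declared in package.json but absent from package-lock.json.
    Handles lockfile v1 ("dependencies") and v2/v3 ("packages"); name-level
    only, so `npm ci` remains the authoritative version check."""
    declared = set(pkg.get("dependencies", {})) | set(pkg.get("devDependencies", {}))
    resolved = set(lock.get("dependencies", {}))
    for path in lock.get("packages", {}):
        # Top-level entries look like "node_modules/<name>"; nested ones are skipped.
        if path.startswith("node_modules/") and path.count("node_modules/") == 1:
            resolved.add(path[len("node_modules/"):])
    return sorted(declared - resolved)


def scan(root):
    """Walk a checkout and return human-readable findings (empty list = pass)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for manifest, locks in missing_lockfiles(filenames):
            findings.append(f"{dirpath}/{manifest}: no lockfile (expected one of {', '.join(locks)})")
        if "package.json" in filenames and "package-lock.json" in filenames:
            with open(os.path.join(dirpath, "package.json")) as f, \
                 open(os.path.join(dirpath, "package-lock.json")) as g:
                drift = npm_lock_drift(json.load(f), json.load(g))
            if drift:
                findings.append(f"{dirpath}/package-lock.json: drifted, unresolved {drift}")
    return findings


if __name__ == "__main__":
    problems = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("\n".join(problems) or "SBOM01: lockfiles present and in sync")
    sys.exit(1 if problems else 0)
```

Run it as a CI step before the SBOM generation so a missing or stale lockfile blocks the release rather than producing an SBOM that does not match what ships.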
How SiteShadow detects it (high level)
- Checks for the presence of common lockfiles and warns when they're missing.
- Flags projects with dependency manifests but without a clear reproducible install path.
References
- OWASP Top 10: https://owasp.org/Top10/
---