SiteShadow
Back to vulnerability library
Detected byPro-tier static analysisPro

SBOM01 Missing SBOM / Lockfile

What this means

SiteShadow flagged that your project may be missing the "paper trail" for dependencies: a lockfile (for reproducible installs) and/or an SBOM (software bill of materials).

Why it matters

Safer examples

1) Add and commit the lockfile for your ecosystem

2) Generate an SBOM in CI

Common formats: SPDX, CycloneDX. Store as a build artifact and/or commit when appropriate.

# Example (tooling varies): generate SBOM in CI and attach to build
syft dir:. -o cyclonedx-json > sbom.cdx.json

3) Treat SBOM/lockfile as required for releases

Make releases fail if the lockfile is missing or drifted from manifests.

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.