sbom.day — Software Bill of Materials

SBOM Dashboard

Software Bill of Materials — myapp v2.4.1

Up to date

247 Total Components +12 this week

1,024 Dependencies +34 this week

18 Vulnerabilities -3 resolved

3 Critical CVEs Requires action

12 License Types No conflicts

Vulnerability Severity Distribution

Critical 3

High 4

Medium 6

Low 5

Compliance

NTIA Minimum Elements

CycloneDX 1.4

SPDX 2.3

EO 14028 (partial)

Component Registry

Package Name	Version	Ecosystem	License	Severity	CVEs
`react`	`18.2.0`	npm	MIT	Low	0
Package Info Description: A JavaScript library for building user interfaces Author: Meta Open Source Hash: `sha256:a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3` Published: 2023-06-14 Dependency Tree react@18.2.0 └ loose-envify@1.4.0 └ js-tokens@4.0.0
`lodash`	`4.17.21`	npm	MIT	Medium	1
Package Info Description: A modern JavaScript utility library delivering modularity Hash: `sha256:b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6` Published: 2021-02-20 Known CVEs Medium CVE-2021-23337 Prototype Pollution via `zipObjectDeep`
`express`	`4.18.2`	npm	MIT	Low	0
Package Info Description: Fast, unopinionated web framework for Node.js Hash: `sha256:c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7` Dependencies: 30 direct, 52 transitive Dependency Tree express@4.18.2 └ body-parser@1.20.1 └ raw-body@2.5.1 └ path-to-regexp@0.1.7
`webpack`	`5.88.0`	npm	MIT	High	1
Package Info Description: Static module bundler for modern JavaScript applications Hash: `sha256:d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8` Dependencies: 52 direct, 185 transitive Known CVEs High CVE-2023-28154 Cross-realm object access via `require.resolve`
`openssl`	`3.0.8`	system	Apache-2.0	Critical	2
Package Info Description: Toolkit for TLS and SSL protocols and cryptography Hash: `sha256:e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9` Supplier: OpenSSL Software Foundation Known CVEs Critical CVE-2023-0286 X.509 GeneralName type confusion High CVE-2023-0215 Use-after-free in BIO_new_NDEF
`curl`	`8.1.2`	system	MIT-like	Medium	1
Package Info Description: Command-line tool and library for transferring data with URLs Hash: `sha256:f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0` Known CVEs Medium CVE-2023-28320 Use-after-free in SSH SHA256 fingerprint check
`django`	`4.2.3`	pypi	BSD-3-Clause	Low	0
Package Info Description: High-level Python web framework Hash: `sha256:a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1` Published: 2023-07-03 Dependency Tree django@4.2.3 └ asgiref@3.7.2 └ sqlparse@0.4.4 └ pytz@2023.3

Components

247 packages across 3 ecosystems

npm

198 npm packages

pypi

32 PyPI packages

sys

17 System packages

All Components

Name	Version	Ecosystem	License	Supplier	Severity
`react`	`18.2.0`	npm	MIT	Meta	Low
`typescript`	`5.1.3`	npm	Apache-2.0	Microsoft	Low
`webpack`	`5.88.0`	npm	MIT	Open Source	High
`openssl`	`3.0.8`	system	Apache-2.0	OpenSSL Foundation	Critical
`django`	`4.2.3`	pypi	BSD-3-Clause	Django Foundation	Low

Dependencies

1,024 total dependency edges

Dependency Graph

Direct and transitive dependency relationships

Package	Direct Deps	Transitive	Depth	Circular
`webpack` `5.88.0`	52	185	6	None
`express` `4.18.2`	30	52	4	None
`react` `18.2.0`	2	8	2	None
`babel` `7.22.5`	18	74	5	1 cycle
`django` `4.2.3`	3	12	2	None

Vulnerabilities

18 active findings — last scan 2026-05-04

3 Critical CVSS >9.0

4 High CVSS 7.0–9.0

6 Medium CVSS 4.0–7.0

5 Low CVSS <4.0

CVE Registry

CVE ID	Package	CVSS	Severity	Type	Status
`CVE-2023-0286`	`openssl@3.0.8`	9.8	Critical	Type Confusion	Open
`CVE-2023-0215`	`openssl@3.0.8`	7.5	High	Use-after-free	Open
`CVE-2023-28154`	`webpack@5.88.0`	8.2	High	Object Injection	Open
`CVE-2021-23337`	`lodash@4.17.21`	5.3	Medium	Prototype Pollution	In Review
`CVE-2023-28320`	`curl@8.1.2`	5.9	Medium	Use-after-free	Open

Licenses

12 distinct license types detected

License Distribution

License	Components	Category	Copyleft	Commercial Use
MIT	142	Permissive	No	Allowed
Apache-2.0	58	Permissive	No	Allowed
BSD-3-Clause	24	Permissive	No	Allowed
GPL-2.0	8	Copyleft	Yes	Review
ISC	7	Permissive	No	Allowed
AGPL-3.0	3	Strong Copyleft	Yes	Restricted

Vulnerability Severity Distribution

Compliance

Component Registry

Package Info

Dependency Tree

Package Info

Known CVEs

Package Info

Dependency Tree

Package Info

Known CVEs

Package Info

Known CVEs

Package Info

Known CVEs

Package Info

Dependency Tree

All Components

Dependency Graph

CVE Registry

License Distribution