OWASP SCVS Unknown Components
| ID | owasp_scvs/known_components |
| Severity | critical |
| Category | Inventory |
| Levels | L1, L2, L3 |
| Optional | false |
Description
All direct and transitive components and their versions are known at completion of a build.
Rationale
If you do not know the components used and their respective versions, then you can miss security vulnerabilities in components, have license issues, or cannot resolve provenance for large parts of your software.
Verification
Although direct dependencies can be read from the dependency specifications in project files (usually specific to each popular package manager), resolving the full dependency graph requires tooling: package manager commands, SCA, or a valid SBOM provided by the component suppliers. Xygeni's scan-deps command is one such tool, and it is used to automate verification of this checkpoint.
Remediation
The build process should obtain all dependencies through package managers and never add binaries or packages from other sources, with the possible exception of source code "snapshots" compiled at build time. The components involved and their versions should be clearly specified.
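As an added example (not Xygeni's scan-deps and not part of the original page), the following Python check applies the Verification and Remediation points above to a CycloneDX-style SBOM: every inventoried component must carry a version and a package URL (purl, taken here as the sign that it came through a package manager), every dependency the graph names must be in the inventory, and every inventoried component must be reachable from the build's root component. The SBOM is a constructed sample; `bom-ref`, `purl` and `dependsOn` are the CycloneDX field names.

```python
import json

# Constructed sample: a minimal CycloneDX-style SBOM, not the output of any real build.
SAMPLE_SBOM = json.dumps({
    "metadata": {"component": {"bom-ref": "pkg:npm/app@1.0.0", "name": "app", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:npm/express@4.18.2", "name": "express", "version": "4.18.2",
         "purl": "pkg:npm/express@4.18.2"},
        {"bom-ref": "pkg:npm/body-parser@1.20.1", "name": "body-parser", "version": "1.20.1",
         "purl": "pkg:npm/body-parser@1.20.1"},
        {"bom-ref": "pkg:npm/lodash@4.17.21", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},  # inventoried, but nothing depends on it
        {"bom-ref": "vendored-lib", "name": "vendored-lib"},  # checked-in binary: no version, no purl
    ],
    "dependencies": [
        {"ref": "pkg:npm/app@1.0.0", "dependsOn": ["pkg:npm/express@4.18.2", "vendored-lib"]},
        {"ref": "pkg:npm/express@4.18.2",
         "dependsOn": ["pkg:npm/body-parser@1.20.1", "pkg:npm/debug@2.6.9"]},  # debug never inventoried
    ],
})

def check_known_components(sbom_json):
    """Return a list of findings; an empty list means the checkpoint is satisfied."""
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]["bom-ref"]
    components = {c["bom-ref"]: c for c in sbom.get("components", [])}
    depends_on = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    findings = []
    # 1. Every inventoried component needs a version and a purl (no purl: not from a package manager).
    for ref, comp in components.items():
        if not comp.get("version"):
            findings.append(f"{ref}: no version recorded")
        if not comp.get("purl"):
            findings.append(f"{ref}: no purl, not resolved through a package manager")
    # 2. Walk the graph from the root; a ref the graph names but the inventory lacks is unknown.
    seen, stack = set(), [root]
    while stack:
        ref = stack.pop()
        if ref in seen:
            continue
        seen.add(ref)
        for child in depends_on.get(ref, []):
            if child not in components:
                findings.append(f"{child}: depended on but missing from the inventory")
            stack.append(child)
    # 3. An inventoried component unreachable from the root has no explained provenance.
    findings.extend(f"{ref}: inventoried but not reachable from {root}"
                    for ref in components if ref not in seen)
    return findings
```

Running the check over the sample reports the unversioned vendored binary, the un-inventoried transitive dependency and the orphaned component; a clean SBOM yields an empty list.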
Small Print
Please note that the checkpoint says nothing about whether versions should be open (for example, semver requirements that allow automatic upgrades) or fully pinned.