CI/CD Pipeline Security & Shifting Left Part 2

As a follow-up to my previous post, I wanted to go back, remove the vulnerable code, and update the included libraries to fix any dependencies that were vulnerable. First, let's have a look at what has changed simply with the passage of time.

Dependency-Track has not received a new SBOM for quite some time, as the pipeline hasn't been run. However, it has continued to track vulnerabilities in the included components.

[Figure: Dependency-Track, Apr 23]

The summary view shows the included versions with the number of vulnerabilities by severity. Not only has Dependency-Track continued to do its job quietly in the background, it has also been updating Defect Dojo as new vulnerabilities have been published through its vulnerability database feeds.

[Figure: Defect Dojo, Apr 23]

All of this happens based on the last SBOM ingested by Dependency-Track. Even if the pipeline has not been run in years and no new SBOM has been produced, it will continue to surface new vulnerabilities in the software compo
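The mechanism described above, re-evaluating an SBOM that was ingested once against a vulnerability feed that keeps changing, is what makes the stale pipeline still produce new findings. The following is an added illustration written for this post, not Dependency-Track's or Defect Dojo's code: the CycloneDX-style SBOM, the two feed snapshots and the advisory IDs (EXAMPLE-000x) are all constructed sample values, and version matching is simplified to "installed version older than the fixed version".

```python
"""Re-evaluating a stored SBOM against successive vulnerability feeds.

Added illustration, not Dependency-Track's code: models how an SBOM
ingested once keeps yielding new findings as the feed changes, with no
new SBOM upload. All SBOM and feed data below are constructed samples.
"""
from collections import Counter

# Constructed CycloneDX-style SBOM, ingested once and kept on file.
STORED_SBOM = {
    "components": [
        {"name": "example-lib-a", "version": "1.2.0"},
        {"name": "example-lib-b", "version": "4.0.1"},
        {"name": "example-lib-c", "version": "2.7.3"},
    ]
}

# Constructed feed snapshots. Each advisory names a component and the first
# version that contains the fix ("fixed_in"). The IDs are hypothetical.
FEED_V1 = [
    {"id": "EXAMPLE-0001", "component": "example-lib-a", "fixed_in": "1.3.0", "severity": "HIGH"},
]
FEED_V2 = FEED_V1 + [
    {"id": "EXAMPLE-0002", "component": "example-lib-c", "fixed_in": "2.8.0", "severity": "CRITICAL"},
    # Already fixed in the stored version: must not produce a finding.
    {"id": "EXAMPLE-0003", "component": "example-lib-b", "fixed_in": "4.0.0", "severity": "LOW"},
]


def parse_version(v: str) -> tuple:
    """Turn a dotted numeric version into a comparable tuple (simplified)."""
    return tuple(int(p) for p in v.split("."))


def evaluate(sbom: dict, feed: list) -> list:
    """Return one finding per (component, advisory) pair where the stored
    component version is older than the version that carries the fix."""
    findings = []
    for comp in sbom["components"]:
        installed = parse_version(comp["version"])
        for adv in feed:
            if adv["component"] == comp["name"] and installed < parse_version(adv["fixed_in"]):
                findings.append({"component": comp["name"], "version": comp["version"],
                                 "id": adv["id"], "severity": adv["severity"]})
    return findings


def severity_summary(findings: list) -> dict:
    """Counts by severity, in the spirit of the project summary view."""
    return dict(Counter(f["severity"] for f in findings))


def new_findings(old: list, new: list) -> list:
    """Findings present in `new` but not `old`: what gets pushed on to a
    defect tracker after a feed update, even though the SBOM is unchanged."""
    seen = {(f["component"], f["id"]) for f in old}
    return [f for f in new if (f["component"], f["id"]) not in seen]


if __name__ == "__main__":
    before = evaluate(STORED_SBOM, FEED_V1)
    after = evaluate(STORED_SBOM, FEED_V2)
    print("summary with feed v1:", severity_summary(before))
    print("summary with feed v2:", severity_summary(after))
    for f in new_findings(before, after):
        print("new finding since last feed:", f)
```

Running it shows the same SBOM going from one HIGH finding to one HIGH plus one CRITICAL purely because the feed changed, while the advisory already fixed in the stored version of example-lib-b is correctly ignored.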