SBOM · CVE Scanning · Supply Chain · Deep Prototype

SbomScanner — SBOM Vulnerability + License Scan

52 seeded packages across a realistic Node.js + Python stack. Matches every package against CVE feeds (CVE-2022-23529 jsonwebtoken insecure key handling in jwt.verify, CVE-2021-44906 minimist prototype pollution, CVE-2023-23931 cryptography memory corruption, …), classifies licenses, and flags versions on upstream lines that have reached end of life. The output follows the NTIA minimum-elements SBOM shape.

What it is

The shape behind NTIA SBOM compliance + supply-chain risk. Walks every package in your stack (direct + transitive) against CVE feeds, classifies each package's SPDX license identifier (including compound expressions) into a copyleft-risk class, and flags versions on upstream lines that have reached end of life, i.e. where the upstream stopped releasing security patches.

What it catches

  • 52 seeded packages across a realistic Node.js + Python stack: Next.js, React, axios, lodash, express, jsonwebtoken, node-fetch, semver, ws, minimist, moment (EOL), ffmpeg-static (GPL-3.0 trap), AWS SDK v2 (EOL Sept 2025), Apollo Server 3 (EOL Oct 2024), Django 3.2 (EOL), Pillow, cryptography, urllib3, and more.
  • Real CVE matches with severity, title, and fixed-in version:
    • jsonwebtoken 8.5.1 → CVE-2022-23529 (critical, insecure secretOrPublicKey handling in jwt.verify; fixed in 9.0.0)
    • minimist 1.2.5 → CVE-2021-44906 (critical, prototype pollution; fixed in 1.2.6)
    • lodash 4.17.20 → CVE-2021-23337 (high, command injection via template; fixed in 4.17.21)
    • moment 2.29.0 → CVE-2022-31129 (high, ReDoS in date parsing; fixed in 2.29.4)
    • ws 7.4.0 → CVE-2024-37890 (high, DoS via a request with many HTTP headers; fixed in 7.5.10 for the 7.x line)
    • urllib3 1.26.5 → CVE-2023-43804 (high, Cookie header leaked on cross-origin redirect; fixed in 1.26.17)
    • and 14 more
  • License classification across permissive / weak-copyleft / strong-copyleft / proprietary. GPL-3.0 traps surface (ffmpeg-static, readline). SPDX expressions (e.g., Apache-2.0 OR BSD-3-Clause) handled.
  • EOL detection — flags upstream versions where security patches stopped. Examples: AWS SDK v2 (Sept 2025), Apollo Server 3 (Oct 2024), moment.js (recommend day.js / date-fns), gulp 3, grunt 1.0, Babel 6, Elasticsearch (use OpenSearch instead).
  • Transitive depth: every package is marked with its depth (0 = direct, 1-3 = transitive). The minimist critical CVE sits at depth 3, the kind of vulnerability you miss if you only check what is declared in package.json or requirements.txt instead of walking the resolved lockfile tree.
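The four checks above (version-range CVE matching, SPDX expression classification, EOL flagging, and depth via a graph walk) fit in a few dozen lines of dependency-free JavaScript. The block below is an added example written for this page, not the SbomScanner source. The advisory, license-class and EOL tables are constructed subsets (the CVE ids, affected ranges and fixed-in versions they contain are the real ones); the SBOM is constructed, and 'build-tool' and 'fs-helper' are placeholder package names used only to push minimist down to depth 3.

```javascript
// Added example, not the SbomScanner source. Tables below are constructed subsets.

// Minimal "major.minor.patch" comparison (prerelease tags ignored: assumption).
function cmpVer(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Constructed advisory feed in the OSV/GHSA range shape: affected when
// introduced <= version < fixed. (urllib3 entry covers the 1.x line only.)
const ADVISORIES = {
  minimist: [{ id: 'CVE-2021-44906', severity: 'critical', introduced: '0.0.0', fixed: '1.2.6' }],
  lodash:   [{ id: 'CVE-2021-23337', severity: 'high',     introduced: '0.0.0', fixed: '4.17.21' }],
  moment:   [{ id: 'CVE-2022-31129', severity: 'high',     introduced: '2.18.0', fixed: '2.29.4' }],
  urllib3:  [{ id: 'CVE-2023-43804', severity: 'high',     introduced: '0.0.0', fixed: '1.26.17' }],
};

function matchCves(name, version) {
  return (ADVISORIES[name] || [])
    .filter(a => cmpVer(version, a.introduced) >= 0 && cmpVer(version, a.fixed) < 0)
    .map(a => ({ id: a.id, severity: a.severity, fixedIn: a.fixed }));
}

// License classes from least to most restrictive; 'unknown' sorts last so an
// unrecognised identifier is never silently treated as permissive.
const RISK = ['permissive', 'weak-copyleft', 'strong-copyleft', 'proprietary', 'unknown'];
const LICENSE_CLASS = {
  MIT: 'permissive', ISC: 'permissive', 'BSD-3-Clause': 'permissive', 'Apache-2.0': 'permissive',
  'MPL-2.0': 'weak-copyleft', 'LGPL-2.1': 'weak-copyleft',
  'GPL-2.0': 'strong-copyleft', 'GPL-3.0': 'strong-copyleft', UNLICENSED: 'proprietary',
};

// SPDX expressions: OR binds loosest, so split on it first. "A OR B" lets the
// consumer choose, so take the least restrictive side; "A AND B" binds to both,
// so take the most restrictive. Parenthesised sub-expressions not handled (assumption).
function classifyLicense(expr) {
  if (!expr || !expr.trim()) return 'unknown';
  const rank = c => RISK.indexOf(c);
  if (/ OR /i.test(expr)) return expr.split(/ OR /i).map(classifyLicense).reduce((x, y) => rank(x) <= rank(y) ? x : y);
  if (/ AND /i.test(expr)) return expr.split(/ AND /i).map(classifyLicense).reduce((x, y) => rank(x) >= rank(y) ? x : y);
  const id = expr.trim().replace(/-(only|or-later)$/, '').replace(/\+$/, '');
  return LICENSE_CLASS[id] || 'unknown';
}

// Constructed EOL table: majors = major versions whose upstream line no longer
// ships security patches; null = the whole package.
const EOL = {
  'aws-sdk': { majors: [2], note: 'AWS SDK for JavaScript v2 end of support Sept 2025; move to @aws-sdk/* (v3)' },
  'apollo-server': { majors: [3], note: 'Apollo Server 3 EOL Oct 2024; move to @apollo/server (v4)' },
  moment: { majors: null, note: 'moment is in maintenance mode; consider day.js or date-fns' },
};

function eolNote(name, version) {
  const e = EOL[name];
  if (!e) return null;
  return e.majors === null || e.majors.includes(Number(version.split('.')[0])) ? e.note : null;
}

// Breadth-first walk of the resolved graph from the application root, so each
// package gets its shortest path length: 0 = direct, 1..n = transitive.
function assignDepth(root, graph) {
  const depth = {};
  const queue = [[root, -1]];
  while (queue.length) {
    const [node, d] = queue.shift();
    for (const dep of graph[node] || []) {
      if (depth[dep] === undefined) { depth[dep] = d + 1; queue.push([dep, d + 1]); }
    }
  }
  return depth;
}

function scan(sbom) {
  const depth = assignDepth(sbom.root, sbom.graph);
  return sbom.components.map(c => ({
    name: c.name, version: c.version, depth: depth[c.name] ?? null,
    cves: matchCves(c.name, c.version),
    licenseClass: classifyLicense(c.license),
    eol: eolNote(c.name, c.version),
  }));
}

// Only the rows with something to act on: a CVE, an EOL line, or copyleft exposure.
function findings(sbom) {
  return scan(sbom).filter(r => r.cves.length || r.eol || r.licenseClass.endsWith('copyleft'));
}

// Constructed SBOM: component list plus the resolved "who depends on whom" graph.
// Chain build-tool -> fs-helper -> mkdirp -> minimist puts minimist at depth 3.
const SAMPLE_SBOM = {
  root: 'app',
  components: [
    { name: 'express',       version: '4.18.2',   license: 'MIT' },
    { name: 'lodash',        version: '4.17.20',  license: 'MIT' },
    { name: 'moment',        version: '2.29.0',   license: 'MIT' },
    { name: 'ffmpeg-static', version: '5.2.0',    license: 'GPL-3.0-or-later' },
    { name: 'aws-sdk',       version: '2.1400.0', license: 'Apache-2.0' },
    { name: 'build-tool',    version: '1.0.0',    license: 'Apache-2.0 OR BSD-3-Clause' },
    { name: 'fs-helper',     version: '2.1.0',    license: 'MIT AND LGPL-2.1-only' },
    { name: 'mkdirp',        version: '0.5.1',    license: 'MIT' },
    { name: 'minimist',      version: '1.2.5',    license: 'MIT' },
  ],
  graph: {
    app: ['express', 'lodash', 'moment', 'ffmpeg-static', 'aws-sdk', 'build-tool'],
    'build-tool': ['fs-helper'], 'fs-helper': ['mkdirp'], mkdirp: ['minimist'],
  },
};

console.table(findings(SAMPLE_SBOM).map(r => ({
  ...r, cves: r.cves.map(c => `${c.id} (${c.severity}, fix ${c.fixedIn})`).join('; '),
})));
```

Two design points worth keeping when you grow this past a prototype: the range check uses the introduced/fixed pair rather than a bare "< fixed" so a CVE that only affects later minors (moment's ReDoS starts at 2.18.0) does not false-positive on older lines, and the graph walk runs over the resolved lockfile graph, not the declared manifest, which is the only way a depth-3 package like minimist shows up at all.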

Why this shape

Executive Order 14028 directs federal agencies to require an SBOM from the vendors that sell them software, built to the NTIA minimum elements, and CISA’s “Known Exploited Vulnerabilities” catalog is the list you triage that SBOM against first. Most tools (Snyk, Dependabot, Trivy) output the same shape. SbomScanner prototypes the shape directly: paste the SBOM, see the vulnerabilities, licenses, and EOL signal on one screen.

How it ships

Single HTML file, ~24KB. Zero dependencies. The 52-package catalog with real CVEs, license-class map, SPDX expression handler, and EOL detection are 220 lines of vanilla JavaScript.
