Skill Being Reviewed
Skill name: sbom-analysis
Skill path: skills/vuln-management/sbom-analysis/
False Positive Analysis
Benign code/configuration that triggers a false positive:
{
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"components": [
{
"type": "library",
"name": "eslint-plugin-internal",
"version": "4.2.0",
"scope": "excluded",
"licenses": [{"license": {"id": "GPL-3.0-only"}}],
"properties": [
{"name": "cdx:npm:package:development", "value": "true"},
{"name": "acme:stage", "value": "lint-only"}
]
}
]
}Why this is a false positive:
The skill flags GPL/AGPL and other strong-copyleft licenses as distribution or SaaS concerns, but it does not require component scope/stage classification first. A lint-only development dependency excluded from the shipped runtime artifact should not be treated like a production dependency in distributed software or a network-exposed SaaS component. It should still be recorded, but priority and legal analysis should be different.
Coverage Gaps
Missed variant 1:
{
"components": [
{"name": "openssl", "version": "3.0.8", "type": "library", "scope": "required"},
{"name": "vulnerable-test-fixture", "version": "1.0.0", "type": "library", "scope": "excluded"}
],
"dependencies": [
{"ref": "app", "dependsOn": ["openssl", "vulnerable-test-fixture"]}
]
}Why it should be caught:
The skill counts known CVEs and transitive risk, but it does not require separating required runtime dependencies from excluded/dev/test/build-only dependencies before assigning risk. That can over-prioritize test fixtures and under-prioritize runtime libraries that are actually reachable in production.
Missed variant 2:
FROM node:22 AS build
RUN npm ci --include=dev
RUN npm run build
FROM gcr.io/distroless/nodejs22
COPY --from=build /app/dist /app/dist
CMD ["/app/dist/server.js"]
Why it should be caught:
An SBOM generated from the source tree or build stage can differ materially from the deployed image SBOM. The skill asks for software identity and component counts, but it does not require declaring whether the SBOM represents source, build environment, container image, runtime filesystem, or deployed service. Without that, vulnerability and license decisions can be made against the wrong artifact stage.
Edge Cases
Some organizations intentionally keep dev/build dependencies in a separate SBOM for auditability. That is useful, but the report should not merge dev, build, test, and runtime components into one severity bucket.
For containerized apps, a package may be present in the build image but absent from the final runtime layer. Conversely, a base image package may be absent from the application lockfile but present in production. The analysis should require stage and artifact labels before risk classification.
Remediation Quality
Suggested additions:
SBOM artifact stage: source tree, lockfile, build image, final image, runtime filesystem, deployed service.
Component scope: required/runtime, optional, dev, test fixture, build-only, excluded.
Risk rule: production/runtime components drive vulnerability SLA; dev/build-only components drive separate hygiene/legal review unless shipped or reachable.
Comparison to Other Tools
| Tool |
Catches this? |
Notes |
| Syft/Grype |
Partial |
Can generate image SBOMs and scan vulnerabilities, but the reviewer still must choose source vs final image. |
| CycloneDX |
Partial |
Supports scope/properties/formulation data, but the skill must require reviewers to use them. |
| SCA dashboards |
Partial |
Often separate dev/prod dependency groups, but container base-image packages still require runtime artifact scanning. |
Overall Assessment
Strengths: Strong NTIA minimum-element validation, VEX interpretation, transitive risk, and license-conflict coverage.
Needs improvement: Require artifact stage and component scope before deciding vulnerability SLA, license conflict severity, and overall supply-chain risk.
Priority recommendations:
- Add an artifact-stage field to the SBOM overview and executive summary.
- Add component scope distribution to the transitive dependency and license sections.
- Separate runtime vulnerability priority from dev/build-only hygiene findings.
Bounty Info
Skill Being Reviewed
Skill name: sbom-analysis
Skill path:
skills/vuln-management/sbom-analysis/False Positive Analysis
Benign code/configuration that triggers a false positive:
{ "bomFormat": "CycloneDX", "specVersion": "1.5", "components": [ { "type": "library", "name": "eslint-plugin-internal", "version": "4.2.0", "scope": "excluded", "licenses": [{"license": {"id": "GPL-3.0-only"}}], "properties": [ {"name": "cdx:npm:package:development", "value": "true"}, {"name": "acme:stage", "value": "lint-only"} ] } ] }Why this is a false positive:
The skill flags GPL/AGPL and other strong-copyleft licenses as distribution or SaaS concerns, but it does not require component scope/stage classification first. A lint-only development dependency excluded from the shipped runtime artifact should not be treated like a production dependency in distributed software or a network-exposed SaaS component. It should still be recorded, but priority and legal analysis should be different.
Coverage Gaps
Missed variant 1:
{ "components": [ {"name": "openssl", "version": "3.0.8", "type": "library", "scope": "required"}, {"name": "vulnerable-test-fixture", "version": "1.0.0", "type": "library", "scope": "excluded"} ], "dependencies": [ {"ref": "app", "dependsOn": ["openssl", "vulnerable-test-fixture"]} ] }Why it should be caught:
The skill counts known CVEs and transitive risk, but it does not require separating required runtime dependencies from excluded/dev/test/build-only dependencies before assigning risk. That can over-prioritize test fixtures and under-prioritize runtime libraries that are actually reachable in production.
Missed variant 2:
Why it should be caught:
An SBOM generated from the source tree or build stage can differ materially from the deployed image SBOM. The skill asks for software identity and component counts, but it does not require declaring whether the SBOM represents source, build environment, container image, runtime filesystem, or deployed service. Without that, vulnerability and license decisions can be made against the wrong artifact stage.
Edge Cases
Some organizations intentionally keep dev/build dependencies in a separate SBOM for auditability. That is useful, but the report should not merge dev, build, test, and runtime components into one severity bucket.
For containerized apps, a package may be present in the build image but absent from the final runtime layer. Conversely, a base image package may be absent from the application lockfile but present in production. The analysis should require stage and artifact labels before risk classification.
Remediation Quality
Suggested additions:
Comparison to Other Tools
Overall Assessment
Strengths: Strong NTIA minimum-element validation, VEX interpretation, transitive risk, and license-conflict coverage.
Needs improvement: Require artifact stage and component scope before deciding vulnerability SLA, license conflict severity, and overall supply-chain risk.
Priority recommendations:
Bounty Info