A Software Bill of Materials (SBOM) is a structured inventory of all components that make up a piece of software — including third-party libraries, packages, versions, and their relationships. SBOMs help organizations understand what is inside their software, evaluate exposure to known vulnerabilities, and meet supply-chain security and compliance requirements.
We publish SBOMs because transparency and security are core to Defguard. Making our dependency information public lets customers and auditors independently verify what we ship, continuously assess risk against public CVE databases, and integrate our artifacts into their own security tooling and compliance workflows. SBOMs also help us respond faster to newly disclosed issues: we track and scan dependencies after each release, prioritize remediation, and communicate status openly. This practice aligns with ISO 27001 controls and demonstrates our commitment to a secure software supply chain.
Separate SBOMs are available for mobile apps (Android, iOS), the desktop app
(Windows, macOS, Linux), and server components (Core, Proxy, Gateway).
Alongside each SBOM, advisories files are also published to summarize known
vulnerabilities in detail.
We use Trivy to generate SBOM files and scan for vulnerabilities in our dependencies. Each
SBOM is updated every day in our CI/CD pipeline and provided in the standard SPDX format.
Component
Version
Date checked
Links
Vulnerability status
Status
Active vulnerabilities
webpki: CRLs not considered authoritative by Distribution Point due to faulty matching logic
webpki: Name constraints for URI names were incorrectly accepted
webpki: Name constraints were accepted for certificates asserting a wildcard name
axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization
axios: Axios: Remote Code Execution via Prototype Pollution escalation
follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>`.
Kysely has a MySQL SQL Injection via Insufficient Backslash Escaping in `sql.lit(string)` usage or similar methods that append string literal values into the compiled SQL strings
lodash: lodash: Arbitrary code execution via untrusted input in template imports
lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass
picomatch: Picomatch: Regular Expression Denial of Service via crafted extglob patterns
picomatch: Picomatch: Data integrity compromised via method injection with crafted POSIX bracket expressions
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
Active vulnerabilities
Upstream / suppressed findings
Unsoundness in `Iterator` and `DoubleEndedIterator` impls for `glib::VariantStrIter`
Explanation: glib is a transitive dependency of Tauri which we cannot update ourselves. Waiting for tauri to finish migration to gtk4-rs: https://github.com/tauri-apps/tauri/issues/12563
