SBOM: package added

Vulnerability potential Low
DDoS potential None

A dependency present in the current SBOM is missing from the previous snapshot

Impact

When the current SBOM is compared against a previous snapshot (a baseline from the last release, the main branch, or the prior build), this dependency appears in the new SBOM but not in the old one — it was added. This is an informational diff entry, not a fault in itself; its purpose is to draw a reviewer’s attention to a newly introduced component.

The practical significance:

  • New attack surface and new obligations. Every added component brings its own code, its own potential vulnerabilities, and its own license terms into the product. An addition is the moment to evaluate those before they become a vulnerable-dependency or license-policy finding.
  • Visibility into supply-chain change. Additions are frequently transitive — pulled in indirectly by bumping or adding a direct dependency — so a single intended change can quietly introduce several new packages. The diff makes that expansion visible.
  • Provenance check point. A newly appearing name is the right place to catch typosquats, dependency-confusion substitutions, or an unexpected maintainer change, since the package is being introduced rather than merely carried over.

On its own the entry carries no defect; the consequences depend on what the added package turns out to be, which downstream license and vulnerability checks then assess.

Vulnerability potential

A package addition is informational and has no direct security impact by itself — adding a dependency is a normal, expected event and does not constitute a flaw. It is flagged only so a human or policy can assess the new component.

The indirect relevance is that an addition is the trigger point for real checks: a newly introduced package may carry a known-vulnerable version (handled as a vulnerable-dependency finding) or an unexpected name that signals a typosquat or dependency-confusion attack. Treat the entry as a prompt to run vulnerability, license and provenance checks on the new component, not as a vulnerability in its own right.

Technical details

An SBOM diff is a set comparison between two bills of materials keyed by a stable component identity — normally the package URL (purl) or name@version. With the previous snapshot’s component set P and the current set C, the added set is C \ P: components present now but absent before. (The companion entries are removed = P \ C and bumped = same name, different version.)

Keying and granularity

The result depends on the key. Keying on name alone reports only first-time package introductions; keying on name@version reports a version change as a simultaneous remove+add unless the differ collapses those into a bumped entry. A correct differ matches by name first, then classifies same-name pairs as bumped and unmatched names as added/removed.

Direct vs transitive

The added component may be a direct dependency the developer wrote into the manifest, or a transitive one resolved by the package manager. Diffing the fully resolved lockfile/SBOM (not just the manifest) surfaces transitive additions that the manifest change does not mention. A single direct bump can therefore produce many added entries.

Snapshot baseline

The meaning of “added” is relative to whatever baseline was chosen. Comparing against the last released SBOM answers “what is new since we shipped”; comparing against the target branch answers “what does this PR introduce”. The baseline must be recorded for the diff to be interpretable.

Catching the issue

Additions are surfaced by diffing SBOMs in the pipeline and reviewing the result on every change.

Diffing tooling

Generate an SBOM per build (Syft, CycloneDX tools, the build system’s SBOM output) and diff it against the stored baseline with cyclonedx-cli diff, syft ... diff, bom diff, or GitHub’s Dependency Review action, which comments the dependency delta directly on pull requests. Commit lockfiles so the resolved graph is reproducible and the diff is meaningful.

Review and gating

Make the added-component list part of code review so a human evaluates each new package’s purpose, maintenance, popularity and provenance. Optionally gate new direct additions behind an allow-list or an approval step, and automatically run vulnerability and license scans on the added set so a risky introduction is caught at the moment it enters rather than later. Dependency-pinning and provenance checks (npm --package-lock-only, Sigstore/SLSA attestations) help confirm the addition is the package you intended.

How to reproduce

The “reproducer” is an SBOM diff, not runnable code. Below, the component left-pad is present in the current SBOM but absent from the previous snapshot, so the differ classifies it as added. Observe the component in current that has no counterpart in previous.

{
  "previous": {
    "components": [
      { "purl": "pkg:npm/[email protected]" },
      { "purl": "pkg:npm/[email protected]" }
    ]
  },
  "current": {
    "components": [
      { "purl": "pkg:npm/[email protected]" },
      { "purl": "pkg:npm/[email protected]" },
      { "purl": "pkg:npm/[email protected]" }
    ]
  }
}

The resulting diff entry:

sbom_diff:
  added:
    - name: left-pad
      version: 1.3.0
      purl: "pkg:npm/[email protected]"
      scope: transitive       # pulled in by a bumped direct dependency
  removed: []
  bumped: []