Vulnerable & Outdated Components
detect, prioritise, remediate

What are vulnerable and outdated components?

Vulnerable and outdated components is the OWASP Top 10 category that captures the full software-supply-chain failure pattern, not a single bug. OWASP listed it as A06:2021 to consolidate three previously separate Top 10 entries (using components with known vulnerabilities, using outdated components, and using unsupported components) and to give AppSec, vulnerability management, and product security teams one shared name for the risk that a deployed application depends on libraries, frameworks, runtimes, container base images, or operating-system packages that ship with known security flaws, missing patches, or no upstream maintainer at all. The canonical CWE is CWE-1104 (Use of Unmaintained Third Party Components), and the wider OWASP mapping covers CWE-937 (Use of Components with Known Vulnerabilities), CWE-1035 (Using Components with Known Vulnerabilities), and the supporting design-stage weaknesses around inventory, version discipline, and patch cadence.

The category is a parent, not a single vulnerability. A component is in scope for A06 if you do not know which version is in production, if you know the version but it has a published CVE you have not patched, if the version is no longer supported by an upstream maintainer, if the version is several majors behind current and missing accumulated security fixes, if it reaches you only through a transitive dependency you never named directly, or if it sits in a container base image, a runtime, or an operating-system package that lives outside your application code. The pattern repeats from the package manifest layer down to the kernel layer and across every language ecosystem.

A06 is mechanistically distinct from the per-package finding the platform usually records as vulnerable dependencies. The per-package finding is a single CVE in a single library that scanning surfaced; the A06 category covers the programme conditions that produce those findings repeatedly: no software composition analysis (SCA) coverage, no inventory, no end-of-life tracking, no upgrade cadence, no policy for unmaintained components, and no path to retire components that lost upstream support. SecPortal records both shapes on the engagement record through code scanning with Semgrep SAST and dependency analysis against repository connections via GitHub, GitLab, and Bitbucket OAuth, with the broader programme work landing through findings management so the supply-chain backlog and the per-package CVE share one canonical record.

Component layers in scope

A06 reaches further than the application source tree. Every layer below contributes components your application depends on at runtime, and every layer has its own version, advisory feed, end-of-life schedule, and patch cadence. A programme that scans only one layer surfaces only one slice of the category.

How A06 surfaces in production

OWASP names A06 as a category because the same risk shape arrives through several different programme failures. The four patterns below are the most common entry points for an A06 finding on an enterprise engagement record.

Common causes

How to detect it

Detection is a coverage problem before it is a tool problem. The right A06 detection posture covers every component layer that contributes to the running system, runs continuously rather than at release boundaries, and lands findings on a record that distinguishes a per-package CVE from a programme-level coverage gap.

How to fix it

How SecPortal records and tracks A06 findings

SecPortal is not a standalone SCA tool, does not host an SBOM registry, and does not run a reachability engine. It is the workspace where every A06 finding lands on the engagement record alongside source-level findings, external attack-surface findings, and authenticated DAST findings so severity, ownership, evidence, fix, and retest stay on one canonical record per service. The flow for an A06 finding looks like this on the platform.

What SecPortal does not do

Honesty on capability matters when the topic is software supply chain. SecPortal does not generate SBOMs on your behalf, does not host an SBOM registry, does not parse CycloneDX or SPDX files into a structured component graph the platform exposes as a queryable index, does not run a reachability analysis engine across application binaries, does not federate against an asset inventory or CMDB, does not integrate with Jira, ServiceNow, Slack, SIEM, SOAR, or upstream package registry advisories through a packaged API surface, and does not maintain a continuously-refreshed CISA KEV or FIRST EPSS feed inside the workspace. Programmes that need real-time KEV reconciliation, EPSS refresh, SBOM ingestion at scale, or upstream registry advisory streaming typically run an external worker against the public feeds and land the refreshed data on the engagement record through bulk-finding-import. The platform value is the consolidated record where every A06 finding (whether it came from native code scanning, bulk import from an outside SCA, or a manual finding entry against a runtime CVE) lives alongside the rest of the security backlog with the same lifecycle, the same RBAC, the same activity log, and the same evidence trail.

Related vulnerabilities and recommended reading

A06 is the parent category for a cluster of more specific findings and the upstream concern for several SecPortal workflows. The pages below cover the per-package finding shape, the frameworks that map control evidence against A06, and the programme workflows that hold the A06 backlog across detect, triage, prioritise, route, remediate, and verify.

• Vulnerable dependencies the per-package CVE finding shape that A06 most often surfaces in production, with detection, lockfile, and patch guidance.
• Hardcoded secrets an adjacent A07-class finding that often shares a code-scanning pass with A06 dependency analysis on the same engagement record.
• Insecure design (A04:2021) the upstream design-stage category that explains why a component-choice decision was made without an upgrade plan to begin with.
• Security misconfiguration (A05:2021) the adjacent deployment-stage category that often pairs with A06 when an outdated component is also misconfigured at runtime.
• NIST SSDF (SP 800-218) practice group PW.4 (acquire and maintain well-secured software) and PS.3 (protect components) are the federal practice mapping for A06 evidence.
• NIST SP 800-161 (C-SCRM) the cybersecurity supply chain risk management practices that wrap A06 component decisions inside an enterprise C-SCRM operating model.
• EU Cyber Resilience Act the regulatory consequence for product manufacturers that requires component documentation, vulnerability handling, and security update support across the product lifecycle.
• OWASP ASVS Chapter V14 (Configuration) and V14.2 (Dependency) are the verification standard sections that read against the controls A06 expects.
• OWASP SAMM the maturity model that surfaces the programme gaps (security testing, defect management, secure build) that generate repeat A06 findings.
• OWASP Top 10 explained the parent reference that sets A06 alongside the rest of the Top 10 and the changes from the 2017 list.
• Software bill of materials guide the practitioner-side guide to running SBOM-aligned vulnerability management as the inventory layer A06 reconciliation depends on.
• SAST vs SCA code scanning the technical comparison between source-code analysis and dependency analysis inside the same build pass.
• CISA secure software development attestation guide the US federal attestation that requires SBOM, vulnerability disclosure, and component-handling evidence from software suppliers.
• SLSA framework explained the build-integrity scaffold that pairs each release with a signed provenance attestation, so the components in production trace to a known build.
• Reachability analysis vulnerability prioritisation the prioritisation technique that separates exploitable A06 findings from the long tail of unreachable transitive CVEs.
• Risk-based vulnerability management buyer guide the buyer guide for the operating model A06 component findings flow through alongside the rest of the security backlog.
• Dependency vulnerability triage the engagement workflow that turns the SCA detection wall into a defensible queue of reachable risk with a closure cadence.
• SDLC vulnerability handoff the stage-gate workflow that moves A06 findings from AppSec to engineering owners without losing the trail back to the CVE source.
• Container image vulnerability remediation workflow the workflow for the container-base-image layer of A06 where OS packages drift independently of application code.
• SBOM management and VEX publishing the operational discipline that keeps the SBOM-VEX-finding triangle reconciled on one record across release cycles.
• Patch management coordination the cross-team coordination that schedules and verifies the patch work A06 prioritisation queues up.
• SecPortal for AppSec teams the audience overview for the teams that own A06 discovery, triage, and remediation across the application portfolio.
• SecPortal for vulnerability management teams the audience overview for the teams that aggregate A06 findings alongside the wider scanner-output backlog.
• SecPortal for product security teams the audience overview for product security organisations that ship components downstream and have to publish their own A06 evidence.

Compliance impact