// SAMPLE REPORT · SUPPLY CHAIN
Supply-chain report for Contoso.Payments.Api.
The kind of executive-ready report a NuGet-heavy team sees after a Rorix scan: clear risk summary, upgrade targets, license concerns, and next actions for CI.
Security grade: B (72 / 100) · SBOM exports: CycloneDX + SPDX

Findings by severity:
- Critical: 1 finding
- High: 1 finding
- Medium: 1 finding

SBOM formats: 2 (CycloneDX, SPDX)
Top findings
- Critical · Microsoft.Data.SqlClient 4.1.0 → 5.1.2: High-impact vulnerability in connection handling. Upgrade to 5.1.2 or later; a break-glass exception is not recommended.
- High · Newtonsoft.Json 12.0.3 → 13.0.3: Known vulnerable dependency version in common .NET attack paths. Upgrade to 13.0.3 and verify serializer settings in production.
- Medium · Legacy.Logging.Extensions 2.8.1 → 2.9.0: Weak transitive dependency chain with a permissive downgrade path. Pin the fixed version in central package management.
Compliance snapshot
- 1 copyleft license detected in a transitive dependency
- 2 packages missing normalized license metadata
Recommended next step
Export the SBOM, set a severity threshold in CI, and block new pull requests that introduce critical findings or restricted licenses.