Security Test: LLM Supply Chain Vulnerabilities

Description

Default Severity:

LLM supply chain vulnerabilities occur when weaknesses in the development or deployment process of language models allow attackers to tamper with the training data, model code, or supporting infrastructure. This is dangerous because any such alteration can lead to biased or harmful outputs, security breaches, or even system failures. Developers can inadvertently trust compromised components or skip validation checks when integrating third-party datasets or software, which makes it easier for attackers to introduce defects or malicious changes. If these issues go unaddressed, users end up relying on faulty or manipulated models, which in turn affects decision-making, privacy, and overall system reliability.
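The validation check the description refers to is, at minimum, an integrity check on every third-party artifact before it is loaded. The following Python example is added here for illustration and is not part of the security test or the product's own code; it assumes a pinned manifest of SHA-256 digests (distributed separately from the artifacts, for instance committed and signed in the repository) and shows that a tampered or unlisted artifact is refused before any loader touches it.

```python
"""Verify third-party model artifacts against a pinned digest manifest before loading them.

Added example: the manifest format, file names and loader are assumptions for illustration.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large weight files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_artifact(path, manifest):
    """Return (ok, reason); reject artifacts missing from the manifest or with a differing digest."""
    name = os.path.basename(path)
    expected = manifest.get(name)
    if expected is None:
        # Fail closed: an artifact nobody pinned is treated as untrusted.
        return False, f"{name}: not listed in manifest"
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected):
        return False, f"{name}: digest mismatch (expected {expected[:12]}..., got {actual[:12]}...)"
    return True, f"{name}: verified"


def load_verified(path, manifest, loader):
    """Call the loader (e.g. weight deserialisation) only after verification passes."""
    ok, reason = verify_artifact(path, manifest)
    if not ok:
        raise RuntimeError(f"refusing to load artifact: {reason}")
    return loader(path)


def demo():
    """Build constructed artifacts in a temp dir, exercise the check and return the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        weights = os.path.join(workdir, "model.bin")
        with open(weights, "wb") as handle:
            handle.write(b"constructed-weights-v1")
        # The manifest is pinned from a trusted copy of the artifact.
        manifest = {"model.bin": sha256_file(weights)}

        results["pinned"] = verify_artifact(weights, manifest)[0]

        # Simulate tampering on a mirror or in transit: a single appended byte.
        with open(weights, "ab") as handle:
            handle.write(b"\x00")
        results["tampered"] = verify_artifact(weights, manifest)[0]

        # The loader must never run for a rejected artifact.
        try:
            load_verified(weights, manifest, lambda p: open(p, "rb").read())
            results["loader_blocked"] = False
        except RuntimeError:
            results["loader_blocked"] = True

        # An artifact that was never pinned is refused as well.
        unlisted = os.path.join(workdir, "tokenizer.json")
        with open(unlisted, "w", encoding="utf-8") as handle:
            handle.write("{}")
        results["unlisted"] = verify_artifact(unlisted, manifest)[0]
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Digest pinning only proves the artifact matches what was pinned; it does not say the pinned version was safe, so the manifest still needs to come from a reviewed source and be updated deliberately rather than copied from whatever the download server serves.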

Reference:

Configuration

Identifier: injection/llm_supply_chain_vulnerabilities

Examples

All configuration available:

checks:
  injection/llm_supply_chain_vulnerabilities:
    skip: false # default

Compliance and Standards

Standard            Value
OWASP API Top 10    API8:2023
OWASP LLM Top 10    LLM05:2023
PCI DSS             6.5.1
GDPR                Article-32
SOC2                CC6
PSD2                Article-95
ISO 27001           A.12.2
NIST                SP800-53
FedRAMP             SI-3
CWE                 1195
CVSS Vector         CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
CVSS Score          5.0