A9 – Where to look for known vulnerabilities on third-party components