Inspector incorrectly flagging Npm vulnerabilities


It appears that the detection algorithms for Npm related vulnerabilities are identifying false-positive results that could be easily avoided -

https://github.com/browserify/resolve/issues/319

Can someone file a bug internally so this can hopefully be addressed?

  • Alan
  • Hello Alan, we do have some templates to submit Inspector false positives so I may be able to help. Can you tell me if this false positive is detected in EC2, ECR or Lambda?

  • Detected in ECR. The GitHub link shows a history of closed project issues. In these, the project contributor indicates the false positive is due to Inspector's heuristic methods used to detect the vuln, likely limited to matching on name, and being insufficient in this edge case where they have included a private node package in the project that includes tests (due to npm cmd resolution requirements). The contributor fully acknowledges the name collision w/ a known malicious pkg, but refuses to edit it on the principle of driving adoption of more accurate detection methods in scan tools.

asked 8 months ago · 266 views
1 Answer
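To make the name-collision point above concrete, here is an added illustration (not Inspector's logic and not the resolve project's code) of a name-only package match beside a narrower one that also considers the recorded version, the `"private": true` marker and the fixture location. The advisory entry, package names, versions and paths are all constructed for the example.

```python
"""Constructed comparison of a name-only match and a narrower match over package.json
records. Advisory data, package names, versions and paths are made up for this example."""
import json
from pathlib import PurePosixPath

# Constructed advisory feed: a known-bad package name and its affected versions.
ADVISORIES = {"colliding-name": {"affected_versions": {"1.0.0", "1.0.1"}}}

# Constructed SBOM-style records: (path to package.json, raw contents).
PACKAGES = [
    ("/app/node_modules/left-pad/package.json",
     json.dumps({"name": "left-pad", "version": "1.3.0"})),
    # A private fixture shipped inside a dependency's test tree; never published.
    ("/app/node_modules/some-lib/test/fixtures/node_modules/colliding-name/package.json",
     json.dumps({"name": "colliding-name", "version": "0.0.0", "private": True})),
    # A genuinely affected copy of the advisory package.
    ("/app/node_modules/colliding-name/package.json",
     json.dumps({"name": "colliding-name", "version": "1.0.1"})),
]

FIXTURE_DIRS = {"test", "tests", "fixtures", "__fixtures__"}


def name_only_findings(packages):
    """Heuristic that matches on name alone: flags every record whose name is in the feed."""
    return [path for path, raw in packages if json.loads(raw).get("name") in ADVISORIES]


def refined_findings(packages):
    """Flag a record only when its name AND version fall in the advisory, and the
    package looks installable: not marked private, not sitting under another
    package's test fixtures. The fixture-path skip is a triage heuristic for
    reducing noise, not a security boundary; keep it reviewable."""
    hits = []
    for path, raw in packages:
        meta = json.loads(raw)
        adv = ADVISORIES.get(meta.get("name"))
        if adv is None or meta.get("private") is True:
            continue
        if FIXTURE_DIRS & set(PurePosixPath(path).parts):
            continue
        if meta.get("version") in adv["affected_versions"]:
            hits.append(path)
    return hits


if __name__ == "__main__":
    print("name-only:", name_only_findings(PACKAGES))
    print("refined:  ", refined_findings(PACKAGES))
```

Run as-is, the name-only pass reports both copies of `colliding-name`, while the refined pass reports only the installed, affected copy.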

Hello,

I understand that you want the following package with the same name to not be marked as vulnerable in Inspector. Please note that for it to be identified as a bug, as part of the troubleshooting process we require details that are non-public information.

Please open a support case with AWS using the following link: https://console.aws.amazon.com/support/home#/case/create

AWS
answered 8 months ago
