Inspector Lambda Scanning – CWE-798 - Hardcoded credentials in package-lock.json


Hi,

We've been testing out Inspector on our Lambda code (NodeJS) and one of the vulnerabilities it highlights is hardcoded credentials in some of our package-lock.json files. I've reviewed the files in question and can only identify one that has an http username encoded in a url (but no password), and in the other I can't even find a username in any of the urls. The only thing I can think of that is causing this is that we are using some dependencies from a private repository, although I can't see any credentials in the file.

Has anyone else observed this issue or can suggest what else might be triggering the detector?

1 answer

Hello,

Generally, CWE-798: Use of Hard-coded Credentials checks if a product contains any hard-coded credentials such as passwords, cryptographic keys, or username and password combinations, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. [1]

From the query posted, I understand that though your files don't contain passwords, Inspector is still detecting the vulnerability CWE-798. To further debug this behaviour, I would suggest you create a support case with us, so that we have visibility into the Inspector findings and can fetch more details from the internal team regarding this.

Reference

[1] https://cwe.mitre.org/data/definitions/798.html

AWS
Divya_A
Answered a year ago
