Inspector Lambda Scanning – CWE-798 - Hardcoded credentials in package-lock.json

Hi,

We've been testing out Inspector on our Lambda code (Node.js), and one of the vulnerabilities it highlights is hardcoded credentials in some of our package-lock.json files. I've reviewed the files in question and can only identify one that has an HTTP username encoded in a URL (but no password); in the other I can't even find a username in any of the URLs. The only thing I can think of that is causing this is that we are using some dependencies from a private repository, although I can't see any credentials in the file.

Has anyone else observed this issue or can suggest what else might be triggering the detector?

1 Answer
Hello,

Generally, CWE-798: Use of Hard-coded Credentials checks whether the product contains any hard-coded credentials, such as passwords, cryptographic keys, or username and password combinations, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. [1]

From the query posted, I understand that although your files don't contain passwords, Inspector is still detecting the vulnerability CWE-798. To debug this behaviour further, I would suggest you create a support case with us, so that we have visibility into the Inspector findings and can fetch more details from the internal team regarding this.

Reference

[1] https://cwe.mitre.org/data/definitions/798.html

AWS
Divya_A
answered a year ago
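As an added illustration of the kind of check the question is about (this is example code written for this page, not Inspector's detector and not code from the original post), the script below walks the `resolved` URLs in a package-lock.json and classifies any userinfo it finds as username-only or username-and-password. The lock file contents, the hostname `npm.acme.example` and the package names are constructed for the example; the only detection it models is credentials embedded in the URL's userinfo, so a finding that is not explained by this check would need the support-case route the answer suggests.

```python
import json
import sys
from urllib.parse import urlsplit

# Constructed sample lock file (lockfileVersion 3 layout). Hostnames, package
# names and the token value are made up for this example.
SAMPLE_LOCK = {
    "name": "example-lambda",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-lambda", "version": "1.0.0"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
        },
        "node_modules/@acme/internal-lib": {
            "version": "2.1.0",
            # username in the URL, no password
            "resolved": "https://deploy@npm.acme.example/@acme/internal-lib/-/internal-lib-2.1.0.tgz",
        },
        "node_modules/@acme/legacy-lib": {
            "version": "0.9.0",
            # username AND password/token in the URL: a real hard-coded credential
            "resolved": "https://ci-user:s3cr3tT0ken@npm.acme.example/@acme/legacy-lib/-/legacy-lib-0.9.0.tgz",
        },
        "node_modules/@acme/git-dep": {
            "version": "1.0.0",
            # git+ssh URLs carry the conventional "git" user; username-only
            "resolved": "git+ssh://git@github.com/acme/git-dep.git#abc123",
        },
    },
}


def iter_resolved_urls(lock):
    """Yield (package path, resolved URL) for lockfile v1 (nested 'dependencies')
    and v2/v3 (flat 'packages') layouts."""
    for path, entry in lock.get("packages", {}).items():
        url = entry.get("resolved")
        if url:
            yield path, url
    stack = list(lock.get("dependencies", {}).items())
    while stack:
        name, entry = stack.pop()
        url = entry.get("resolved")
        if url:
            yield name, url
        stack.extend(entry.get("dependencies", {}).items())


def classify_userinfo(url):
    """Return 'none', 'username-only' or 'username-and-password' for the
    userinfo component of a URL."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return "none"
    if parts.password is None:
        return "username-only"
    return "username-and-password"


def scan_lock(lock):
    """Return one finding per resolved URL that embeds any userinfo.
    The secret itself is never copied into the finding, only the host."""
    findings = []
    for path, url in iter_resolved_urls(lock):
        kind = classify_userinfo(url)
        if kind != "none":
            findings.append({"package": path, "kind": kind, "host": urlsplit(url).hostname})
    return findings


if __name__ == "__main__":
    # Usage: python scan_lock.py [path/to/package-lock.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    for finding in scan_lock(lock):
        print(f"{finding['kind']:24} {finding['host']:20} {finding['package']}")
```

Only the `username-and-password` class is a credential in the CWE-798 sense; a bare username in a registry URL (or the `git@` user in an SSH URL) leaks an account name but not a secret. The script deliberately reports the host rather than the matched URL so that running it in CI does not copy a token into build logs.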
