
CodeGuru is not able to scan a 3rd party library that has vulnerabilities in it


Hi all,

I would like to use CodeGuru in my CodePipeline, and I am trying to test whether it can find out that I am using some library that has vulnerabilities or has been deprecated.

I started with a Node.js project and ran npm install on a library called 'request', which has been declared as "This package has been deprecated".

I already got some message after I installed the library: [image]

Then I zipped the project, uploaded it to CodeGuru and asked for a scan, but it turned out there were 0 findings. I was expecting some warning message to pop up.

Could anyone clarify whether I am using CodeGuru in the wrong way? I want to use it like CodeQL.

asked a year ago · 293 views
1 Answer
Accepted Answer

Hi,

From this page https://docs.aws.amazon.com/codeguru/latest/profiler-ug/what-is-codeguru-profiler.html, it seems that Node.js is not supported in CodeGuru: Java/JVM and Python are.

Best,

Didier

EXPERT
answered a year ago
EXPERT
reviewed a year ago
  • Thanks Didier! I see... I wonder if there is any alternative I can use to achieve something like what CodeQL can do, or any similar tool that can scan 3rd-party libraries.

  • Hi Kosa, I don't know of AWS having tools for vulnerability scanning on Node.js apps. You'd have to install some OSS tool to do that: see https://medium.com/@manjula.aw/nodejs-security-tools-de0d0c937ec0. Thanks for accepting my answer.
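The thread ends without showing what a dependency check for a Node.js project actually looks like. The following is an added example, not code from the question, the answer or any AWS tool: a minimal software-composition check that reads an npm `package-lock.json` (lockfile v2/v3 `packages` layout), flags entries that npm recorded as `deprecated` (the same signal the asker saw for `request`), and matches each installed name@version against an advisory list using simple version-range comparators. Both the lock file excerpt and the advisory list are constructed inline for the example, and the advisory IDs (`ADV-EXAMPLE-*`) and ranges are placeholders, not real identifiers. In a real pipeline the advisory data would come from a live source such as `npm audit`; this script shows the matching logic and the fail-the-build decision.

```javascript
// Added example: a minimal software-composition check for a Node.js project.
// Reads a package-lock.json (npm lockfileVersion 2/3 "packages" layout),
// flags packages npm marked as deprecated, and matches name@version against
// an advisory list. Everything below is constructed for the example; the
// advisory IDs are placeholders, not real identifiers.

// Constructed lock file excerpt in the lockfileVersion 2/3 shape.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { request: "^2.88.2", lodash: "^4.17.15" } },
    "node_modules/request": {
      version: "2.88.2",
      deprecated: "request has been deprecated, see https://github.com/request/request/issues/3142",
    },
    "node_modules/lodash": { version: "4.17.15" },
    "node_modules/tough-cookie": { version: "2.5.0" },
  },
};

// Constructed advisory list (hypothetical IDs and ranges). A range is one or
// more comparators separated by spaces, all of which must hold.
const SAMPLE_ADVISORIES = [
  { id: "ADV-EXAMPLE-1", name: "lodash", range: "<4.17.21", severity: "high" },
  { id: "ADV-EXAMPLE-2", name: "tough-cookie", range: ">=2.0.0 <2.5.0", severity: "moderate" },
];

// Parse "major.minor.patch" (pre-release/build suffixes are ignored here).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// True when `version` satisfies every comparator clause in `range`.
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((clause) => {
    const m = /^(<=|>=|<|>|=?)(\d+\.\d+\.\d+)$/.exec(clause);
    if (!m) throw new Error(`unsupported range clause: ${clause}`);
    const cmp = compareVersions(version, m[2]);
    switch (m[1]) {
      case "<": return cmp < 0;
      case "<=": return cmp <= 0;
      case ">": return cmp > 0;
      case ">=": return cmp >= 0;
      default: return cmp === 0;
    }
  });
}

// Flatten the lock file into installed packages; the package name is the part
// of the path after the last "node_modules/" (handles nested and @scoped deps).
function installedPackages(lock) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    out.push({ name, version: entry.version, deprecated: entry.deprecated || null });
  }
  return out;
}

// Produce one finding per deprecated package and per matching advisory.
function scanLock(lock, advisories) {
  const findings = [];
  for (const pkg of installedPackages(lock)) {
    if (pkg.deprecated) {
      findings.push({ kind: "deprecated", name: pkg.name, version: pkg.version, detail: pkg.deprecated });
    }
    for (const adv of advisories) {
      if (adv.name === pkg.name && satisfies(pkg.version, adv.range)) {
        findings.push({ kind: "vulnerable", name: pkg.name, version: pkg.version,
                        id: adv.id, severity: adv.severity, range: adv.range });
      }
    }
  }
  return findings;
}

// Pipeline gate: fail only on vulnerable findings at or above the chosen severities.
function shouldFailBuild(findings, failOn = ["high", "critical"]) {
  return findings.some((f) => f.kind === "vulnerable" && failOn.includes(f.severity));
}

// Stand-alone run over the constructed data.
function runDemo() {
  const findings = scanLock(SAMPLE_LOCK, SAMPLE_ADVISORIES);
  for (const f of findings) console.log(JSON.stringify(f));
  console.log(shouldFailBuild(findings) ? "FAIL: vulnerable dependencies" : "PASS");
  return findings;
}
runDemo();
```

On the constructed data the scan reports `request` as deprecated and `lodash` 4.17.15 as matching the `<4.17.21` placeholder advisory, while `tough-cookie` 2.5.0 falls outside `>=2.0.0 <2.5.0` and is clean; the gate fails the build because the lodash finding is rated high. Deprecation alone does not fail the build here, which is a policy choice worth making explicit in a pipeline rather than leaving implicit.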
