Inspector incorrectly flagging Npm vulnerabilities

It appears that the detection algorithms for Npm related vulnerabilities are identifying false positives results that could be easily avoided -

https://github.com/browserify/resolve/issues/319

Can someone file a bug internally so this can get hopefully be addressed?

Alan

lmessier EXPERT
7 months ago
Hello Alan, we do have some templates to submit Inspector false positives so I may be able to help. Can you tell me if this false positive is detected in EC2, ECR or Lambda?
avosper-stg0002
7 months ago
Detected in ECR. The github link shows a history of closed project issues. In these the project contributor indicates the false positive is due to Inspector's heuristic methods used to detect the vuln likely limiting to matching on name, and being insufficient in this edge case where they have included a private node package in the project that includes tests (due to npm cmd resolution requirements). The contributor fully acknowledges the name collision w/ known malicious pkg, but refuses to edit it on principle of driving adoption of more accurate detection methods in scan tools.

Topics

Security, Identity, & Compliance

Tags

Amazon Inspector

Language

English

avosper-stg0002

asked 8 months ago245 views

1 Answer

Newest
Most votes
Most comments

Are these answers helpful? Upvote the correct answer to help the community benefit from your knowledge.

Hello,

I understand that you want the following package with the same name to be not marked as vulnerable in inspector. Please note that for it be to identified as a bug, as part pf troubleshooting process we require details that are non-public information.

Please open a support case with AWS using the following link: https://console.aws.amazon.com/support/home#/case/create

Sarthak_K

answered 7 months ago

Relevant content

False positive in ECR container image detected by AWS Inspector v2 related with com.fasterxml.jackson.core:jackson-databind?
AWS-User-7745669
asked 2 years ago
AWS EKS/AWS Inspector and Package Vulnerability
Accepted Answer
myronix88
asked a year ago
Security Vulnerabilities related to Cloud and Development
Accepted Answer
cloudarch
asked a year ago
AWS Inspector - Failed to detect the critical vulnerability in Grafana
Bhuvi - TheDataGuy
asked a year ago
What are best practices to secure my Linux server that's running on Lightsail?
AWS OFFICIALUpdated 4 months ago
How do I detect false positives caused by AWS Managed Rules, and then add the rules to a safe list?
AWS OFFICIALUpdated 2 months ago
How do I troubleshoot issues that are related to the PostGIS extension when I upgrade my RDS for PostgreSQL instance?
AWS OFFICIALUpdated 3 months ago
How do I identify the CloudWatch log event that caused a CloudWatch alarm to trigger?
AWS OFFICIALUpdated 2 months ago
Easily right-size bioinformatics workflows in AWS HealthOmics
EXPERT
ajfriedman18
published 22 days ago
Why is a /24 the smallest IP range that can be used with BYOIP?
EXPERT
Brettski-AWS
published a year ago