JavaScript AWS Support

Introduction

SAST Engine Pack EP 9.5.1 supports a stand-alone AWS Lambda scan which:

  • Identifies and maps:
    • Inputs
    • Outputs
    • Vulnerabilities that are specific to Lambda functions (using the new Lambda-related queries)

  • Natively supports:
    • File Processing (S3 buckets)
    • DynamoDB (Web Applications)

Overall Support

The SAST support is based on SAST CxQL queries only. The SAST Engine capabilities were not changed.

The scan identifies usage of AWS Lambda functions that require the AWS SDK platform inside JavaScript source code (more precisely, within Node.js). Since these functions run in a runtime environment and are usually event-driven, the scan determines the data flow inputs they receive and the data flow outputs they return.

The DynamoDB and S3 library services are supported with either AWS SDK version 2 or version 3. When interacting with these modules inside Lambda functions, new Client objects are created and commands are passed to them as objects. Since both of these services represent data storage interactions, the database-related general CxQL queries with data insertion and retrieval APIs were updated.
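
To make the terms above concrete, the following added example (not taken from the product or from any CxQL query, and not a statement of what the scan flags) shows a Lambda-style handler whose `event` is the input, whose return value is the output, and whose DynamoDB call is the storage interaction in between, once with event data concatenated into a PartiQL statement and once parameterized. The table name, event fields and the recording stand-in for the SDK client are constructed assumptions so the code runs offline.

```javascript
// Added illustration. In a deployed function `client` would be a DynamoDBClient from
// @aws-sdk/client-dynamodb and each params object would be wrapped in
// `new ExecuteStatementCommand(params)` before client.send().
const TABLE = "Orders"; // hypothetical table name

// Input -> storage flow with no separation: event data becomes part of the statement text.
function buildStatementConcatenated(event) {
  const id = event.queryStringParameters.customerId;
  return { Statement: `SELECT * FROM "${TABLE}" WHERE customerId = '${id}'` };
}

// Same flow, but the statement text is constant and the value travels as a typed parameter.
function buildStatementParameterized(event) {
  const id = event.queryStringParameters && event.queryStringParameters.customerId;
  if (typeof id !== "string" || !/^[A-Za-z0-9-]{1,64}$/.test(id)) {
    throw new TypeError("customerId must be 1-64 letters, digits or hyphens");
  }
  return {
    Statement: `SELECT * FROM "${TABLE}" WHERE customerId = ?`,
    Parameters: [{ S: id }],
  };
}

// Lambda-style handler: `event` is the input, the returned object is the output.
async function handler(event, client) {
  let params;
  try {
    params = buildStatementParameterized(event);
  } catch (err) {
    return { statusCode: 400, body: JSON.stringify({ error: err.message }) };
  }
  const result = await client.send(params);
  return { statusCode: 200, body: JSON.stringify(result.Items) };
}

// Constructed stand-in for the SDK client: records what reaches the storage call.
function makeRecordingClient() {
  const sent = [];
  return { sent, send: async (params) => { sent.push(params); return { Items: [] }; } };
}

// Constructed sample event (API Gateway proxy shape) with an apostrophe in the value.
const sampleEvent = { queryStringParameters: { customerId: "o'neil-42" } };
```

With `sampleEvent`, the concatenated builder produces a statement whose quoting is decided by the caller, while the handler rejects the value before anything reaches the client.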

A set of new CxQL queries specific to AWS Lambdas, as described in the next section, was implemented in a new group called JavaScript_AWS_Lambda.

Lists of queries are available here.