Fix example vulnerable method for NPM

Veracode SCA supports vulnerable method analysis for NPM packages using the NPM and Yarn package managers. It does not support vulnerable method analysis with Bower.

These example steps provide a fix for a Regular Expression Denial Of Service (ReDoS) vulnerable method in the marked library in the example-javascript-vulnerable-methods repository.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.

  2. Select Agent-Based Scan.

  3. Select your workspace.

  4. Select Projects.

  5. Select the srcclr/example-javascript-vulnerable-methods project.

  6. Select Regular Expression Denial Of Service (ReDoS) in the Vulnerabilities table.

    The Vulnerable Methods section shows that the marked.InlineLexer method is the vulnerable part of the library.

  7. To address the identified vulnerable method, do one of these tasks:

    • Change your code to perform in the same manner without relying on this particular method.
    • Follow the provided instructions to update the library to a safe version.

  8. Validate the fix.
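As an added example for step 8 (this is not Veracode's code, and the version numbers, the sample lockfile and the `MIN_SAFE` value are constructed placeholders; use the safe version named in the fix instructions), the following Node script checks every installed copy of `marked` in a `package-lock.json`, including transitive copies nested under other packages, so an update of the direct dependency that left an older copy behind is caught before rescanning.

```javascript
// Added example: confirm no copy of a package in package-lock.json is below a
// minimum safe version. Handles lockfile v1 (nested "dependencies") and
// v2/v3 ("packages" keyed by node_modules path).

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when version a is greater than or equal to version b.
function atLeast(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] > y[i];
  }
  return true;
}

// Every installed copy of `name`, with its node_modules path and version.
function findInstalled(lock, name) {
  const found = [];
  const isPkg = (p) => p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`);
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (isPkg(path)) found.push({ path, version: entry.version });
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [dep, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${dep}`;
      if (dep === name) found.push({ path, version: entry.version });
      walk(entry.dependencies, `${path}/`); // v1 nests transitive copies
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// Copies still below minSafe; an empty array means the fix is validated.
function findUnsafe(lock, name, minSafe) {
  return findInstalled(lock, name).filter((c) => !atLeast(c.version, minSafe));
}

// Constructed sample (v2 shape): the direct dependency was updated, but a
// transitive copy under another package still carries an older version.
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  '': { name: 'example-app' },
  'node_modules/marked': { version: '2.0.0' },
  'node_modules/some-docs-tool': { version: '1.2.0' },
  'node_modules/some-docs-tool/node_modules/marked': { version: '1.1.0' },
} };
const MIN_SAFE = '2.0.0'; // placeholder: take the real value from the fix instructions
// For a real project: JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))
for (const c of findUnsafe(SAMPLE_LOCK, 'marked', MIN_SAFE)) console.log(`still vulnerable: ${c.path} @ ${c.version}`);
```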