Fix example vulnerable method for NPM

Veracode SCA supports vulnerable method analysis for NPM packages using the NPM and Yarn package managers. It does not support vulnerable method analysis with Bower.

These example steps provide a fix for a Regular Expression Denial Of Service (ReDoS) vulnerable method in the marked library in the example-javascript-vulnerable-methods repository.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.

  2. Click the Agent-Based Scan tab.

  3. Select your workspace.

  4. Click Projects.

  5. Click the srcclr/example-javascript-vulnerable-methods project.

  6. Click Regular Expression Denial Of Service (ReDoS) in the Vulnerabilities table.

    The Vulnerable Methods section shows that the marked.InlineLexer method is the vulnerable part of the library.

  7. To address the identified vulnerable method, do one of these tasks:

    • Change your code so that it achieves the same result without calling this method.
    • Follow the provided instructions to update the library to a safe version.
  8. Validate the fix by rescanning the project and confirming that the vulnerable method no longer appears in the results.