CVE on aws-lambda-java-serialization

Question

CVE on aws-lambda-java-serialization

nutzhub opened this issue 2 years ago · comments

Pradit Rattanapongchinda commented 2 years ago

Hi I try to use aws-lambda-java-runtime-interface-client but receive the dependency CVE on
aws-lambda-java-serialization-1.0.0.jar (pkg:maven/com.amazonaws/aws-lambda-java-serialization@1.0.0, cpe:2.3:a:amazon:aws_lambda:1.0.0:*:*:*:*:*:*:*) : CVE-2019-10777

Is there a plan to resolve ?

Mark Sailes · Answer 1 · Fri Jul 22 2022 17:56:08 GMT+0800 (China Standard Time)

Hi @nutzhub,

This CVE is for a JS command line tool. https://snyk.io/vuln/npm%3Aaws-lambda

I think there might be a mistake in whatever scanning tool you are using.

Could you explain further how you think the aws-lambda-java-runtime-interface-client is effected?

Thanks,

Pradit Rattanapongchinda · Answer 2 · Fri Jul 22 2022 18:34:45 GMT+0800 (China Standard Time)

That was a false positive in our CVE scan