JavaScript AWS Support
Introduction
SAST Engine Pack EP 9.5.1 supports a stand-alone AWS Lambda scan which:
- Identifies and maps:
  - Inputs
  - Outputs
  - Vulnerabilities that are specific to Lambda functions (using the new Lambda-related queries)
- Natively supports:
  - File Processing (S3 buckets)
  - DynamoDB (Web Applications)
Overall Support
The SAST support is based on SAST CxQL queries only. The SAST Engine capabilities were not changed.
The scan identifies usage of AWS Lambda functions that require the AWS SDK platform inside JavaScript source code (more precisely, within Node.js). Since these functions run in a runtime environment and are usually event-driven, the scan determines the data flow inputs they receive and the data flow outputs they return.
The DynamoDB and S3 library services are supported, using either AWS SDK version 2 or version 3. When interacting with these modules inside Lambda functions, new Client objects are created and object instruction commands are passed. Since both of these services represent data storage interactions, the database-related general CxQL queries with data insertion and retrieval APIs were updated.
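As an added illustration (not code from this page or from Checkmarx), the handler below shows the shape of code described above in AWS SDK version 3 style: the event as data flow input, a command object passed to a DynamoDB client, and the returned value as data flow output. The `Orders` table, the `id` path parameter and the in-memory client are assumptions constructed for the example; in a deployed function `DynamoDBClient` and `GetItemCommand` come from `@aws-sdk/client-dynamodb`.

```javascript
// INPUT (source): the Lambda event is caller-controlled data.
// Assumption: an API Gateway proxy event carrying the id in pathParameters.
function parseOrderId(event) {
  const id = event && event.pathParameters && event.pathParameters.id;
  // Allow-list the value before it reaches the storage call.
  return typeof id === "string" && /^[A-Za-z0-9_-]{1,64}$/.test(id) ? id : null;
}

// client and GetItemCommand are injected so the handler runs offline;
// with the real SDK they are `new DynamoDBClient({})` and `GetItemCommand`.
function makeHandler(client, GetItemCommand, tableName) {
  return async function handler(event) {
    const id = parseOrderId(event);
    if (id === null) {
      return { statusCode: 400, body: JSON.stringify({ error: "invalid id" }) };
    }
    // STORAGE INTERACTION: a command object is built and passed to the client.
    const result = await client.send(
      new GetItemCommand({ TableName: tableName, Key: { id: { S: id } } })
    );
    if (!result.Item) {
      return { statusCode: 404, body: JSON.stringify({ error: "not found" }) };
    }
    // OUTPUT: the returned value leaves the function. Return explicitly
    // selected fields instead of echoing the stored item wholesale.
    const status = result.Item.status ? result.Item.status.S : null;
    return { statusCode: 200, body: JSON.stringify({ id, status }) };
  };
}

// Constructed stand-ins for the SDK classes (not the AWS SDK itself).
class FakeGetItemCommand {
  constructor(input) { this.input = input; }
}
function makeFakeClient(items) {
  const calls = []; // records every command input that reached the client
  return {
    calls,
    async send(command) {
      calls.push(command.input);
      return { Item: items[command.input.Key.id.S] };
    },
  };
}
```
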
A set of new CxQL queries specific to AWS Lambdas, described in the next section, was implemented in a new group called JavaScript_AWS_Lambda.
Lists of queries are available here.