Describe the feature
The NodejsFunction construct in CDK for provisioning Lambdas uses esbuild to bundle the source code. This is a pattern that many teams follow, and it is in accordance with AWS guidance/documentation.
The Inspector service cannot get successful scans for these functions, because its SBOM generator tool expects a node_modules directory in order to determine the function's dependencies. This results in an empty 'components' array in the SBOM file (CycloneDX format), and thus Inspector reports no vulnerabilities for the function, even though the bundle does contain third-party code.
Although it is possible to use a command hook to re-create the required node_modules directory structure, this shouldn't be a requirement for teams to handle by themselves.
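An added example of the command-hook workaround mentioned above, plus a check for the empty-SBOM symptom (example code, not part of this issue or of aws-cdk). It assumes an npm project whose package.json and package-lock.json sit in the bundling input directory; the CommandHooks interface is a local mirror of aws-cdk-lib's ICommandHooks so the file compiles without CDK installed.

```typescript
import * as path from "node:path";

// Local mirror of ICommandHooks from aws-cdk-lib/aws-lambda-nodejs, declared here
// so this file compiles without the CDK installed; the real interface has this shape.
export interface CommandHooks {
  beforeBundling(inputDir: string, outputDir: string): string[];
  beforeInstall(inputDir: string, outputDir: string): string[];
  afterBundling(inputDir: string, outputDir: string): string[];
}

// Single-quote a path so spaces in the bundling directories cannot split the command.
const q = (p: string): string => `'${p.replace(/'/g, "'\\''")}'`;

// Hooks that re-create node_modules next to the esbuild bundle after bundling, so an
// SBOM generator that walks node_modules can enumerate the runtime dependencies.
// Production-only, lockfile-pinned, lifecycle scripts disabled: node_modules is added
// purely as dependency metadata and the bundled handler itself is untouched.
// `lockFile` is assumed to be an npm lockfile living in inputDir (the project root).
export function inspectorCommandHooks(lockFile = "package-lock.json"): CommandHooks {
  return {
    beforeBundling: () => [],
    beforeInstall: () => [],
    afterBundling: (inputDir, outputDir) => [
      `cp ${q(path.join(inputDir, "package.json"))} ${q(path.join(inputDir, lockFile))} ${q(outputDir)}`,
      `cd ${q(outputDir)} && npm ci --omit=dev --ignore-scripts`,
    ],
  };
}

// CycloneDX SBOMs list dependencies in a top-level "components" array. An empty array
// for a function that does import packages means the scan was blind, not clean;
// this returns true in that case so a pipeline can fail rather than report "no findings".
export function sbomIsBlind(sbomJson: string): boolean {
  const sbom = JSON.parse(sbomJson) as { bomFormat?: string; components?: unknown[] };
  if (sbom.bomFormat !== "CycloneDX") throw new Error("not a CycloneDX SBOM");
  return !Array.isArray(sbom.components) || sbom.components.length === 0;
}

// Constructed sample, shaped like the empty SBOM described in the issue.
export const EMPTY_SBOM = JSON.stringify({ bomFormat: "CycloneDX", specVersion: "1.5", components: [] });

// Wiring in a stack (assumed usage, not executed here):
// new NodejsFunction(this, "Fn", { entry: "src/handler.ts",
//   bundling: { commandHooks: inspectorCommandHooks() } });
```

The hooks run inside the bundling container or on the host, depending on whether local bundling is enabled, so npm must be available there.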
Use Case
The feature request is to improve the compatibility between Lambdas that are provisioned by CDK and the Inspector service. This should have the effect that Inspector can successfully find dependencies for these functions and therefore provide accurate vulnerability information.
Proposed Solution
No response
Other Information
No response
Acknowledgements
[ ] I may be able to implement this feature request
CDK version used
2.158.0
Environment details (OS name and version, etc.)
macOS