registry  /  projen  /  0.101.3

projen@0.101.3

CDK for software projects

Static Scan Results

scanned 14d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 224 file(s), 4.83 MB of source, external domains: aws.amazon.com, biomejs.dev, bit.ly, docs.aws.amazon.com, github.com, maven.apache.org, nextjs.org, nodejs.org, parceljs.org, projen.io, python-poetry.org, reactjs.org, registry.npmjs.org, test.pypi.org, vercel.com, www.npmjs.com, www.w3.org

Source & flagged code

7 flagged · loading source
lib/run-task.cjsView file
5727patternName = aws_access_key severity = critical line = 5727 matchedText = var byte...=");
Critical
Critical Secret

Package contains a critical-looking secret pattern.

lib/run-task.cjsView on unpkg · L5727
5727patternName = aws_access_key severity = critical line = 5727 matchedText = var byte...=");
Critical
Secret Pattern

AWS access key ID in lib/run-task.cjs

lib/run-task.cjsView on unpkg · L5727
874Cross-file remote execution chain: lib/run-task.cjs spawns lib/tasks.js; helper contains network access plus dynamic code execution. L874: graph[models[i]] = { L875: // http://jsperf.com/1-vs-infinity L876: // micro-opt, but this is simple. ... L1202: } L1203: if (process.platform === "win32") { L1204: const osRelease = os.release().split("."); ... L1247: supportsColor: getSupportLevel, L1248: stdout: translateLevel(supportsColor(true, tty2.isatty(1))), L1249: stderr: translateLevel(supportsColor(true, tty2.isatty(2))) ... L1316: if (u && !bracket && c.length === 5 || c[0] === "x" && c.length === 3) { L1317: return String.fromCharCode(parseInt(c.slice(1), 16)); L1318: }
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

lib/run-task.cjsView on unpkg · L874
lib/util/exec.jsView file
38exports.systemShell = systemShell; L39: const child_process = __importStar(require("child_process")); L40: const dax_1 = require("dax");
High
Child Process

Package source references child process execution.

lib/util/exec.jsView on unpkg · L38
lib/javascript/node-project.jsView file
412if (release || shouldPackage) { L413: this.packageTask.execArgs([ L414: "mkdir",
High
Shell

Package source references shell execution.

lib/javascript/node-project.jsView on unpkg · L412
lib/cdk/index.jsView file
16Object.defineProperty(exports, "__esModule", { value: true }); L17: __exportStar(require("./construct-lib"), exports); L18: __exportStar(require("./jsii-docgen"), exports);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

lib/cdk/index.jsView on unpkg · L16
lib/projects.jsView file
74try { L75: return path.dirname(require.resolve(path.join(moduleName, "package.json"), { L76: paths: [process.cwd()], L77: })); ... L125: const postSynth = opts.post ?? true; L126: process.env.PROJEN_DISABLE_POST = (!postSynth).toString(); L127: process.env.PROJEN_CREATE_PROJECT = "true"; ... L129: } L130: //# sourceMappingURL=data:application/json;base64,[redacted]...
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

lib/projects.jsView on unpkg · L74

Findings

2 Critical3 High5 Medium4 Low
CriticalCritical Secretlib/run-task.cjs
CriticalSecret Patternlib/run-task.cjs
HighChild Processlib/util/exec.js
HighShelllib/javascript/node-project.js
HighCross File Remote Execution Contextlib/run-task.cjs
MediumDynamic Requirelib/cdk/index.js
MediumUnsafe Vm Contextlib/projects.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings