
Vulnerable packages in CDN scripts

Çağlar Arlı - 20 Views


I'm looking for a vulnerability scanner (SAST, SCA, or other) that flags in-code CDN scripts where the script is referencing a vulnerable package (e.g. jQuery 1.9 is susceptible to XSS). Typically, SCA scans find vulnerable third-party packages by searching package.json, NuGet, or the equivalent package listing, but do not scan the source code itself. SAST scans will scan the custom code, but not flag on specific versions of packages found (the screenshot below would flag on not using SRIs, but not for vulnerable versions). Is there either an existing SAST/SCA company that checks for these or a niche tool that will identify them?

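The gap the question describes (SCA reads the manifest, SAST reads the code, neither pins the version behind a `<script src>`) is small enough to close with a purpose-built check. The following is an added example, not code from the question or from any scanner vendor: it walks HTML source, pulls library name and version out of common CDN URL layouts (`jquery-1.9.1.min.js`, `jquery/1.9.1/...`, `jquery@3.6.0/...`), compares the version against an inline advisory table, and also reports cross-origin scripts that lack an `integrity` attribute, which is the SRI finding the screenshot in the question refers to. The `cdn.example.test` host, the sample page, the `sha384-PLACEHOLDER` digest and the "first fixed version" thresholds in `SAMPLE_ADVISORIES` are all constructed for the example; a real tool would load those thresholds from an advisory feed rather than hard-code them.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    line: int
    src: str
    library: Optional[str]
    version: Optional[str]
    issue: str


# Constructed advisory table (assumption, not a real feed): library -> (first fixed
# version, description). Any referenced version below the threshold is reported.
SAMPLE_ADVISORIES = {
    "jquery": ((3, 5, 0), "XSS via HTML-manipulation methods (assumed fixed in 3.5.0)"),
    "bootstrap": ((3, 4, 1), "XSS via tooltip/popover data attributes (assumed fixed in 3.4.1)"),
}

SCRIPT_TAG = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
INTEGRITY_ATTR = re.compile(r"""\bintegrity\s*=\s*["'][^"']+["']""", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.9.1' -> (1, 9, 1); tuples compare lexicographically, which is what we need."""
    return tuple(int(part) for part in text.split("."))


def identify_library(src: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (library, version) for a known library referenced by a CDN URL.

    Version is None when the library is recognised but the URL carries no
    version segment; (None, None) means no known library was found.
    """
    path = src.lower()
    for lib in SAMPLE_ADVISORIES:
        # jquery-1.9.1.min.js | jquery/1.9.1/jquery.min.js | jquery@3.6.0/dist/jquery.min.js
        versioned = re.search(rf"\b{re.escape(lib)}[-/@]v?(\d+(?:\.\d+)+)", path)
        if versioned:
            return lib, versioned.group(1)
        # jquery.min.js with no version anywhere: recognised but unpinned
        if re.search(rf"\b{re.escape(lib)}(?:\.min)?\.js\b", path):
            return lib, None
    return None, None


def is_cross_origin(src: str) -> bool:
    return src.startswith(("http://", "https://", "//"))


def scan_html(html: str) -> List[Finding]:
    """Report vulnerable or unpinned CDN libraries and cross-origin scripts without SRI."""
    findings: List[Finding] = []
    for tag in SCRIPT_TAG.finditer(html):
        line = html.count("\n", 0, tag.start()) + 1
        src_match = SRC_ATTR.search(tag.group(0))
        if not src_match:
            continue  # inline <script>: nothing to version-check here
        src = src_match.group(1)
        lib, ver = identify_library(src)
        if lib is not None:
            fixed, description = SAMPLE_ADVISORIES[lib]
            if ver is None:
                findings.append(Finding(line, src, lib, None,
                                        "version not pinned in URL; cannot confirm it is patched"))
            elif parse_version(ver) < fixed:
                findings.append(Finding(line, src, lib, ver, f"vulnerable: {description}"))
        if is_cross_origin(src) and not INTEGRITY_ATTR.search(tag.group(0)):
            findings.append(Finding(line, src, lib, ver,
                                    "cross-origin script without SRI integrity attribute"))
    return findings


# Constructed sample page: one old jQuery, one current jQuery with SRI, one old
# Bootstrap, one same-origin script and one inline script.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdn.example.test/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
<script src="https://cdn.example.test/jquery@3.6.0/dist/jquery.min.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.example.test/bootstrap-3.3.7.min.js"></script>
<script src="/static/app.js"></script>
<script>console.log("inline");</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"line {f.line}: {f.library or '-'} {f.version or '-'}: {f.issue} ({f.src})")
```

Run as a script it prints four findings: the jQuery 1.9.1 and Bootstrap 3.3.7 references are each reported once as vulnerable and once for the missing `integrity` attribute, while the pinned jQuery 3.6.0 tag with SRI and the same-origin `app.js` produce nothing. Running this over a checkout in CI (or as a pre-commit hook) is the "scan the source code itself" step the question says SCA tools skip; the only maintenance burden is keeping the advisory table fed from a real source.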