Resources
OWASP Web Application Security
Step-by-step guide (identify the problems and fix them on your local computer)
Install Trivy
After installing Trivy, confirm the installation by running the following command; it should print the installed version information.
trivy --version
Scan the local projects
Navigate to the target project and run the command
trivy fs .
Generated report example

Update, Patch, or Remove Vulnerable Packages
Focus on fixing Critical and High severity vulnerabilities first.
Use package management tools to find out why a package is installed.
For example,
yarn why @babel/traverse
Output

Note that @babel/traverse is present because @babel/core depends on it. Since our project still requires @babel/core, we upgraded @babel/core by running yarn add @babel/core -D, and then ran trivy fs . again to regenerate the report and check whether the security issue was resolved.
After upgrading @babel/core, the Critical problem is solved.
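As an added example (not part of this guide or of Trivy itself), here is a small Python helper for the triage loop above: it reads Trivy's JSON output (trivy fs --format json ., whose Results/Vulnerabilities shape with PkgName, InstalledVersion, FixedVersion and Severity keys is assumed here), lists affected packages Critical first so you know which ones to look up with yarn why, and compares a before and after scan to confirm which findings the upgrade removed. The embedded reports are constructed samples with placeholder vulnerability IDs and versions.

```python
import json
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}
# Constructed sample shaped like the output of `trivy fs --format json .` for a
# yarn project; vulnerability IDs and versions are placeholders, not real advisories.
BEFORE_REPORT = json.dumps({"Results": [{"Target": "yarn.lock", "Type": "yarn",
    "Vulnerabilities": [
        {"VulnerabilityID": "PLACEHOLDER-0001", "PkgName": "@babel/traverse",
         "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
        {"VulnerabilityID": "PLACEHOLDER-0002", "PkgName": "semver",
         "InstalledVersion": "2.0.0", "FixedVersion": "2.0.1", "Severity": "HIGH"},
        {"VulnerabilityID": "PLACEHOLDER-0003", "PkgName": "word-wrap",
         "InstalledVersion": "3.0.0", "FixedVersion": "3.0.1", "Severity": "MEDIUM"},
        {"VulnerabilityID": "PLACEHOLDER-0004", "PkgName": "@babel/traverse",
         "InstalledVersion": "1.0.0", "FixedVersion": "", "Severity": "LOW"}]}]})

def _findings(report_json):
    """Flatten all Results; Trivy omits or nulls 'Vulnerabilities' for a clean target."""
    report = json.loads(report_json)
    return [v for r in report.get("Results", []) for v in (r.get("Vulnerabilities") or [])]

def _without(report_json, pkg):
    """Constructed 'after upgrade' sample: the same scan minus every finding for pkg."""
    report = json.loads(report_json)
    for r in report["Results"]:
        r["Vulnerabilities"] = [v for v in r["Vulnerabilities"] if v["PkgName"] != pkg]
    return json.dumps(report)
AFTER_REPORT = _without(BEFORE_REPORT, "@babel/traverse")  # rescan after yarn add @babel/core -D

def triage(report_json, min_severity="HIGH"):
    """One (package, installed, fixed, severity) row per package at or above
    min_severity, keeping its worst finding, ordered Critical first, then High."""
    worst = {}
    for v in _findings(report_json):
        sev = v.get("Severity", "UNKNOWN")
        if SEVERITY_ORDER.get(sev, 4) > SEVERITY_ORDER[min_severity]:
            continue
        pkg = v["PkgName"]
        if pkg not in worst or SEVERITY_ORDER[sev] < SEVERITY_ORDER[worst[pkg][3]]:
            worst[pkg] = (pkg, v["InstalledVersion"], v.get("FixedVersion", ""), sev)
    return sorted(worst.values(), key=lambda row: (SEVERITY_ORDER[row[3]], row[0]))

def diff_reports(before_json, after_json):
    """Compare two scans of the same project: (ids the fix removed, ids still open)."""
    before = {v["VulnerabilityID"] for v in _findings(before_json)}
    after = {v["VulnerabilityID"] for v in _findings(after_json)}
    return before - after, before & after

if __name__ == "__main__":
    for pkg, installed, fixed, sev in triage(BEFORE_REPORT):
        print(f"{sev:8} {pkg} {installed} -> {fixed or 'no fix yet'}  (next: yarn why {pkg})")
    print("resolved by the upgrade:", sorted(diff_reports(BEFORE_REPORT, AFTER_REPORT)[0]))
```

On a real project, feed the helper the file written by trivy fs --format json --output report.json . before and after the package upgrade.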
