serverless-offline
The dependency java-invoke-local-all.jar has a number of security flaws as identified by a VeraCode static scan
If you run a VeraCode static security scan against the serverless-offline folder and files within 'node_modules' you will see that there are a number of flaws identified due to 'java-invoke-local-all.jar'.
Here are all the locations where 'gradle-wrapper.jar' exists:
node_modules\serverless-offline\node_modules.bin
node_modules\java-invoke-local
node_modules.bin\java-invoke-local
The following flaws have been identified:
CWE-73: External Control of File Name or Path (http://cwe.mitre.org/data/definitions/73.html)
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (http://cwe.mitre.org/data/definitions/80.html)
CWE-601: URL Redirection to Untrusted Site ('Open Redirect') (http://cwe.mitre.org/data/definitions/601.html)
From the scan report, these are the filenames identified:
InvokeRequest.groovy
LambdaClassLoader.groovy
testing-reports.js
Here are the 4 specific locations identified where the flaws exist:
InvokeRequest.groovy: 28
LambdaClassLoader.groovy: 8
InvokeRequest.groovy: 21
testing-reports.js: 103
Currently using serverless-offline version: 6.4.0
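The report above lists several copies of the same jar spread through node_modules. Before triaging scanner findings against a vendored binary it is worth confirming how many copies are actually installed and whether they are byte-identical, since a fix (an upgraded java-invoke-local, or a removed nested install) has to reach every copy. The following script is an added example, not part of this issue or of the serverless-offline project; it assumes a POSIX shell with find and sha256sum (or shasum) available, and the sample tree it builds in demo_tree uses hypothetical package layouts rather than anything taken from a real install.

```shell
#!/bin/sh
# Added example (not from the issue or the serverless-offline project):
# enumerate every copy of a named jar under a node_modules tree and print
# its SHA-256 so you can see which copies are identical and which differ.

# find_jars ROOT NAME -> one line "sha256  path" per copy of NAME under ROOT
find_jars() {
  root="$1"; name="$2"
  find "$root" -type f -name "$name" -print 2>/dev/null | sort | while IFS= read -r f; do
    if command -v sha256sum >/dev/null 2>&1; then
      h=$(sha256sum "$f" | cut -d' ' -f1)
    else
      h=$(shasum -a 256 "$f" | cut -d' ' -f1)   # macOS fallback
    fi
    printf '%s  %s\n' "$h" "$f"
  done
}

# count_jars ROOT NAME -> number of copies found
count_jars() {
  find_jars "$1" "$2" | wc -l | tr -d ' '
}

# distinct_hashes ROOT NAME -> number of distinct file contents among the copies;
# a value above 1 means the copies are not the same build and must be triaged separately
distinct_hashes() {
  find_jars "$1" "$2" | cut -d' ' -f1 | sort -u | wc -l | tr -d ' '
}

# demo_tree -> prints the path of a constructed, hypothetical node_modules tree
# with two identical copies of the jar (a top-level and a nested install)
demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/node_modules/java-invoke-local" \
           "$d/node_modules/serverless-offline/node_modules/java-invoke-local"
  printf 'jar-v1' > "$d/node_modules/java-invoke-local/java-invoke-local-all.jar"
  printf 'jar-v1' > "$d/node_modules/serverless-offline/node_modules/java-invoke-local/java-invoke-local-all.jar"
  printf '%s\n' "$d"
}

# Usage against a real project:  find_jars node_modules java-invoke-local-all.jar
```

Run find_jars from the project root once with java-invoke-local-all.jar and once with gradle-wrapper.jar; if every copy hashes the same, one upgrade of the package that ships it resolves all the scanner findings at once, whereas differing hashes mean the nested installs are pinning an older build and need to be deduplicated first.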