Serverless Function Scanning: No Vulnerabilities or Package details of GCP Cloud Function.

Created On 12/05/24 02:24 AM - Last Modified 03/04/25 16:47 PM


Symptom


This article covers Serverless Function Scanning for GCP Cloud Functions.

The user enabled Serverless Function Scanning for the onboarded GCP cloud account, and the permission status looks fine. After the scan completes, the cloud function is listed on the following page, but the "Vulnerabilities" and "Package Info" tabs show "there is no data to show".

  1. Monitor > Vulnerabilities > Functions > Scanned Function
    [Screenshot: result.png]

  1. Monitor > Vulnerabilities > Functions > Scanned Function > Function details
    [Screenshot: nodata-1.png]
  2. Monitor > Vulnerabilities > Functions > Scanned Function > Function details > Package Info
    [Screenshot: nodata-2.png]

The scanned cloud function on the GCP side is shown below.
[Screenshots: sampleCode-1.png, sampleCode-2.png]


Environment


  • Prisma Cloud Runtime Security
  • GCP Cloud Function


Cause


With the current design, Serverless Function Scanning does not scan the code itself. It examines the dependencies listed in the function's package configuration files, such as (for Python) requirements.txt, PKG-INFO files, etc. These dependencies are matched against known vulnerability databases.

This means that if the cloud function's ZIP file includes vulnerable content (e.g. a vulnerable library package), the scan works as expected, but if the ZIP contains only code, no vulnerabilities are reported.



Resolution


If you would like to test vulnerability detection for your cloud function, package your source code together with the vulnerable library (e.g. as a ZIP file), upload it to create a cloud function, and then perform the scan.
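Before uploading, you can check whether a function archive carries any dependency metadata at all. The script below is an added example, not Prisma Cloud's scanner logic: it assumes only the two Python file names this article mentions (requirements.txt and PKG-INFO), and the package name `examplelib` and both sample archives are constructed placeholders.

```python
import io
import re
import zipfile
from email.parser import Parser

# File names the article lists as scanner inputs for Python functions.
MANIFESTS = ("requirements.txt", "PKG-INFO")
PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")

def list_dependencies(zip_bytes):
    """Return sorted (name, version, source_path) tuples found in the archive."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for path in zf.namelist():
            base = path.rsplit("/", 1)[-1]
            if base not in MANIFESTS:
                continue
            text = zf.read(path).decode("utf-8", errors="replace")
            if base == "requirements.txt":
                # Only exact pins (name==version) identify a concrete version.
                for line in text.splitlines():
                    m = PIN.match(line)
                    if m:
                        found.add((m.group(1).lower(), m.group(2), path))
            else:
                # PKG-INFO uses RFC 822 style headers: Name / Version.
                meta = Parser().parsestr(text, headersonly=True)
                if meta["Name"] and meta["Version"]:
                    found.add((meta["Name"].lower(), meta["Version"], path))
    return sorted(found)

def build_zip(files):
    """Build an in-memory ZIP from {path: content} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()

# Constructed samples: package name and version are placeholders.
CODE_ONLY = build_zip({"main.py": "def handler(request):\n    return 'ok'\n"})
WITH_DEPS = build_zip({
    "main.py": "import examplelib\n",
    "requirements.txt": "# pinned\nexamplelib==1.2.3\n",
    "vendor/examplelib/PKG-INFO": "Metadata-Version: 2.1\nName: examplelib\nVersion: 1.2.3\n",
})

if __name__ == "__main__":
    for label, data in (("code only", CODE_ONLY), ("with deps", WITH_DEPS)):
        print(label, "->", list_dependencies(data) or "nothing for the scanner to match")
```

An empty result for your own archive corresponds to the "there is no data to show" symptom described above: the ZIP contains code but no package metadata to match.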


