Identify vulnerable packages in CDN scripts
Is there a vulnerability scanner (SAST, SCA, or other) that flags in-code CDN scripts where the script is referencing a vulnerable package (e.g. jQuery 1.9 is susceptible to XSS)? Typically, SCA scans find vulnerable third-party packages by searching package.json, NuGet, or the equivalent package listing, but do not scan the source code itself. SAST scans will scan the custom code, but not flag on specific versions of packages found (the screenshot below would flag on not using SRIs, but not for vulnerable versions). Is there either an existing SAST/SCA company that checks for these or a niche tool that will identify them?
Encrypting AJAX requests/responses worth it? [closed]
Security considerations for frontend [closed]
How to fix this issue as I am unable to create my react app
Showing 8 vulnerabilities (2 moderate, 6 high) while installing. Though the app is created successfully, it does not work.
It shows