AWS Security ChangesHomeSearch

AWS inspector medium security documentation change

Service: inspector · 2025-08-28 · Security-related medium

File: inspector/latest/user/sbom-generator-ecosystem-collection.md

Summary

Added Puppeteer support details, Chrome collection paths, Oracle DB version limits, and environment variable handling

Security assessment

The changes document security evaluation boundaries (e.g., Oracle DB 19+ only) and environment variable controls (PUPPETEER_SKIP_CHROMIUM_DOWNLOAD) that affect vulnerability detection capabilities. These updates clarify security-relevant constraints in dependency analysis.

Diff

diff --git a/inspector/latest/user/sbom-generator-ecosystem-collection.md b/inspector/latest/user/sbom-generator-ecosystem-collection.md
index 87ed82bb8..d03927a95 100644
--- a//inspector/latest/user/sbom-generator-ecosystem-collection.md
+++ b//inspector/latest/user/sbom-generator-ecosystem-collection.md
@@ -111,0 +112 @@ The following is an example package URL for an `Apache Tomcat` application.
+  * Puppeteer (supports the puppeteer library; puppeteer-core is not included) 
@@ -114,0 +116,5 @@ The following is an example package URL for an `Apache Tomcat` application.
+
+###### Note
+
+Puppeteer supports the puppeteer library. Puppeteer core is not included. 
+
@@ -120,0 +127,2 @@ Amazon Inspector collects Google Chrome information from the following:
+  * The `chrome.exe` file (Windows Chrome installation) 
+
@@ -126 +134,3 @@ Amazon Inspector collects Google Chrome information from the following:
-The Amazon Inspector SBOM Generator parses and collects corresponding versions of each of the supported artifacts. 
+For each of the supported artifacts, the Sbomgen parses and collects either chrome file or the puppeteer file. For puppeteer installations, the corresponding Chromium version is collected based on the puppeteer version. For more information, see [Supported browsers](https://pptr.dev/supported-browsers) on the Puppeteer website. 
+
+When the `PUPPETEER_SKIP_CHROMIUM_DOWNLOAD` environment variable is set to `true`, evaluation is skipped, and the `skip_chromium_download=true` qualifier is added to the Puppeteer package URL. 
@@ -169,0 +180,7 @@ The following is an example package URL for a `puppeteer` version file.
+###### Example PURL
+
+The following is an example package URL with skip qualifier for a `puppeteer` version file. 
+    
+    
+    pkg:generic/google/[email protected]?distro=linux&skip_chromium_download=true
+
@@ -470,0 +488,4 @@ The following is an example package URL for the OpenSSL version.
+###### Note
+
+Vulnerability evaluation applies only to Oracle Database Server version 19 and higher. 
+
@@ -493 +514 @@ Version `23.7.0.25.01` is extracted to identify the Oracle Database version.
-The following is an example package URL for Oracle Database 
+The following is an example package URL for Oracle Database.