Litcius/Paper detail

Study of JavaScript Static Analysis Tools for Vulnerability Detection in Node.js Packages

Tiago Brito, Mafalda Ferreira, Miguel Monteiro, Pedro Lopes, Miguel Barros, José Fragoso Santos, Nuno Santos

2023IEEE Transactions on Reliability23 citationsDOIOpen Access PDF

Abstract

With the emergence of the Node.js ecosystem, JavaScript has become a widely used programming language for implementing server-side web applications. In this article, we present the first empirical study of static code analysis tools for detecting vulnerabilities in Node.js code. To conduct a comprehensive tool evaluation, we created the largest known curated dataset of Node.js code vulnerabilities. We characterized and annotated a set of 957 vulnerabilities by analyzing information contained in <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">npm</i> advisory reports. We tested nine different tools and found that many important vulnerabilities appearing in the OWASP top-10 are not detected by any tool. The three best performing tools combined only detect up to 57.6% of all vulnerabilities in the dataset, but at a very low precision of 0.11%. Our curated dataset offers a new benchmark to help characterize existing Node.js code vulnerabilities and foster the development of better vulnerability detection tools for Node.js code.

Topics & Concepts

JavaScriptComputer scienceStatic analysisNode (physics)Vulnerability (computing)Vulnerability assessmentReliability engineeringComputer securityEngineeringProgramming languagePsychologyPsychotherapistStructural engineeringPsychological resilienceWeb Application Security VulnerabilitiesSecurity and Verification in ComputingDigital and Cyber Forensics
Study of JavaScript Static Analysis Tools for Vulnerability Detection in Node.js Packages | Litcius