Efficient Static Vulnerability Analysis for JavaScript with Multiversion Dependency Graphs

While static analysis tools that rely on Code Property Graphs (CPGs) to detect security vulnerabilities have proven effective, deciding how much information to include in the graphs remains a challenge. Including less information can lead to a more scalable analysis but at the cost of reduced effect...

Celý popis

Uloženo v:

Podrobná bibliografie
Vydáno v:	Proceedings of ACM on programming languages Ročník 8; číslo PLDI; s. 417 - 441
Hlavní autoři:	Ferreira, Mafalda, Monteiro, Miguel, Brito, Tiago, Coimbra, Miguel E., Santos, Nuno, Jia, Limin, Santos, José Fragoso
Médium:	Journal Article
Jazyk:	angličtina
Vydáno:	New York, NY, USA ACM 20.06.2024
Témata:	Automated static analysis Program analysis Security and privacy Software and application security Software and its engineering Software verification and validation Theory of computation Vulnerability Detection Static Analysis JavaScript
ISSN:	2475-1421, 2475-1421
On-line přístup:	Získat plný text
Tagy:	Přidat tag Žádné tagy, Buďte první, kdo vytvoří štítek k tomuto záznamu!

Abstract	While static analysis tools that rely on Code Property Graphs (CPGs) to detect security vulnerabilities have proven effective, deciding how much information to include in the graphs remains a challenge. Including less information can lead to a more scalable analysis but at the cost of reduced effectiveness in identifying vulnerability patterns, potentially resulting in classification errors. Conversely, more information in the graph allows for a more effective analysis but may affect scalability. For example, scalability issues have been recently highlighted in ODGen, the state-of-the-art CPG-based tool for detecting Node.js vulnerabilities. This paper examines a new point in the design space of CPGs for JavaScript vulnerability detection. We introduce the Multiversion Dependency Graph (MDG), a novel graph-based data structure that captures the state evolution of objects and their properties during program execution. Compared to the graphs used by ODGen, MDGs are significantly simpler without losing key information needed for vulnerability detection. We implemented Graph.js, a new MDG-based static vulnerability scanner specialized in analyzing npm packages and detecting taint-style and prototype pollution vulnerabilities. Our evaluation shows that Graph.js outperforms ODGen by significantly reducing both the false negatives and the analysis time. Additionally, we have identified 49 previously undiscovered vulnerabilities in npm packages.
AbstractList	While static analysis tools that rely on Code Property Graphs (CPGs) to detect security vulnerabilities have proven effective, deciding how much information to include in the graphs remains a challenge. Including less information can lead to a more scalable analysis but at the cost of reduced effectiveness in identifying vulnerability patterns, potentially resulting in classification errors. Conversely, more information in the graph allows for a more effective analysis but may affect scalability. For example, scalability issues have been recently highlighted in ODGen, the state-of-the-art CPG-based tool for detecting Node.js vulnerabilities. This paper examines a new point in the design space of CPGs for JavaScript vulnerability detection. We introduce the Multiversion Dependency Graph (MDG), a novel graph-based data structure that captures the state evolution of objects and their properties during program execution. Compared to the graphs used by ODGen, MDGs are significantly simpler without losing key information needed for vulnerability detection. We implemented Graph.js, a new MDG-based static vulnerability scanner specialized in analyzing npm packages and detecting taint-style and prototype pollution vulnerabilities. Our evaluation shows that Graph.js outperforms ODGen by significantly reducing both the false negatives and the analysis time. Additionally, we have identified 49 previously undiscovered vulnerabilities in npm packages. While static analysis tools that rely on Code Property Graphs (CPGs) to detect security vulnerabilities have proven effective, deciding how much information to include in the graphs remains a challenge. Including less information can lead to a more scalable analysis but at the cost of reduced effectiveness in identifying vulnerability patterns, potentially resulting in classification errors. Conversely, more information in the graph allows for a more effective analysis but may affect scalability. For example, scalability issues have been recently highlighted in ODGen, the state-of-the-art CPG-based tool for detecting Node.js vulnerabilities. This paper examines a new point in the design space of CPGs for JavaScript vulnerability detection. We introduce the Multiversion Dependency Graph (MDG), a novel graph-based data structure that captures the state evolution of objects and their properties during program execution. Compared to the graphs used by ODGen, MDGs are significantly simpler without losing key information needed for vulnerability detection. We implemented Graph.js, a new MDG-based static vulnerability scanner specialized in analyzing npm packages and detecting taint-style and prototype pollution vulnerabilities. Our evaluation shows that Graph.js outperforms ODGen by significantly reducing both the false negatives and the analysis time. Additionally, we have identified 49 previously undiscovered vulnerabilities in npm packages.
ArticleNumber	164
Author	Santos, José Fragoso Monteiro, Miguel Jia, Limin Santos, Nuno Brito, Tiago Ferreira, Mafalda Coimbra, Miguel E.
Author_xml	– sequence: 1 givenname: Mafalda orcidid: 0000-0002-5307-4279 surname: Ferreira fullname: Ferreira, Mafalda email: mafalda.baptista@tecnico.ulisboa.pt organization: INESC-ID, Lisboa, Portugal, Instituto Superior Técnico, Universidade de Lisboa, Lisboa, Portugal – sequence: 2 givenname: Miguel orcidid: 0000-0002-6346-7340 surname: Monteiro fullname: Monteiro, Miguel email: miguel.figueiredo.monteiro@tecnico.ulisboa.pt organization: INESC-ID, Lisboa, Portugal, Instituto Superior Técnico, Universidade de Lisboa, Lisboa, Portugal – sequence: 3 givenname: Tiago orcidid: 0000-0001-5982-9794 surname: Brito fullname: Brito, Tiago email: tiago.de.oliveira.brito@tecnico.ulisboa.pt organization: INESC-ID, Lisboa, Portugal, Instituto Superior Técnico, Universidade de Lisboa, Lisboa, Portugal – sequence: 4 givenname: Miguel E. orcidid: 0000-0002-7191-5895 surname: Coimbra fullname: Coimbra, Miguel E. email: miguel.e.coimbra@tecnico.ulisboa.pt organization: INESC-ID, Lisboa, Portugal, Instituto Superior Técnico, Universidade de Lisboa, Lisboa, Portugal – sequence: 5 givenname: Nuno orcidid: 0000-0001-9938-0653 surname: Santos fullname: Santos, Nuno email: nuno.m.santos@tecnico.ulisboa.pt organization: INESC-ID, Lisboa, Portugal, Instituto Superior Técnico, Universidade de Lisboa, Lisboa, Portugal – sequence: 6 givenname: Limin orcidid: 0000-0002-8160-349X surname: Jia fullname: Jia, Limin email: liminjia@andrew.cmu.edu organization: Carnegie Mellon University, Pittsburgh, USA – sequence: 7 givenname: José Fragoso orcidid: 0000-0001-5077-300X surname: Santos fullname: Santos, José Fragoso email: jose.fragoso@tecnico.ulisboa.pt organization: INESC-ID, Lisboa, Portugal, Instituto Superior Técnico, Universidade de Lisboa, Lisboa, Portugal
BookMark	eNptkE1LAzEYhINUsNbi3VNunlY3m2w-jqXWqlQ8VD14Wd6mCY1ss0uSVvbfa2kVEU8zMA8DM6eo5xtvEDon-RUhrLymvORUsSPUL5goM8IK0vvlT9Awxvc8z4miTFLVR28Ta512xic8T5Ccxq-b2psAC1e71OGRh7qLLmLbBPwAW5jr4NqEP1xa4cdNndzWhOgaj29Ma_zSeN3haYB2Fc_QsYU6muFBB-jldvI8vstmT9P78WiWQSFEymQpGSdKFYovAXJTANiFKMEaIawtJVAQVAqugYO2VBEjORVMC7EUGiShA3S579WhiTEYW7XBrSF0Fcmr3SvV4ZUvMvtDarcb3fgUwNX_8Bd7HvT6p_Q7_ASPWm5K
CitedBy_id	crossref_primary_10_1007_s11042_024_19682_y crossref_primary_10_1145_3729304
Cites_doi	10.1109/SP46215.2023.10179352 10.1109/SP46215.2023.10179395 10.5281/zenodo.10933020 10.1109/EuroSP57164.2023.00068 10.1145/3133956.3133959 10.1109/CLOUD53861.2021.00014 10.1145/3359789.3359813 10.1109/ICSE.2013.6606621 10.1145/3468264.3468556 10.1007/978-3-642-03237-0_17 10.1145/1529282.1529711 10.1109/SP.2015.54 10.1145/3319535.3345656 10.1145/3106237.3106267 10.1109/SP.2010.26 10.1145/2635868.2635904 10.1145/3338906.3338933 10.1145/3468264.3468542 10.1109/SP.2014.44 10.1109/ICSE-C.2017.4 10.4230/LIPIcs.ECOOP.2020.16 10.14722/ndss.2023.24610 10.1109/CGO.2015.7054185 10.1109/EuroSP.2017.14 10.1145/512950.512973 10.1016/j.procs.2018.08.227 10.1109/SP.2009.33 10.1145/2664243.2664256 10.1145/3377811.3380390 10.1109/ASE.2015.28 10.14722/ndss.2018.23076 10.1109/ICSE48619.2023.00096 10.1016/j.cose.2022.102745 10.1145/2635868.2635916 10.1007/978-3-642-31057-7_20 10.1145/3460120.3484745 10.5281/zenodo.10936488 10.1145/3576915.3616584 10.56553/popets-2023-0046 10.1007/s10207-020-00537-0 10.1109/SP.2019.00058 10.1016/j.jisa.2021.102752 10.1109/TR.2023.3286301 10.5555/2831143.2831189
ContentType	Journal Article
Copyright	Owner/Author
Copyright_xml	– notice: Owner/Author
DBID	AAYXX CITATION
DOI	10.1145/3656394
DatabaseName	CrossRef
DatabaseTitle	CrossRef
DatabaseTitleList	CrossRef
DeliveryMethod	fulltext_linktorsrc
Discipline	Computer Science
EISSN	2475-1421
EndPage	441
ExternalDocumentID	10_1145_3656394 3656394
GrantInformation_xml	– fundername: Fundação para a Ciência e a Tecnologia grantid: 2021.06134.BD funderid: https:\/\/doi.org\/10.13039\/501100001871 – fundername: IAPMEI grantid: C6632206063-00466847 – fundername: Fundação para a Ciência e a Tecnologia grantid: SFRH\/BD\/146698\/2019 funderid: https:\/\/doi.org\/10.13039\/501100001871 – fundername: Carnegie Mellon University funderid: https:\/\/doi.org\/10.13039\/100008047 – fundername: Fundação para a Ciência e a Tecnologia grantid: 2022.03537.PTDC funderid: https:\/\/doi.org\/10.13039\/501100001871
GroupedDBID	AAKMM AAYFX ACM AEFXT AEJOY AIKLT AKRVB ALMA_UNASSIGNED_HOLDINGS GUFHI LHSKQ M~E OK1 ROL AAYXX CITATION
ID	FETCH-LOGICAL-a277t-85846199296daa0e2aafb75afe77ff58a3a73876ca6acf391e86374c77d7ca813
ISICitedReferencesCount	2
ISICitedReferencesURI	http://www.webofscience.com/api/gateway?GWVersion=2&SrcApp=Summon&SrcAuth=ProQuest&DestLinkType=CitingArticles&DestApp=WOS_CPL&KeyUT=001264464100019&url=https%3A%2F%2Fcvtisr.summon.serialssolutions.com%2F%23%21%2Fsearch%3Fho%3Df%26include.ft.matches%3Dt%26l%3Dnull%26q%3D
ISSN	2475-1421
IngestDate	Sat Nov 29 07:45:10 EST 2025 Tue Nov 18 21:02:27 EST 2025 Mon Jul 07 16:40:28 EDT 2025
IsDoiOpenAccess	true
IsOpenAccess	true
IsPeerReviewed	true
IsScholarly	true
Issue	PLDI
Keywords	Vulnerability Detection Static Analysis JavaScript
Language	English
License	This work is licensed under a Creative Commons Attribution International 4.0 License.
LinkModel	OpenURL
MergedId	FETCHMERGED-LOGICAL-a277t-85846199296daa0e2aafb75afe77ff58a3a73876ca6acf391e86374c77d7ca813
ORCID	0000-0002-7191-5895 0000-0002-6346-7340 0000-0001-9938-0653 0000-0002-5307-4279 0000-0002-8160-349X 0000-0001-5982-9794 0000-0001-5077-300X
OpenAccessLink	https://dl.acm.org/doi/10.1145/3656394
PageCount	25
ParticipantIDs	crossref_primary_10_1145_3656394 crossref_citationtrail_10_1145_3656394 acm_primary_3656394
PublicationCentury	2000
PublicationDate	2024-06-20
PublicationDateYYYYMMDD	2024-06-20
PublicationDate_xml	– month: 06 year: 2024 text: 2024-06-20 day: 20
PublicationDecade	2020
PublicationPlace	New York, NY, USA
PublicationPlace_xml	– name: New York, NY, USA
PublicationTitle	Proceedings of ACM on programming languages
PublicationTitleAbbrev	ACM PACMPL
PublicationYear	2024
Publisher	ACM
Publisher_xml	– name: ACM
References	(bib53) 2018 (bib14) 2021 (bib13) 2015 (bib33) 2018; 135 (bib11) 1977 (bib26) 2009 (bib17) 2021 (bib27) 2023 (bib57) 2023 (bib50) 2019 (bib21) 2024 (bib44) 2021 (bib54) 2020 (bib23) 2018 (bib24) 2023 (bib2) 2017 (bib30) 2022; 21 (bib58) 2023 (bib25) 2009 (bib4) 2021 (bib6) 2023; 72 (bib63) 2023 (bib52) 2018 (bib16) 2019 (bib32) 2023; 2 (bib47) 2010 (bib41) 2019 (bib8) 2014 (bib1) 2017 (bib60) 2021 (bib64) 2019 (bib40) 2023 (bib35) 2021 (bib20) 2024 (bib5) 2023 (bib15) 2019 (bib29) 2021 (bib42) 2020 (bib61) 2014 (bib51) 2012 (bib12) 2024 (bib22) 2023 (bib55) 2014 (bib18) 2013 (bib36) 2022 (bib37) 2009 (bib45) 2017 (bib28) 2014 (bib19) 2023 (bib39) 2023 (bib49) 2023 (bib59) 2023 (bib62) 2015 (bib48) 2023 (bib56) 2023 (bib7) 2022; 118 (bib43) 2021; 58 (bib9) 2023 (bib46) 2017 (bib3) 2014 (bib31) 2015 (bib10) 2024 (bib34) 2015 (bib38) 2009 e_1_3_1_60_2 Gong Liang (e_1_3_1_24_2) 2018 e_1_3_1_43_2 e_1_3_1_22_2 Khodayari Soheil (e_1_3_1_30_2) 2021 e_1_3_1_45_2 e_1_3_1_8_2 e_1_3_1_62_2 e_1_3_1_41_2 e_1_3_1_64_2 e_1_3_1_20_2 e_1_3_1_4_2 e_1_3_1_6_2 e_1_3_1_26_2 e_1_3_1_47_2 e_1_3_1_2_2 e_1_3_1_28_2 e_1_3_1_49_2 Staicu Cristian-Alexandru (e_1_3_1_53_2) 2018 Nadji Yacin (e_1_3_1_39_2) 2009 e_1_3_1_32_2 e_1_3_1_55_2 e_1_3_1_34_2 e_1_3_1_57_2 e_1_3_1_13_2 e_1_3_1_51_2 e_1_3_1_11_2 e_1_3_1_17_2 e_1_3_1_15_2 e_1_3_1_36_2 e_1_3_1_59_2 e_1_3_1_19_2 e_1_3_1_38_2 e_1_3_1_21_2 e_1_3_1_44_2 e_1_3_1_23_2 e_1_3_1_46_2 e_1_3_1_7_2 e_1_3_1_40_2 e_1_3_1_9_2 e_1_3_1_42_2 e_1_3_1_63_2 e_1_3_1_29_2 e_1_3_1_3_2 e_1_3_1_5_2 e_1_3_1_25_2 e_1_3_1_48_2 e_1_3_1_27_2 Li Song (e_1_3_1_37_2) 2022 e_1_3_1_33_2 e_1_3_1_54_2 Xiao Feng (e_1_3_1_61_2) 2021 e_1_3_1_35_2 e_1_3_1_12_2 e_1_3_1_50_2 e_1_3_1_10_2 e_1_3_1_31_2 e_1_3_1_52_2 e_1_3_1_16_2 Zimmermann Markus (e_1_3_1_65_2) 2019 e_1_3_1_14_2 Stock Ben (e_1_3_1_56_2) 2014 e_1_3_1_58_2 e_1_3_1_18_2
References_xml	– start-page: 143 year: 2022 end-page: 160 ident: bib36 publication-title: Proceedings of the 31st USENIX Security Symposium (SEC ’22) – year: 2009 ident: bib38 publication-title: Proceedings of the Network and Distributed System Security Symposium (NDSS ’09) – year: 2023 ident: bib56 publication-title: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (’Prototype Pollution’) – start-page: 1059 year: 2023 end-page: 1076 ident: bib27 publication-title: 44th IEEE Symposium on Security and Privacy (S&P ’23) doi: 10.1109/SP46215.2023.10179352 – start-page: 655 year: 2014 end-page: 670 ident: bib55 publication-title: Proceedings of the 23rd USENIX Security Symposium (SEC ‘14’) – start-page: 2817 year: 2023 end-page: 2834 ident: bib19 publication-title: 44th IEEE Symposium on Security and Privacy (S&P ’23) doi: 10.1109/SP46215.2023.10179395 – year: 2024 ident: bib21 publication-title: Technical Report: Efficient Static Vulnerability Analysis for JavaScript with Multiversion Dependency Graphs doi: 10.5281/zenodo.10933020 – start-page: 1101 year: 2023 end-page: 1127 ident: bib9 publication-title: Proceedings of the IEEE European Symposium on Security and Privacy (EuroS&P ’23) doi: 10.1109/EuroSP57164.2023.00068 – year: 2023 ident: bib24 – start-page: 1757 year: 2017 end-page: 1771 ident: bib46 publication-title: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS ’17) doi: 10.1145/3133956.3133959 – start-page: 13 year: 2021 end-page: 19 ident: bib4 publication-title: 2021 IEEE 14th International Conference on Cloud Computing (CLOUD ’21) IEEE Computer Society doi: 10.1109/CLOUD53861.2021.00014 – start-page: 257 year: 2019 end-page: 269 ident: bib16 publication-title: Proceedings of the 35th Annual Computer Security Applications Conference (ACSAC) (ACSAC ’19) doi: 10.1145/3359789.3359813 – start-page: 752 year: 2013 end-page: 761 ident: bib18 publication-title: Proceedings of the 2013 International Conference on Software Engineering (ICSE ’13) doi: 10.1109/ICSE.2013.6606621 – start-page: 1129 year: 2021 end-page: 1140 ident: bib44 publication-title: Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE ’21) doi: 10.1145/3468264.3468556 – start-page: 238 year: 2009 end-page: 255 ident: bib26 publication-title: Proceedings of International Static Analysis Symposium (SAS ’09) doi: 10.1007/978-3-642-03237-0_17 – start-page: 1930 year: 2009 end-page: 1937 ident: bib25 publication-title: Proceedings of the 2009 ACM Symposium on Applied Computing (SAC ’09) doi: 10.1145/1529282.1529711 – start-page: 797 year: 2015 end-page: 812 ident: bib62 publication-title: 36th IEEE Symposium on Security and Privacy (S&P ’15) doi: 10.1109/SP.2015.54 – year: 2024 ident: bib10 – start-page: 1899 year: 2019 end-page: 1913 ident: bib15 publication-title: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS ’19) doi: 10.1145/3319535.3345656 – start-page: 385 year: 2017 end-page: 395 ident: bib1 publication-title: Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering (ESEC/FSE ’17) doi: 10.1145/3106237.3106267 – year: 2023 ident: bib39 publication-title: Cypher Query Language – year: 2023 ident: bib40 publication-title: Graph Database and Analytics – start-page: 317 year: 2010 end-page: 331 ident: bib47 publication-title: 31th IEEE Symposium on Security and Privacy (S&P ’10) doi: 10.1109/SP.2010.26 – start-page: 121 year: 2014 end-page: 132 ident: bib28 publication-title: Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE ’14) doi: 10.1145/2635868.2635904 – start-page: 455 year: 2019 end-page: 465 ident: bib41 publication-title: Proceedings of the 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE ’19) doi: 10.1145/3338906.3338933 – start-page: 268 year: 2021 end-page: 279 ident: bib35 publication-title: Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE ’21) doi: 10.1145/3468264.3468542 – start-page: 590 year: 2014 end-page: 604 ident: bib61 publication-title: 35th IEEE Symposium on Security and Privacy (S&P ’14) doi: 10.1109/SP.2014.44 – start-page: 59 year: 2017 end-page: 62 ident: bib45 publication-title: Proceedings of the 39th International Conference on Software Engineering Companion (ICSE-C ’17) doi: 10.1109/ICSE-C.2017.4 – start-page: 16:1 year: 2020 end-page: 16:28 ident: bib42 publication-title: Proceedings of the 34th European Conference on Object-Oriented Programming (ECOOP ’20) doi: 10.4230/LIPIcs.ECOOP.2020.16 – year: 2023 ident: bib48 publication-title: Proceedings of 30th Annual Network and Distributed System Security Symposium (NDSS ’23) doi: 10.14722/ndss.2023.24610 – year: 2023 ident: bib59 publication-title: CWE-94: Improper Control of Generation of Code (‘Code Injection’) – start-page: 34 year: 2015 end-page: 45 ident: bib13 publication-title: Proceedings of 2015 IEEE/ACM International Symposium on Code Generation and Optimization (CGO ’15) doi: 10.1109/CGO.2015.7054185 – start-page: 2525 year: 2021 end-page: 2542 ident: bib29 publication-title: 30th USENIX Security Symposium (SEC ’21) – start-page: 334 year: 2017 end-page: 349 ident: bib2 publication-title: IEEE Computer Society doi: 10.1109/EuroSP.2017.14 – start-page: 238 year: 1977 end-page: 252 ident: bib11 publication-title: Proceedings of the 4th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages (POPL ’77) doi: 10.1145/512950.512973 – volume: 135 start-page: 596 year: 2018 end-page: 605 ident: bib33 article-title: Static Taint Analysis Traversal with Object Oriented Component for Web File Injection Vulnerability Pattern Detection publication-title: Procedia Computer Science doi: 10.1016/j.procs.2018.08.227 – start-page: 331 year: 2009 end-page: 346 ident: bib37 publication-title: 30th IEEE Symposium on Security and Privacy (S&P ’09) doi: 10.1109/SP.2009.33 – start-page: 361 year: 2018 end-page: 376 ident: bib52 publication-title: 27th USENIX Security Symposium (SEC ’18) – start-page: 466 year: 2014 end-page: 475 ident: bib8 publication-title: Proceedings of the 30th Annual Computer Security Applications Conference (ACSAC ’14) doi: 10.1145/2664243.2664256 – start-page: 198 year: 2020 end-page: 209 ident: bib54 publication-title: Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering (ICSE ’20) doi: 10.1145/3377811.3380390 – year: 2021 ident: bib14 publication-title: ECMAScript parsing infrastructure for multipurpose analysis – year: 2023 ident: bib49 – start-page: 541 year: 2015 end-page: 551 ident: bib31 publication-title: Proceedings of the 30th IEEE/ACM International Conference on Automated Software Engineering (ASE ’15) doi: 10.1109/ASE.2015.28 – year: 2018 ident: bib53 publication-title: Proceedings of the Network and Distributed System Security Symposium (NDSS ’18) doi: 10.14722/ndss.2018.23076 – start-page: 1059 year: 2023 end-page: 1070 ident: bib5 publication-title: 2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE ’23) doi: 10.1109/ICSE48619.2023.00096 – year: 2018 ident: bib23 publication-title: Dynamic Analysis for JavaScript Code – year: 2023 ident: bib58 publication-title: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) – volume: 118 start-page: 102745 year: 2022 ident: bib7 article-title: Wasmati: An efficient static vulnerability scanner for WebAssembly publication-title: Computers & Security doi: 10.1016/j.cose.2022.102745 – year: 2021 ident: bib60 publication-title: 20th USENIX Security Symposium (SEC ’21) – start-page: 507 year: 2014 end-page: 517 ident: bib3 publication-title: Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE ’14) doi: 10.1145/2635868.2635916 – start-page: 435 year: 2012 end-page: 458 ident: bib51 publication-title: Proceedings of the 26th European Conference on Object-Oriented Programming (ECOOP ’12) doi: 10.1007/978-3-642-31057-7_20 – year: 2023 ident: bib57 publication-title: CWE-22: Improper Limitation of a Pathname to a Restricted Directory (’Path Traversal’) – start-page: 1789 year: 2021 end-page: 1804 ident: bib17 publication-title: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security (CCS ’21) doi: 10.1145/3460120.3484745 – year: 2024 ident: bib20 publication-title: Graph.js PLDI24 Artifact Evaluation doi: 10.5281/zenodo.10936488 – start-page: 2441 year: 2023 end-page: 2455 ident: bib63 publication-title: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security (CCS ’23) doi: 10.1145/3576915.3616584 – volume: 2 start-page: 171 year: 2023 end-page: 187 ident: bib32 article-title: Privacy Property Graph: Towards Automated Privacy Threat Modeling via Static Graph-based Analysis publication-title: Proceedings of Privacy Enhancing Technologies (PETS) 2023 doi: 10.56553/popets-2023-0046 – volume: 21 start-page: 1 issue: 1 year: 2022 end-page: 23 ident: bib30 article-title: DAPP: automatic detection and analysis of prototype pollution vulnerability in Node.js modules publication-title: International Journal of Information Security doi: 10.1007/s10207-020-00537-0 – start-page: 227 year: 2019 end-page: 245 ident: bib50 publication-title: 40th IEEE Symposium on Security and Privacy (S&P ’19) doi: 10.1109/SP.2019.00058 – volume: 58 start-page: 102752 year: 2021 ident: bib43 article-title: NodeXP: NOde. js server-side JavaScript injection vulnerability DEtection and eXPloitation publication-title: JISA doi: 10.1016/j.jisa.2021.102752 – year: 2024 ident: bib12 publication-title: Mitre corporation homepage – start-page: 995 year: 2019 end-page: 1010 ident: bib64 publication-title: 28th USENIX Security Symposium (SEC ’19) – start-page: 723 year: 2015 end-page: 735 ident: bib34 publication-title: Proceedings of the 24th USENIX Security Symposium (SEC ’15) – volume: 72 start-page: 1324 issue: 4 year: 2023 end-page: 1339 ident: bib6 article-title: Study of JavaScript Static Analysis Tools for Vulnerability Detection in Node.js Packages publication-title: IEEE Transactions on Reliability doi: 10.1109/TR.2023.3286301 – year: 2023 ident: bib22 – ident: e_1_3_1_5_2 doi: 10.1109/CLOUD53861.2021.00014 – ident: e_1_3_1_40_2 – ident: e_1_3_1_12_2 doi: 10.1145/512950.512973 – ident: e_1_3_1_14_2 doi: 10.1109/CGO.2015.7054185 – ident: e_1_3_1_27_2 doi: 10.1007/978-3-642-03237-0_17 – ident: e_1_3_1_35_2 doi: 10.5555/2831143.2831189 – ident: e_1_3_1_28_2 doi: 10.1109/SP46215.2023.10179352 – volume-title: Dynamic Analysis for JavaScript Code year: 2018 ident: e_1_3_1_24_2 – ident: e_1_3_1_15_2 – ident: e_1_3_1_23_2 – ident: e_1_3_1_42_2 doi: 10.1145/3338906.3338933 – ident: e_1_3_1_36_2 doi: 10.1145/3468264.3468542 – ident: e_1_3_1_62_2 doi: 10.1109/SP.2014.44 – ident: e_1_3_1_64_2 doi: 10.1145/3576915.3616584 – ident: e_1_3_1_6_2 doi: 10.1109/ICSE48619.2023.00096 – start-page: 143 volume-title: Proceedings of the 31st USENIX Security Symposium (SEC ’22) year: 2022 ident: e_1_3_1_37_2 – volume-title: 20th USENIX Security Symposium (SEC ’21) year: 2021 ident: e_1_3_1_61_2 – ident: e_1_3_1_59_2 – ident: e_1_3_1_51_2 doi: 10.1109/SP.2019.00058 – ident: e_1_3_1_49_2 doi: 10.14722/ndss.2023.24610 – ident: e_1_3_1_10_2 doi: 10.1109/EuroSP57164.2023.00068 – ident: e_1_3_1_54_2 doi: 10.14722/ndss.2018.23076 – ident: e_1_3_1_13_2 – ident: e_1_3_1_32_2 doi: 10.1109/ASE.2015.28 – start-page: 655 volume-title: Proceedings of the 23rd USENIX Security Symposium (SEC ‘14’) year: 2014 ident: e_1_3_1_56_2 – ident: e_1_3_1_17_2 doi: 10.1145/3359789.3359813 – ident: e_1_3_1_2_2 doi: 10.1145/3106237.3106267 – ident: e_1_3_1_38_2 doi: 10.1109/SP.2009.33 – ident: e_1_3_1_18_2 doi: 10.1145/3460120.3484745 – ident: e_1_3_1_48_2 doi: 10.1109/SP.2010.26 – ident: e_1_3_1_63_2 doi: 10.1109/SP.2015.54 – ident: e_1_3_1_57_2 – ident: e_1_3_1_26_2 doi: 10.1145/1529282.1529711 – ident: e_1_3_1_19_2 doi: 10.1109/ICSE.2013.6606621 – ident: e_1_3_1_55_2 doi: 10.1145/3377811.3380390 – ident: e_1_3_1_7_2 doi: 10.1109/TR.2023.3286301 – ident: e_1_3_1_20_2 doi: 10.1109/SP46215.2023.10179395 – ident: e_1_3_1_44_2 doi: 10.1016/j.jisa.2021.102752 – ident: e_1_3_1_8_2 doi: 10.1016/j.cose.2022.102745 – ident: e_1_3_1_34_2 doi: 10.1016/j.procs.2018.08.227 – ident: e_1_3_1_50_2 – start-page: 361 volume-title: 27th USENIX Security Symposium (SEC ’18) year: 2018 ident: e_1_3_1_53_2 – start-page: 2525 volume-title: 30th USENIX Security Symposium (SEC ’21) year: 2021 ident: e_1_3_1_30_2 – ident: e_1_3_1_25_2 – ident: e_1_3_1_11_2 – ident: e_1_3_1_9_2 doi: 10.1145/2664243.2664256 – ident: e_1_3_1_43_2 doi: 10.4230/LIPIcs.ECOOP.2020.16 – ident: e_1_3_1_22_2 doi: 10.5281/zenodo.10933020 – ident: e_1_3_1_21_2 doi: 10.5281/zenodo.10936488 – ident: e_1_3_1_47_2 doi: 10.1145/3133956.3133959 – ident: e_1_3_1_16_2 doi: 10.1145/3319535.3345656 – volume-title: Proceedings of the Network and Distributed System Security Symposium (NDSS ’09) year: 2009 ident: e_1_3_1_39_2 – start-page: 995 volume-title: 28th USENIX Security Symposium (SEC ’19) year: 2019 ident: e_1_3_1_65_2 – ident: e_1_3_1_58_2 – ident: e_1_3_1_33_2 doi: 10.56553/popets-2023-0046 – ident: e_1_3_1_41_2 – ident: e_1_3_1_46_2 doi: 10.1109/ICSE-C.2017.4 – ident: e_1_3_1_60_2 – ident: e_1_3_1_3_2 doi: 10.1109/EuroSP.2017.14 – ident: e_1_3_1_4_2 doi: 10.1145/2635868.2635916 – ident: e_1_3_1_45_2 doi: 10.1145/3468264.3468556 – ident: e_1_3_1_31_2 doi: 10.1007/s10207-020-00537-0 – ident: e_1_3_1_29_2 doi: 10.1145/2635868.2635904 – ident: e_1_3_1_52_2 doi: 10.1007/978-3-642-31057-7_20
SSID	ssj0001934839
Score	2.286799
Snippet	While static analysis tools that rely on Code Property Graphs (CPGs) to detect security vulnerabilities have proven effective, deciding how much information to...
SourceID	crossref acm
SourceType	Enrichment Source Index Database Publisher
StartPage	417
SubjectTerms	Automated static analysis Program analysis Security and privacy Software and application security Software and its engineering Software verification and validation Theory of computation
SubjectTermsDisplay	Security and privacy -- Software and application security Software and its engineering -- Automated static analysis Software and its engineering -- Software verification and validation Theory of computation -- Program analysis
Title	Efficient Static Vulnerability Analysis for JavaScript with Multiversion Dependency Graphs
URI	https://dl.acm.org/doi/10.1145/3656394
Volume	8
WOSCitedRecordID	wos001264464100019&url=https%3A%2F%2Fcvtisr.summon.serialssolutions.com%2F%23%21%2Fsearch%3Fho%3Df%26include.ft.matches%3Dt%26l%3Dnull%26q%3D
hasFullText	1
inHoldings	1
isFullTextHit
isPrint
journalDatabaseRights	– providerCode: PRVHPJ databaseName: ROAD: Directory of Open Access Scholarly Resources customDbUrl: eissn: 2475-1421 dateEnd: 99991231 omitProxy: false ssIdentifier: ssj0001934839 issn: 2475-1421 databaseCode: M~E dateStart: 20170101 isFulltext: true titleUrlDefault: https://road.issn.org providerName: ISSN International Centre
link	http://cvtisr.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwtV3Pb9MwFLbK4MCFwQBtDJAPiEsVaGynto_TKL9EpkoMNHGpHMeZIrXp1LXVduHEH46f7SRmcIADlyhKXhzJ79Pz8_N730PoxdgUBbG7HGhoohNGSpEIUuhES2kd2NTYLQlzzSb4yYk4O5PTweBHWwuznfOmEVdX8uK_qto-s8qG0tl_UHc3qH1g763S7dWq3V7_SvETRwoBR_zgSNZ6-HUzB2pplwV73bOQQH7hR7VVn53d8AFZV4679SE0a4p8f1x9PXwHtNaXsSM77RY-lwtydJzDsUPI9lpA_KGNhPYFJma1MrXrazTMVaXmfTAgB46s2pfc5PX5xnR5HxC8WHpQqfNld2KyrBdFGMmJDyev4vgFYZBnRUYR4kJOvLN5hPEsSZkvmm4NtIhwOP305kNkb5kv_AxLN_McWr-vCgwINKh1XanvqHyDYju8uYVuE55JSAzMv0eROkmZdSN9xTWM9TrIg0OjF5FDE3kmp_fRvbClwEceCg_QwDR7aLdt14GD9X6IvnXIwB4Z-Bdk4BYZ2CID98jAgAwcIwP3yMAeGY_Ql7eT0-P3SWitkSjC-ToR4HdC5rEcl0qNDFGqKnimKsN5VWVCUcWpXSi1GitdUZkaMaacac5LrpVI6WO00ywbs4-wkAJCYmWZKsEqIuyHWVGORDEiPNWCHqA9O0uzC0-eMgtzd4BetrM204GNHpqizGe-Uj7rBXEn2I5xQ-TJH_9wiO72cHuKdtarjXmG7ujtur5cPXcq_gnaKnjS
linkProvider	ISSN International Centre
openUrl	ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=Efficient+Static+Vulnerability+Analysis+for+JavaScript+with+Multiversion+Dependency+Graphs&rft.jtitle=Proceedings+of+ACM+on+programming+languages&rft.au=Ferreira%2C+Mafalda&rft.au=Monteiro%2C+Miguel&rft.au=Brito%2C+Tiago&rft.au=Coimbra%2C+Miguel+E.&rft.date=2024-06-20&rft.pub=ACM&rft.eissn=2475-1421&rft.volume=8&rft.issue=PLDI&rft.spage=417&rft.epage=441&rft_id=info:doi/10.1145%2F3656394&rft.externalDocID=3656394
thumbnail_l	http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/lc.gif&issn=2475-1421&client=summon
thumbnail_m	http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/mc.gif&issn=2475-1421&client=summon
thumbnail_s	http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/sc.gif&issn=2475-1421&client=summon