Efficient Static Vulnerability Analysis for JavaScript with Multiversion Dependency Graphs

While static analysis tools that rely on Code Property Graphs (CPGs) to detect security vulnerabilities have proven effective, deciding how much information to include in the graphs remains a challenge. Including less information can lead to a more scalable analysis but at the cost of reduced effect...

Full description

Saved in:
Bibliographic Details
Published in:Proceedings of ACM on programming languages Vol. 8; no. PLDI; pp. 417 - 441
Main Authors: Ferreira, Mafalda, Monteiro, Miguel, Brito, Tiago, Coimbra, Miguel E., Santos, Nuno, Jia, Limin, Santos, José Fragoso
Format: Journal Article
Language:English
Published: New York, NY, USA ACM 20.06.2024
Subjects:
Automated static analysis
Program analysis
Security and privacy
Software and application security
Software and its engineering
Software verification and validation
Theory of computation
Vulnerability Detection
Static Analysis
JavaScript
ISSN:2475-1421, 2475-1421
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Abstract While static analysis tools that rely on Code Property Graphs (CPGs) to detect security vulnerabilities have proven effective, deciding how much information to include in the graphs remains a challenge. Including less information can lead to a more scalable analysis but at the cost of reduced effectiveness in identifying vulnerability patterns, potentially resulting in classification errors. Conversely, more information in the graph allows for a more effective analysis but may affect scalability. For example, scalability issues have been recently highlighted in ODGen, the state-of-the-art CPG-based tool for detecting Node.js vulnerabilities. This paper examines a new point in the design space of CPGs for JavaScript vulnerability detection. We introduce the Multiversion Dependency Graph (MDG), a novel graph-based data structure that captures the state evolution of objects and their properties during program execution. Compared to the graphs used by ODGen, MDGs are significantly simpler without losing key information needed for vulnerability detection. We implemented Graph.js, a new MDG-based static vulnerability scanner specialized in analyzing npm packages and detecting taint-style and prototype pollution vulnerabilities. Our evaluation shows that Graph.js outperforms ODGen by significantly reducing both the false negatives and the analysis time. Additionally, we have identified 49 previously undiscovered vulnerabilities in npm packages.
AbstractList While static analysis tools that rely on Code Property Graphs (CPGs) to detect security vulnerabilities have proven effective, deciding how much information to include in the graphs remains a challenge. Including less information can lead to a more scalable analysis but at the cost of reduced effectiveness in identifying vulnerability patterns, potentially resulting in classification errors. Conversely, more information in the graph allows for a more effective analysis but may affect scalability. For example, scalability issues have been recently highlighted in ODGen, the state-of-the-art CPG-based tool for detecting Node.js vulnerabilities. This paper examines a new point in the design space of CPGs for JavaScript vulnerability detection. We introduce the Multiversion Dependency Graph (MDG), a novel graph-based data structure that captures the state evolution of objects and their properties during program execution. Compared to the graphs used by ODGen, MDGs are significantly simpler without losing key information needed for vulnerability detection. We implemented Graph.js, a new MDG-based static vulnerability scanner specialized in analyzing npm packages and detecting taint-style and prototype pollution vulnerabilities. Our evaluation shows that Graph.js outperforms ODGen by significantly reducing both the false negatives and the analysis time. Additionally, we have identified 49 previously undiscovered vulnerabilities in npm packages.
While static analysis tools that rely on Code Property Graphs (CPGs) to detect security vulnerabilities have proven effective, deciding how much information to include in the graphs remains a challenge. Including less information can lead to a more scalable analysis but at the cost of reduced effectiveness in identifying vulnerability patterns, potentially resulting in classification errors. Conversely, more information in the graph allows for a more effective analysis but may affect scalability. For example, scalability issues have been recently highlighted in ODGen, the state-of-the-art CPG-based tool for detecting Node.js vulnerabilities. This paper examines a new point in the design space of CPGs for JavaScript vulnerability detection. We introduce the Multiversion Dependency Graph (MDG), a novel graph-based data structure that captures the state evolution of objects and their properties during program execution. Compared to the graphs used by ODGen, MDGs are significantly simpler without losing key information needed for vulnerability detection. We implemented Graph.js, a new MDG-based static vulnerability scanner specialized in analyzing npm packages and detecting taint-style and prototype pollution vulnerabilities. Our evaluation shows that Graph.js outperforms ODGen by significantly reducing both the false negatives and the analysis time. Additionally, we have identified 49 previously undiscovered vulnerabilities in npm packages.
ArticleNumber 164
Author Santos, José Fragoso
Monteiro, Miguel
Jia, Limin
Santos, Nuno
Brito, Tiago
Ferreira, Mafalda
Coimbra, Miguel E.
Author_xml – sequence: 1
  givenname: Mafalda
  orcidid: 0000-0002-5307-4279
  surname: Ferreira
  fullname: Ferreira, Mafalda
  email: mafalda.baptista@tecnico.ulisboa.pt
  organization: INESC-ID, Lisboa, Portugal, Instituto Superior Técnico, Universidade de Lisboa, Lisboa, Portugal
– sequence: 2
  givenname: Miguel
  orcidid: 0000-0002-6346-7340
  surname: Monteiro
  fullname: Monteiro, Miguel
  email: miguel.figueiredo.monteiro@tecnico.ulisboa.pt
  organization: INESC-ID, Lisboa, Portugal, Instituto Superior Técnico, Universidade de Lisboa, Lisboa, Portugal
– sequence: 3
  givenname: Tiago
  orcidid: 0000-0001-5982-9794
  surname: Brito
  fullname: Brito, Tiago
  email: tiago.de.oliveira.brito@tecnico.ulisboa.pt
  organization: INESC-ID, Lisboa, Portugal, Instituto Superior Técnico, Universidade de Lisboa, Lisboa, Portugal
– sequence: 4
  givenname: Miguel E.
  orcidid: 0000-0002-7191-5895
  surname: Coimbra
  fullname: Coimbra, Miguel E.
  email: miguel.e.coimbra@tecnico.ulisboa.pt
  organization: INESC-ID, Lisboa, Portugal, Instituto Superior Técnico, Universidade de Lisboa, Lisboa, Portugal
– sequence: 5
  givenname: Nuno
  orcidid: 0000-0001-9938-0653
  surname: Santos
  fullname: Santos, Nuno
  email: nuno.m.santos@tecnico.ulisboa.pt
  organization: INESC-ID, Lisboa, Portugal, Instituto Superior Técnico, Universidade de Lisboa, Lisboa, Portugal
– sequence: 6
  givenname: Limin
  orcidid: 0000-0002-8160-349X
  surname: Jia
  fullname: Jia, Limin
  email: liminjia@andrew.cmu.edu
  organization: Carnegie Mellon University, Pittsburgh, USA
– sequence: 7
  givenname: José Fragoso
  orcidid: 0000-0001-5077-300X
  surname: Santos
  fullname: Santos, José Fragoso
  email: jose.fragoso@tecnico.ulisboa.pt
  organization: INESC-ID, Lisboa, Portugal, Instituto Superior Técnico, Universidade de Lisboa, Lisboa, Portugal
BookMark eNptkE1LAzEYhINUsNbi3VNunlY3m2w-jqXWqlQ8VD14Wd6mCY1ss0uSVvbfa2kVEU8zMA8DM6eo5xtvEDon-RUhrLymvORUsSPUL5goM8IK0vvlT9Awxvc8z4miTFLVR28Ta512xic8T5Ccxq-b2psAC1e71OGRh7qLLmLbBPwAW5jr4NqEP1xa4cdNndzWhOgaj29Ma_zSeN3haYB2Fc_QsYU6muFBB-jldvI8vstmT9P78WiWQSFEymQpGSdKFYovAXJTANiFKMEaIawtJVAQVAqugYO2VBEjORVMC7EUGiShA3S579WhiTEYW7XBrSF0Fcmr3SvV4ZUvMvtDarcb3fgUwNX_8Bd7HvT6p_Q7_ASPWm5K
CitedBy_id crossref_primary_10_1007_s11042_024_19682_y
crossref_primary_10_1145_3729304
Cites_doi 10.1109/SP46215.2023.10179352
10.1109/SP46215.2023.10179395
10.5281/zenodo.10933020
10.1109/EuroSP57164.2023.00068
10.1145/3133956.3133959
10.1109/CLOUD53861.2021.00014
10.1145/3359789.3359813
10.1109/ICSE.2013.6606621
10.1145/3468264.3468556
10.1007/978-3-642-03237-0_17
10.1145/1529282.1529711
10.1109/SP.2015.54
10.1145/3319535.3345656
10.1145/3106237.3106267
10.1109/SP.2010.26
10.1145/2635868.2635904
10.1145/3338906.3338933
10.1145/3468264.3468542
10.1109/SP.2014.44
10.1109/ICSE-C.2017.4
10.4230/LIPIcs.ECOOP.2020.16
10.14722/ndss.2023.24610
10.1109/CGO.2015.7054185
10.1109/EuroSP.2017.14
10.1145/512950.512973
10.1016/j.procs.2018.08.227
10.1109/SP.2009.33
10.1145/2664243.2664256
10.1145/3377811.3380390
10.1109/ASE.2015.28
10.14722/ndss.2018.23076
10.1109/ICSE48619.2023.00096
10.1016/j.cose.2022.102745
10.1145/2635868.2635916
10.1007/978-3-642-31057-7_20
10.1145/3460120.3484745
10.5281/zenodo.10936488
10.1145/3576915.3616584
10.56553/popets-2023-0046
10.1007/s10207-020-00537-0
10.1109/SP.2019.00058
10.1016/j.jisa.2021.102752
10.1109/TR.2023.3286301
10.5555/2831143.2831189
ContentType Journal Article
Copyright Owner/Author
Copyright_xml – notice: Owner/Author
DBID AAYXX
CITATION
DOI 10.1145/3656394
DatabaseName CrossRef
DatabaseTitle CrossRef
DatabaseTitleList CrossRef
DeliveryMethod fulltext_linktorsrc
Discipline Computer Science
EISSN 2475-1421
EndPage 441
ExternalDocumentID 10_1145_3656394
3656394
GrantInformation_xml – fundername: Fundação para a Ciência e a Tecnologia
  grantid: 2021.06134.BD
  funderid: https:\/\/doi.org\/10.13039\/501100001871
– fundername: IAPMEI
  grantid: C6632206063-00466847
– fundername: Fundação para a Ciência e a Tecnologia
  grantid: SFRH\/BD\/146698\/2019
  funderid: https:\/\/doi.org\/10.13039\/501100001871
– fundername: Carnegie Mellon University
  funderid: https:\/\/doi.org\/10.13039\/100008047
– fundername: Fundação para a Ciência e a Tecnologia
  grantid: 2022.03537.PTDC
  funderid: https:\/\/doi.org\/10.13039\/501100001871
GroupedDBID AAKMM
AAYFX
ACM
AEFXT
AEJOY
AIKLT
AKRVB
ALMA_UNASSIGNED_HOLDINGS
GUFHI
LHSKQ
M~E
OK1
ROL
AAYXX
CITATION
ID FETCH-LOGICAL-a277t-85846199296daa0e2aafb75afe77ff58a3a73876ca6acf391e86374c77d7ca813
ISICitedReferencesCount 2
ISICitedReferencesURI http://www.webofscience.com/api/gateway?GWVersion=2&SrcApp=Summon&SrcAuth=ProQuest&DestLinkType=CitingArticles&DestApp=WOS_CPL&KeyUT=001264464100019&url=https%3A%2F%2Fcvtisr.summon.serialssolutions.com%2F%23%21%2Fsearch%3Fho%3Df%26include.ft.matches%3Dt%26l%3Dnull%26q%3D
ISSN 2475-1421
IngestDate Sat Nov 29 07:45:10 EST 2025
Tue Nov 18 21:02:27 EST 2025
Mon Jul 07 16:40:28 EDT 2025
IsDoiOpenAccess true
IsOpenAccess true
IsPeerReviewed true
IsScholarly true
Issue PLDI
Keywords Vulnerability Detection
Static Analysis
JavaScript
Language English
License This work is licensed under a Creative Commons Attribution International 4.0 License.
LinkModel OpenURL
MergedId FETCHMERGED-LOGICAL-a277t-85846199296daa0e2aafb75afe77ff58a3a73876ca6acf391e86374c77d7ca813
ORCID 0000-0002-7191-5895
0000-0002-6346-7340
0000-0001-9938-0653
0000-0002-5307-4279
0000-0002-8160-349X
0000-0001-5982-9794
0000-0001-5077-300X
OpenAccessLink https://dl.acm.org/doi/10.1145/3656394
PageCount 25
ParticipantIDs crossref_primary_10_1145_3656394
crossref_citationtrail_10_1145_3656394
acm_primary_3656394
PublicationCentury 2000
PublicationDate 2024-06-20
PublicationDateYYYYMMDD 2024-06-20
PublicationDate_xml – month: 06
  year: 2024
  text: 2024-06-20
  day: 20
PublicationDecade 2020
PublicationPlace New York, NY, USA
PublicationPlace_xml – name: New York, NY, USA
PublicationTitle Proceedings of ACM on programming languages
PublicationTitleAbbrev ACM PACMPL
PublicationYear 2024
Publisher ACM
Publisher_xml – name: ACM
References (bib53) 2018
(bib14) 2021
(bib13) 2015
(bib33) 2018; 135
(bib11) 1977
(bib26) 2009
(bib17) 2021
(bib27) 2023
(bib57) 2023
(bib50) 2019
(bib21) 2024
(bib44) 2021
(bib54) 2020
(bib23) 2018
(bib24) 2023
(bib2) 2017
(bib30) 2022; 21
(bib58) 2023
(bib25) 2009
(bib4) 2021
(bib6) 2023; 72
(bib63) 2023
(bib52) 2018
(bib16) 2019
(bib32) 2023; 2
(bib47) 2010
(bib41) 2019
(bib8) 2014
(bib1) 2017
(bib60) 2021
(bib64) 2019
(bib40) 2023
(bib35) 2021
(bib20) 2024
(bib5) 2023
(bib15) 2019
(bib29) 2021
(bib42) 2020
(bib61) 2014
(bib51) 2012
(bib12) 2024
(bib22) 2023
(bib55) 2014
(bib18) 2013
(bib36) 2022
(bib37) 2009
(bib45) 2017
(bib28) 2014
(bib19) 2023
(bib39) 2023
(bib49) 2023
(bib59) 2023
(bib62) 2015
(bib48) 2023
(bib56) 2023
(bib7) 2022; 118
(bib43) 2021; 58
(bib9) 2023
(bib46) 2017
(bib3) 2014
(bib31) 2015
(bib10) 2024
(bib34) 2015
(bib38) 2009
e_1_3_1_60_2
Gong Liang (e_1_3_1_24_2) 2018
e_1_3_1_43_2
e_1_3_1_22_2
Khodayari Soheil (e_1_3_1_30_2) 2021
e_1_3_1_45_2
e_1_3_1_8_2
e_1_3_1_62_2
e_1_3_1_41_2
e_1_3_1_64_2
e_1_3_1_20_2
e_1_3_1_4_2
e_1_3_1_6_2
e_1_3_1_26_2
e_1_3_1_47_2
e_1_3_1_2_2
e_1_3_1_28_2
e_1_3_1_49_2
Staicu Cristian-Alexandru (e_1_3_1_53_2) 2018
Nadji Yacin (e_1_3_1_39_2) 2009
e_1_3_1_32_2
e_1_3_1_55_2
e_1_3_1_34_2
e_1_3_1_57_2
e_1_3_1_13_2
e_1_3_1_51_2
e_1_3_1_11_2
e_1_3_1_17_2
e_1_3_1_15_2
e_1_3_1_36_2
e_1_3_1_59_2
e_1_3_1_19_2
e_1_3_1_38_2
e_1_3_1_21_2
e_1_3_1_44_2
e_1_3_1_23_2
e_1_3_1_46_2
e_1_3_1_7_2
e_1_3_1_40_2
e_1_3_1_9_2
e_1_3_1_42_2
e_1_3_1_63_2
e_1_3_1_29_2
e_1_3_1_3_2
e_1_3_1_5_2
e_1_3_1_25_2
e_1_3_1_48_2
e_1_3_1_27_2
Li Song (e_1_3_1_37_2) 2022
e_1_3_1_33_2
e_1_3_1_54_2
Xiao Feng (e_1_3_1_61_2) 2021
e_1_3_1_35_2
e_1_3_1_12_2
e_1_3_1_50_2
e_1_3_1_10_2
e_1_3_1_31_2
e_1_3_1_52_2
e_1_3_1_16_2
Zimmermann Markus (e_1_3_1_65_2) 2019
e_1_3_1_14_2
Stock Ben (e_1_3_1_56_2) 2014
e_1_3_1_58_2
e_1_3_1_18_2
References_xml – start-page: 143
  year: 2022
  end-page: 160
  ident: bib36
  publication-title: Proceedings of the 31st USENIX Security Symposium (SEC ’22)
– year: 2009
  ident: bib38
  publication-title: Proceedings of the Network and Distributed System Security Symposium (NDSS ’09)
– year: 2023
  ident: bib56
  publication-title: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (’Prototype Pollution’)
– start-page: 1059
  year: 2023
  end-page: 1076
  ident: bib27
  publication-title: 44th IEEE Symposium on Security and Privacy (S&P ’23)
  doi: 10.1109/SP46215.2023.10179352
– start-page: 655
  year: 2014
  end-page: 670
  ident: bib55
  publication-title: Proceedings of the 23rd USENIX Security Symposium (SEC ‘14’)
– start-page: 2817
  year: 2023
  end-page: 2834
  ident: bib19
  publication-title: 44th IEEE Symposium on Security and Privacy (S&P ’23)
  doi: 10.1109/SP46215.2023.10179395
– year: 2024
  ident: bib21
  publication-title: Technical Report: Efficient Static Vulnerability Analysis for JavaScript with Multiversion Dependency Graphs
  doi: 10.5281/zenodo.10933020
– start-page: 1101
  year: 2023
  end-page: 1127
  ident: bib9
  publication-title: Proceedings of the IEEE European Symposium on Security and Privacy (EuroS&P ’23)
  doi: 10.1109/EuroSP57164.2023.00068
– year: 2023
  ident: bib24
– start-page: 1757
  year: 2017
  end-page: 1771
  ident: bib46
  publication-title: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS ’17)
  doi: 10.1145/3133956.3133959
– start-page: 13
  year: 2021
  end-page: 19
  ident: bib4
  publication-title: 2021 IEEE 14th International Conference on Cloud Computing (CLOUD ’21) IEEE Computer Society
  doi: 10.1109/CLOUD53861.2021.00014
– start-page: 257
  year: 2019
  end-page: 269
  ident: bib16
  publication-title: Proceedings of the 35th Annual Computer Security Applications Conference (ACSAC) (ACSAC ’19)
  doi: 10.1145/3359789.3359813
– start-page: 752
  year: 2013
  end-page: 761
  ident: bib18
  publication-title: Proceedings of the 2013 International Conference on Software Engineering (ICSE ’13)
  doi: 10.1109/ICSE.2013.6606621
– start-page: 1129
  year: 2021
  end-page: 1140
  ident: bib44
  publication-title: Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE ’21)
  doi: 10.1145/3468264.3468556
– start-page: 238
  year: 2009
  end-page: 255
  ident: bib26
  publication-title: Proceedings of International Static Analysis Symposium (SAS ’09)
  doi: 10.1007/978-3-642-03237-0_17
– start-page: 1930
  year: 2009
  end-page: 1937
  ident: bib25
  publication-title: Proceedings of the 2009 ACM Symposium on Applied Computing (SAC ’09)
  doi: 10.1145/1529282.1529711
– start-page: 797
  year: 2015
  end-page: 812
  ident: bib62
  publication-title: 36th IEEE Symposium on Security and Privacy (S&P ’15)
  doi: 10.1109/SP.2015.54
– year: 2024
  ident: bib10
– start-page: 1899
  year: 2019
  end-page: 1913
  ident: bib15
  publication-title: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS ’19)
  doi: 10.1145/3319535.3345656
– start-page: 385
  year: 2017
  end-page: 395
  ident: bib1
  publication-title: Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering (ESEC/FSE ’17)
  doi: 10.1145/3106237.3106267
– year: 2023
  ident: bib39
  publication-title: Cypher Query Language
– year: 2023
  ident: bib40
  publication-title: Graph Database and Analytics
– start-page: 317
  year: 2010
  end-page: 331
  ident: bib47
  publication-title: 31th IEEE Symposium on Security and Privacy (S&P ’10)
  doi: 10.1109/SP.2010.26
– start-page: 121
  year: 2014
  end-page: 132
  ident: bib28
  publication-title: Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE ’14)
  doi: 10.1145/2635868.2635904
– start-page: 455
  year: 2019
  end-page: 465
  ident: bib41
  publication-title: Proceedings of the 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE ’19)
  doi: 10.1145/3338906.3338933
– start-page: 268
  year: 2021
  end-page: 279
  ident: bib35
  publication-title: Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE ’21)
  doi: 10.1145/3468264.3468542
– start-page: 590
  year: 2014
  end-page: 604
  ident: bib61
  publication-title: 35th IEEE Symposium on Security and Privacy (S&P ’14)
  doi: 10.1109/SP.2014.44
– start-page: 59
  year: 2017
  end-page: 62
  ident: bib45
  publication-title: Proceedings of the 39th International Conference on Software Engineering Companion (ICSE-C ’17)
  doi: 10.1109/ICSE-C.2017.4
– start-page: 16:1
  year: 2020
  end-page: 16:28
  ident: bib42
  publication-title: Proceedings of the 34th European Conference on Object-Oriented Programming (ECOOP ’20)
  doi: 10.4230/LIPIcs.ECOOP.2020.16
– year: 2023
  ident: bib48
  publication-title: Proceedings of 30th Annual Network and Distributed System Security Symposium (NDSS ’23)
  doi: 10.14722/ndss.2023.24610
– year: 2023
  ident: bib59
  publication-title: CWE-94: Improper Control of Generation of Code (‘Code Injection’)
– start-page: 34
  year: 2015
  end-page: 45
  ident: bib13
  publication-title: Proceedings of 2015 IEEE/ACM International Symposium on Code Generation and Optimization (CGO ’15)
  doi: 10.1109/CGO.2015.7054185
– start-page: 2525
  year: 2021
  end-page: 2542
  ident: bib29
  publication-title: 30th USENIX Security Symposium (SEC ’21)
– start-page: 334
  year: 2017
  end-page: 349
  ident: bib2
  publication-title: IEEE Computer Society
  doi: 10.1109/EuroSP.2017.14
– start-page: 238
  year: 1977
  end-page: 252
  ident: bib11
  publication-title: Proceedings of the 4th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages (POPL ’77)
  doi: 10.1145/512950.512973
– volume: 135
  start-page: 596
  year: 2018
  end-page: 605
  ident: bib33
  article-title: Static Taint Analysis Traversal with Object Oriented Component for Web File Injection Vulnerability Pattern Detection
  publication-title: Procedia Computer Science
  doi: 10.1016/j.procs.2018.08.227
– start-page: 331
  year: 2009
  end-page: 346
  ident: bib37
  publication-title: 30th IEEE Symposium on Security and Privacy (S&P ’09)
  doi: 10.1109/SP.2009.33
– start-page: 361
  year: 2018
  end-page: 376
  ident: bib52
  publication-title: 27th USENIX Security Symposium (SEC ’18)
– start-page: 466
  year: 2014
  end-page: 475
  ident: bib8
  publication-title: Proceedings of the 30th Annual Computer Security Applications Conference (ACSAC ’14)
  doi: 10.1145/2664243.2664256
– start-page: 198
  year: 2020
  end-page: 209
  ident: bib54
  publication-title: Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering (ICSE ’20)
  doi: 10.1145/3377811.3380390
– year: 2021
  ident: bib14
  publication-title: ECMAScript parsing infrastructure for multipurpose analysis
– year: 2023
  ident: bib49
– start-page: 541
  year: 2015
  end-page: 551
  ident: bib31
  publication-title: Proceedings of the 30th IEEE/ACM International Conference on Automated Software Engineering (ASE ’15)
  doi: 10.1109/ASE.2015.28
– year: 2018
  ident: bib53
  publication-title: Proceedings of the Network and Distributed System Security Symposium (NDSS ’18)
  doi: 10.14722/ndss.2018.23076
– start-page: 1059
  year: 2023
  end-page: 1070
  ident: bib5
  publication-title: 2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE ’23)
  doi: 10.1109/ICSE48619.2023.00096
– year: 2018
  ident: bib23
  publication-title: Dynamic Analysis for JavaScript Code
– year: 2023
  ident: bib58
  publication-title: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
– volume: 118
  start-page: 102745
  year: 2022
  ident: bib7
  article-title: Wasmati: An efficient static vulnerability scanner for WebAssembly
  publication-title: Computers & Security
  doi: 10.1016/j.cose.2022.102745
– year: 2021
  ident: bib60
  publication-title: 20th USENIX Security Symposium (SEC ’21)
– start-page: 507
  year: 2014
  end-page: 517
  ident: bib3
  publication-title: Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE ’14)
  doi: 10.1145/2635868.2635916
– start-page: 435
  year: 2012
  end-page: 458
  ident: bib51
  publication-title: Proceedings of the 26th European Conference on Object-Oriented Programming (ECOOP ’12)
  doi: 10.1007/978-3-642-31057-7_20
– year: 2023
  ident: bib57
  publication-title: CWE-22: Improper Limitation of a Pathname to a Restricted Directory (’Path Traversal’)
– start-page: 1789
  year: 2021
  end-page: 1804
  ident: bib17
  publication-title: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security (CCS ’21)
  doi: 10.1145/3460120.3484745
– year: 2024
  ident: bib20
  publication-title: Graph.js PLDI24 Artifact Evaluation
  doi: 10.5281/zenodo.10936488
– start-page: 2441
  year: 2023
  end-page: 2455
  ident: bib63
  publication-title: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security (CCS ’23)
  doi: 10.1145/3576915.3616584
– volume: 2
  start-page: 171
  year: 2023
  end-page: 187
  ident: bib32
  article-title: Privacy Property Graph: Towards Automated Privacy Threat Modeling via Static Graph-based Analysis
  publication-title: Proceedings of Privacy Enhancing Technologies (PETS) 2023
  doi: 10.56553/popets-2023-0046
– volume: 21
  start-page: 1
  issue: 1
  year: 2022
  end-page: 23
  ident: bib30
  article-title: DAPP: automatic detection and analysis of prototype pollution vulnerability in Node.js modules
  publication-title: International Journal of Information Security
  doi: 10.1007/s10207-020-00537-0
– start-page: 227
  year: 2019
  end-page: 245
  ident: bib50
  publication-title: 40th IEEE Symposium on Security and Privacy (S&P ’19)
  doi: 10.1109/SP.2019.00058
– volume: 58
  start-page: 102752
  year: 2021
  ident: bib43
  article-title: NodeXP: NOde. js server-side JavaScript injection vulnerability DEtection and eXPloitation
  publication-title: JISA
  doi: 10.1016/j.jisa.2021.102752
– year: 2024
  ident: bib12
  publication-title: Mitre corporation homepage
– start-page: 995
  year: 2019
  end-page: 1010
  ident: bib64
  publication-title: 28th USENIX Security Symposium (SEC ’19)
– start-page: 723
  year: 2015
  end-page: 735
  ident: bib34
  publication-title: Proceedings of the 24th USENIX Security Symposium (SEC ’15)
– volume: 72
  start-page: 1324
  issue: 4
  year: 2023
  end-page: 1339
  ident: bib6
  article-title: Study of JavaScript Static Analysis Tools for Vulnerability Detection in Node.js Packages
  publication-title: IEEE Transactions on Reliability
  doi: 10.1109/TR.2023.3286301
– year: 2023
  ident: bib22
– ident: e_1_3_1_5_2
  doi: 10.1109/CLOUD53861.2021.00014
– ident: e_1_3_1_40_2
– ident: e_1_3_1_12_2
  doi: 10.1145/512950.512973
– ident: e_1_3_1_14_2
  doi: 10.1109/CGO.2015.7054185
– ident: e_1_3_1_27_2
  doi: 10.1007/978-3-642-03237-0_17
– ident: e_1_3_1_35_2
  doi: 10.5555/2831143.2831189
– ident: e_1_3_1_28_2
  doi: 10.1109/SP46215.2023.10179352
– volume-title: Dynamic Analysis for JavaScript Code
  year: 2018
  ident: e_1_3_1_24_2
– ident: e_1_3_1_15_2
– ident: e_1_3_1_23_2
– ident: e_1_3_1_42_2
  doi: 10.1145/3338906.3338933
– ident: e_1_3_1_36_2
  doi: 10.1145/3468264.3468542
– ident: e_1_3_1_62_2
  doi: 10.1109/SP.2014.44
– ident: e_1_3_1_64_2
  doi: 10.1145/3576915.3616584
– ident: e_1_3_1_6_2
  doi: 10.1109/ICSE48619.2023.00096
– start-page: 143
  volume-title: Proceedings of the 31st USENIX Security Symposium (SEC ’22)
  year: 2022
  ident: e_1_3_1_37_2
– volume-title: 20th USENIX Security Symposium (SEC ’21)
  year: 2021
  ident: e_1_3_1_61_2
– ident: e_1_3_1_59_2
– ident: e_1_3_1_51_2
  doi: 10.1109/SP.2019.00058
– ident: e_1_3_1_49_2
  doi: 10.14722/ndss.2023.24610
– ident: e_1_3_1_10_2
  doi: 10.1109/EuroSP57164.2023.00068
– ident: e_1_3_1_54_2
  doi: 10.14722/ndss.2018.23076
– ident: e_1_3_1_13_2
– ident: e_1_3_1_32_2
  doi: 10.1109/ASE.2015.28
– start-page: 655
  volume-title: Proceedings of the 23rd USENIX Security Symposium (SEC ‘14’)
  year: 2014
  ident: e_1_3_1_56_2
– ident: e_1_3_1_17_2
  doi: 10.1145/3359789.3359813
– ident: e_1_3_1_2_2
  doi: 10.1145/3106237.3106267
– ident: e_1_3_1_38_2
  doi: 10.1109/SP.2009.33
– ident: e_1_3_1_18_2
  doi: 10.1145/3460120.3484745
– ident: e_1_3_1_48_2
  doi: 10.1109/SP.2010.26
– ident: e_1_3_1_63_2
  doi: 10.1109/SP.2015.54
– ident: e_1_3_1_57_2
– ident: e_1_3_1_26_2
  doi: 10.1145/1529282.1529711
– ident: e_1_3_1_19_2
  doi: 10.1109/ICSE.2013.6606621
– ident: e_1_3_1_55_2
  doi: 10.1145/3377811.3380390
– ident: e_1_3_1_7_2
  doi: 10.1109/TR.2023.3286301
– ident: e_1_3_1_20_2
  doi: 10.1109/SP46215.2023.10179395
– ident: e_1_3_1_44_2
  doi: 10.1016/j.jisa.2021.102752
– ident: e_1_3_1_8_2
  doi: 10.1016/j.cose.2022.102745
– ident: e_1_3_1_34_2
  doi: 10.1016/j.procs.2018.08.227
– ident: e_1_3_1_50_2
– start-page: 361
  volume-title: 27th USENIX Security Symposium (SEC ’18)
  year: 2018
  ident: e_1_3_1_53_2
– start-page: 2525
  volume-title: 30th USENIX Security Symposium (SEC ’21)
  year: 2021
  ident: e_1_3_1_30_2
– ident: e_1_3_1_25_2
– ident: e_1_3_1_11_2
– ident: e_1_3_1_9_2
  doi: 10.1145/2664243.2664256
– ident: e_1_3_1_43_2
  doi: 10.4230/LIPIcs.ECOOP.2020.16
– ident: e_1_3_1_22_2
  doi: 10.5281/zenodo.10933020
– ident: e_1_3_1_21_2
  doi: 10.5281/zenodo.10936488
– ident: e_1_3_1_47_2
  doi: 10.1145/3133956.3133959
– ident: e_1_3_1_16_2
  doi: 10.1145/3319535.3345656
– volume-title: Proceedings of the Network and Distributed System Security Symposium (NDSS ’09)
  year: 2009
  ident: e_1_3_1_39_2
– start-page: 995
  volume-title: 28th USENIX Security Symposium (SEC ’19)
  year: 2019
  ident: e_1_3_1_65_2
– ident: e_1_3_1_58_2
– ident: e_1_3_1_33_2
  doi: 10.56553/popets-2023-0046
– ident: e_1_3_1_41_2
– ident: e_1_3_1_46_2
  doi: 10.1109/ICSE-C.2017.4
– ident: e_1_3_1_60_2
– ident: e_1_3_1_3_2
  doi: 10.1109/EuroSP.2017.14
– ident: e_1_3_1_4_2
  doi: 10.1145/2635868.2635916
– ident: e_1_3_1_45_2
  doi: 10.1145/3468264.3468556
– ident: e_1_3_1_31_2
  doi: 10.1007/s10207-020-00537-0
– ident: e_1_3_1_29_2
  doi: 10.1145/2635868.2635904
– ident: e_1_3_1_52_2
  doi: 10.1007/978-3-642-31057-7_20
SSID ssj0001934839
Score 2.286896
Snippet While static analysis tools that rely on Code Property Graphs (CPGs) to detect security vulnerabilities have proven effective, deciding how much information to...
SourceID crossref
acm
SourceType Enrichment Source
Index Database
Publisher
StartPage 417
SubjectTerms Automated static analysis
Program analysis
Security and privacy
Software and application security
Software and its engineering
Software verification and validation
Theory of computation
SubjectTermsDisplay Security and privacy -- Software and application security
Software and its engineering -- Automated static analysis
Software and its engineering -- Software verification and validation
Theory of computation -- Program analysis
Title Efficient Static Vulnerability Analysis for JavaScript with Multiversion Dependency Graphs
URI https://dl.acm.org/doi/10.1145/3656394
Volume 8
WOSCitedRecordID wos001264464100019&url=https%3A%2F%2Fcvtisr.summon.serialssolutions.com%2F%23%21%2Fsearch%3Fho%3Df%26include.ft.matches%3Dt%26l%3Dnull%26q%3D
hasFullText 1
inHoldings 1
isFullTextHit
isPrint
journalDatabaseRights – providerCode: PRVHPJ
  databaseName: ROAD: Directory of Open Access Scholarly Resources
  customDbUrl:
  eissn: 2475-1421
  dateEnd: 99991231
  omitProxy: false
  ssIdentifier: ssj0001934839
  issn: 2475-1421
  databaseCode: M~E
  dateStart: 20170101
  isFulltext: true
  titleUrlDefault: https://road.issn.org
  providerName: ISSN International Centre
link http://cvtisr.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwtV1Lb9NAEF6FwoELhQJqKaA9IC6RoV4_dn2sSnipriJRqopLNFmvK0uJU6VJ1F448cOZ2V0_KBzgwMWynPFG2vk083l2Hoy9oqMXVYowKIpUB7HOskAJSAL0hlCAQIJq56ecHcuTE3V-no0Hgx9NLcxmJutaXV9nl_9V1fgMlU2ls_-g7nZRfID3qHS8otrx-leKH9mmEHTET0Sy0sOz9YxaS9ss2JuuCwnlF36GDXyxdsMFZG057saF0NAUufm4-mb4gdpaX_WJ7Lh1fDYX5PAop2MHn-01p_hDEwntCkzMcmkqO9domEMJsy4YkFOPrMqV3OTVxdq0eR8UvFg4UMHFoj0xWVTzqV_Jig9Hb_rxCxFTnpU46CHO58RbmydimQRh7IqmGwOtejgcH7_71LO3sSv89K47dj20fvcKMTXQiJC6Rm6i8q0W2_6XO-yukElGiYH5916kLotipJGu4prWeuvlidDoeY_Q9JjJ6UP2wH9S8EMHhUdsYOodtt2M6-Deej9m31pkcIcM_gsyeIMMjsjgHTI4IYP3kcE7ZHCHjCfs6_vR6dHHwI_WCEBIuQoU8U7KPM7SAuDACIByKhMojZRlmSiIQEboKDWkoMsoC41KIxlrKQupQYXRU7ZVL2qzyzikU4MktUBDTh_nSiUG8J0EwrIoMwj32A7u0uTSNU-Z-L3bY6-bXZto342ehqLMJq5SPukEeSvYrHFL5Nkf_2Gf3e_g9pxtrZZr84Ld05tVdbV8aVX8E5aHecg
linkProvider ISSN International Centre
openUrl ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=Efficient+Static+Vulnerability+Analysis+for+JavaScript+with+Multiversion+Dependency+Graphs&rft.jtitle=Proceedings+of+ACM+on+programming+languages&rft.au=Ferreira%2C+Mafalda&rft.au=Monteiro%2C+Miguel&rft.au=Brito%2C+Tiago&rft.au=Coimbra%2C+Miguel+E.&rft.date=2024-06-20&rft.pub=ACM&rft.eissn=2475-1421&rft.volume=8&rft.issue=PLDI&rft.spage=417&rft.epage=441&rft_id=info:doi/10.1145%2F3656394&rft.externalDocID=3656394
thumbnail_l http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/lc.gif&issn=2475-1421&client=summon
thumbnail_m http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/mc.gif&issn=2475-1421&client=summon
thumbnail_s http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/sc.gif&issn=2475-1421&client=summon