Study of JavaScript Static Analysis Tools for Vulnerability Detection in Node.js Packages

Bibliographic Details
Published in: IEEE Transactions on Reliability, Vol. 72, No. 4, pp. 1324-1339
Main Authors: Brito, Tiago; Ferreira, Mafalda; Monteiro, Miguel; Lopes, Pedro; Barros, Miguel; Santos, Jose Fragoso; Santos, Nuno
Format: Journal Article
Language: English
Published: New York: IEEE (The Institute of Electrical and Electronics Engineers, Inc.), 01.12.2023
ISSN: 0018-9529 (print), 1558-1721 (electronic)
Abstract: With the emergence of the Node.js ecosystem, JavaScript has become a widely used programming language for implementing server-side web applications. In this article, we present the first empirical study of static code analysis tools for detecting vulnerabilities in Node.js code. To conduct a comprehensive tool evaluation, we created the largest known curated dataset of Node.js code vulnerabilities. We characterized and annotated a set of 957 vulnerabilities by analyzing information contained in npm advisory reports. We tested nine different tools and found that many important vulnerabilities appearing in the OWASP top-10 are not detected by any tool. The three best performing tools combined only detect up to 57.6% of all vulnerabilities in the dataset, but at a very low precision of 0.11%. Our curated dataset offers a new benchmark to help characterize existing Node.js code vulnerabilities and foster the development of better vulnerability detection tools for Node.js code.
Authors (in order):
1. Brito, Tiago (ORCID 0000-0001-5982-9794); email: tiago.de.oliveira.brito@tecnico.ulisboa.pt; INESC-ID/IST, Universidade de Lisboa, Lisboa, Portugal
2. Ferreira, Mafalda (ORCID 0000-0002-5307-4279); email: mafalda.baptista@tecnico.ulisboa.pt; INESC-ID/IST, Universidade de Lisboa, Lisboa, Portugal
3. Monteiro, Miguel (ORCID 0000-0002-6346-7340); email: miguel.figueiredo.monteiro@tecnico.ulisboa.pt; INESC-ID/IST, Universidade de Lisboa, Lisboa, Portugal
4. Lopes, Pedro; email: pedro.daniel.l@tecnico.ulisboa.pt; INESC-ID/IST, Universidade de Lisboa, Lisboa, Portugal
5. Barros, Miguel; email: miguel.v.barros@tecnico.ulisboa.pt; INESC-ID/IST, Universidade de Lisboa, Lisboa, Portugal
6. Santos, Jose Fragoso (ORCID 0000-0001-5077-300X); email: jose.fragoso@tecnico.ulisboa.pt; INESC-ID/IST, Universidade de Lisboa, Lisboa, Portugal
7. Santos, Nuno (ORCID 0000-0001-9938-0653); email: nuno.m.santos@tecnico.ulisboa.pt; INESC-ID/IST, Universidade de Lisboa, Lisboa, Portugal
CODEN IERQAD
ContentType Journal Article
Copyright Copyright The Institute of Electrical and Electronics Engineers, Inc. (IEEE) 2023
DOI 10.1109/TR.2023.3286301
Discipline Engineering
EISSN 1558-1721
EndPage 1339
Genre orig-research
GrantInformation_xml – fundername: IAPMEI
– fundername: national funds
  grantid: 2021.06134.BD; SFRH/BD/146698/2019
ISICitedReferencesCount 7
ISSN 0018-9529
IsDoiOpenAccess true
IsOpenAccess true
IsPeerReviewed true
IsScholarly true
Issue 4
Language English
License https://creativecommons.org/licenses/by/4.0/legalcode
OpenAccessLink https://ieeexplore.ieee.org/document/10168679
PageCount 16
PublicationDate 2023-Dec.
PublicationPlace New York
PublicationTitle IEEE transactions on reliability
PublicationTitleAbbrev TR
PublicationYear 2023
Publisher IEEE
The Institute of Electrical and Electronics Engineers, Inc. (IEEE)
StartPage 1324
SubjectTerms Applications programs; Automatic testing; Codes; Computer security; Datasets; Ecosystems; Empirical analysis; Engines; Java; Nodes; Static analysis; Static code analysis; Task analysis
URI https://ieeexplore.ieee.org/document/10168679
https://www.proquest.com/docview/2896028141
Volume 72