Study of JavaScript Static Analysis Tools for Vulnerability Detection in Node.js Packages

With the emergence of the Node.js ecosystem, JavaScript has become a widely used programming language for implementing server-side web applications. In this article, we present the first empirical study of static code analysis tools for detecting vulnerabilities in Node.js code. To conduct a compreh...

Celý popis

Uložené v:
Podrobná bibliografia
Vydané v:IEEE transactions on reliability Ročník 72; číslo 4; s. 1324 - 1339
Hlavní autori: Brito, Tiago, Ferreira, Mafalda, Monteiro, Miguel, Lopes, Pedro, Barros, Miguel, Santos, Jose Fragoso, Santos, Nuno
Médium: Journal Article
Jazyk:English
Vydavateľské údaje: New York IEEE 01.12.2023
The Institute of Electrical and Electronics Engineers, Inc. (IEEE)
Predmet:
Applications programs
Automatic testing
Codes
Computer security
Datasets
Ecosystems
Empirical analysis
Engines
Java
Nodes
Static analysis
Static code analysis
Task analysis
ISSN:0018-9529, 1558-1721
On-line prístup:Získať plný text
Tagy: Pridať tag
Žiadne tagy, Buďte prvý, kto otaguje tento záznam!
Popis
Shrnutí:With the emergence of the Node.js ecosystem, JavaScript has become a widely used programming language for implementing server-side web applications. In this article, we present the first empirical study of static code analysis tools for detecting vulnerabilities in Node.js code. To conduct a comprehensive tool evaluation, we created the largest known curated dataset of Node.js code vulnerabilities. We characterized and annotated a set of 957 vulnerabilities by analyzing information contained in npm advisory reports. We tested nine different tools and found that many important vulnerabilities appearing in the OWASP top-10 are not detected by any tool. The three best performing tools combined only detect up to 57.6% of all vulnerabilities in the dataset, but at a very low precision of 0.11%. Our curated dataset offers a new benchmark to help characterize existing Node.js code vulnerabilities and foster the development of better vulnerability detection tools for Node.js code.
Bibliografia:ObjectType-Article-1
SourceType-Scholarly Journals-1
ObjectType-Feature-2
content type line 14
ISSN:0018-9529
1558-1721
DOI:10.1109/TR.2023.3286301