Study of JavaScript Static Analysis Tools for Vulnerability Detection in Node.js Packages

With the emergence of the Node.js ecosystem, JavaScript has become a widely-used programming language for implementing server-side web applications. In this paper, we present the first empirical study of static code analysis tools for detecting vulnerabilities in Node.js code. To conduct a comprehensive tool evaluation, we created the largest known curated dataset of Node.js code vulnerabilities. We characterized and annotated a set of 957 vulnerabilities by analyzing information contained in npm advisory reports. We tested nine different tools and found that many important vulnerabilities appearing in the OWASP Top-10 are not detected by any tool. The three best performing tools combined only detect up to 57.6% of all vulnerabilities in the dataset, but at a very low precision of 0.11%. Our curated dataset offers a new benchmark to help characterize existing Node.js code vulnerabilities and foster the development of better vulnerability detection tools for Node.js code.

Bibliographic details
Published in: arXiv.org, 2023-01
Main authors: Brito, Tiago; Ferreira, Mafalda; Monteiro, Miguel; Lopes, Pedro; Barros, Miguel; José Fragoso Santos; Santos, Nuno
Format: Article
Language: English
Online access: Full text
DOI: 10.48550/arxiv.2301.05097
EISSN: 2331-8422
Subjects: Applications programs; Computer Science - Cryptography and Security; Datasets; Empirical analysis; Java; Nodes; Static code analysis