Monday, May 28, 2018

NodeJS static code security analysis

Use the ESLint security plugin to find potential vulnerabilities in your Node.js code, and the node security package (nsp) to find known vulnerabilities in your dependencies. Here is the quickest way to get an idea of where you stand. Install eslint and the security plugin:
npm i -g eslint
npm i -g eslint-plugin-security
Keep a minimal eslint-sec.json file somewhere locally. Note that there is an issue I reported with one of the rules, which is why it is switched off below:
{
  "parserOptions": {
    "ecmaVersion": 2017
  },
  "env": {
    "es6": true,
    "browser": true,
    "node": true
  },
  "plugins": [
    "security"
  ],
  "extends": [
    "plugin:security/recommended"
  ],
  "rules": {
    "security/detect-child-process": "off"
  }
}
Without touching your project's own ESLint configuration (--no-eslintrc ignores it), use the plugin to get a report of where your code stands in terms of common vulnerability patterns:
eslint --no-eslintrc -c /path/to/eslint-sec.json /path/to/project/source/code/dir/
Here is a quick intro to nsp:
$ npm install -g nsp
$ cd /path/to/project
$ nsp check
# To suppress specific advisories, create a file listing exceptions (not recommended):
$ cat .nsprc
{
  "exceptions": [
    "https://nodesecurity.io/advisories/532",
    "https://nodesecurity.io/advisories/536"
  ]
}
It is up to you to automate this and include it in your pipeline. No kidding, do it!
