salus
Investigate and possibly integrate NodeJsScan
https://github.com/ajinabraham/NodeJsScan
Vuln scanner for JS. Test it out on some codebases and determine if it's worth integrating. If so, make the module and open a PR.
This scanner seems to beautify source code and then run checks against this list https://github.com/ajinabraham/NodeJsScan/blob/master/core/rules.xml
Instead of integrating the whole app, it should be possible to convert these rules to PatternSearch regex rules (however I am not sure about the beautification part). A naive approach would be something like:
```yaml
- regex: eval\s*\(\s*.{0,150}req\.
  message: User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE).
```
Interesting, so you're suggesting that we parse the XML rules files and then appropriate it for the PatternSearch module? Pretty cool idea!
In general I don't like forking projects, or doing something similar, because it creates a higher maintenance workload - for example, if the rules are updated, you need to do more than just bump the version of the app to get the most recent set of rules. You could at least get this down to a script that is run at build time and references a version number.
I would say that if the app performs poorly (e.g. throws lots of exceptions) but the rules are useful, then this would be worth it. Otherwise we could just try the usual approach of integrating the scanner directly.
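As an added example (not salus or NodeJsScan code, and not from any participant in this thread), here is one shape the rule-conversion idea and the build-time script idea above could take together: a Ruby script that reads a NodeJsScan-style rules XML, emits a PatternSearch `matches` list pinned to a rule-set version, and checks the converted regexes against sample JavaScript to show the beautification caveat. The XML element names (`rule`, `name`, `signature`, `description`, `severity`), the sample rules, the sample source snippets and the version tag are all constructed assumptions; the real `rules.xml` layout must be checked before using this against it.

```ruby
# Added example, not salus or NodeJsScan code: a build-time script that turns a
# NodeJsScan-style rules XML into a salus PatternSearch config pinned to a
# rule-set version, and checks the converted regexes against sample source.
#
# ASSUMPTION: the element names below (<rule>, <name>, <signature>,
# <description>, <severity>) are a constructed stand-in for the layout of
# NodeJsScan's rules.xml; confirm them against the real file before use.
require 'rexml/document'
require 'yaml'

# Constructed sample rule set in the assumed layout (not copied from NodeJsScan).
SAMPLE_RULES_XML = <<~'XML'
  <rules>
    <rule>
      <name>eval with request data</name>
      <signature>eval\s*\(\s*.{0,150}req\.</signature>
      <description>User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE).</description>
      <severity>High</severity>
    </rule>
    <rule>
      <name>Hardcoded JWT secret</name>
      <signature>jwt\.sign\s*\(.{0,100}['"][^'"]{8,}['"]</signature>
      <description>Hardcoded secret passed to jwt.sign().</description>
      <severity>Medium</severity>
    </rule>
  </rules>
XML

# Placeholder for the upstream tag the rules were taken from (assumption).
RULES_VERSION = 'placeholder-tag'

# Convert each <rule> into a PatternSearch match entry (regex + message, the
# two keys used in the thread). Each signature is compiled up front so a
# malformed rule fails the build step rather than the scan.
def rules_to_matches(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, '/rules/rule').map do |rule|
    signature = rule.elements['signature'].text.strip
    Regexp.new(signature) # raises RegexpError on an invalid pattern
    {
      'regex'   => signature,
      'message' => rule.elements['description'].text.strip,
    }
  end
end

# Render the salus.yaml fragment. The rule-set version is recorded in a header
# comment, so picking up new upstream rules is a version bump plus a rerun.
def render_config(xml, rules_version)
  config = {
    'scanner_configs' => {
      'PatternSearch' => { 'matches' => rules_to_matches(xml) }
    }
  }
  "# Generated from NodeJsScan rules.xml at #{rules_version}; regenerate, do not hand-edit.\n" \
    + config.to_yaml
end

# The beautification caveat from the thread: NodeJsScan beautifies source
# before matching, PatternSearch does not. '.' in a `.{0,150}` window does
# not cross a newline, so a call whose arguments span lines is missed on raw
# source. Collapsing whitespace first is a crude stand-in for beautifying.
# Returns the messages of the rules that fire.
def scan_source(xml, source, normalise: false)
  text = normalise ? source.gsub(/\s+/, ' ') : source
  rules_to_matches(xml)
    .select { |m| Regexp.new(m['regex']).match?(text) }
    .map    { |m| m['message'] }
end

# Constructed JavaScript snippets: the same sink written on one line and with
# its argument split across lines.
ONE_LINE_SOURCE = 'const out = eval(req.query.code);'
SPLIT_SOURCE    = "const out = eval(prefix +\n  req.body.code\n);"

if __FILE__ == $PROGRAM_NAME
  puts render_config(SAMPLE_RULES_XML, RULES_VERSION)
  p scan_source(SAMPLE_RULES_XML, ONE_LINE_SOURCE)                  # eval rule fires
  p scan_source(SAMPLE_RULES_XML, SPLIT_SOURCE)                     # missed on raw source
  p scan_source(SAMPLE_RULES_XML, SPLIT_SOURCE, normalise: true)    # fires after whitespace collapse
end
```

The whitespace collapse is only a stand-in for what NodeJsScan's beautifier does; it demonstrates the gap, not a fix. If the rules are converted rather than the app integrated, either the regexes need to tolerate newlines inside the window, or the files need a normalisation pass before PatternSearch runs, and that decision should be made per rule rather than globally.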