[2301.05097] Study of JavaScript Static Analysis Tools for Vulnerability Detecti...
source link: https://arxiv.org/abs/2301.05097
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
[Submitted on 12 Jan 2023]
Study of JavaScript Static Analysis Tools for Vulnerability Detection in Node.js Packages
With the emergence of the Node.js ecosystem, JavaScript has become a widely-used programming language for implementing server-side web applications. In this paper, we present the first empirical study of static code analysis tools for detecting vulnerabilities in Node.js code. To conduct a comprehensive tool evaluation, we created the largest known curated dataset of Node.js code vulnerabilities. We characterized and annotated a set of 957 vulnerabilities by analyzing information contained in npm advisory reports. We tested nine different tools and found that many important vulnerabilities appearing in the OWASP Top-10 are not detected by any tool. The three best performing tools combined only detect up to 57.6% of all vulnerabilities in the dataset, but at a very low precision of 0.11%. Our curated dataset offers a new benchmark to help characterize existing Node.js code vulnerabilities and foster the development of better vulnerability detection tools for Node.js code.
| Subjects: | Cryptography and Security (cs.CR) |
| Cite as: | arXiv:2301.05097 [cs.CR] |
| (or arXiv:2301.05097v1 [cs.CR] for this version) | |
| https://doi.org/10.48550/arXiv.2301.05097 |
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK