electronegativity v1.3.0 releases: identify misconfigurations and security anti-patterns in Electron applications
It is a tool to identify misconfigurations and security anti-patterns in Electron-based applications.
It leverages AST and DOM parsing to look for security-relevant configurations, as described in the “Electron Security Checklist – A Guide for Developers and Auditors” whitepaper.
Software developers and security auditors can use this tool to detect and mitigate potential weaknesses and implementation bugs when developing applications using Electron. A good understanding of Electron (in)security is still required when using Electronegativity, as some of the potential issues detected by the tool require manual investigation.
- Variable scoping analysis capabilities have been added to inspect the Function and Global variable content, when available.
- Every check now has an importance and accuracy attribute which helps the auditor to determine the importance of each finding. Consequently, we also introduced some new command line flags to filter the results by severity (
--severity) and by confidence (
--confidence), useful for tailored Electronegativity integration in your application security pipelines or build systems.
- Add support for
- Add the
-r, --relativeflag to display relative path for files
in order to support newer versions of TypeScript
- Several bug fixes and improvements (#49, #50, 84316b1, b32b81b, 04016b3)
$ npm install @doyensec/electronegativity -g
|-V||output the version number|
|-i, –input||input (directory, .js, .htm, .asar)|
|-o, –output||save the results to a file in csv or sarif format|
|-h, –help||output usage information|
Using electronegativity to look for issues in a directory containing an Electron app:
$ electronegativity -i /path/to/electron/app
Using electronegativity to look for issues in an asar archive and saving the results in a csv file:
$ electronegativity -i /path/to/asar/archive -o result.csv
node --max-old-space-size=4096 electronegativity -i /path/to/asar/archive -o result.csv
Copyright (C) 2018