electronegativity v1.3.2 releases: identify misconfigurations and security anti-patterns in Electron applications
Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron-based applications.
It leverages AST and DOM parsing to look for security-relevant configurations, as described in the “Electron Security Checklist – A Guide for Developers and Auditors” whitepaper.
Software developers and security auditors can use this tool to detect and mitigate potential weaknesses and implementation bugs when developing applications using Electron. A good understanding of Electron (in)security is still required when using Electronegativity, as some of the potential issues detected by the tool require manual investigation.
- This patch release includes a fix for #53. Weak etags were occasionally returned by GitHub Raw CDN, breaking the syncing routine of the
$ npm install @doyensec/electronegativity -g
| Option | Description |
|---|---|
| -V | output the version number |
| -i, --input | input (directory, .js, .htm, .asar) |
| -o, --output | save the results to a file in csv or sarif format |
| -h, --help | output usage information |
Using electronegativity to look for issues in a directory containing an Electron app:
$ electronegativity -i /path/to/electron/app
Using electronegativity to look for issues in an asar archive and saving the results in a csv file:
$ electronegativity -i /path/to/asar/archive -o result.csv
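Running the same scan with a larger Node.js heap limit (--max-old-space-size is given in MB), for inputs that exhaust the default heap:
$ node --max-old-space-size=4096 electronegativity -i /path/to/asar/archive -o result.csv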
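Because some findings need manual investigation, it helps to group a report saved with -o in sarif format by check before reviewing it. The following is an added example, not code from Electronegativity or this page: it reads only standard SARIF 2.1.0 fields, the function names are hypothetical, and the embedded report and its rule IDs are constructed sample data.

```javascript
// Added example, not Electronegativity code. Reads only standard SARIF 2.1.0 fields.
// SAMPLE_SARIF is a constructed report; in practice pass the text of the -o file.
const loc = (uri, startLine) =>
  [{ physicalLocation: { artifactLocation: { uri }, region: { startLine } } }];
const SAMPLE_SARIF = JSON.stringify({
  version: "2.1.0",
  runs: [{
    tool: { driver: { name: "Electronegativity" } },
    results: [ // constructed findings
      { ruleId: "NODE_INTEGRATION_JS_CHECK", level: "warning", locations: loc("main.js", 12) },
      { ruleId: "CONTEXT_ISOLATION_JS_CHECK", level: "note", locations: loc("main.js", 12) },
      { ruleId: "NODE_INTEGRATION_JS_CHECK", level: "warning", locations: loc("windows/about.js", 5) },
    ],
  }],
});

const RANK = { none: 0, note: 1, warning: 2, error: 3 };

// Group findings by rule so each check is reviewed once, with every site it fired on.
function summarizeSarif(text) {
  let doc;
  try { doc = JSON.parse(text); } catch (e) { throw new Error("not valid JSON: " + e.message); }
  if (!doc || !Array.isArray(doc.runs)) throw new Error("not a SARIF log: runs[] missing");
  const byRule = new Map();
  for (const run of doc.runs) {
    for (const r of run.results || []) {
      const rule = r.ruleId || "(no ruleId)";
      const level = typeof RANK[r.level] === "number" ? r.level : "warning"; // SARIF default
      const phys = r.locations?.[0]?.physicalLocation;
      const uri = phys?.artifactLocation?.uri ?? "(unknown file)";
      const line = phys?.region?.startLine;
      const entry = byRule.get(rule) ?? { rule, level, sites: [] };
      if (RANK[level] > RANK[entry.level]) entry.level = level; // keep the highest level seen
      entry.sites.push(line ? `${uri}:${line}` : uri);
      byRule.set(rule, entry);
    }
  }
  return [...byRule.values()].sort((a, b) => b.sites.length - a.sites.length);
}

// CI gate: 1 when any rule is at or above the threshold level, else 0.
function exitCodeFor(summary, threshold = "warning") {
  return summary.some((s) => RANK[s.level] >= RANK[threshold]) ? 1 : 0;
}

for (const s of summarizeSarif(SAMPLE_SARIF)) {
  console.log(`${s.level}\t${s.rule}\t${s.sites.join(", ")}`);
}
```

In a pipeline, the value returned by `exitCodeFor` can be used as the process exit status so that a build stops until the listed sites have been reviewed.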
Copyright (C) 2018