js-x-ray v6.1 releases: static analysis of detecting most common malicious patterns
The goal is to quickly identify dangerous code and patterns for developers and security researchers. Interpreting the results of this tool will still require you to have a set of security notions.
Most of the time these hackers will try to hide the behavior of their codes as much as possible to avoid being spotted or easily understood… The work of the library is to understand and analyze these patterns that will allow us to detect malicious code.
- Retrieve required dependencies and files for Node.js.
- Detect unsafe RegEx.
- Get warnings when the AST Analysis as a problem or when not able to follow a statement.
- Highlight common attack patterns and API usages.
- Capable to follow the usage of dangerous Node.js globals.
- Detect obfuscated code and when possible the tool that has been used.
This section describes all the possible warnings returned by JSXRay.
|unsafe-import||Unable to follow an import (require, require.resolve) statement/expr.|
|unsafe-regex||A RegEx as been detected as unsafe and may be used for a ReDoS Attack.|
|unsafe-stmt||Usage of a dangerous statement like
|unsafe-assign||Assignment of a protected global like
|encoded-literal||An encoded literal has been detected (it can be an hexa value, Unicode sequence, base64 string, etc)|
|short-identifiers||This mean that all identifiers has an average length below 1.5. Only possible if the file contains more than 5 identifiers.|
|suspicious-literal||This mean that the sum of suspicious score of all Literals is bigger than 3.|
|obfuscated-code (experimental)||There’s a very high probability that the code is obfuscated…|
- docs: add banner and center badges with TML format by @fraxken in #85
- Add dependabot yml configuration by @fabnguess in #86
- chore(deps-dev): bump @slimio/is from 1.5.1 to 2.0.0 by @dependabot in #92
- chore(deps): bump ossf/scorecard-action from 2.0.6 to 2.1.2 by @dependabot in #91
- chore(deps): bump actions/setup-node from 2 to 3 by @dependabot in #90
- chore(deps): bump actions/upload-artifact from 3.1.0 to 3.1.2 by @dependabot in #89
- chore(deps): bump github/codeql-action from 2.1.27 to 2.1.39 by @dependabot in #88
- chore(deps): bump actions/checkout from 2 to 3 by @dependabot in #87
- chore(StepSecurity): Apply security best practices by @step-security-bot in #94
- chore(deps): bump github/codeql-action from 2.1.39 to 2.2.1 by @dependabot in #96
- chore(deps): bump github/codeql-action from 2.2.1 to 2.2.4 by @dependabot in #99
- ci: disable nsci warnings by @fraxken in #104
- Update dependabot frequency by @fabnguess in #102
- chore(deps): bump github/codeql-action from 2.2.4 to 2.2.5 by @dependabot in #103
- chore(deps): bump step-security/harden-runner from 2.1.0 to 2.2.0 by @dependabot in #101
- feat: add shady-link warning by @PierreDemailly in #105
- docs: add PierreDemailly as a contributor for code, and test by @allcontributors in #106
- fix(security): add missing workflow top level permissions by @fraxken in #107
- feat: add removeHTMLComments option by @fraxken in #114
- chore(deps): bump ossf/scorecard-action from 2.1.2 to 2.1.3 by @dependabot in #110
- chore(deps): bump actions/checkout from 3.3.0 to 3.5.0 by @dependabot in #112
- chore(deps): bump step-security/harden-runner from 2.2.0 to 2.2.1 by @dependabot in #113
- chore(deps): bump github/codeql-action from 2.2.5 to 2.2.9 by @dependabot in #111
Install & Use
Copyright (c) 2021 NodeSecure