Investigate and possibly integrate NodeJsScan #16
Comments
jborrey
added
enhancement
|
This scanner seems to beautify source code and then run checks against this list https://github.com/ajinabraham/NodeJsScan/blob/master/core/rules.xml Instead of integrating the whole app, it should be possible to convert these rules to PatternSearch regex rules (however I am not sure about the beautification part). A naive approach would be something like: |
|
Interesting, so you're suggesting that we parse the XML rules files and then appropriate it for the PatternSearch module? Pretty cool idea! In general I don't like forking projects, or doing something similar, because it creates a higher maintenance workload - for example, if the rules are updated, you need to do more than just bump the version of the app to get the most recent set of rules. You could at least get this down to a script that is run a build time and references a version number. I would say, that if the app performs poorly (e.g. throws lots of exceptions) but the rules are useful, then this would be worth it. Otherwise we could just try the usual approach of integrating the scanner directly. |
and others
https://github.com/ajinabraham/NodeJsScan
Vuln scannner for JS.
Test it out on some codebases and determine if it's worth integrating.
If so, make the module and open a PR.
The text was updated successfully, but these errors were encountered: