@inproceedings{13ddb7caaba84e88b13f5729f0577027,
title = "Modular call graph construction for security scanning of Node.js applications",
abstract = "Most of the code in typical Node.js applications comes from third-party libraries that consist of a large number of interdependent modules. Because of the dynamic features of JavaScript, it is difficult to obtain detailed information about the module dependencies, which is vital for reasoning about the potential consequences of security vulnerabilities in libraries, and for many other software development tasks. The underlying challenge is how to construct precise call graphs that capture the connectivity between functions in the modules. In this work we present a novel approach to call graph construction for Node.js applications that is modular, taking into account the modular structure of Node.js applications, and sufficiently accurate and efficient to be practically useful. We demonstrate experimentally that the constructed call graphs are useful for security scanning, reducing the number of false positives by 81% compared to npm audit and with zero false negatives. Compared to js-callgraph, the call graph construction is significantly more accurate and efficient. The experiments also show that the analysis time is reduced substantially when reusing modular call graphs.",
keywords = "JavaScript, Modularity, Static analysis",
author = "Nielsen, {Benjamin Barslev} and Torp, {Martin Toldam} and Anders M{\o}ller",
note = "Publisher Copyright: {\textcopyright} 2021 ACM.; 30th ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2021 ; Conference date: 11-07-2021 Through 17-07-2021",
year = "2021",
month = jul,
doi = "10.1145/3460319.3464836",
language = "English",
series = "Proceedings of the ACM SIGSOFT International Symposium on the Foundations of Software Engineering",
publisher = "Association for Computing Machinery",
pages = "29--41",
editor = "Cristian Cadar and Xiangyu Zhang",
booktitle = "ISSTA 2021 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis",
address = "United States",
}