Modular call graph construction for security scanning of Node.js applications

Benjamin Barslev Nielsen, Martin Toldam Torp, Anders Møller

Research output: Contribution to book/anthology/report/proceedingArticle in proceedingsResearchpeer-review

39 Citations (Scopus)
404 Downloads (Pure)

Abstract

Most of the code in typical Node.js applications comes from third-party libraries that consist of a large number of interdependent modules. Because of the dynamic features of JavaScript, it is difficult to obtain detailed information about the module dependencies, which is vital for reasoning about the potential consequences of security vulnerabilities in libraries, and for many other software development tasks. The underlying challenge is how to construct precise call graphs that capture the connectivity between functions in the modules. In this work we present a novel approach to call graph construction for Node.js applications that is modular, taking into account the modular structure of Node.js applications, and sufficiently accurate and efficient to be practically useful. We demonstrate experimentally that the constructed call graphs are useful for security scanning, reducing the number of false positives by 81% compared to npm audit and with zero false negatives. Compared to js-callgraph, the call graph construction is significantly more accurate and efficient. The experiments also show that the analysis time is reduced substantially when reusing modular call graphs.

Original languageEnglish
Title of host publicationISSTA 2021 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis
EditorsCristian Cadar, Xiangyu Zhang
Number of pages13
PublisherAssociation for Computing Machinery
Publication dateJul 2021
Pages29-41
ISBN (Electronic)9781450384599
DOIs
Publication statusPublished - Jul 2021
Event30th ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2021 - Virtual, Online, Denmark
Duration: 11 Jul 202117 Jul 2021

Conference

Conference30th ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2021
Country/TerritoryDenmark
CityVirtual, Online
Period11/07/202117/07/2021
SeriesProceedings of the ACM SIGSOFT International Symposium on the Foundations of Software Engineering
ISSN1539-7521

Keywords

  • JavaScript
  • Modularity
  • Static analysis

Fingerprint

Dive into the research topics of 'Modular call graph construction for security scanning of Node.js applications'. Together they form a unique fingerprint.

Cite this