Aarhus University Seal

Modular call graph construction for security scanning of Node.js applications

Research output: Contribution to book/anthology/report/proceedingArticle in proceedingsResearchpeer-review



Most of the code in typical Node.js applications comes from third-party libraries that consist of a large number of interdependent modules. Because of the dynamic features of JavaScript, it is difficult to obtain detailed information about the module dependencies, which is vital for reasoning about the potential consequences of security vulnerabilities in libraries, and for many other software development tasks. The underlying challenge is how to construct precise call graphs that capture the connectivity between functions in the modules. In this work we present a novel approach to call graph construction for Node.js applications that is modular, taking into account the modular structure of Node.js applications, and sufficiently accurate and efficient to be practically useful. We demonstrate experimentally that the constructed call graphs are useful for security scanning, reducing the number of false positives by 81% compared to npm audit and with zero false negatives. Compared to js-callgraph, the call graph construction is significantly more accurate and efficient. The experiments also show that the analysis time is reduced substantially when reusing modular call graphs.

Original languageEnglish
Title of host publicationISSTA 2021 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis
EditorsCristian Cadar, Xiangyu Zhang
Number of pages13
PublisherAssociation for Computing Machinery
Publication yearJul 2021
ISBN (Electronic)9781450384599
Publication statusPublished - Jul 2021
Event30th ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2021 - Virtual, Online, Denmark
Duration: 11 Jul 202117 Jul 2021


Conference30th ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2021
ByVirtual, Online
SeriesProceedings of the ACM SIGSOFT International Symposium on the Foundations of Software Engineering

Bibliographical note

Publisher Copyright:
© 2021 ACM.

    Research areas

  • JavaScript, Modularity, Static analysis

See relations at Aarhus University Citationformats

Download statistics

No data available

ID: 221008128