DOI: 10.1145/3460319.3464836
Research article

Modular call graph construction for security scanning of Node.js applications

Published: 11 July 2021

ABSTRACT

Most of the code in typical Node.js applications comes from third-party libraries that consist of a large number of interdependent modules. Because of the dynamic features of JavaScript, it is difficult to obtain detailed information about the module dependencies, which is vital for reasoning about the potential consequences of security vulnerabilities in libraries, and for many other software development tasks. The underlying challenge is how to construct precise call graphs that capture the connectivity between functions in the modules.

In this work we present a novel approach to call graph construction for Node.js applications that is modular, taking into account the modular structure of Node.js applications, and sufficiently accurate and efficient to be practically useful. We demonstrate experimentally that the constructed call graphs are useful for security scanning, reducing the number of false positives by 81% compared to npm audit and with zero false negatives. Compared to js-callgraph, the call graph construction is significantly more accurate and efficient. The experiments also show that the analysis time is reduced substantially when reusing modular call graphs.
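The abstract's central point is that a package-level scanner such as npm audit flags a dependency as soon as a vulnerable version is installed, while a call graph can tell whether the vulnerable function is reachable from the application at all. The following is an added illustration of that idea, written for this page; it is not the paper's implementation and does not reproduce its analysis. It assumes that a call graph has already been computed separately for each module (the modular part) and shows only the linking step and the reachability check. All module ids, function names, versions and advisory ids are constructed, and the "vulnerable" functions are hypothetical.

```javascript
// Added example (not the paper's code): link per-module call graphs into one
// application-level graph and decide reachability of vulnerable functions.
// Every module id, function, version and advisory below is constructed.

// Per-module call graphs, computed once per installed module copy:
//   functions: local function -> callees; a callee is a local name ("helper")
//              or "<requireName>.<export>" for a call into a required module.
//   resolve:   require name -> module id (which installed copy is picked up).
const moduleGraphs = {
  'app': {
    functions: {
      main: ['startServer'],
      startServer: ['lodash.get', 'express.listen'],
    },
    resolve: { lodash: 'lodash@4.17.15', express: 'express@4.17.1' },
  },
  'lodash@4.17.15': {
    functions: {
      get: ['baseGet'],
      baseGet: [],
      template: ['escape'],   // hypothetical vulnerable function, never called by app
      escape: [],
    },
    resolve: {},
  },
  'express@4.17.1': {
    functions: {
      listen: ['createApp', 'qs.parse'],
      createApp: [],
    },
    resolve: { qs: 'qs@6.5.2' },
  },
  'qs@6.5.2': {
    functions: {
      parse: ['parseObject'],
      parseObject: [],        // hypothetical vulnerable function, reached via express
    },
    resolve: {},
  },
};

// Global node id for a function inside a specific module copy.
const nodeId = (moduleId, fn) => `${moduleId}#${fn}`;

// Linking step: turn every callee into a global node id. Cross-module edges
// are resolved through the calling module's own require map, so the same
// module graph can be reused wherever that module copy is installed.
function linkCallGraphs(graphs) {
  const linked = new Map();
  for (const [moduleId, { functions, resolve }] of Object.entries(graphs)) {
    for (const [fn, callees] of Object.entries(functions)) {
      const targets = callees.map((callee) => {
        const dot = callee.indexOf('.');
        if (dot === -1) return nodeId(moduleId, callee);
        const requireName = callee.slice(0, dot);
        const targetModule = resolve[requireName];
        if (targetModule === undefined) {
          throw new Error(`${moduleId}: unresolved require '${requireName}'`);
        }
        return nodeId(targetModule, callee.slice(dot + 1));
      });
      linked.set(nodeId(moduleId, fn), targets);
    }
  }
  return linked;
}

// Breadth-first reachability from the application's entry functions.
function reachableFunctions(linked, entries) {
  const seen = new Set(entries);
  const queue = [...entries];
  while (queue.length > 0) {
    const node = queue.shift();
    for (const next of linked.get(node) || []) {
      if (!seen.has(next)) {
        seen.add(next);
        queue.push(next);
      }
    }
  }
  return seen;
}

// Package-level verdict (module installed, so flag it) next to the
// function-level verdict (vulnerable function reachable from the entry).
function scanAdvisories(graphs, reachable, advisories) {
  return advisories.map(({ id, moduleId, fn }) => ({
    id,
    packagePresent: moduleId in graphs,
    functionReachable: reachable.has(nodeId(moduleId, fn)),
  }));
}

// Constructed advisories with placeholder ids (not real CVEs).
const advisories = [
  { id: 'ADVISORY-A', moduleId: 'lodash@4.17.15', fn: 'template' },
  { id: 'ADVISORY-B', moduleId: 'qs@6.5.2', fn: 'parseObject' },
];

function runScan() {
  const linked = linkCallGraphs(moduleGraphs);
  const reachable = reachableFunctions(linked, [nodeId('app', 'main')]);
  return scanAdvisories(moduleGraphs, reachable, advisories);
}

console.log(runScan());
```

On this input both advisories are flagged at package level, but only ADVISORY-B survives the reachability check: `lodash.template` is installed yet never called from `app#main`, which is exactly the kind of package-level false positive the abstract reports eliminating. Because each entry in `moduleGraphs` is keyed by module copy and resolves its own requires, a library's graph can be linked into many applications without being recomputed.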


Published in

ISSTA 2021: Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis
July 2021, 685 pages
ISBN: 9781450384599
DOI: 10.1145/3460319

Copyright © 2021 ACM

Publisher: Association for Computing Machinery, New York, NY, United States
