Home Unlabelled Nodejsscan - A Static Safety Code Scanner For Node.Js Applications

Nodejsscan - A Static Safety Code Scanner For Node.Js Applications

By
Tuesday, September 24, 2019
Read
Add Comment

Static safety code scanner (SAST) for Node.js applications.

Configure & Run NodeJsScan
Install Postgres as well as configure SQLALCHEMY_DATABASE_URI inwards core/settings.py
pip3 install -r requirements.txt python3 migrate.py # Run 1 time to practise database entries required python3 app.py # Testing Environment gunicorn -b 0.0.0.0:9090 app:app # Production Environment
This volition run NodeJsScan on http://0.0.0.0:9090
If you lot take away to debug, gear upwardly DEBUG = True inwards core/settings.py

NodeJsScan CLI
The command line interface (CLI) allows you lot to integrate NodeJsScan amongst DevSecOps CI/CD pipelines. The results are inwards JSON format. When you lot usage CLI the results are never stored amongst NodeJsScan backend.
virtualenv venv -p python3 source venv/bin/activate (venv)pip install nodejsscan (venv)$ nodejsscan usage: nodejsscan [-h] [-f FILE [FILE ...]] [-d DIRECTORY [DIRECTORY ...]]                   [-o OUTPUT] [-v]  optional arguments:   -h, --help            present this assist message as well as leave of absence   -f FILE [FILE ...], --file FILE [FILE ...]                         Node.js file(s) to scan   -d DIRECTORY [DIRECTORY ...], --directory DIRECTORY [DIRECTORY ...]                         Node.js source code directory/directories to scan   -o OUTPUT, --output OUTPUT                         Output file to salvage JSON study   -v, --version         Show nodejsscan version

Python API
import core.scanner every bit njsscan res_dir = njsscan.scan_dirs(['/Code/Node.Js-Security-Course']) res_file = njsscan.scan_file(['/Code/Node.Js-Security-Course/deserialization.js']) print(res_file)  [{'title': 'Deserialization Remote Code Injection', 'description': "User controlled information inwards 'unserialize()' or 'deserialize()' component subdivision tin effect inwards Object Injection or Remote Code Injection.", 'tag': 'rci', 'line': 11, 'lines': 'app.use(cookieParser())\n\napp.get(\'/\', function(req, res) {\n            if (req.cookies.profile) {\n                var str = novel Buffer(req.cookies.profile, \'base64\').toString();\n                var obj = serialize.unserialize(str);\n                if (obj.username) {\n                    res.send("Hello " + escape(obj.username));\n                }\n            } else {', 'filename': 'deserialization.js', 'path': '/Users/ajin/Code/Node.Js-Security-Course/deserialization.js', 'sha2': '06f3f0ff3deed27aeb95955a17abc7722895d3538c14648af97789d8777cee50'}]

Docker
docker construct -t nodejsscan . docker run -it -p 9090:9090 nodejsscan

DockerHub
docker push clit opensecurity/nodejsscan docker run -it -p 9090:9090 opensecurity/nodejsscan:latest

NodeJsScan Web UI


Static Analysis





Tags :

Created By Nexus · Powered by Blogger
© All Rights Reserved

Terms Of Service · Privacy Policy · Disclaimer · Contact Us · About Us