With the emergence of the Node.js ecosystem, JavaScript has become a widely-used programming language for implementing server-side web applications. In this paper, we present the first empirical study of static code analysis tools for detecting vulnerabilities in Node.js code. To conduct a comprehensive tool evaluation, we created the largest known curated dataset of Node.js code vulnerabilities. We characterized and annotated a set of 957 vulnerabilities by analyzing information contained in npm advisory reports. We tested nine different tools and found that many important vulnerabilities appearing in the OWASP Top-10 are not detected by any tool. The three best performing tools combined only detect up to 57.6% of all vulnerabilities in the dataset, but at a very low precision of 0.11%. Our curated dataset offers a new benchmark to help characterize existing Node.js code vulnerabilities and foster the development of better vulnerability detection tools for Node.js code.
@article{arxiv.2301.05097,
title = {Study of JavaScript Static Analysis Tools for Vulnerability Detection in Node.js Packages},
author = {Tiago Brito and Mafalda Ferreira and Miguel Monteiro and Pedro Lopes and Miguel Barros and José Fragoso Santos and Nuno Santos},
journal= {arXiv preprint arXiv:2301.05097},
year = {2023}
}