NodeJsScan is a static code scanner which is used to find security flaws specifically in Node.js applications. In this post, we will look at how you can use NodeJsScan for SAST.  

Configuration & Usage 

• Install Postgres and configure SQLALCHEMY_DATABASE_URI in core/setting.py 
• Download the NodeJsScan package from the GitHub repository https://github.com/ajinabraham/NodeJsScan. 

Figure 1 Cloning the repository

• Navigate to the NodeJsScan directory and install all requirements using the command – pip3 install –r requirements.txt. 

Figure 2 Installing all requirements to run NodeJsScan

• Run this command once to create database entries required – python3 migrate.py 
• Run this command to test the testing Environment – python3 app.py 
• Setup gunicorn for the production environment  – gunicorn –b 0.0.0.0:9090 app:app. 

Figure 3 Executing app.py to run NodeJsScan

This tool will run NodeJsScan on http://0.0.0.0:9090. If you need to debug, set DEBUG = True in core/settings.py. With periodic updates of this tool, it shows a minimum number of false positives. 

Figure 4 NodeJsScan running on http://0.0.0.0:9090/

NodeJsScan CLI 

The command line interface (CLI) allows this tool to integrate with DevSecOps CI/CD pipelines. The results are in JSON format.  

Figure 5 NodeJsScan CLI is showing optional arguments.

Docker 

Docker images can be built for NodeJsScan using the following steps – 

• First, ensure that you have docker installed into your system. 
• Start the docker service using command – service docker start. 
• Execute this command – docker build -t nodejsscan. 
• Then finally execute this command to run the application – docker run -it -p 9090:9090 nodejsscan. 

Now, let’s get started with a demo. 

• I tested this tool on a repository that contains incomplete and vulnerable code. 
• The NodeJsScan app has compatibility with .zip files to get uploaded. So, first, compress your .js code to .zip file and then go to your browser and upload the .zip file. 
• After uploading the .zip file, the tool will list all the vulnerabilities for you. 

Figure 6 Vulnerabilities listed for app.js

Figure 7 NodeJsScan giving a detailed description of the vulnerability

Check out our post on Top 3 Open Source Tools for SAST.