25 May, 2019
How to use NodeJsScan for SAST – Step-by-step Guide
NodeJsScan is a static code scanner that is used to find security flaws specifically in Node.js applications. In this post, we will look at how you can use NodeJsScan for SAST.
Configuration & Usage
- Install Postgres and configure SQLALCHEMY_DATABASE_URI in core/settings.py
- Download the NodeJsScan package from the GitHub repository https://github.com/ajinabraham/NodeJsScan.
Figure 1 Cloning the repository
- Navigate to the NodeJsScan directory and install all requirements using the command – pip3 install -r requirements.txt
Figure 2 Installing all requirements to run NodeJsScan
- Run this command once to create the required database entries – python3 migrate.py
- Run this command to start the app in the test environment – python3 app.py
- Set up gunicorn for the production environment – gunicorn -b 0.0.0.0:9090 app:app
Figure 3 Executing app.py to run NodeJsScan
NodeJsScan will then be listening on http://0.0.0.0:9090. If you need to debug, set DEBUG = True in core/settings.py. Because the tool's rules are updated periodically, it produces a minimum number of false positives.
Figure 4 NodeJsScan running on http://0.0.0.0:9090/
The command-line interface (CLI) allows this tool to integrate with DevSecOps CI/CD pipelines. The results are in JSON format.
Figure 5 NodeJsScan CLI is showing optional arguments.
Docker images can be built for NodeJsScan using the following steps –
- First, ensure that you have docker installed on your system.
- Start the docker service using the command – service docker start
- Build the image from the repository root with – docker build -t nodejsscan . (the trailing dot is the build context)
- Finally, run the application with – docker run -it -p 9090:9090 nodejsscan
Now, let’s get started with a demo.
- I tested this tool on a repository that contains incomplete and vulnerable code.
- The NodeJsScan web app accepts uploads as .zip files. So, first, compress your .js code into a .zip archive, then open the app in your browser and upload that .zip file.
- After the .zip file is uploaded, the tool lists all the vulnerabilities it found.
Figure 6 Vulnerabilities listed for app.js
Figure 7 NodeJsScan giving a detailed description of the vulnerability
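To make concrete what a pattern-based Node.js SAST pass does when it lists vulnerabilities for an app.js like the one in the demo above, and what the JSON results mentioned in the CLI section look like to a CI/CD step, here is a small added example. It is not NodeJsScan's code, rule set or output schema: the three rules, the sample app.js and the JSON layout are all constructed for this illustration.

```python
"""Toy pattern-based SAST pass over Node.js source, emitting JSON findings.

Added illustration only: the rules and the sample app.js are constructed for
this example and are not NodeJsScan's own rule set or output schema.
"""
import json
import re

# Constructed rules. Each is a regex applied to one source line plus the
# metadata a scanner reports; a real tool carries many more rules.
RULES = [
    {
        "id": "js-eval",
        "severity": "high",
        "pattern": re.compile(r"\beval\s*\("),
        "message": "eval() on data the user controls allows arbitrary code execution",
    },
    {
        "id": "child-process-exec",
        "severity": "high",
        # exec( ... + ...): a shell command assembled by string concatenation
        "pattern": re.compile(r"\bexec\s*\(\s*[^)]*\+"),
        "message": "shell command built by concatenation; use execFile with an argument array",
    },
    {
        "id": "hardcoded-secret",
        "severity": "medium",
        "pattern": re.compile(
            r"\b(?:password|secret|apikey|api_key)\s*[:=]\s*['\"][^'\"]+['\"]", re.I
        ),
        "message": "possible hard-coded credential; load it from configuration instead",
    },
]


def scan_source(path, source):
    """Return one finding per (line, rule) hit, in source order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        # Whole-line comments are skipped: a TODO that mentions eval() is a
        # classic false positive. Trailing comments are still scanned, because
        # naively splitting on '//' would break string literals like 'http://'.
        if line.lstrip().startswith("//"):
            continue
        for rule in RULES:
            if rule["pattern"].search(line):
                findings.append({
                    "rule": rule["id"],
                    "severity": rule["severity"],
                    "file": path,
                    "line": lineno,
                    "code": line.strip(),
                    "message": rule["message"],
                })
    return findings


def summarize(findings):
    """Count findings per severity, the figure a CI gate usually keys on."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def report_json(path, findings):
    """Serialise the scan as a JSON document a pipeline step can consume."""
    return json.dumps(
        {"file": path, "count": len(findings),
         "by_severity": summarize(findings), "findings": findings},
        indent=2,
    )


# Constructed sample in the "incomplete and vulnerable" style of the demo's app.js.
SAMPLE_APP_JS = """\
const express = require('express');
const { exec, execFile } = require('child_process');
const app = express();
const apiKey = "sk-constructed-placeholder";
// TODO: eval() fallback below must go before release
app.get('/calc', (req, res) => {
  res.send(String(eval(req.query.expr)));
});
app.get('/ping', (req, res) => {
  exec('ping -c 1 ' + req.query.host, (err, out) => res.send(out));
});
app.get('/ping-safe', (req, res) => {
  execFile('ping', ['-c', '1', req.query.host], (err, out) => res.send(out));
});
"""

if __name__ == "__main__":
    results = scan_source("app.js", SAMPLE_APP_JS)
    print(report_json("app.js", results))
    # Exit non-zero when a high-severity finding exists, so a CI job fails the build.
    raise SystemExit(1 if summarize(results).get("high", 0) else 0)
```

Run as a script it prints the JSON report for the sample and exits 1 because two high-severity hits exist; the /ping-safe handler, which passes the host as an argument array to execFile, is the form the concatenation rule is meant to push developers towards. The comment-skipping in scan_source is the kind of small decision that separates a noisy scanner from a usable one.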
Check out our post on Top 3 Open Source Tools for SAST.