Objective

The purpose of this document is to collect JavaScript code analysis tools suitable for including in coming Mozilla projects or for internal use.

Criteria list

Each tool is evaluated by a set of criteria chosen to provide a quick overview of the tool's capabilities and opportunities for integration into existing environments.

Homepage
Code
Target user group
Analysis type
Programming language
License
Operating system
Current version
Interface
Output

Links to check out

• [X] https://air.mozilla.org/static-analysis/
• [X] http://cf.cs.ucsb.edu/static/ (timeout)
• [X] http://jscert.org/tools.html
• [X] http://www.jswebtools.org/
• [X] http://doctorjs.org/ (broken)
• [X] http://www.checkmarx.com/technology/application-security-testing/
• [X] https://github.com/chrisallenlane/watchtower
• [X] http://research.microsoft.com/en-us/projects/nozzle/
• [X] Javascript Code Analysis with Esprima
• [X] http://jscomplexity.org
• [X] Automated Analysis of Security-Critical JavaScript APIs (PDF)
• [X] JavaScript Static Security Analysis made easy with JSPrime (slideshare)
• [X] Secure JavaScript for developers (slideshare)
• [X] https://github.com/brownplt
• [X] http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
• [ ] Automated Analysis of Security-Critical JavaScript APIs (PDF)
• [ ] https://github.com/mishoo/UglifyJS
• [ ] https://github.com/substack/node-falafel
• [ ] https://github.com/substack/node-burrito
• [ ] https://developers.google.com/closure/ (useful JS analysis by compiler)
• [ ] http://www.brics.dk/TAJS/
• [ ] https://github.com/SRA-SiliconValley/jalangi (concolic testing tool out of Berkeley, framework for building dyn. analysis tools via record/replay)

Projects

DOM XSS Scanner

Summary

DOM XSS Scanner is an online tool for scanning web pages and JavaScript code for potential DOM based XSS security vulnerabilities.

Criteria

Homepage	http://www.domxssscanner.com/info/about
Code	https://github.com/yaph/domxssscanner
Target user group	pentesters, reviewers, developers
Analysis type	static
Programming language	Python 2.7 / Django, JavaScript
License	none
Operating system	any
Current version	(2013-02-12)
Interface	Web browser
Output	html

Features

Applications

Links

Esprima

Summary

ECMAScript parsing infrastructure for multipurpose analysis

Criteria

Homepage	http://esprima.org
Code	https://github.com/ariya/esprima
Target user group	Developers, tool writers
Analysis type	static AST
Programming language	JavaScript
License	BSD
Operating system	any
Current version	1.0.3 (2013-05-17)
Interface	node.js, rhino, js
Output

Features

• Full support for ECMAScript 5.1 (ECMA-262)
• Sensible syntax tree format, compatible with Mozilla Parser AST
• Optional tracking of syntax node location (index-based and line-column)
• Heavily tested (> 600 tests with solid statement and branch coverage)
• Experimental support for ES6/Harmony (module, class, destructuring, ...)

Applications

• keyword / statement histogram
• identifier length distribution
• boolean logic checking
• variable scope / pollution checking
• complexity checking
• statement coverage

Links

• Javascript Code Analysis with Esprima (YouTube)

JSCert

Summary

The JSCert project aims to really understand JavaScript. We are building models of ECMAScript semantics in the Coq proof assistant, and automated logical reasoning tools built on those semantics.

Criteria

Homepage	http://jscert.org/
Code
Target user group	researchers
Analysis type	static semantic modelling
Programming language	Coq
License
Operating system
Current version	WIP
Interface	Command line interface
Output	XML

Features

Applications

Links

• Towards a Program Logic for JavaScript (PDF)
• http://jscert.org/publications.html

jsgrep

Summary

grep for the AST

Criteria

Homepage	https://github.com/facebook/jsgrep
Code	https://github.com/facebook/jsgrep
Target user group
Analysis type	static AST
Programming language	node.js
License	Apache License 2.0
Operating system	any
Current version	(2012-04-23)
Interface	comman line interface
Output	stdout, grep-style

Features

Applications

Links

JShint

Summary

JSHint is a community-driven tool to detect errors and potential problems in JavaScript code and to enforce your team's coding conventions. It is very flexible so you can easily adjust it to your particular coding guidelines and the environment you expect your code to execute in.

Criteria

Homepage	http://www.jshint.com
Code	https://github.com/jshint/jshint/
Target user group	Developers
Analysis type	static AST
Programming language	JavaScript
License	MIT variant
Operating system	any
Current version	2.1.10 (2013-08-15)
Interface	node.js, rhino, js
Output	jslint, checkstyle XML

Features

Applications

Links

JSPrime

Summary

JSPrime is a light-weight JavaScript source code scanner for identifying security issues using static analysis, built on Esprima.

Criteria

Homepage	http://www.jsprime.org
Code	https://github.com/dpnishant/jsprime
Target user group	developers, reviewers, pentesting
Analysis type	static AST
Programming language	JavaScript
License	MIT
Operating system	any
Current version	(2013-08-08)
Interface	node.js, js
Output	html report

Features

• Variable & function tracing (part of JSPrime code flow analysis algorithm)
• Variable & function scope-aware analysis (part of JSPrime code flow analysis algorithm)
• Known filter function aware
• OOP & protoype compliant
• Minimum false positive alerts
• Supports minified javascript
• Blazing fast performance
• Point and click
• Upcoming features:
  • Automatic code de-obfuscation & decompression through Hybrid Analysis (link)
  • ECMAScript family support (ActionScript 3, Node.JS, WinJS)
• Limitations
  • It can't learn sinks and sources automatically
  • It can't handle obfuscation
  • It can't handle minified JS, requires beautification
  • It can't analyse dynamically-generated code (using eval et al.)

Applications

Links

• JavaScript Static Security Analysis made easy with JSPrime (PDF)

JSWebTools

Summary

Over the past several years, we've developed semantics foundations for JavaScript, built tools atop these foundations, and applied these tools to Web security problems. We've recently started tackling other Web technologies as well. All our work is open source.

Criteria

Homepage	http://www.jswebtools.org/
Code	https://github.com/brownplt/
Target user group	security researchers
Analysis type	static semantic modelling
Programming language	ML, Haskell, Coq, PLT, probably more
License	BSD
Operating system	any
Current version	WIP
Interface	Command line interface
Output	? (need to run)

Features

Applications

• jQuery-types :: a typechecker for jQuery client programs
• ADsafety :: verifying language-based Web sandboxes
• Static Analysis for Intrusion Detection :: finding attacks on AJAX-based applications
• Flapjax :: a language and library for reactive web applications

Links

• http://www.jswebtools.org/papers/
• Project overview on YouTube

ScanJS

Summary

Static analysis tool for javascript codebases. Scanjs uses Esprima to convert sources to AST, then walks AST looking for patterns. It works on both client and server side.

Criteria

Homepage	https://github.com/freddyb/scanjs
Code	https://github.com/freddyb/scanjs
Target user group	reviewers
Analysis type	static
Programming language	node.js / js
License	MPL
Operating system	any
Current version	(2013-08-05)
Interface	command line interface
Output	html

Features

Applications

Links

Watchtower

Summary

Static Code Analysis tool designed to assist in code reviews. It offers a robust alternative to grep for finding matches on literal and regex-based strings within a project.

Criteria

Homepage	https://github.com/chrisallenlane/watchtower
Code	https://github.com/chrisallenlane/watchtower
Target user group	reviewers
Analysis type	static
Programming language	Ruby
License	GPLv3
Operating system	any
Current version	1.4.8 (2013-09-02)
Interface	command line interface
Output	html, csv, xml, txt

Features

Applications

Links