Static analysis for JavaScript

eslint

Installation

$ npm install --save-dev eslint eslint-plugin-security eslint-plugin-scanjs-rules eslint-plugin-no-unsafe-innerhtml

Configuration

Here is a sample .eslintrc.json file, for use with those plugins:

{
    // adjust these as necessary for your application
    "env": {
        "es6": true,
        "node": true
    },
    // uncomment this line if you are getting errors like "Parsing error: Unexpected token"
    // "parser": "babel-eslint",
    "parserOptions": {
        "ecmaFeatures": {
            "jsx": true
        },
        "sourceType": "module"
    },
    "plugins": [
        // "react",
        "no-unsafe-innerhtml",
        "security"
    ],
    "rules": {
        /** useful rules from eslint, if you want them **/

        /** security plugin rules **/
        "no-unsafe-innerhtml/no-unsafe-innerhtml": 2,
        "security/detect-non-literal-fs-filename": 2,
        "security/detect-non-literal-regexp": 2,
        "security/detect-unsafe-regex": 2,
        "security/detect-buffer-noassert": 2,
        "security/detect-child-process": 2,
        "security/detect-disable-mustache-escape": 2,
        "security/detect-eval-with-expression": 2,
        "security/detect-no-csrf-before-method-override": 2,
        "security/detect-non-literal-require": 2,
        "security/detect-object-injection": 2,
        "security/detect-possible-timing-attacks": 1,
        "security/detect-pseudoRandomBytes": 2
    }
}

Alternatively, run $ eslint --init with your project-specific details and then add the plugins and rules from the config above to the file it generates.

If you are using the ESLint installed locally in your project rather than a global one, you might have to run $ ./node_modules/eslint/bin/eslint.js --init instead. The generated config pulls in many non-security linting rules through its "extends" entry; if you only want the security rules, comment out the "extends": "blah", line in the .eslintrc file that --init produced.

You might want to create a file called .eslintignore (the name is arbitrary) containing the line node_modules/. You can then pass the option --ignore-path .eslintignore when you run eslint. This keeps third-party code in node_modules out of the scan and will save you a lot of false positives.

Usage

For a quick start, try:

$ cd my_project
$ eslint .

To create an HTML output file you can view in your browser, try:

$ eslint --ignore-path .eslintignore -f html -o eslint-report.html .