How to use NodeJsScan for SAST – Step-by-step Guide
NodeJsScan is a static code scanner that is used to find security flaws specifically in Node.js applications. In this post, we will look at how you can use NodeJsScan for SAST.
Configuration & Usage
- Install Postgres and configure SQLALCHEMY_DATABASE_URI in core/settings.py.
- Download the NodeJsScan package from the GitHub repository https://github.com/ajinabraham/NodeJsScan.

Figure 1 Cloning the repository
- Navigate to the NodeJsScan directory and install all requirements using the command – pip3 install -r requirements.txt.

Figure 2 Installing all requirements to run NodeJsScan
- Run this command once to create the required database entries – python3 migrate.py
- Run this command to start the app in a test environment – python3 app.py
- Set up gunicorn for the production environment – gunicorn -b 0.0.0.0:9090 app:app.

Figure 3 Executing app.py to run NodeJsScan
NodeJsScan will then be listening on http://0.0.0.0:9090. If you need to debug, set DEBUG = True in core/settings.py. The tool's rules are updated periodically, which keeps the number of false positives low.

Figure 4 NodeJsScan running on http://0.0.0.0:9090/
NodeJsScan CLI
The command-line interface (CLI) lets the tool integrate into DevSecOps CI/CD pipelines. Results are emitted in JSON format.

Figure 5 NodeJsScan CLI is showing optional arguments.
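The following is an added example of how a pipeline step can consume the JSON output, not code from the original post or from the NodeJsScan project. It assumes a report with a top-level "sec_issues" object keyed by issue category, each holding a list of findings with "title", "filename" and "line" keys; the embedded report is constructed, and both the key names and the set of blocking categories are assumptions to adjust against a real report.

```python
import json
import sys
from collections import Counter

# Assumed report layout: a top-level "sec_issues" dict keyed by issue category,
# each holding a list of finding dicts. Adjust the keys to match the JSON your
# NodeJsScan version actually writes.
# Constructed sample report, not real scanner output.
SAMPLE_REPORT = json.dumps({
    "sec_issues": {
        "Code Injection": [
            {"title": "Untrusted data passed to eval()", "filename": "app.js", "line": 42},
        ],
        "Security Misconfiguration": [
            {"title": "Cookie missing httpOnly flag", "filename": "app.js", "line": 12},
            {"title": "CORS allows any origin", "filename": "server.js", "line": 7},
        ],
    },
})

# Categories the pipeline treats as blocking (assumed); everything else is only reported.
BLOCKING_CATEGORIES = {"Code Injection", "Command Injection", "SQL Injection"}

def load_findings(report_text):
    """Flatten the per-category lists into sorted (category, file, line, title) tuples."""
    report = json.loads(report_text)
    findings = []
    for category, issues in report.get("sec_issues", {}).items():
        for issue in issues:
            findings.append((category, issue.get("filename", "?"),
                             int(issue.get("line", 0)), issue.get("title", "")))
    return sorted(findings)

def should_fail(findings, blocking=BLOCKING_CATEGORIES):
    """True when any finding falls into a blocking category."""
    return any(cat in blocking for cat, _, _, _ in findings)

def gate(report_text):
    """Print each finding plus a per-category count; return the CI stage's exit code."""
    findings = load_findings(report_text)
    for cat, fname, line, title in findings:
        print(f"[{cat}] {fname}:{line} {title}")
    print("summary:", dict(Counter(cat for cat, *_ in findings)))
    return 1 if should_fail(findings) else 0

if __name__ == "__main__":
    # Usage: python gate.py report.json (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(text))
```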
Docker
Docker images can be built for NodeJsScan using the following steps –
- First ensure that you have Docker installed on your system.
- Start the Docker service using the command – service docker start.
- Build the image from the NodeJsScan directory – docker build -t nodejsscan . (the trailing dot is the build context).
- Then finally execute this command to run the application – docker run -it -p 9090:9090 nodejsscan.
Now, let’s get started with a demo.
- I tested this tool on a repository that contains incomplete and vulnerable code.
- The NodeJsScan web app accepts uploads as .zip files. So, first compress your .js code into a .zip archive, then open the app in your browser and upload it.
- After the .zip file is uploaded, the tool lists all the vulnerabilities it found.

Figure 6 Vulnerabilities listed for app.js

Figure 7 NodeJsScan giving a detailed description of the vulnerability
Check out our post on Top 3 Open Source Tools for SAST.