| Field | Value |
|---|---|
| Name | njsscan |
| Version | 0.4.3 |
| Summary | njsscan is a SAST tool that can find insecure code patterns in your Node.js applications. |
| Home page | https://github.com/ajinabraham/njsscan |
| Author | Ajin Abraham |
| Upload time | 2024-11-14 08:58:25 |
| Requirements | No requirements were recorded. |

# njsscan
**njsscan** is a static application security testing (SAST) tool that finds insecure code patterns in your Node.js applications. It combines the simple pattern matcher from [libsast](https://github.com/ajinabraham/libsast) with the syntax-aware semantic code pattern search tool [semgrep](https://github.com/returntocorp/semgrep).
### Support njsscan
* **Donate via Paypal:** [paypal.me/ajinabraham](https://paypal.me/ajinabraham)
* **Sponsor the Project:** [GitHub Sponsors](https://github.com/sponsors/ajinabraham)
### e-Learning Courses & Certifications
[OpSecX Node.js Security: Pentesting and Exploitation - NJS](https://opsecx.com/index.php/product/node-js-security-pentesting-and-exploitation/?uid=github)
## Installation
`pip install njsscan`
Requires Python 3.7+ and supports only Mac and Linux.
## Command Line Options
```bash
$ njsscan
usage: njsscan [-h] [--json] [--sarif] [--sonarqube] [--html] [-o OUTPUT] [-c CONFIG] [--missing-controls] [-w] [-v] [path ...]

positional arguments:
  path                  Path can be file(s) or directories with source code

optional arguments:
  -h, --help            show this help message and exit
  --json                set output format as JSON
  --sarif               set output format as SARIF 2.1.0
  --sonarqube           set output format compatible with SonarQube
  --html                set output format as HTML
  -o OUTPUT, --output OUTPUT
                        output filename to save the result
  -c CONFIG, --config CONFIG
                        Location to .njsscan config file
  --missing-controls    enable missing security controls check
  -w, --exit-warning    non zero exit code on warning
  -v, --version         show njsscan version
```
## Example Usage
```bash
$ njsscan test.js
- Pattern Match ████████████████████████████████████████████████████████████ 1
- Semantic Grep ███████████████████████████ 160
njsscan: v0.1.9 | Ajin Abraham | opensecurity.in
╒═════════════╤═══════════════════════════════════════════════════════════════════════════════════════════════╕
│ RULE ID │ express_xss │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ OWASP │ A1: Injection │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ CWE │ CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ DESCRIPTION │ Untrusted User Input in Response will result in Reflected Cross Site Scripting Vulnerability. │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ SEVERITY │ ERROR │
├─────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ FILES │ ╒════════════════╤═══════════════════════════════════════════════╕ │
│ │ │ File │ test.js │ │
│ │ ├────────────────┼───────────────────────────────────────────────┤ │
│ │ │ Match Position │ 5 - 46 │ │
│ │ ├────────────────┼───────────────────────────────────────────────┤ │
│ │ │ Line Number(s) │ 7: 8 │ │
│ │ ├────────────────┼───────────────────────────────────────────────┤ │
│ │ │ Match String │ const { name } = req.query; │ │
│ │ │ │ res.send('<h1> Hello :' + name + "</h1>") │ │
│ │ ╘════════════════╧═══════════════════════════════════════════════╛ │
╘═════════════╧═══════════════════════════════════════════════════════════════════════════════════════════════╛
```
## nodejsscan SAST
**nodejsscan**, built on top of **njsscan**, provides a full-fledged vulnerability management user interface along with other nifty integrations.

See [nodejsscan](https://github.com/ajinabraham/nodejsscan).
## Python API
```python
>>> from njsscan.njsscan import NJSScan
>>> node_source = '/node_source/true_positives/sqli_node.js'
>>> scanner = NJSScan([node_source], json=True, check_controls=False)
>>> scanner.scan()
{
    'templates': {},
    'nodejs': {
        'node_sqli_injection': {
            'files': [{
                'file_path': '/node_source/true_positives/sqli_node.js',
                'match_position': (1, 24),
                'match_lines': (4, 11),
                'match_string': 'var employeeId = req.foo;\n\nvar sql = "SELECT * FROM trn_employee WHERE employee_id = " + employeeId;\n\n\n\nconnection.query(sql, function (error, results, fields) {\n\n if (error) {\n\n throw error;\n\n }\n\n console.log(results);'
            }],
            'metadata': {
                'owasp': 'A1: Injection',
                'cwe': "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                'description': 'Untrusted input concatinated with raw SQL query can result in SQL Injection.',
                'severity': 'ERROR'
            }
        }
    },
    'errors': []
}
```
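The result dict above is what a CI wrapper would consume. The following is an added example (not part of njsscan) that flattens that structure into one record per matched file and derives a build verdict from it; it assumes ERROR findings should always fail the build and, like the CLI's `-w`/`--exit-warning` flag, lets WARNING findings fail it on request. The sample result is constructed in the README's shape; the `regex_injection_dos` hit and its WARNING severity are made up for the demonstration.

```python
"""Gate a CI job on njsscan results (added example, not njsscan's own code)."""
import sys
from typing import Dict, List

# Ranking used by this example; njsscan reports severities as strings.
SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}


def flatten_findings(result: dict) -> List[Dict[str, object]]:
    """Walk section -> rule_id -> files/metadata and emit one flat record
    per matched file, worst severity first."""
    findings = []
    for section in ("nodejs", "templates"):
        for rule_id, rule in result.get(section, {}).items():
            meta = rule.get("metadata", {})
            for hit in rule.get("files", []):
                findings.append({
                    "section": section,
                    "rule_id": rule_id,
                    "severity": meta.get("severity", "INFO"),
                    "cwe": meta.get("cwe", ""),
                    "file": hit.get("file_path", ""),
                    "lines": tuple(hit.get("match_lines", ())),
                })
    findings.sort(key=lambda f: (-SEVERITY_RANK.get(f["severity"], 0),
                                 f["file"], f["rule_id"]))
    return findings


def exit_code(result: dict, exit_warning: bool = False) -> int:
    """2 if the scanner itself reported errors (this example's convention),
    1 if any finding reaches the threshold (ERROR, or WARNING with
    exit_warning set, mirroring -w), otherwise 0."""
    if result.get("errors"):
        return 2
    worst = max((SEVERITY_RANK.get(f["severity"], 0)
                 for f in flatten_findings(result)), default=-1)
    threshold = SEVERITY_RANK["WARNING"] if exit_warning else SEVERITY_RANK["ERROR"]
    return 1 if worst >= threshold else 0


def run_scan(paths: List[str], missing_controls: bool = False) -> dict:
    """Run njsscan through its Python API (needs `pip install njsscan`);
    imported lazily so the pure functions above work without it."""
    from njsscan.njsscan import NJSScan
    return NJSScan(paths, json=True, check_controls=missing_controls).scan()


# Constructed sample in the shape of the README's Python API output.
SAMPLE_RESULT = {
    "templates": {},
    "nodejs": {
        "node_sqli_injection": {
            "files": [{"file_path": "/node_source/true_positives/sqli_node.js",
                       "match_position": (1, 24), "match_lines": (4, 11),
                       "match_string": 'var sql = "SELECT * FROM trn_employee WHERE employee_id = " + employeeId;'}],
            "metadata": {"owasp": "A1: Injection",
                         "cwe": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
                         "severity": "ERROR"},
        },
        # Constructed WARNING-level hit; real rule metadata deliberately omitted.
        "regex_injection_dos": {
            "files": [{"file_path": "/node_source/app.js", "match_position": (1, 30),
                       "match_lines": (12, 12), "match_string": "new RegExp(req.query.q)"}],
            "metadata": {"severity": "WARNING"},
        },
    },
    "errors": [],
}


def main(argv=None) -> int:
    argv = sys.argv[1:] if argv is None else argv
    exit_warning = "-w" in argv
    paths = [a for a in argv if a != "-w"] or ["."]
    result = run_scan(paths)
    for f in flatten_findings(result):
        print(f"{f['severity']:8}{f['rule_id']:28} {f['file']}:{f['lines']}")
    return exit_code(result, exit_warning)


if __name__ == "__main__":
    sys.exit(main())
```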
## Configure njsscan
A `.njsscan` file in the root of the source code directory allows you to configure njsscan. You can also point njsscan at a custom `.njsscan` file with the `--config` argument.
```yaml
---
- nodejs-extensions:
    - .js
  template-extensions:
    - .new
    - .hbs
    - ''
  ignore-filenames:
    - skip.js
  ignore-paths:
    - __MACOSX
    - skip_dir
    - node_modules
  ignore-extensions:
    - .jsx
  ignore-rules:
    - regex_injection_dos
    - pug_jade_template
  severity-filter:
    - WARNING
    - ERROR
```
## Suppress Findings
You can suppress findings from JavaScript source files by adding the comment `// njsscan-ignore: rule_id1, rule_id2` to the line that triggers the findings.
Example:
```javascript
app.get('/some/redirect', function (req, res) {
  var target = req.param("target");
  res.redirect(target); // njsscan-ignore: express_open_redirect
});
```
## CI/CD Integrations
You can enable njsscan in your CI/CD or DevSecOps pipelines.
#### GitHub Action
Add the following to the file `.github/workflows/njsscan.yml`.
```yaml
name: njsscan
on:
  push:
    branches: [ master, main ]
  pull_request:
    branches: [ master, main ]
jobs:
  njsscan:
    runs-on: ubuntu-latest
    name: njsscan check
    steps:
      - name: Checkout the code
        uses: actions/checkout@v4.2.2
      - uses: actions/setup-python@v5.3.0
        with:
          python-version: '3.12'
      - name: nodejsscan scan
        id: njsscan
        uses: ajinabraham/njsscan-action@master
        with:
          args: '.'
```
Example: [dvna with njsscan github action](https://github.com/ajinabraham/dvna/actions?query=workflow%3Anjsscan)
#### GitHub Code Scanning Integration
Add the following to the file `.github/workflows/njsscan_sarif.yml`. The `|| true` after the scan keeps the job from failing on findings so that the upload step always runs; the findings are surfaced through GitHub code scanning instead.
```yaml
name: njsscan sarif
on:
  push:
    branches: [ master, main ]
  pull_request:
    branches: [ master, main ]
jobs:
  njsscan:
    runs-on: ubuntu-latest
    name: njsscan code scanning
    steps:
      - name: Checkout the code
        uses: actions/checkout@v4.2.2
      - uses: actions/setup-python@v5.3.0
        with:
          python-version: '3.12'
      - name: nodejsscan scan
        id: njsscan
        uses: ajinabraham/njsscan-action@master
        with:
          args: '. --sarif --output results.sarif || true'
      - name: Upload njsscan report
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

#### Gitlab CI/CD
Add the following to the file `.gitlab-ci.yml`.
```yaml
stages:
  - test
njsscan:
  image: python
  before_script:
    - pip3 install --upgrade njsscan
  script:
    - njsscan .
```
Example: [dvna with njsscan gitlab](https://gitlab.com/ajinabraham/dvna/-/jobs/602110439)
#### Travis CI
Add the following to the file `.travis.yml`.
```yaml
language: python
install:
  - pip3 install --upgrade njsscan
script:
  - njsscan .
```
#### Circle CI
Add the following to the file `.circleci/config.yaml`.
```yaml
version: 2.1
jobs:
  njsscan:
    docker:
      - image: cimg/python:3.9.6
    steps:
      - checkout
      - run:
          name: Install njsscan
          command: pip install --upgrade njsscan
      - run:
          name: njsscan check
          command: njsscan .
```
## Docker
### Prebuilt image from [DockerHub](https://hub.docker.com/r/opensecurity/njsscan)
```bash
docker pull opensecurity/njsscan
docker run -v /path-to-source-dir:/src opensecurity/njsscan /src
```
### Build Locally
```bash
docker build -t njsscan .
docker run -v /path-to-source-dir:/src njsscan /src
```