doyensec / electronegativity

Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron applications.
Apache License 2.0

Pass electron version to checkers #23

Closed JarLob closed 4 years ago

JarLob commented 6 years ago

Some differences between Electron versions were already found, like https://github.com/electron/electron/blob/master/docs/api/breaking-changes.md#browserwindow, and it is likely more will be found in the future.

ikkisoft commented 5 years ago

Just a quick summary of the current state and this issue:

Is this going to increase the overall complexity for just a minor performance gain? What do you think? Any additional benefit?

JarLob commented 5 years ago

It should increase complexity only slightly in some checkers, as the number of differences between Electron versions is still low. Plus, an additional scan step is needed to read the version first. However, it is not about performance gain but about precision of analysis. For example, it is planned in the future to change the default values of webPreferences. Settings parsing was fixed (https://github.com/electron/electron/issues/15594), although I am not sure in what version, so technically two settings parsing functions are needed for older and newer Electron versions.
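
An added example (not part of the thread and not Electronegativity's own code) of the version-aware check discussed in the comment above: it reads the Electron version from a constructed package.json and resolves omitted webPreferences against that version's defaults. All function names are hypothetical; the two default changes listed (nodeIntegration in 5.0, contextIsolation in 12.0) are taken from Electron's breaking-changes document.

```javascript
// Added example with hypothetical names; not Electronegativity code.
// Defaults that flipped between Electron majors, per Electron's
// breaking-changes document: [preference, first major with new default, old, new].
const DEFAULT_CHANGES = [
  ['nodeIntegration', 5, true, false],
  ['contextIsolation', 12, false, true],
];

// Extract the major version from a package.json range such as "^4.2.1".
// Returns null when no concrete version can be read (e.g. "latest").
function electronMajor(pkg) {
  const range = (pkg.devDependencies || {}).electron || (pkg.dependencies || {}).electron;
  const m = /(\d+)\.\d+\.\d+/.exec(range || '');
  return m ? Number(m[1]) : null;
}

// Resolve what a BrowserWindow would actually run with: explicit settings win,
// otherwise the default for the detected major version applies.
function effectivePrefs(explicit, major) {
  const prefs = {};
  for (const [name, since, oldDefault, newDefault] of DEFAULT_CHANGES) {
    if (name in explicit) prefs[name] = explicit[name];
    else if (major === null) prefs[name] = null; // version unknown: cannot decide
    else prefs[name] = major >= since ? newDefault : oldDefault;
  }
  return prefs;
}

// Report findings for one window's webPreferences under the project's version.
function check(pkg, explicit) {
  const major = electronMajor(pkg);
  const prefs = effectivePrefs(explicit, major);
  const findings = [];
  if (prefs.nodeIntegration !== false) findings.push('NODE_INTEGRATION');
  if (prefs.contextIsolation !== true) findings.push('CONTEXT_ISOLATION');
  return { major, findings, needsReview: major === null };
}

// Constructed inputs: the same empty webPreferences under two Electron versions.
const oldApp = { devDependencies: { electron: '^4.2.1' } };
const newApp = { devDependencies: { electron: '12.0.0' } };
console.log(check(oldApp, {}));
console.log(check(newApp, {}));
```

Without the version, a checker has to assume one set of defaults and either misses the insecure default on the older project or reports a false positive on the newer one.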

phosphore commented 4 years ago

A design proposal for this issue was submitted in #58 (comment).