We are using ESLint instead. Your options:
Thank you.
ScanJS was a static analysis tool for JavaScript code. ScanJS was created as an aid for security review, to help identify security issues in client-side web applications.
ScanJS used Acorn to convert sources to an AST, then walked the AST looking for source patterns. You could use the rules file supplied, or load your own rules.
Rules are specified in JSON format - for an example see /common/template_rules.json
At a minimum, each rule is made up of 2 attributes:
Optionally a rule may have the following attributes:
For the source attribute, the following basic statements are supported:
foo : matches any identifier "foo"
$_any.foo : $_any is a wildcard, matches anything.foo
foo.bar : matches object and property, i.e. foo.bar
You can also match function calls based on the same syntax:
foo() : matches function calls with this name
$_any.foo() : matches anything.foo() but not foo()
foo.bar() : matches foo.bar() only
You can also search for functions with matching literal arguments:
foo('test',ignored,42) : matches a function called foo, with 'test' as the first argument, anything as the second argument, and the number 42 as the third argument (i.e. matches ONLY literal arguments)
$_any.foo('test',ignored,42) : same as above, but the function has to be a property
foo.bar('test',ignored,42) : same as above, but matches both object and property
You can also search for assignment to a specifically named identifier:
foo=$_any : matches when foo is assigned to something
$_any.foo=$_any : matches when anything.foo is assigned to something
foo.bar=$_any : matches when foo.bar is assigned to something
If you specify $_unsafe on the right hand side (e.g. foo.innerHTML=$_unsafe), it will only match if the RHS contains at least one identifier. This is the distinction that matters for a sink such as innerHTML: a constant string on the RHS is not attacker-influenced, whereas any identifier on the RHS may carry untrusted data and deserves review.
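The following is an added example, not ScanJS's own code: a small matcher that implements the pattern syntax described above (identifier, $_any.prop, call with literal arguments, assignment with $_any or $_unsafe on the RHS). It runs over hand-constructed ESTree-shaped nodes, the node shape Acorn produces, so it needs no parser dependency. The pattern grammar in parsePattern is an assumption written from this README; the rule field "name", the helper names (matchTarget, matchNode, scan, SAMPLE_AST, SAMPLE_RULES) and the sample program are this example's own.

```javascript
// Added example (not ScanJS's own code): a matcher for the source-pattern syntax
// described in the README, run over hand-constructed ESTree-shaped nodes (the
// shape Acorn produces). parsePattern is an assumption about the grammar written
// from the README; helper names and sample data are this example's own.
const ANY = "$_any";
const UNSAFE = "$_unsafe";

// A quoted string or a number in an argument list is a literal to match exactly;
// any other token (e.g. "ignored") is a wildcard. Commas inside strings are not handled.
function parseArg(a) {
  if (/^'.*'$|^".*"$/.test(a)) return { literal: a.slice(1, -1) };
  if (/^-?\d+(\.\d+)?$/.test(a)) return { literal: Number(a) };
  return { literal: undefined };
}

// "obj.prop", "obj.prop('lit',ignored,42)" or "obj.prop=$_any" -> pattern object.
function parsePattern(src) {
  let rhs = null;
  const eq = src.indexOf("=");
  if (eq !== -1) { rhs = src.slice(eq + 1).trim(); src = src.slice(0, eq).trim(); }
  let args = null;
  const paren = src.indexOf("(");
  if (paren !== -1) {
    const inner = src.slice(paren + 1, src.lastIndexOf(")")).trim();
    args = inner === "" ? [] : inner.split(",").map(a => parseArg(a.trim()));
    src = src.slice(0, paren);
  }
  const parts = src.split(".");
  return { object: parts.length > 1 ? parts[0] : null, property: parts[parts.length - 1], args, rhs };
}

// Generic pre-order walk over any ESTree node.
function walk(node, visit) {
  if (!node || typeof node.type !== "string") return;
  visit(node);
  for (const v of Object.values(node)) {
    if (Array.isArray(v)) v.forEach(c => walk(c, visit));
    else if (v && typeof v.type === "string") walk(v, visit);
  }
}

// $_unsafe semantics: the RHS subtree contains at least one Identifier.
function containsIdentifier(node) {
  let found = false;
  walk(node, n => { if (n.type === "Identifier") found = true; });
  return found;
}

// Does an Identifier / MemberExpression node match the "obj.prop" part of a pattern?
function matchTarget(node, pat) {
  if (pat.object === null) return node.type === "Identifier" && node.name === pat.property;
  if (node.type !== "MemberExpression" || node.computed) return false;
  if (node.property.name !== pat.property) return false;
  return pat.object === ANY || (node.object.type === "Identifier" && node.object.name === pat.object);
}

// Literal arguments must match position-for-position; wildcards and extra arguments pass.
function matchArgs(args, pats) {
  if (args.length < pats.length) return false;
  return pats.every((p, i) => p.literal === undefined ||
    (args[i].type === "Literal" && args[i].value === p.literal));
}

function matchNode(node, pat) {
  if (pat.rhs !== null) {
    if (node.type !== "AssignmentExpression" || !matchTarget(node.left, pat)) return false;
    return pat.rhs === UNSAFE ? containsIdentifier(node.right) : true;
  }
  if (pat.args !== null) {
    return node.type === "CallExpression" && matchTarget(node.callee, pat) && matchArgs(node.arguments, pat.args);
  }
  return matchTarget(node, pat);
}

// Returns the names of the rules that fire, in source order.
function scan(ast, rules) {
  const compiled = rules.map(r => ({ name: r.name, pat: parsePattern(r.source) }));
  const findings = [];
  walk(ast, node => { for (const { name, pat } of compiled) if (matchNode(node, pat)) findings.push(name); });
  return findings;
}

// Builders for a constructed sample program in Acorn's ESTree shape.
const id = name => ({ type: "Identifier", name });
const lit = value => ({ type: "Literal", value });
const member = (object, property) => ({ type: "MemberExpression", computed: false, object, property: id(property) });
const call = (callee, ...args) => ({ type: "CallExpression", callee, arguments: args });
const assign = (left, right) => ({ type: "AssignmentExpression", operator: "=", left, right });
const stmt = expression => ({ type: "ExpressionStatement", expression });

// Constructed sample: what Acorn would produce for the source in the comments.
const SAMPLE_AST = { type: "Program", body: [
  stmt(assign(member(id("el"), "innerHTML"), id("userInput"))),  // el.innerHTML = userInput;
  stmt(assign(member(id("el"), "innerHTML"), lit("static"))),    // el.innerHTML = "static";
  stmt(call(id("foo"), lit("test"), id("bar"), lit(42))),         // foo("test", bar, 42);
  stmt(call(member(id("document"), "write"), id("data"))),        // document.write(data);
] };

// Constructed rules; "name" is this example's own field, "source" is the README's pattern attribute.
const SAMPLE_RULES = [
  { name: "innerHTML_any",    source: "$_any.innerHTML=$_any" },
  { name: "innerHTML_unsafe", source: "$_any.innerHTML=$_unsafe" },
  { name: "foo_literal_args", source: "foo('test',ignored,42)" },
  { name: "document_write",   source: "$_any.write()" },
  { name: "eval_ident",       source: "eval" },
];

console.log(scan(SAMPLE_AST, SAMPLE_RULES).join(", "));
```

Note that the second innerHTML assignment fires innerHTML_any but not innerHTML_unsafe, because its RHS is a bare string literal with no identifier in it; this is the noise-reduction the $_unsafe wildcard buys you when triaging DOM sinks.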
Tips:
Examples: See /common/template_rules.json and /common/rules.json
nodejs server.js
scanner.js -t DIRECTORY_PATH
Tests use the mocha testing framework.
npm test
http://127.0.0.1:4000/tests/
Tests are included in the rules declaration (see common/rules.json) by specifying the following two attributes, each given as a series of JavaScript statements: