
Scanning JavaScript for vulnerabilities: How the impossible is now possible

Security
Posted Friday, January 13, 2017 by MATT HOWARD

JavaScript is everywhere, and it's awesome! But the world's most popular language can be riddled with problems if you aren't a careful programmer.

There is a saying that speaks to the incredible popularity of JavaScript as a programming language and it goes like this: “any application that can be written in JavaScript, will eventually be written in JavaScript.”
 
The web is easily the most popular platform for application development – and JavaScript is the engine inside of the browser that makes web apps sizzle. Anyone and everyone building applications rendered inside of a browser uses JavaScript. In fact, recent survey data from Stack Overflow indicates that JavaScript is the world’s most popular language.
 
However, here’s the thing about JavaScript: on one hand, it’s everywhere and it’s awesome; on the other hand, it’s kind of scary and more than a little bit dirty. To understand my point, consider the observation from Dmitry Baranovskiy, author of the blog So You Think You Know JavaScript, who wrote “JavaScript’s global scope is like a public toilet. You can’t avoid going in there, but try to limit your contact with surfaces when you do.”

A pile of good and bad parts


As revealed in the 2016 State of the Software Supply Chain report, most programming languages contain good and bad parts, but JavaScript has more than its share of the bad. That’s to be expected from a programming language that has an ecosystem with 43 million files and 6 million unique components. Many of the components within this ecosystem contain vulnerabilities, such as Cross-Site Scripting and Cross-Site Request Forgeries. Douglas Crockford, author of JavaScript: The Good Parts, stated “fortunately for JavaScript, there is a beautiful, elegant, highly expressive language that is buried under a steaming pile of good intentions and blunders.”
 
Sorting through this “steaming pile” has been historically problematic, to say the least. Until now, there’s simply been no efficient and effective way to scan for vulnerabilities within JavaScript code, so most companies do not even bother; they simply use the code without considering the potential risks. This can introduce unreliable or defective components into their software supply chains and completely undermine efforts to deliver high quality software through agile practices and methodologies, including DevOps.

Mapping the JavaScript genome


Fortunately, solutions now exist that allow organizations to easily and quickly sort through the enormous JavaScript pile and weed out vulnerabilities, ensuring that only the highest quality parts make it into their software supply chains. These solutions offer an automated, intelligent, efficient process that precisely identifies all JavaScript contained in the npm, Central, and NuGet repositories.
 
Remember how scientists mapped the human genome? Well, now there’s a way to map the JavaScript genome. A single, definitive database was recently developed that can map tens of millions of unstructured JavaScript files and unique components. Each of these can be identified and sorted by names, versions, vulnerabilities, licenses, and code modifications.
 
The benefits are significant. In addition to ensuring that organizations are using only the highest quality JavaScript components, automation allows teams to scale their efforts more quickly at every phase of the development cycle.

The impossible made possible


This once impossible process can effectively be done for all JavaScript libraries, including popular and widely used ones such as jQuery. jQuery has been used on more than 50 percent of websites. It has been embedded, modified, and renamed in 72,000 npm packages. The fact that everyone and their best friend uses jQuery has traditionally made it exceptionally difficult to ascertain which parts of the code may contain bad components. Previously, development teams lacked the ability to quickly and reliably identify specific versions of jQuery to even know if it was healthy or vulnerable. Now, organizations can automatically flag potentially harmful vulnerabilities, ensuring that only the best jQuery components are being used in production.
 
Reg Braithwaite wrote in his book JavaScript Allongé, “The strength of JavaScript is that you can do anything. The weakness is that you will.” Fortunately, organizations can now do just about anything with JavaScript without having to worry about those weaknesses. They can create a higher quality and more streamlined software supply chain composed of JavaScript components.
 
There’s nothing dirty or scary about that.
