Step-by-step manual for setting up and using Nodejsscan for SAST

Anonim

This article presents a step-by-step guide to setting up and using Nodejsscan for SAST. Readers will be walked through a practical example of installing and running the program.

Nodejsscan is a static code scanner used to search for security deficiencies in Node.js applications. The aim is to understand exactly how Nodejsscan can be used for SAST whenever such a need arises.

Installation, Setup and Use of the Nodejsscan Scanner
  • The user installs Postgres and configures it (SQLALCHEMY_DATABASE_URL) in core/settings.py.
  • Next, they download the Nodejsscan package from its GitHub repository.

After that you need to go to the nodejsscan directory and install all the necessary components using the command:

pip3 install -r requirements.txt
  • You must execute the command "python3 migrate.py" once to create the necessary entries in the database.
  • The command "python3 app.py" is run to test the application in a development environment.
  • For a production environment, install gunicorn, which Nodejsscan requires for correct operation, and start the application with the command "gunicorn -b 0.0.0.0:9090 app:app".

This will run Nodejsscan at http://0.0.0.0:9090. If you need to debug, set DEBUG to "True" in core/settings.py. Because this tool is updated periodically, Nodejsscan produces a minimal number of false positives.

Command Line Interface (CLI) Nodejsscan

The Command Line Interface, or "CLI", allows this tool to be integrated into DevSecOps CI/CD pipelines. The results are presented to the user in JSON format.
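As an added example (not part of the original article or of the Nodejsscan project), the following script shows how a CI/CD job could consume the CLI's JSON results and fail the build above a chosen severity. The report layout it parses (rule id to metadata plus matched files under a "nodejs" key), the rule names and the file paths are all constructed assumptions for the example, not output taken from the tool.

```python
import json
import sys
from collections import Counter

# Ordering used to compare a finding against the configured threshold.
SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}

# Constructed sample report. Its layout (rule id -> metadata plus matched
# files under a "nodejs" key) is an ASSUMPTION made for this example; check it
# against the JSON the installed nodejsscan CLI actually emits.
SAMPLE_REPORT = json.dumps({
    "nodejs": {
        "express_xss": {
            "metadata": {"severity": "ERROR", "description": "Untrusted input reflected in response"},
            "files": [{"file_path": "routes/search.js", "match_lines": [12, 12]}],
        },
        "cookie_httponly": {
            "metadata": {"severity": "WARNING", "description": "Session cookie without httpOnly"},
            "files": [{"file_path": "app.js", "match_lines": [40, 40]},
                      {"file_path": "admin.js", "match_lines": [8, 8]}],
        },
    },
    "errors": [],
})

def collect_findings(report_json):
    """Flatten the report into (rule_id, file_path, severity) tuples, one per matched file."""
    findings = []
    for rule_id, rule in json.loads(report_json).get("nodejs", {}).items():
        severity = rule.get("metadata", {}).get("severity", "INFO").upper()
        for match in rule.get("files", []):
            findings.append((rule_id, match.get("file_path", "?"), severity))
    return findings

def severity_counts(report_json):
    """Count findings per severity, e.g. {'ERROR': 1, 'WARNING': 2}."""
    return Counter(sev for _, _, sev in collect_findings(report_json))

def should_fail(report_json, fail_on="WARNING"):
    """True when any finding is at or above the fail_on severity threshold."""
    threshold = SEVERITY_RANK[fail_on.upper()]
    return any(SEVERITY_RANK.get(sev, 0) >= threshold for _, _, sev in collect_findings(report_json))

if __name__ == "__main__":
    # Usage: python gate.py report.json [FAIL_ON]; without arguments the constructed sample is used.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for rule_id, path, sev in collect_findings(data):
        print(f"{sev:8} {rule_id:18} {path}")
    sys.exit(1 if should_fail(data, sys.argv[2] if len(sys.argv) > 2 else "WARNING") else 0)
```

A non-zero exit code is what makes the pipeline step fail, so the threshold can be tuned per branch (for example WARNING on main, ERROR on feature branches).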
Docker

Docker images can be configured for Nodejsscan using the following steps:

  • First, you need to make sure that Docker itself is installed on the system.
  • The user starts the Docker service using the command:

service docker start

  • Next, they run the following command from the nodejsscan directory to build the image:

docker build -t nodejsscan .

  • Then, finally, they enter this command to run the application:

docker run -it -p 9090:9090 nodejsscan

Demonstration of the whole process on a practical example
  • The user tested this tool on a repository containing incomplete and vulnerable code.
  • The Nodejsscan application accepts uploads in .zip format. So, you first need to compress your .js code into a .zip archive, then open the web interface in the browser and upload the compressed file.
  • Once the zip file has been uploaded and scanned, the tool shows the user a list of all vulnerabilities found.

The author of the translated article: Sudhansu Shekhar.
