Find vulnerabilities in JavaScript with NPM

You can scan JavaScript in NPM repositories using the command-line interface or the CI integrations.

For packaging instructions for Veracode Static Analysis, see Packaging JavaScript and TypeScript applications.

Scan your code

You can scan any code repository to which you have access, provided you meet the requirements below. To run an example scan, you can clone one of the public Veracode SCA repositories:

git clone https://github.com/veracode/example-javascript   

After you add a srcclr.yml file to the directory at which you point the Veracode SCA agent, you can specify scan directives for scanning your NPM code. Some scan directives are specific to NPM projects or, like scope, require NPM-specific configuration.

Before you begin:

  • Meet the requirements for the Veracode SCA agent.
  • Have access to the NPM repository.
  • Have NPM 2.10.0 or later installed on the local path.
  • In the repository to scan, include the package.json, package-lock.json, or npm-shrinkwrap.json file with the lockfile format set to version 3 or lower.
  • If neither npm-shrinkwrap.json nor package-lock.json exists, be able to run the npm ls command from the root of the project where you perform scans.

The Veracode SCA agent runs a specific command to identify the dependencies and their versions in your project. You can run this command before scanning to test that the agent can build the project:

npm install --only=production
npm ls --only=production --json
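The agent reads the JSON tree that the npm ls command above prints. As an added example (not Veracode's code), the following Node script parses that output and reports every occurrence of a given library version, marking whether it is a direct dependency (listed in package.json) or a transitive one reached through another library; that distinction decides which of the fix procedures later on this page applies. The tree is a constructed sample that mirrors the example-javascript repository, and walkTree, findOccurrences and report are names chosen here.

```javascript
// Added example (not Veracode's code): classify every library in the tree that
// "npm ls --only=production --json" prints as a direct or transitive dependency
// and list each path that leads to a given library@version.
// The tree below is constructed to resemble the example-javascript repository:
// cookie-signature 1.0.3 is reached through two different parents.
const sampleNpmLs = {
  name: 'example-javascript',
  version: '1.0.0',
  dependencies: {
    express: {
      version: '4.1.1',
      dependencies: {
        'cookie-signature': { version: '1.0.3' },
        debug: { version: '0.8.1' },
      },
    },
    'cookie-parser': {
      version: '1.0.1',
      dependencies: {
        'cookie-signature': { version: '1.0.3' },
      },
    },
  },
};

// Depth-first walk over the nested "dependencies" objects. Yields one record
// per node; path[0] is always the direct dependency the node hangs under.
function* walkTree(tree, path = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    yield { name, version: node.version, path: here };
    yield* walkTree(node, here);
  }
}

// Every occurrence of name@version. A path of length 1 means package.json
// references the library directly, so installing the fixed version with
// --save resolves it; longer paths are transitive and need a parent upgrade
// or a forced resolution instead.
function findOccurrences(tree, name, version) {
  return [...walkTree(tree)]
    .filter((n) => n.name === name && n.version === version)
    .map((n) => ({ direct: n.path.length === 1, via: n.path.join(' > ') }));
}

// Entry point for the raw text that npm ls --json writes to stdout.
function report(rawJson, name, version) {
  return findOccurrences(JSON.parse(rawJson), name, version);
}

const raw = JSON.stringify(sampleNpmLs);
console.log(report(raw, 'cookie-signature', '1.0.3'));
// [ { direct: false, via: 'express@4.1.1 > cookie-signature@1.0.3' },
//   { direct: false, via: 'cookie-parser@1.0.1 > cookie-signature@1.0.3' } ]
console.log(report(raw, 'express', '4.1.1'));
// [ { direct: true, via: 'express@4.1.1' } ]
```

To use it on a real project, pass the text captured from npm ls --only=production --json to report() instead of the constructed sample; npm prints the same nested layout whether or not it has hoisted the physical copy in node_modules.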

To complete this task:

At the command line, run the scan command pointed to the directory of the NPM repository. For example:

srcclr scan path/to/{project_folder}

To scan code repositories hosted in Git, use the --url argument at the command line.

To view more verbose output during the scan process, add the --loud argument:

srcclr scan path/to/{project_folder} --loud

Results:

The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.

Next steps:

After completing the scan, you can view the results.

Fix example direct vulnerability

When your configuration file specifically references a library, Veracode SCA refers to the library as a direct dependency.

These example steps provide a fix for a Cross-site Scripting (XSS) Using Non-standard Encodings vulnerability in Express, version 4.1.1 in the example-javascript repository.

To complete this task:

  1. Run this command to edit the package.json file in the root of the project:

    npm install [email protected] --save
  2. Validate the fix.

Fix example transitive vulnerability

Because NPM projects allow for multiple versions of the same library, you cannot override a vulnerable library by adding the appropriate version directly to the configuration file.

These steps provide a fix for a Timing Attack Via Signature Validation vulnerability in cookie-signature, version 1.0.3 in the example-javascript repository. In this example, the recommended version of cookie-signature is 1.0.4.

Before you begin:

You must have already run a Veracode SCA agent-based scan or run the npm install command to install dependencies. These actions result in a node_modules folder and a package-lock.json appearing in your project.

To complete this task:

  1. Add this resolutions section to your package.json file:

    "resolutions": {
      "cookie-signature": "1.0.4"
    }

    If a resolutions section already exists, add "cookie-signature": "1.0.4" to it.

  2. Add this scripts section to your package.json file:

    "scripts": {
      "preinstall": "npx npm-force-resolutions"
    }

    If a scripts section already exists, add "preinstall": "npx npm-force-resolutions" to it. With this change, the npm install command uses the NPM Force Resolutions package to force the version of the cookie-signature library to 1.0.4, as specified in the resolutions section.

  3. Delete the node_modules folder.

  4. Run the npm install command to download the updated dependency and ensure the updated version works with your project.
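Steps 1 and 2 above are edits to package.json that are easy to get wrong when a resolutions or scripts section already exists. As an added example (not Veracode's code and not part of the npm-force-resolutions package), the following Node function applies both edits to a package.json object, merging into existing sections and refusing to overwrite a preinstall script the project already depends on. The package.json contents are constructed; addForcedResolution and PREINSTALL_HOOK are names chosen here.

```javascript
// Added example (not Veracode's or npm-force-resolutions' code): apply the two
// package.json edits from the steps above in one function, merging into any
// resolutions or scripts section that already exists instead of replacing it.
const PREINSTALL_HOOK = 'npx npm-force-resolutions';

// Returns a new package.json object with name pinned to version under
// "resolutions" and the preinstall hook registered; the input is not modified.
function addForcedResolution(pkg, name, version) {
  const updated = JSON.parse(JSON.stringify(pkg)); // deep copy
  updated.resolutions = { ...(updated.resolutions || {}), [name]: version };
  updated.scripts = updated.scripts || {};
  const existing = updated.scripts.preinstall;
  if (existing && !existing.includes(PREINSTALL_HOOK)) {
    // Do not silently discard a preinstall script the project already relies on;
    // the maintainer has to decide how to chain the two commands.
    throw new Error(`preinstall is already "${existing}"; add "${PREINSTALL_HOOK}" to it by hand`);
  }
  updated.scripts.preinstall = existing || PREINSTALL_HOOK;
  return updated;
}

// Constructed package.json in the shape of the example-javascript project.
const samplePackageJson = {
  name: 'example-javascript',
  version: '1.0.0',
  dependencies: { express: '4.1.1', 'cookie-parser': '1.0.1' },
  scripts: { test: 'mocha' },
};

console.log(JSON.stringify(addForcedResolution(samplePackageJson, 'cookie-signature', '1.0.4'), null, 2));
```

Running the function a second time on its own output is a no-op for the preinstall hook and simply re-pins the same version, so it is safe to use in a script that is applied repeatedly; delete node_modules and run npm install afterwards, as steps 3 and 4 describe.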

Next steps:

If you encounter problems using the NPM force-resolutions package, you can use this alternative method.

Fix example transitive vulnerability without force resolutions

If you encounter problems using the NPM force-resolutions package, you can use this alternative method to fix transitive vulnerabilities in NPM projects.

Before you begin:

  • Run a Veracode SCA agent-based scan or run the npm install command to install dependencies. These actions result in a node_modules folder and a package-lock.json appearing in your project.
  • Use NPM version 3.10.4 or later.

To complete this task:

  1. Run the npm shrinkwrap command in the same directory as your package.json file. This command generates an npm-shrinkwrap.json file listing all the dependencies currently in use.

  2. Find the cookie-signature library with the version specified in the issue details viewed previously. In this example, version 1.0.3 is vulnerable and the recommended version is 1.0.4.

  3. Edit the npm-shrinkwrap.json file to update the cookie-signature library:

    "cookie-signature": {
      "version": "1.0.4",
      "from": "[email protected]",
      "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.4.tgz"
    }
  4. Delete the node_modules folder.

  5. To download the updated dependency and ensure the updated version works with your project, run npm install.
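Because NPM keeps multiple copies of one library, the vulnerable version can sit under several parents in npm-shrinkwrap.json, and editing one copy by hand while missing another leaves the vulnerable version installed. As an added example (not Veracode's code), the following Node script performs the step 3 edit for every copy in the nested "dependencies" layout that npm 3.x writes, then counts how many entries of the vulnerable version remain so the fix can be validated. The shrinkwrap contents are constructed; registryUrl, countVersion and pinShrinkwrap are names chosen here, and the tarball URL pattern is assumed for unscoped packages on the public registry.

```javascript
// Added example (not Veracode's code): rewrite every copy of a vulnerable
// library inside an npm-shrinkwrap.json to the recommended version, which is
// what step 3 above does by hand. The shrinkwrap below is constructed: it
// nests "dependencies" objects the way npm 3.x writes them, with
// cookie-signature 1.0.3 present under two different parents.
const sampleShrinkwrap = {
  name: 'example-javascript',
  version: '1.0.0',
  dependencies: {
    express: {
      version: '4.1.1',
      from: 'express@4.1.1',
      resolved: 'https://registry.npmjs.org/express/-/express-4.1.1.tgz',
      dependencies: {
        'cookie-signature': {
          version: '1.0.3',
          from: 'cookie-signature@1.0.3',
          resolved: 'https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.3.tgz',
        },
        cookie: { version: '0.1.2', from: 'cookie@0.1.2' }, // must stay untouched
      },
    },
    'cookie-parser': {
      version: '1.0.1',
      from: 'cookie-parser@1.0.1',
      dependencies: {
        'cookie-signature': { version: '1.0.3', from: 'cookie-signature@1.0.3' },
      },
    },
  },
};

// Tarball URL layout for unscoped packages on the public registry (assumption:
// scoped packages such as @scope/name use a different path and are not handled).
function registryUrl(name, version) {
  return `https://registry.npmjs.org/${name}/-/${name}-${version}.tgz`;
}

// Count entries of name@version anywhere in the tree; used to verify the fix.
function countVersion(lock, name, version) {
  let n = 0;
  for (const [depName, dep] of Object.entries(lock.dependencies || {})) {
    if (depName === name && dep.version === version) n += 1;
    n += countVersion(dep, name, version);
  }
  return n;
}

// Returns { lock, changed }: a rewritten copy of the lockfile and how many
// entries were pinned. The input object is left unchanged.
function pinShrinkwrap(lock, name, badVersion, goodVersion) {
  const updated = JSON.parse(JSON.stringify(lock));
  let changed = 0;
  const visit = (node) => {
    for (const [depName, dep] of Object.entries(node.dependencies || {})) {
      if (depName === name && dep.version === badVersion) {
        dep.version = goodVersion;
        dep.from = `${name}@${goodVersion}`;
        dep.resolved = registryUrl(name, goodVersion);
        // An "integrity" hash (written by npm 5 and later) belongs to the old
        // tarball; leaving it in place would make npm reject the new one, so
        // drop it and let npm record the new hash on the next install.
        delete dep.integrity;
        changed += 1;
      }
      visit(dep);
    }
  };
  visit(updated);
  return { lock: updated, changed };
}

const { lock: fixed, changed } = pinShrinkwrap(sampleShrinkwrap, 'cookie-signature', '1.0.3', '1.0.4');
console.log(`pinned ${changed} entries; 1.0.3 left: ${countVersion(fixed, 'cookie-signature', '1.0.3')}`);
// pinned 2 entries; 1.0.3 left: 0
```

Write the returned lock object back to npm-shrinkwrap.json, then continue with steps 4 and 5. Lockfile versions 2 and 3 additionally carry a flat "packages" map alongside the nested "dependencies" tree; this example edits only the nested tree that step 3 refers to.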

Fix example vulnerable method

Veracode SCA supports vulnerable method analysis for NPM packages using the NPM and Yarn package managers. It does not support vulnerable method analysis with Bower.

These example steps provide a fix for a Regular Expression Denial Of Service (ReDoS) vulnerable method in the marked library in the example-javascript-vulnerable-methods repository.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.

  2. Select Agent-Based Scan.

  3. Select your workspace.

  4. Select Projects.

  5. Select the srcclr/example-javascript-vulnerable-methods project.

  6. Select Regular Expression Denial Of Service (ReDoS) in the Vulnerabilities table. The Vulnerable Methods section shows that the marked.InlineLexer method is the vulnerable part of the library.

  7. To address the identified vulnerable method, do one of these tasks:

    • Change your code so that it behaves the same way without calling this particular method.
    • Follow the provided instructions to update the library to a safe version.
  8. Validate the fix.