While working on improving our engine, we struggled to find a publicly available benchmark for JS/TS that could be used to assess its detection capabilities. For Java it was easy: the OWASP Benchmark is public and well-known. For JS/TS, the landscape is almost empty.
We finally decided to rely on a well-known training application, OWASP JuiceShop, which is written in JS/TS. It was designed to train developers, not to test SAST analyzers. Nevertheless, we adopted it as our measuring stick because it deliberately contains exactly the kinds of insecure code we need to find.
Vulnerability Types Supported
- S3649: Database queries should not be vulnerable to injection attacks
- S5334: Dynamic code execution should not be vulnerable to injection attacks
- S5131: Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks
- S6096: Extracting archives should not lead to zip slip vulnerabilities
- S5146: HTTP request redirections should not be open to forging attacks
- S2083: I/O function calls should not be vulnerable to path injection attacks
- S5696: Modifying the DOM should not lead to cross-site scripting (XSS) attacks
- S6105: Modifying the DOM should not lead to open redirect vulnerabilities
- S5147: NoSQL operations should not be vulnerable to injection attacks
- S5883: OS commands should not be vulnerable to argument injection attacks
- S2076: OS commands should not be vulnerable to command injection attacks
- S2631: Regular expressions should not be vulnerable to Denial of Service attacks
- S5144: Server-side requests should not be vulnerable to forging attacks
A precise SAST analysis is useless if its results arrive hours or days after a pull request is created: the context switch kills your velocity. If results take hours, you are probably already working on something else by the time they arrive, and getting back up to speed on the earlier change costs precious time. At SonarSource, we consider analysis speed a key feature of a SAST solution, and we worked hard to keep analysis time under control while exploring more paths and producing more precise results.
SonarCloud classifies the OWASP JuiceShop project as medium-sized at 34K lines of code, and it can be analyzed very quickly.
SonarCloud and Local Analysis
If you want to reproduce and explore the vulnerabilities we listed here, we invite you to clone the JuiceShop project and run your own scan on SonarCloud.io.
On an average machine with an Intel Core i5 3570 @ 3.40 GHz and 16 GB of RAM, scanning the OWASP JuiceShop should take less than 6 minutes.
With SonarCloud and Automatic Analysis
Ground Truth & Results
As of April 2021, SonarCloud detects 13 of the 16 injection vulnerabilities in JuiceShop, which means it automatically finds 81% of them.
With SonarCloud, you can make sure your Node.js / Express.js application contains no injection vulnerabilities, as the scan of the well-known OWASP JuiceShop project demonstrates. Today, SonarCloud covers the majority of the injection vulnerabilities a developer can introduce on the server side.
In the coming months, we are going to focus on client-side vulnerabilities and detect XSS vulnerabilities, in particular the ones that are highlighted by OWASP JuiceShop. Our goal is 100% detection in Juice Shop. Then we'll move on to get good results on the OpenSSF CVE Benchmark.
Note: if you are a SonarQube user, you have access to the same security engine starting from SonarQube Developer Edition 8.9 LTS.