JavaScript/TypeScript

Learn how to implement Endor Labs in repositories with JavaScript or TypeScript packages.

JavaScript is a high-level, interpreted programming language, widely used by developers, primarily for creating interactive and dynamic web content. Endor Labs supports scanning and monitoring JavaScript projects.

Using Endor Labs, developers can:

  • Test their software for potential issues and violations of organizational policy
  • Prioritize vulnerabilities in the context of their applications
  • Understand the relationships between software components in their applications

System specifications for deep scan

Before you proceed to run a deep scan, ensure that your system meets the following specification.

Project size         Processor            Memory
Small projects       4-core processor     16 GB
Mid-size projects    8-core processor     32 GB
Large projects       16-core processor    64 GB

Software prerequisites

  • Endor Labs requires the following prerequisite software to be installed to perform a scan successfully:
    • Yarn: Any version
    • npm: 6.14.18 or higher versions
    • pnpm: 3.0.0 or higher versions
  • Make sure your repository includes one or more files with .js or .ts extension.

Build JavaScript projects

You can choose to build your JavaScript projects before running a scan. This ensures that a package-lock.json, yarn.lock, or pnpm-lock.yaml file exists, which speeds up the scan.

Ensure your repository has a package.json file, then run the command for your package manager and confirm that it builds the project successfully.

For npm:

npm install

For Yarn:

yarn install

For pnpm:

pnpm install

If the project is not built, endorctl builds the project during the scan and generates a package-lock.json, yarn.lock, or pnpm-lock.yaml file. Make sure that npm, Yarn, or pnpm is installed on your system. If your repository already includes a lock file, endorctl uses the existing file for dependency resolution and does not create it again.

Run a scan

Perform a scan to get visibility into your software composition and resolve dependencies.

endorctl scan

Detect dependencies with pnpm

If you are using pnpm, set the environment variable ENDOR_PNPM_ENABLED to true and then run the scan.

export ENDOR_PNPM_ENABLED=true
endorctl scan
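The build and pnpm sections above leave one decision to the person wiring up CI: which package manager the checkout uses, which install command to run, and whether ENDOR_PNPM_ENABLED must be set. The following is an added example, not endorctl code or anything shipped by Endor Labs. It assumes `files` is the list of entries at the repository root and `packageJson` is the parsed manifest; the optional `packageManager` field is the one Node's corepack reads and is treated as authoritative when present. The sample file list is constructed.

```javascript
// Added example, not endorctl code: decide which package manager a checkout
// uses, which install command to run before the scan, and which environment
// variable endorctl needs. `files` is the list of entries at the repository
// root and `packageJson` the parsed manifest; its optional "packageManager"
// field (the one Node's corepack reads, e.g. "pnpm@8.15.0") wins over lock files.

const MANAGERS = ['npm', 'yarn', 'pnpm'];
const LOCK_FILE_OF = { npm: 'package-lock.json', yarn: 'yarn.lock', pnpm: 'pnpm-lock.yaml' };

function detectPackageManager(files, packageJson = {}) {
  const notes = [];
  const present = MANAGERS.filter((m) => files.includes(LOCK_FILE_OF[m]));
  const declared = String(packageJson.packageManager || '').split('@')[0];

  let manager;
  if (MANAGERS.includes(declared)) {
    // Explicit declaration wins; still flag a mismatch with the lock files on disk.
    manager = declared;
    if (present.length && !present.includes(declared)) {
      notes.push(`package.json declares ${declared} but the lock file(s) belong to ${present.join(', ')}`);
    }
  } else if (present.length === 1) {
    manager = present[0];
  } else if (present.length > 1) {
    // Ambiguous checkout: pick the first known manager but say so.
    manager = present[0];
    notes.push(`several lock files found (${present.map((m) => LOCK_FILE_OF[m]).join(', ')}); keep one so dependency resolution is unambiguous`);
  } else {
    manager = 'npm';
    notes.push('no lock file found; endorctl will build the project during the scan and create one');
  }

  // Only pnpm needs an extra environment variable for endorctl (see the pnpm section).
  const env = manager === 'pnpm' ? { ENDOR_PNPM_ENABLED: 'true' } : {};
  return {
    manager,
    lockFilePresent: files.includes(LOCK_FILE_OF[manager]),
    installCommand: `${manager} install`,
    env,
    notes,
  };
}

// Constructed sample: a pnpm checkout with an .npmrc for a private registry.
const SAMPLE_FILES = ['package.json', 'pnpm-lock.yaml', 'src', '.npmrc'];
console.log(detectPackageManager(SAMPLE_FILES));
```

Run it with `node`; the printed object gives the install command to run before `endorctl scan` and the environment to export alongside it.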

Enable dependency reachability

To enable dependency reachability, which detects dependencies used in source code but not declared in the package’s manifest files, set the --call-graph-languages flag to javascript,typescript.

endorctl scan --call-graph-languages=javascript,typescript --build

You can perform the scan from within the root directory of the Git project repository, and save the local results to a results.json file. The results and related analysis information are available on the Endor Labs user interface.

endorctl scan -o json | tee /path/to/results.json

You can sign in to the Endor Labs user interface, click Projects in the left sidebar, and find your project to review its results.

Enable call graphs (Beta)

To enable call graphs for JavaScript and TypeScript projects use the following process.

Prerequisites:

  • Ensure endorctl version is 1.6.594 or higher.
  • Ensure Node.js version 4.2.6 or higher is installed to support TypeScript version 4.9.
  • Ensure TypeScript version 4.9 or higher is installed.

Steps:

  1. Install tsserver. tsserver is included with TypeScript, so installing the appropriate TypeScript version automatically installs tsserver. Follow these steps based on your Node.js version:

    • For Node.js versions lower than 12.2, install TypeScript version 4.9:

      npm install -g typescript@4.9
      
    • For Node.js versions between 12.2 and 14.17, install TypeScript version 5.0:

      npm install -g typescript@5.0
      
    • For Node.js version higher than or equal to 14.17, install the latest TypeScript version:

      npm install -g typescript
      
    • Check the tsserver installation.

      # Run 'which tsserver' to confirm installation
      which tsserver
      /opt/homebrew/bin/tsserver
      

    If you run the endorctl scan with --install-build-tools, you do not need to install tsserver. See Manage build tools for more information.

  2. Run the endorctl scan with the environment variable ENDOR_JS_ENABLE_TSSERVER=true and the flags --call-graph-languages=javascript,typescript and --build.

ENDOR_JS_ENABLE_TSSERVER=true endorctl scan --call-graph-languages=javascript,typescript --build
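The prerequisites and the Node.js-to-TypeScript mapping above are easy to get wrong on a build agent, so a preflight check before the call-graph scan is useful. The following is an added example, not endorctl code; the version thresholds (endorctl 1.6.594, Node.js 4.2.6, TypeScript 4.9, and the 12.2 / 14.17 Node.js cut-offs) are the ones stated on this page, and the sample environment values are constructed. It assumes the caller has already collected the installed versions (for example from `endorctl --version`, `node --version`, `tsc --version` and `which tsserver`) and passes them in as strings.

```javascript
// Added example, not endorctl code: preflight check for the call-graph
// prerequisites. Thresholds are the ones stated on the page.

const MIN_ENDORCTL = '1.6.594';
const MIN_NODE = '4.2.6';
const MIN_TYPESCRIPT = '4.9';

// Parse "v14.17.0", "14.17" or "4.9" into [major, minor, patch]; missing
// components count as 0, so "14.17" compares equal to "14.17.0".
function parseVersion(v) {
  const parts = String(v).trim().replace(/^v/, '').split('.').slice(0, 3);
  const nums = parts.map((p) => parseInt(p, 10));
  if (nums.length === 0 || nums.some((n) => Number.isNaN(n))) {
    throw new Error(`unparseable version: ${v}`);
  }
  while (nums.length < 3) nums.push(0);
  return nums;
}

// Comparator: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// The npm install spec for TypeScript given the Node.js version (step 1 above).
function typescriptSpecForNode(nodeVersion) {
  if (compareVersions(nodeVersion, '12.2') < 0) return 'typescript@4.9';
  if (compareVersions(nodeVersion, '14.17') < 0) return 'typescript@5.0';
  return 'typescript';
}

// Returns { ok, problems, scanCommand }; problems is empty when every
// prerequisite is satisfied.
function checkCallGraphPrerequisites({ endorctlVersion, nodeVersion, typescriptVersion, tsserverPath }) {
  const problems = [];
  if (compareVersions(endorctlVersion, MIN_ENDORCTL) < 0) {
    problems.push(`endorctl ${endorctlVersion} is older than ${MIN_ENDORCTL}`);
  }
  if (compareVersions(nodeVersion, MIN_NODE) < 0) {
    problems.push(`Node.js ${nodeVersion} is older than ${MIN_NODE}`);
  }
  if (!typescriptVersion || compareVersions(typescriptVersion, MIN_TYPESCRIPT) < 0) {
    problems.push(`TypeScript ${typescriptVersion || 'missing'}; install with: npm install -g ${typescriptSpecForNode(nodeVersion)}`);
  }
  if (!tsserverPath) {
    problems.push('tsserver not found on PATH (check with: which tsserver)');
  }
  return {
    ok: problems.length === 0,
    problems,
    scanCommand: 'ENDOR_JS_ENABLE_TSSERVER=true endorctl scan --call-graph-languages=javascript,typescript --build',
  };
}

// Constructed sample environment (versions are made up for illustration).
const SAMPLE_ENVIRONMENT = {
  endorctlVersion: '1.6.600',
  nodeVersion: 'v20.11.0',
  typescriptVersion: '5.3.3',
  tsserverPath: '/opt/homebrew/bin/tsserver',
};
console.log(checkCallGraphPrerequisites(SAMPLE_ENVIRONMENT));
```

Run it with `node`; when `ok` is false, the `problems` list says which prerequisite to fix and which TypeScript spec to install for the Node.js version in use.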

Understand the scan process

Dependency analysis tools analyze the lock file of an npm-, Yarn-, or pnpm-based package and attempt to resolve its dependencies. To resolve dependencies from private repositories, the settings in the repository's .npmrc file are considered.

Endor Labs goes beyond analyzing the manifest file: it resolves JavaScript dependencies and identifies:

  • Dependencies listed in the manifest file but not used by the application
  • Dependencies used by the application but not listed in the manifest file
  • Dependencies listed in the manifest as transitive but used directly by the application
  • Dependencies categorized as test in the manifest, but used directly by the application

With this analysis, developers can eliminate false positives and false negatives and easily identify test dependencies. Dependencies used in source code but not declared in the package’s manifest files are tagged as Phantom.
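The four categories in the list above can be illustrated with a small static check. The following is an added example and is not Endor Labs code; endorctl resolves the lock file and builds a call graph, whereas this heuristic only scans source text for import specifiers and compares them with package.json. It reports undeclared imports as phantom, declared-but-unimported entries as unused, and devDependencies imported from non-test files as test dependencies used by the application (the transitive-used-directly case needs the lock file and is not covered here). The manifest, source files and test-path convention are all constructed.

```javascript
// Added example, not Endor Labs code: a simplified static check that compares
// the module specifiers imported by a project's source files against the
// dependencies declared in package.json.

// Node built-ins that never appear in package.json (subset, for illustration).
const NODE_BUILTINS = new Set([
  'assert', 'buffer', 'child_process', 'crypto', 'events', 'fs', 'http',
  'https', 'net', 'os', 'path', 'stream', 'url', 'util', 'zlib',
]);

// Matches the specifier in: import x from 'm', import 'm', import('m'),
// export { y } from 'm', and require('m').
const SPECIFIER_RE =
  /(?:\bimport\b[^'"]*?\bfrom\s*|\bimport\s*\(?\s*|\bexport\b[^'"]*?\bfrom\s*|\brequire\s*\(\s*)['"]([^'"]+)['"]/g;

// Reduce a specifier to the package name that would appear in package.json.
// Returns null for relative/absolute paths and Node built-ins.
function packageNameOf(specifier) {
  if (specifier.startsWith('.') || specifier.startsWith('/')) return null;
  if (specifier.startsWith('node:')) return null;
  const parts = specifier.split('/');
  const name = specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
  return NODE_BUILTINS.has(name) ? null : name;
}

function importedPackages(source) {
  const names = new Set();
  for (const m of source.matchAll(SPECIFIER_RE)) {
    const name = packageNameOf(m[1]);
    if (name) names.add(name);
  }
  return names;
}

// Constructed convention: anything under test/, tests/ or __tests__/, or named
// *.test.js / *.spec.ts, counts as test code.
const isTestFile = (path) => /(^|\/)(test|tests|__tests__)\/|\.(test|spec)\.[jt]sx?$/.test(path);

// packageJson: parsed manifest; sourceFiles: { path: contents }.
function classifyDependencies(packageJson, sourceFiles) {
  const deps = Object.keys(packageJson.dependencies || {});
  const devDeps = Object.keys(packageJson.devDependencies || {});
  const declared = new Set([...deps, ...devDeps]);
  const usedAnywhere = new Set();
  const usedInProd = new Set();
  for (const [path, source] of Object.entries(sourceFiles)) {
    for (const name of importedPackages(source)) {
      usedAnywhere.add(name);
      if (!isTestFile(path)) usedInProd.add(name);
    }
  }
  return {
    phantom: [...usedAnywhere].filter((n) => !declared.has(n)).sort(),
    unused: [...declared].filter((n) => !usedAnywhere.has(n)).sort(),
    devDepsUsedInProd: devDeps.filter((n) => usedInProd.has(n)).sort(),
  };
}

// Constructed sample manifest and sources.
const SAMPLE_PACKAGE_JSON = {
  name: 'sample-app',
  dependencies: { express: '^4.18.2', lodash: '^4.17.21', 'left-pad': '^1.3.0' },
  devDependencies: { jest: '^29.0.0', chalk: '^5.0.0' },
};

const SAMPLE_SOURCES = {
  'src/server.js': `
    const express = require('express');
    const get = require('lodash/get');
    const chalk = require('chalk');      // devDependency used by production code
    const yaml = require('js-yaml');     // not declared anywhere: phantom
    const path = require('node:path');   // built-in, ignored
    module.exports = express();
  `,
  'src/util.ts': `
    import { v4 as uuid } from '@scope/ids/v4';   // scoped and undeclared: phantom
    import fs from 'fs';
    export { default as get } from 'lodash/get';
  `,
  'test/server.test.js': `
    import { describe } from 'jest';
    import request from 'supertest';   // phantom, but only in tests
  `,
};

console.log(JSON.stringify(classifyDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES), null, 2));
```

Run it with `node`; for the constructed sample it reports `@scope/ids`, `js-yaml` and `supertest` as phantom, `left-pad` as unused, and `chalk` as a devDependency imported by production code. A text-based check like this has the same blind spots the page lists for call graphs (dynamically computed module names, for instance), which is why a lock-file-aware resolver is needed for real projects.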

Endor Labs also supports npm, Yarn, and pnpm workspaces out of the box. If your JavaScript frameworks and packages use workspaces, Endor Labs automatically takes the dependencies from the workspace to ensure that the package builds successfully.

Scan speed is improved if the lock file exists in the repository: endorctl does not perform a build and uses the existing files in the repository for analysis.

Known Limitations

  • Endor Labs doesn’t currently support local package references.
  • If a dependency cannot be resolved in the lock file, building that specific package may be unsuccessful. The package may have been removed from npm, or the .npmrc file may not be properly configured. Other packages in the workspace are scanned as usual.

Call graph limitations

  • Functions that are passed in as arguments to call expressions might not be included in the call graph.
  • Functions that are returned and then called might not be included in the call graph.
  • Functions that are assigned to a variable based on a runtime value might not be included in the call graph.
  • Functions that are assigned to an array element might not be included in the call graph.

Troubleshoot errors

  • Unresolved dependency errors: The manifest file package.json is not buildable. Try running npm install, yarn install, or pnpm install in the project root to debug this error.
  • Resolved dependency errors: A version of a dependency does not exist or it cannot be found. It may have been removed from the repository.