JavaScript is a high-level, interpreted programming language primarily used for creating interactive and dynamic web content. Endor Labs supports scanning and monitoring of JavaScript projects.
Using Endor Labs, developers can:
- Test their software for potential issues and violations of organizational policy
- Prioritize vulnerabilities in the context of their applications
- Understand the relationships between software components in their applications
System specifications for deep scan
Before you proceed to run a deep scan, ensure that your system meets the following specification.
| Project Size | Processor | Memory |
|---|---|---|
| Small projects | 4-core processor | 16 GB |
| Mid-size projects | 8-core processor | 32 GB |
| Large projects | 16-core processor | 64 GB |
Software prerequisites
- Endor Labs requires the following prerequisite software to be installed to successfully perform a scan:
  - Yarn: any version
  - npm: 6.14.18 or higher
  - pnpm: 3.0.0 or higher
- Make sure your repository includes one or more files with the .js or .ts extension.
Build JavaScript projects
You can choose to build your JavaScript projects before running a scan. This ensures that a package-lock.json, yarn.lock, or pnpm-lock.yaml file exists, which speeds up the scan.
Ensure your repository has a package.json and run the command for your package manager, making sure it builds the project successfully.
For npm:
npm install
For Yarn:
yarn install
For pnpm:
pnpm install
If the project is not built, endorctl builds the project during the scan and generates a package-lock.json, yarn.lock, or pnpm-lock.yaml file. Make sure that npm, Yarn, or pnpm is installed on your system. If your repository already includes a lock file, endorctl uses the existing file for dependency resolution and does not create it again.
Run a scan
Perform a scan to get visibility into your software composition and resolve dependencies.
endorctl scan
Detect dependencies with pnpm
If you are using pnpm, set the environment variable ENDOR_PNPM_ENABLED to true and then run the scan.
export ENDOR_PNPM_ENABLED=true
endorctl scan
Enable dependency reachability
To enable dependency reachability, which detects dependencies used in source code but not declared in the package's manifest files, set the flag --call-graph-languages to javascript,typescript.
endorctl scan --call-graph-languages=javascript,typescript --build
You can perform the scan from within the root directory of the Git project repository, and save the local results to a results.json file. The results and related analysis information are available on the Endor Labs user interface.
endorctl scan -o json | tee /path/to/results.json
You can sign in to the Endor Labs user interface, click Projects in the left sidebar, and find your project to review its results.
Enable call graphs (Beta)
To enable call graphs for JavaScript and TypeScript projects use the following process.
Prerequisites:
- Ensure endorctl version is 1.6.594 or higher.
- Ensure Node.js version 4.2.6 or higher is installed to support TypeScript version 4.9.
- Ensure TypeScript version 4.7 or higher is installed.
- Install tsserver. tsserver is included with TypeScript, so installing the appropriate TypeScript version automatically installs tsserver. Follow these steps based on your Node.js version:
  - For Node.js versions lower than 12.2, install TypeScript version 4.9:
    npm install -g typescript@4.9
  - For Node.js versions between 12.2 and 14.17, install TypeScript version 5.0:
    npm install -g typescript@5.0
  - For Node.js versions 14.17 or higher, install the latest TypeScript version:
    npm install -g typescript
- Check the tsserver installation:
  # Run 'which tsserver' to confirm installation
  which tsserver
  /opt/homebrew/bin/tsserver
- If you are running the endorctl scan with --install-build-tools, you need not install tsserver. See Manage build tools for more information.
- Run the endorctl scan by setting the environment variable ENDOR_JS_ENABLE_TSSERVER=true and the flag --call-graph-languages=javascript,typescript followed by --build:
  ENDOR_JS_ENABLE_TSSERVER=true endorctl scan --call-graph-languages=javascript,typescript --build
Important: In a multi-language repository, you must explicitly list each language for call graph generation using the --call-graph-languages flag. For example, --call-graph-languages=javascript,typescript,c#,go,java,python,rust,kotlin,scala.
Understand the scan process
Dependency analysis tools analyze the lock file of an npm, Yarn, or pnpm based package and attempt to resolve dependencies. To resolve dependencies from private repositories, the settings in the repository's .npmrc file are considered.
Endor Labs goes beyond manifest file analysis by resolving JavaScript dependencies and identifying:
- Dependencies listed in the manifest file but not used by the application
- Dependencies used by the application but not listed in the manifest file
- Dependencies listed in the manifest as transitive but used directly by the application
- Dependencies categorized as test in the manifest, but used directly by the application
With this analysis, developers can eliminate false positives and false negatives and easily identify test dependencies. Dependencies used in source code but not declared in the package's manifest files are tagged as Phantom.
Endor Labs also supports npm, Yarn, and pnpm workspaces out-of-the-box. If your JavaScript frameworks and packages use workspaces, Endor Labs will automatically take the dependencies from the workspace to ensure that the package successfully builds.
Scan speed is improved if a lock file exists in the repository, because endorctl then skips the build and uses the existing files in the repository for analysis.
Known Limitations
- Endor Labs doesn't currently support local package references.
- If a dependency cannot be resolved from the lock file, building that specific package may fail. The package may have been removed from npm, or the .npmrc file may not be properly configured. Other packages in the workspace are scanned as usual.
Call graph limitations
- Functions that are passed in as arguments to call expressions might not be included in the call graph.
- Functions that are returned and then called might not be included in the call graph.
- Functions that are assigned to a variable based on a runtime value might not be included in the call graph.
- Functions that are assigned to an array element might not be included in the call graph.
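The snippet below, added here and not part of the Endor Labs documentation, shows the four call patterns listed above in plain JavaScript; `hashLike` is a hypothetical stand-in for a third-party function. Every call really executes at runtime, so a dependency reached only through one of these patterns may still be reported as unreachable and should not be dismissed on that basis alone.

```javascript
// Added example (not from Endor Labs): the four patterns the call graph
// limitations describe. Each function executes at runtime, yet a static
// call graph may miss the edge to `hashLike`, a hypothetical third-party
// function used as the target of every call below.
function hashLike(s) {
  let h = 0;
  for (const ch of s) h = (h * 31 + ch.charCodeAt(0)) >>> 0;
  return h;
}

// 1. Function passed as an argument to a call expression.
function applyTo(values, fn) {
  return values.map(fn);
}
function viaCallback() {
  return applyTo(["a", "b"], hashLike); // hashLike never appears as a callee
}

// 2. Function returned from another function and then called.
function pickHasher() {
  return hashLike;
}
function viaReturnedFunction() {
  return pickHasher()("ab"); // the callee is the result of another call
}

// 3. Function chosen from a runtime value (a flag, config, or input).
function viaRuntimeSelection(useHash) {
  const impl = useHash ? hashLike : (s) => s.length;
  return impl("ab"); // static analysis cannot know which branch ran
}

// 4. Function stored in an array element and called through an index.
const handlers = [(s) => s.length, hashLike];
function viaArrayElement(idx) {
  return handlers[idx]("ab"); // callee resolved by index at runtime
}
```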
Troubleshoot errors
- Unresolved dependency errors: The manifest file package.json is not buildable. Try running npm install, yarn install, or pnpm install in the root project to debug this error.
- Resolved dependency errors: A version of a dependency does not exist or cannot be found. It may have been removed from the repository.