
Unlocking Clarity: Essential Rules to Elevate the JavaScript Ecosystem

Original Post: New, high-signal rules for the JavaScript ecosystem

The Semgrep registry now offers three rulesets dedicated to the JavaScript ecosystem, one reworked and two new:

  1. p/javascript: the existing ruleset, reworked to cover a broader range of targets, including both client-side and server-side vulnerabilities.
  2. p/nodejs: new, with high-quality rules tailored to the Node.js API.
  3. p/expressjs: new, with rules for common misconfigurations and vulnerabilities in Express.js applications.

Previously, a single ruleset covered many different aspects of JavaScript usage at once: client-side vulnerabilities, code correctness, JWT mistakes, and Node.js bugs. Because JavaScript is used in such different contexts, that one-size-fits-all ruleset did not always match what a given user needed from it, so it was split into dedicated rulesets for clarity and focus.

The p/javascript ruleset covers issues such as bracket object injection, prototype pollution, risky RegExp() usage, and hardcoded secrets.
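As an added illustration (not code from the Semgrep post or from the Semgrep rules themselves) of two of those issue classes, the following shows the "bracket object injection" pattern that leads to prototype pollution, beside a hardened version. The scenario, a deep-set helper fed a dotted path from an untrusted request, and the function names are assumptions made for the example.

```javascript
// Added example, not from the Semgrep post. Assumed scenario: a helper that
// sets obj[a][b][c] from a dotted path such as ?path=__proto__.isAdmin&value=true.

// Vulnerable: untrusted keys index the object directly. The path
// "__proto__.isAdmin" walks into Object.prototype and sets the property there,
// so every plain object in the process suddenly reports isAdmin === true.
function setPathUnsafe(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === undefined) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Keys that let a path climb out of the target object into its prototype chain.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: reject prototype-walking keys, only descend through own properties,
// and create intermediate containers without a prototype at all.
function setPathSafe(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to set forbidden key: ${key}`);
    }
    if (i === keys.length - 1) {
      cur[key] = value;
    } else {
      const own = Object.prototype.hasOwnProperty.call(cur, key);
      if (!own || typeof cur[key] !== 'object' || cur[key] === null) {
        cur[key] = Object.create(null); // prototype-less container
      }
      cur = cur[key];
    }
  }
  return target;
}

// Runs the constructed attacker input against a setter and reports whether an
// unrelated, freshly created object ended up carrying the injected property.
// Cleans Object.prototype afterwards so the pollution does not leak further.
function pollutionCheck(setter) {
  const attackerPath = '__proto__.isAdmin'; // constructed attacker input
  try {
    setter({}, attackerPath, true);
  } catch (e) {
    return { rejected: true, polluted: false };
  }
  const victim = {};
  const polluted = victim.isAdmin === true;
  delete Object.prototype.isAdmin;
  return { rejected: false, polluted };
}
```

Run pollutionCheck(setPathUnsafe) and the fresh victim object reports isAdmin, which is exactly the bracket-access-with-untrusted-key shape the ruleset looks for; pollutionCheck(setPathSafe) throws on the first forbidden key instead. The same guard belongs in any merge, extend, or "set by path" utility that takes keys from request data.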

The p/nodejs ruleset focuses on threats such as command injection through child processes spawned with a shell enabled, use of weak random number generators, TLS misconfigurations, and weak hashes.

The p/expressjs ruleset tackles misconfigurations such as CORS settings, insecure default cookie settings, and XSS vulnerabilities in responses.
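The following added example (not code from the Semgrep post or from Semgrep's rules) writes those three Express.js issue classes as plain functions over request values so it runs without Express installed; in an application they correspond to the origin option of the cors middleware, the options passed to res.cookie(), and whatever is interpolated into res.send(). The allowlist, cookie name, and function names are assumptions.

```javascript
// Added example, not from the Semgrep post. Allowlist and names are assumed.

// 1. CORS. Vulnerable: reflecting whatever Origin the request carried while
// also allowing credentials lets any site make authenticated cross-origin calls.
function corsHeadersUnsafe(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}
// Safe: exact-match allowlist; unknown origins get no CORS headers at all.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // assumed allowlist
function corsHeadersSafe(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // stop caches serving one origin's answer to another
  };
}

// 2. Session cookie. Vulnerable: a bare Set-Cookie with no attributes, so the
// cookie is readable from script, sent over plain HTTP, and attached to
// cross-site requests.
function sessionCookieUnsafe(sid) {
  return `sid=${sid}`;
}
function sessionCookieSafe(sid) {
  return `sid=${sid}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}
// Parses a Set-Cookie value and lists the hardening attributes it lacks.
function missingCookieFlags(setCookie) {
  const attrs = new Set(
    setCookie.split(';').slice(1).map(a => a.trim().split('=')[0].toLowerCase()));
  return ['HttpOnly', 'Secure', 'SameSite'].filter(f => !attrs.has(f.toLowerCase()));
}

// 3. Reflected XSS. Vulnerable: untrusted input lands in the HTML unescaped.
function greetingUnsafe(name) {
  return `<p>Hello, ${name}</p>`;
}
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => HTML_ESCAPES[c]);
}
function greetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}</p>`;
}
```

Feeding a constructed origin of https://evil.example to corsHeadersUnsafe yields credentialed access for that origin, while corsHeadersSafe returns nothing for it; missingCookieFlags reports all three attributes absent from the bare cookie and none from the hardened one; and a constructed name containing a script tag is rendered inert by greetingSafe. In Express the same decisions are made in middleware configuration, which is where these rules look.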

Users can run these rulesets locally or in CI/CD pipelines to check their code. Further updates and expansions are planned, and Semgrep invites feedback through its Slack community.

Go here to read the Original Post
