CORDIS - EU research results

Vulnerability Exposure Analysis for JavaScript

Periodic Reporting for period 1 - PAWJAM (Vulnerability Exposure Analysis for JavaScript)

Reporting period: 2023-07-01 to 2024-12-31

A typical modern Node.js application consists of hundreds of JavaScript files, with more than 90% of the code coming from third-party libraries. Reuse of high-quality libraries is thus an important factor in software development. Most libraries, especially the most popular ones, are continuously improved, and new versions are released frequently. However, dependence on other people’s libraries opens the door to security vulnerabilities and programming errors that may exist deep inside the libraries and have severe consequences for the applications and end users. In addition, breaking changes in new versions often cause problems for application developers.
The objectives of this project are to further explore the scientific results achieved in the ERC CoG project “Automated Program Analysis for Advanced Web Applications” (PAW) and bring them closer to practical use.
In the PAWJAM project, we have continued the development of the program analyses from PAW, focusing on automated techniques for discovering how vulnerabilities in third-party libraries can affect application code, and we have performed an initial market analysis to explore the innovative aspects towards commercialization.
The main results of the project are: (1) We have performed a large experiment to investigate the potential of the JAM analysis tool in vulnerability exposure analysis, which has led to improvements of the analysis technique and confirmed that the expressiveness is appropriate for practical use. (2) We have developed the new program analysis tool JELLY based on the experiences from the JAM research tool. The JELLY analysis tool is Open Source and now forms the backbone of a commercial product. (3) The initial market analysis has provided insights into the commercial potential of the research results and has led to the creation of a startup company.