JavaScript Analyzer Update: April 2022

We’ve updated the JavaScript analyzer with some bug fixes and some new issues. The complete list of JS issues can be found here.

OWASP security rules.

We now detect security vulnerabilities like remote code execution hatches(JS-S0011), shell injection (JS-S0010) unsigned JWT tokens and weak TLS encryption algorithms(JS-S1009).

// JS-S1009: Usage of an insecure TLS protocol version
const options = {
     secureProtocol: 'TLSv1_method', // insecure version
     minVersion: 'TLSv1.1', // insecure version
     maxVersion: 'TLSv1.2'
 const connection = tls.connect(443, '', options, () => { })
 const req = https.request(options, res => {  })
 const socket = request.get(options)

Syntax errors now shown on the dashboard

Previously, any files with syntactic errors were ignored by DeepSource.
Now they’re reported as issues in the dashboard:

// JS-0833: missing `=>` after arrow function parameters
const myFun = () {
    return "I'm missing a =>!"

Default module system updated to ESModules.

Prior to this update, the default module system was assumed to be CommonJS. This meant that unless the user specified module_system to be "esmodules" in the .deepsource.toml file, import statements would go ignored (or be reported as syntax errors after the above change).

Now, ES6 style imports are assumed to be the default. This also covers the syntax for CommonJS imports which are just calls to the require function.

False positive fixes.

We’ve fixed several false positives reported by our users.
Patched issues include like JS-0128, JS-0378, JS-0377 and several others.

JS-0833 is triggering a false positive for me:

import { Controller } from "@hotwired/stimulus"

// Connects to data-controller="foundry"
export default class extends Controller {
  static targets = ["forgeForm","formButton","forgeLane"] # DeepSource reports Parsing error: Unexpected token =, JS-0833

  connect() {}