Analyze broken and malicious JavaScript and TypeScript modules.
The analyzer is available for use in Deno. It comes with a default static analyzer and optional (but recommended) runtime analyzer.
import { analyze } from "https://x.nest.land/[email protected]/mod.ts";
// oh no! malicious!
const source_code = `Deno["run"]({ cmd: "shutdown now"})`
// analyzer to the rescue ;)
const diagnostics = await analyze(source_code);
nest_analyzer has a runtime and static analyzer.
The static code analzer was removed recently as module authors with malicious intent can obfuscate their function calls to bypass the static analyzer, it is not ideal to depend on it.
The runtime analyzer comes with the analyzer module published at nest.land
import { analyze } from "https://x.nest.land/[email protected]/mod.ts";
analyze(source_code, {
runtime: true // enable the runtime analyzer
})
Rules are corresponding to the rules in the static analyzer.
Runtime analysis is a tideous process.
Typescript code is compiled and bundled to es6, which is then parsed into its AST.
AST nodes are injected with custom listeners using a fork of Iroh.js
.
Finally the code is safely evaluated and diagnostics are collected based on the inbuilt rules.
The static analyzer uses Sauron to collect quality metrics. It is avaliable as a wasm module for use on the Web and Deno. It collects diagnostics based on linting techniques, project structure, etc which can be used for calculation module score among other modules.
-
If you are going to work on an issue, mention so in the issue comments before you start working on the issue.
-
Please be professional in the forums. Have a problem? Email [email protected]
Before submitting, please make sure the following is done:
- That there is a related issue and it is referenced in the PR text.
- There are tests that cover the changes.
- Ensure
cargo test
anddeno test -A --unstable
passes. - Format your code with
deno run --allow-run tools/format.ts
- Make sure
deno run --allow-run tools/lint.ts
passes.