@nodesecure/js-x-ray 6.2.0 → 6.3.0

package/README.md

@@ -20,12 +20,10 @@
     </a>
 </p>
 
-JavaScript AST analysis. This package has been created to export the [Node-Secure](https://github.com/ES-Community/nsecure) AST Analysis to enable better code evolution and allow better access to developers and researchers.
+JavaScript AST analysis. This package has been created to export the [NodeSecure](https://github.com/NodeSecure/cli) AST Analysis to enable better code evolution and allow better access to developers and researchers.
 
 The goal is to quickly identify dangerous code and patterns for developers and Security researchers. Interpreting the results of this tool will still require you to have a set of security notions.
 
-> **Note** I have no particular background in security. I'm simply becoming more and more interested and passionate about static code analysis. But I would be more than happy to learn that my work can help prevent potential future attacks (or leaks).
-
 ## Goals
 The objective of the project is to successfully detect all potentially suspicious JavaScript codes.. The target is obviously codes that are added or injected for malicious purposes..
 
@@ -85,7 +83,8 @@ console.log(warnings);
 
 The analysis will return: `http` (in try), `crypto`, `util` and `fs`.
 
-> **Warning** There is also a lot of suspicious code example in the `./examples` cases directory. Feel free to try the tool on these files.
+> [!NOTE]
+> There is also a lot of suspicious code example in the `./examples` cases directory. Feel free to try the tool on these files.
 
 ## Warnings
 
@@ -122,8 +121,6 @@ console.log(i18n.getTokenSync(jsxray.warnings["parsing-error"].i18n));
 
 ## Warnings Legends
 
-> **Warning** versions of NodeSecure greather than v0.7.0 are no longer compatible with the warnings table below.
-
 This section describe all the possible warnings returned by JSXRay. Click on the warning **name** for additional information and examples.
 
 | name | experimental | description |
@@ -194,6 +191,21 @@ export type ReportOnFile = {
 
 </details>
 
+## Workspaces
+
+Click on one of the links to access the documentation of the workspace:
+
+| name | package and link |
+| --- | --- |
+| estree-ast-util | [@nodesecure/estree-ast-util](./workspaces/estree-ast-util) |
+| sec-literal | [@nodesecure/sec-literal ](./workspaces/sec-literal) |
+
+These packages are available in the Node Package Repository and can be easily installed with [npm](https://docs.npmjs.com/getting-started/what-is-npm) or [yarn](https://yarnpkg.com).
+```bash
+$ npm i @nodesecure/estree-ast-util
+# or
+$ yarn add @nodesecure/estree-ast-util
+```
 
 ## Contributors ✨
 

package/index.js

@@ -122,15 +122,19 @@ function parseScriptExtended(strToAnalyze, options = {}) {
     return body;
   }
   catch (error) {
+    const isIllegalReturn = error.description.includes("Illegal return statement");
+
     if (error.name === "SyntaxError" && (
       error.description.includes("The import keyword") ||
-      error.description.includes("The export keyword")
+      error.description.includes("The export keyword") ||
+      isIllegalReturn
     )) {
       const { body } = meriyah.parseScript(
         cleanedStrToAnalyze,
         {
           ...kMeriyahDefaultOptions,
-          module: true
+          module: true,
+          globalReturn: isIllegalReturn
         }
       );
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nodesecure/js-x-ray",
-  "version": "6.2.0",
+  "version": "6.3.0",
   "description": "JavaScript AST XRay analysis",
   "type": "module",
   "exports": "./index.js",
@@ -18,6 +18,10 @@
     "type": "git",
     "url": "git+https://github.com/NodeSecure/js-x-ray.git"
   },
+  "workspaces": [
+    "workspaces/estree-ast-utils",
+    "workspaces/sec-literal"
+  ],
   "keywords": [
     "ast",
     "nsecure",
@@ -48,10 +52,15 @@
   },
   "devDependencies": {
     "@nodesecure/eslint-config": "^1.6.0",
+    "@small-tech/esm-tape-runner": "^2.0.0",
+    "@small-tech/tap-monkey": "^1.4.0",
     "@types/node": "^20.6.2",
     "c8": "^8.0.1",
+    "cross-env": "^7.0.3",
     "eslint": "^8.31.0",
     "glob": "^10.3.4",
-    "pkg-ok": "^3.0.0"
+    "iterator-matcher": "^2.1.0",
+    "pkg-ok": "^3.0.0",
+    "tape": "^5.7.2"
   }
 }

package/src/probes/isRequire.js

@@ -146,7 +146,6 @@ function walkRequireCallExpression(nodeToWalk, tracer) {
           break;
         }
         case "require.resolve": {
-          console.log("require.resolve!");
           if (rootArgument.type === "Literal") {
             dependencies.add(rootArgument.value);
           }

package/types/astdeps.d.ts

@@ -26,6 +26,7 @@ declare class ASTDeps {
   removeByName(name: string): void;
   add(depName: string): void;
   getDependenciesInTryStatement(): IterableIterator<string>;
+  [Symbol.iterator]: IterableIterator<string>;
 
   public isInTryStmt: boolean;
   public dependencies: Record<string, Dependency>;

package/types/warnings.d.ts

@@ -21,15 +21,16 @@ type WarningName = WarningNameWithValue | "unsafe-import";
 
 type WarningLocation = [[number, number], [number, number]];
 
-interface WarningDefault {
-  kind: WarningName;
+interface WarningDefault<T = WarningName> {
+  kind: T;
   file?: string;
   value: string;
-  source: string; 
-  location: WarningLocation | WarningLocation[];
+  source: string;
+  location: null | WarningLocation | WarningLocation[];
   i18n: string;
   severity: "Information" | "Warning" | "Critical";
   experimental?: boolean;
 }
 
-type Warning<T extends WarningDefault = WarningDefault> = T extends { kind: WarningNameWithValue } ? T : Omit<T, "value">;
+type Warning<T extends WarningDefault = WarningDefault> =
+  T extends { kind: WarningNameWithValue } ? T : Omit<T, "value">;