JavaScript is a high-level, interpreted programming language primarily used for creating interactive and dynamic web content. Endor Labs supports scanning and monitoring JavaScript projects.
Using Endor Labs, application security engineers and developers can:
- Scan their software for potential security issues and violations of organizational policy.
- Prioritize vulnerabilities in the context of their applications.
- Understand the relationships between software components in their applications.
System specifications for deep scan
Before you proceed to run a deep scan, ensure that your system meets the following specification.
| Project Size | Processor | Memory |
|---|---|---|
| Small projects | 4-core processor | 16 GB |
| Mid-size projects | 8-core processor | 32 GB |
| Large projects | 16-core processor | 64 GB |
Software prerequisites
- Install the following software before you scan:
  - Yarn: Any version
  - npm: 6.14.18 or higher
  - pnpm: 3.0.0 or higher
  - Rush: 5.90.0 or higher. To enable Rush support, set the environment variable ENDOR_RUSH_ENABLED=true.
- Make sure your repository includes one or more files with the .js or .ts extension.
To run deep scanning for JavaScript and TypeScript projects, make sure you have the following prerequisites installed:
- Install endorctl version 1.7.0 or higher.
- Install Node.js version 4.2.6 or higher to support TypeScript version 4.9.
- Install TypeScript version 4.9 or higher.
- Install tsserver. TypeScript includes tsserver, so installing the right TypeScript version also installs tsserver. Install the appropriate TypeScript version based on your Node.js version.
| Node.js Version | TypeScript Version |
|---|---|
| Lower than 12.2 | 4.9 or higher |
| Between 12.2 and 14.17 | 5.0 |
| Higher than or equal to 14.17 | Latest |
- Use the following command based on your Node.js version to install TypeScript:
npm install -g typescript
npm install -g typescript@5.0
npm install -g typescript@4.9
- Run the following command to verify the tsserver installation:
which tsserver
If you are running the endorctl scan with --install-build-tools, you don't need to install tsserver. See Configure build tools for more information.
Build JavaScript projects
You can build your JavaScript projects before running a scan. Building first creates a package-lock.json, yarn.lock, or pnpm-lock.yaml file, which speeds up the scan.
Ensure your repository has a package.json file and run one of the following commands, making sure it builds the project successfully.
npm install
yarn install
pnpm install
If the project is not built, endorctl builds the project during the scan and generates a package-lock.json, yarn.lock, or pnpm-lock.yaml file. Make sure that npm, Yarn, or pnpm is available on your system. If your repository already includes a lock file, endorctl uses the existing file for dependency resolution and does not create it again.
The npm install command may fail in a subdirectory if your project has a package-lock.json file at the root of the repository but not in sub-packages. See the following example.
.
├── package.json
├── package-lock.json
└── sub-package/
    └── package.json
You need to instruct endorctl to use the root-level lock file to avoid scan failures in monorepo setups where dependencies are centrally managed at the root.
Set the following environment variable before you run the scan.
export ENDOR_JS_USE_ROOT_DIR_LOCK_FILE=true
Scan Rush monorepos
Rush is a monorepo management tool for JavaScript/TypeScript that works on top of npm, pnpm, or Yarn and manages multiple projects in a single repository using a centralized configuration.
Endor Labs detects Rush repositories using the rush.json file at the repository root and scans them with the standard JavaScript workflow. Endor Labs infers the package manager and uses the corresponding lock file for dependency resolution.
Run the following command at the repository root to build the repository before a scan and to ensure the appropriate lock file exists.
rush install
To scan Rush monorepos, you must first enable Rush detection.
export ENDOR_RUSH_ENABLED=true
Run endorctl scan to discover Rush dependencies.
endorctl scan
Configure call graph generation timeout
When generating call graphs for JavaScript/TypeScript projects, endorctl uses tsserver to analyze the code. By default, tsserver waits 15 seconds for a response before timing out. For large or complex projects, you may need to increase this timeout.
Set the ENDOR_JS_TSSERVER_TIMEOUT environment variable to specify the timeout in seconds.
export ENDOR_JS_TSSERVER_TIMEOUT=30
Increasing the timeout might be beneficial in the following scenarios:
- Large monorepos with many TypeScript files
- Projects with complex type hierarchies
- Projects with extensive type checking requirements
Override JavaScript package manager detection
endorctl detects the JavaScript package manager automatically. You can override this detection by setting the ENDOR_JS_PACKAGE_MANAGER environment variable to npm, yarn, pnpm, or lerna.
For example, to use npm as the package manager run the following command.
export ENDOR_JS_PACKAGE_MANAGER=npm
This setting forces endorctl to use the specified package manager and overrides all other JavaScript package manager configuration variables.
Run a scan
Perform a scan to get visibility into your software composition and resolve dependencies.
endorctl scan
Understand the scan process
Dependency analysis tools analyze the lock file of an npm, yarn, pnpm, or Rush based package and attempt to resolve dependencies. To resolve dependencies from private repositories, Endor Labs reads the .npmrc settings from the repository.
Endor Labs goes beyond manifest file analysis by resolving the JavaScript dependencies the code actually uses, and identifies:
- Dependencies listed in the manifest file but not used by the application
- Dependencies used by the application but not listed in the manifest file
- Dependencies listed in the manifest as transitive but used directly by the application
- Dependencies categorized as test in the manifest, but used directly by the application
With this analysis, developers can eliminate false positives and false negatives and easily identify test dependencies. Endor Labs tags dependencies found in source code but not declared in the manifest files as Phantom.
Endor Labs also supports npm, Yarn, pnpm, and Rush workspaces out-of-the-box. If your JavaScript frameworks and packages use workspaces, Endor Labs will automatically take the dependencies from the workspace to ensure that the package successfully builds.
The lock file speeds up the scan when it exists in the repository. endorctl skips the build step and uses the existing files for analysis.
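The following is an added example, not Endor Labs code, and is a much simplified stand-in for the analysis described above: it compares what package.json declares against what the source files import and reports phantom dependencies (imported but undeclared), unused declared dependencies, and devDependencies that application code imports. The manifest and source snippets are constructed; the import-matching regex is a deliberate simplification of real module resolution.

```javascript
// Added example (not Endor Labs code): a simplified form of the manifest
// versus source comparison described above. It reports phantom dependencies
// (imported but undeclared), unused dependencies, and devDependencies that
// application code imports.
const IMPORT_RE = /(?:require\(\s*|from\s+|import\s+)["']([^"']+)["']/g;
// "lodash/fp" -> "lodash", "@scope/pkg/util" -> "@scope/pkg"; relative,
// absolute and node: specifiers are not packages and return null.
function packageName(spec) {
  if (/^(\.|\/|node:)/.test(spec)) return null;
  const parts = spec.split("/");
  return spec.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}
function importsIn(source) {
  const names = new Set();
  for (const m of source.matchAll(IMPORT_RE)) {
    const name = packageName(m[1]);
    if (name) names.add(name);
  }
  return names;
}

// files maps repository paths to source text; paths under test/ or ending in
// .test.js/.test.ts are test code, everything else is application code.
function analyze(manifest, files) {
  const deps = new Set(Object.keys(manifest.dependencies || {}));
  const devDeps = new Set(Object.keys(manifest.devDependencies || {}));
  const appUsed = new Set(), testUsed = new Set();
  for (const [file, src] of Object.entries(files)) {
    const isTest = /(^|\/)test\//.test(file) || /\.test\.[jt]s$/.test(file);
    importsIn(src).forEach((n) => (isTest ? testUsed : appUsed).add(n));
  }
  const used = new Set([...appUsed, ...testUsed]);
  return {
    phantom: [...appUsed].filter((n) => !deps.has(n) && !devDeps.has(n)).sort(),
    unused: [...deps].filter((n) => !used.has(n)).sort(),
    testDepUsedInApp: [...appUsed].filter((n) => devDeps.has(n) && !deps.has(n)).sort(),
  };
}

// Constructed sample: lodash is required directly but never declared (phantom),
// left-pad is declared but never imported, chai is a devDependency used by app code.
const sampleManifest = {
  dependencies: { express: "^4.18.0", "left-pad": "^1.3.0" },
  devDependencies: { chai: "^4.3.0", mocha: "^10.0.0" },
};
const sampleFiles = {
  "src/app.js": 'const express = require("express");\nconst fp = require("lodash/fp");\nconst { expect } = require("chai");',
  "test/app.test.js": 'import mocha from "mocha";\nimport "./helpers.js";',
};
console.log(analyze(sampleManifest, sampleFiles));
```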
Configure private npm package repositories
Endor Labs supports fetching and scanning dependencies from private npm package registries. Endor Labs will fetch resources from authenticated endpoints and perform the scan, allowing you to view the resolved dependencies and findings. See npm package manager integrations for more information on configuring private registries.
Known Limitations
- Endor Labs doesn't currently support local package references.
- If a dependency cannot be resolved from the lock file, building that specific package may fail. The package may no longer exist in npm, or the .npmrc file may not be properly configured. Other packages in the workspace are scanned as usual.
Call graph limitations
- The call graph might not include functions passed as arguments to call expressions.
- The call graph might not include functions that return and then execute.
- The call graph might not include functions assigned to a variable based on a runtime value.
- The call graph might not include functions assigned to an array element.
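The following is an added example, not Endor Labs code, showing the four call shapes listed above as runnable JavaScript next to a plain direct call. parseUntrusted is a constructed stand-in for any dependency function whose reachability matters to you; reachesParser records at runtime whether it actually executed, which is the ground truth a static call graph may fail to reproduce for these shapes, so a finding in such a function can be reported as unreachable even though the code runs it.

```javascript
// Added example (not Endor Labs code): the four call patterns listed above,
// each runnable, next to a direct call. parseUntrusted stands in for any
// dependency function whose reachability you care about; a finding in it can
// look unreachable when the only path to it goes through one of these shapes.
let parseCalls = 0;
function parseUntrusted(input) {
  parseCalls += 1;
  return `parsed:${input}`;
}

// 1. Function passed as an argument to a call expression.
function applyTo(fn, value) { return fn(value); }
function viaCallback(input) { return applyTo(parseUntrusted, input); }

// 2. Function returned from another function and then executed.
function pickParser() { return parseUntrusted; }
function viaReturnedFunction(input) { return pickParser()(input); }

// 3. Function assigned to a variable based on a runtime value.
function viaRuntimeChoice(input, mode) {
  const handler = mode === "strict" ? parseUntrusted : (x) => `echo:${x}`;
  return handler(input);
}

// 4. Function assigned to an array element.
const handlers = [(x) => `noop:${x}`, parseUntrusted];
function viaArrayElement(input, index) { return handlers[index](input); }

// Direct call for comparison: this is the edge a static call graph sees.
function viaDirectCall(input) { return parseUntrusted(input); }

// Run fn and report whether parseUntrusted actually executed: the dynamic
// ground truth that a static call graph should, but might not, reproduce.
function reachesParser(fn, ...args) {
  const before = parseCalls;
  const out = fn(...args);
  return { out, reached: parseCalls > before };
}

for (const [name, fn, args] of [
  ["direct", viaDirectCall, ["a"]],
  ["callback", viaCallback, ["a"]],
  ["returned", viaReturnedFunction, ["a"]],
  ["runtime strict", viaRuntimeChoice, ["a", "strict"]],
  ["runtime lax", viaRuntimeChoice, ["a", "lax"]],
  ["array[1]", viaArrayElement, ["a", 1]],
]) {
  console.log(name, reachesParser(fn, ...args));
}
```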
Troubleshoot errors
- Unresolved dependency errors: The manifest file package.json is not buildable. Try running npm install, yarn install, pnpm install, or rush install in the root project to debug this error.
- Resolved dependency errors: A dependency version does not exist or cannot be found. The package may no longer exist in the repository.