SōjiTantei: Function-Call Reachability Detection of Vulnerable Code for npm Packages
Bodin Chinthanet, Raula Gaikovina Kula, Rodrigo Eliza Zapata, Takashi Ishio, Kenichi Matsumoto, Akinori Ihara

TL;DR
This paper introduces SōjiTantei, a tool for detecting reachability of vulnerable code in JavaScript npm packages, demonstrating high accuracy and efficiency in large-scale vulnerability analysis.
Contribution
The paper presents a novel automated approach and prototype for function-call reachability detection of vulnerable code in JavaScript projects, improving over manual methods.
Findings
SōjiTantei achieves 83.3% accuracy in reachability detection.
Analysis of 780 clients shows most vulnerabilities have at least one unaffected client.
The approach is fast, taking less than a second per client.
Abstract
It has become common practice for software projects to adopt third-party dependencies. Developers are encouraged to update any outdated dependency to remain safe from potential threats of vulnerabilities. In this study, we present an approach to help developers show whether or not vulnerable code is reachable in JavaScript projects. Our prototype, SōjiTantei, is evaluated in two ways: (i) its accuracy when compared to a manual approach and (ii) a larger-scale analysis of 780 clients from 78 security vulnerability cases. The first evaluation shows that SōjiTantei has a high accuracy of 83.3%, with an analysis time of less than a second per client. The second evaluation reveals that 68 out of the studied 78 vulnerabilities had at least one clean client. The study proves that automation is promising, with the potential for further improvement.
