JavaScript/TypeScript
JavaScript is a high-level, interpreted programming language widely used by developers to create interactive and dynamic web content. Endor Labs supports scanning and monitoring JavaScript projects.
Using Endor Labs, developers can:
- Test their software for potential issues and violations of organizational policy
- Prioritize vulnerabilities in the context of their applications
- Understand the relationships between software components in their applications
Scan JavaScript projects
To successfully scan your JavaScript or TypeScript applications:
Install software prerequisites
- Endor Labs requires the following prerequisite software to be installed to successfully perform a scan:
  - Yarn: any version
  - npm: version 6.14.18 or higher
  - pnpm: version 3.0.0 or higher
- Make sure your repository includes one or more files with the .js or .ts extension.
- Make sure that you have the following minimum system specification requirements:
  - Processor: 4-core
  - Memory: 16 GB
Build JavaScript projects
You can choose to build your JavaScript projects before running a scan. Building creates a package-lock.json, yarn.lock, or pnpm-lock.yaml file, which speeds up the scan.
Ensure your repository has a package.json file and run the command for your package manager, making sure it builds the project successfully.
For npm:
npm install
For Yarn:
yarn install
For pnpm:
pnpm install
If the project is not built, endorctl builds it during the scan and generates a package-lock.json, yarn.lock, or pnpm-lock.yaml file. Make sure that npm, Yarn, or pnpm is installed on your system. If your repository already includes a lock file, endorctl uses it for dependency resolution and does not create a new one.
Run a scan
Perform a scan to get visibility into your software composition and resolve dependencies.
endorctl scan
To detect dependencies when using pnpm:
If you are using pnpm, set the environment variable ENDOR_PNPM_ENABLED to true and then run the scan.
export ENDOR_PNPM_ENABLED=true
endorctl scan
To enable dependency reachability:
To enable dependency reachability, which detects dependencies used in source code but not declared in the package's manifest files, set the --call-graph-languages flag to javascript,typescript.
endorctl scan --call-graph-languages=javascript,typescript
You can perform the scan from the root directory of the Git repository and save the local results to a results.json file. The results and related analysis information are also available in the Endor Labs user interface.
endorctl scan -o json | tee /path/to/results.json
Sign in to the Endor Labs user interface, click Projects in the left sidebar, and find your project to review its results.
Understand the scan process
Dependency analysis tools analyze the lock file of an npm, Yarn, or pnpm based package and attempt to resolve its dependencies. To resolve dependencies from private repositories, the settings in the repository's .npmrc file are considered.
Endor Labs goes beyond manifest file analysis by resolving JavaScript dependencies and identifying:
- Dependencies listed in the manifest file but not used by the application
- Dependencies used by the application but not listed in the manifest file
- Dependencies listed in the manifest as transitive but used directly by the application
- Dependencies categorized as test in the manifest, but used directly by the application
This analysis lets developers eliminate false positives and false negatives and easily identify test dependencies. Dependencies used in source code but not declared in the package's manifest files are tagged as Phantom.
Endor Labs also supports npm, Yarn, and pnpm workspaces out of the box. If your JavaScript frameworks and packages use workspaces, Endor Labs automatically takes the dependencies from the workspace to ensure that the package builds successfully.
Scan speed is improved if a lock file exists in the repository: endorctl does not perform a build and uses the existing files in the repository for analysis.
Known Limitations
- Endor Labs doesn’t currently support local package references
- If a dependency cannot be resolved from the lock file, building that specific package may fail. The package may have been removed from npm, or the .npmrc file may not be properly configured. Other packages in the workspace are scanned as usual.
- Call graph generation is not supported for JavaScript
Troubleshoot errors
- Unresolved dependency errors: The manifest file package.json is not buildable. Try running npm install, yarn install, or pnpm install in the root project to debug this error.
- Resolved dependency errors: A version of a dependency does not exist or cannot be found. It may have been removed from the repository.