  • Improved SecurityWarningsDisabledJSONCheck and CustomArgumentsJSONCheck, closes #94
  • Added better docs for the eng-disable annotations for GlobalChecks
  • Upgraded most dependencies
  • Removed npm-shrinkwrap.json, closes #91
  • A new GitHub Action for the tool is available at doyensec/electronegativity-action to easily integrate Electronegativity into your continuous integration pipeline
  • Improved LimitNavigationGlobalCheck 6a8639e
  • Global checks can now be disabled using inline annotations #78
  • Dependencies upgrade dc2a6b2, 2dca108
  • Fix broken sarif export #80
  • Fix console output #81
  • Fix error code and unhandled promise #82
  • Allow inline annotations in source code to ignore a check (// eng-disable) #78
  • Introduce a new exclusion flag (-x) to exclude specific checks 1497db6
  • The verbose flag (-v) is now enabled by default; the checks' descriptions are now shown in the results table 733e44a
  • Add options for parser plugins (-p or --parser-plugins <plugins>) #76
  • Fix false positive for the global navigation check in TypeScript #77
  • Upgrade npm dependencies

Thanks to @bchurchill for the last two PRs!

  • Don't require customScan when running programmatically #72
  • Don't fail in CSPGlobalCheck if CSP is invalid #68, 86fb1ed
  • Better Electron version detection #67
  • Consider Electron version and update checks according to new defaults (fixes #23, #58) #66
  • Update NodeIntegrationJSCheck to respect the default changes 3d1beb7
  • Pass webPreferences defaults to checkers 29a8627
  • Don't fail in version check if Electron version is unknown #65
    ...and other non-tracked issues

Thanks @baltpeter for the valuable contributions on this release! <3

b9048ec
  • Electronegativity now features a Node API-friendly function that can be used programmatically (thanks @baltpeter!) #59
```javascript
const run = require('@doyensec/electronegativity')
// or: import run from '@doyensec/electronegativity';

run({
  // input (directory, .js, .html, .asar)
  input: '/path/to/electron/app',
  // save the results to a file in csv or sarif format (optional)
  output: '/path/for/output/file',
  // true to save output as sarif, false to save as csv (optional)
  isSarif: false,
  // only run the specified checks
  customScan: ['dangerousfunctionsjscheck', 'remotemodulejscheck'],
  // only return findings with the specified level of severity or above (optional)
  severitySet: 'high',
  // only return findings with the specified level of confidence or above (optional)
  confidenceSet: 'certain',
  // show relative path for files (optional)
  isRelative: false,
  // run Electron upgrade checks, eg -u 7..8 to check upgrade from Electron 7 to 8 (optional)
  electronUpgrade: '7..8'
})
  .then(result => console.log(result))
  .catch(err => console.error(err));
```
  • Add Electron upgrade checks to Electronegativity. The intention of this feature is for developers to discover the breaking changes that will affect them when they upgrade to a newer version of Electron. As it currently stands this feature will add checks for Electron versions 5-8. To use this feature a new argument -u or --upgrade has been added (thanks @jkleinsc!) #60
  • Add new Remote Module Check #57
  • Fix a dependency issue of Electronegativity preventing it from running properly #63
  • The Electron releases' file is now stored in the correct temporary path for every OS #54
  • This minor release includes several bug fixes for #56, #54, 81d48a8, and other non-tracked issues
  • Support for nodeintegrationinsubframes both for JS/HTML resources #52
  • Introduced a global check called HTTP_RESOURCES_WITH_NODE_INTEGRATION_GLOBAL_CHECK to review the use of plain HTTP resources loaded in node-integrated contexts 71acdd8
  • Migrated to cli-table3, word wrapping in columns is now working correctly
  • Introduced the -v (--verbose) flag to display the issues' short description 6e14dc8
  • This patch release includes a fix for #53. Weak ETags were occasionally returned by the GitHub Raw CDN, breaking the syncing routine of the releases.json file. (0ed8287)
  • Variable scoping analysis capabilities have been added to inspect the Function and Global variable content, when available.
  • Every check now has importance and accuracy attributes that help the auditor determine the importance of each finding. Consequently, we also introduced new command line flags to filter the results by severity (--severity) and by confidence (--confidence), useful for tailoring Electronegativity integration in your application security pipelines or build systems.
  • Add support for BrowserView and nodeIntegrationInSubFrames
  • Add the -r, --relative flag to display relative path for files
  • Upgraded typescript-estree to @typescript-eslint/typescript-estree in order to support newer versions of TypeScript
  • Several bug fixes and improvements (#49, #50, 84316b1, b32b81b, 04016b3)

The official manual for this 1.3.0 release is also available.
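The severity/confidence filtering described above (and the `severitySet` / `confidenceSet` options of the programmatic API) is easiest to reason about as an ordinal threshold over a findings list. The following is an added example, not Electronegativity's own code: it applies such a threshold to a constructed list of findings and turns the outcome into a CI exit code, which is the pattern a build-pipeline integration needs. The level names and their ordering (`informational < low < medium < high`, `tentative < firm < certain`), the shape of each finding object, and the sample findings themselves are assumptions made for the example; only the check identifiers are taken from these release notes.

```javascript
// Added example (not part of Electronegativity): a CI gate that keeps findings
// at or above a severity/confidence threshold and reports a pass/fail decision.
// ASSUMPTION: level names/ordering and the finding shape are not taken from the
// release notes; adapt them to the real scan output before use.

const SEVERITY = ['informational', 'low', 'medium', 'high'];
const CONFIDENCE = ['tentative', 'firm', 'certain'];

// Ordinal position of a level on its scale; unknown levels are rejected loudly
// rather than silently treated as the lowest value.
function rank(scale, level) {
  const i = scale.indexOf(String(level).toLowerCase());
  if (i === -1) throw new Error(`unknown level: ${level}`);
  return i;
}

// Keep findings whose severity AND confidence reach the thresholds (defaults
// keep everything, mirroring a scan run without --severity / --confidence).
function filterFindings(findings, { severitySet = 'informational', confidenceSet = 'tentative' } = {}) {
  const minSev = rank(SEVERITY, severitySet);
  const minConf = rank(CONFIDENCE, confidenceSet);
  return findings.filter(f =>
    rank(SEVERITY, f.severity) >= minSev && rank(CONFIDENCE, f.confidence) >= minConf);
}

// Build-gate decision: fail (exit code 1) if anything survives the filter.
function gate(findings, thresholds) {
  const kept = filterFindings(findings, thresholds);
  return { failed: kept.length > 0, exitCode: kept.length > 0 ? 1 : 0, kept };
}

// Constructed sample findings (not real scan output); ids come from the notes above.
const SAMPLE_FINDINGS = [
  { id: 'remotemodulejscheck', severity: 'HIGH', confidence: 'CERTAIN', file: 'main.js' },
  { id: 'dangerousfunctionsjscheck', severity: 'MEDIUM', confidence: 'TENTATIVE', file: 'renderer.js' },
  { id: 'HTTP_RESOURCES_WITH_NODE_INTEGRATION_GLOBAL_CHECK', severity: 'HIGH', confidence: 'FIRM', file: 'index.html' },
  { id: 'dangerousfunctionsjscheck', severity: 'LOW', confidence: 'CERTAIN', file: 'util.js' },
];

if (typeof require !== 'undefined' && require.main === module) {
  // Same thresholds as the API example above: only high-severity, certain findings block the build.
  const verdict = gate(SAMPLE_FINDINGS, { severitySet: 'high', confidenceSet: 'certain' });
  for (const f of verdict.kept) console.log(`${f.file}: ${f.id} [${f.severity}/${f.confidence}]`);
  console.log(verdict.failed ? 'build blocked' : 'build ok');
  process.exitCode = verdict.exitCode;
}
```

Wire `gate()` to the promise returned by `run()` in place of the `console.log(result)` in the API example, and the scan becomes a blocking pipeline step; widening the threshold (for example `severitySet: 'medium'`) is then a one-line policy change rather than a change to the scan itself.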