Fixing Vulnerabilities Automatically with Linters

Willard Rafnsson, Rosario Giustolisi, Mark Kragerup, Mathias Høyrup

Publikation: Konference artikel i Proceeding eller bog/rapport kapitelKonferencebidrag i proceedingsForskningpeer review


Static analysis is a tried-and-tested approach to eliminate vulnerabilities in software. However, despite decades of successful use by experts, mainstream programmers often deem static analysis too costly to use. Mainstream programmers do routinely use linters, which are static analysis tools geared towards identifying simple bugs and stylistic issues in software. Can linters serve as a medium for delivering vulnerability detection to mainstream programmers?
We investigate the extent of which linters can be leveraged to help programmers write secure software. We present new rules for ESLint that detect---and automatically fix---certain classes of cross-site scripting, SQL injection, and misconfiguration vulnerabilities in JavaScript. Evaluating our experience, we find that there is enormous potential in using linters to eliminate vulnerabilities in software, due to the relative ease with which linter rules can be implemented and shared to the community. We identify several open challenges, including third-party library dependencies and linter configuration, and propose ways to address them.
Titel14th International Conference on Network and System Security
StatusUdgivet - 2020


Dyk ned i forskningsemnerne om 'Fixing Vulnerabilities Automatically with Linters'. Sammen danner de et unikt fingeraftryk.