Fixing Vulnerabilities Automatically with Linters

Willard Rafnsson, Rosario Giustolisi, Mark Kragerup, Mathias Høyrup

Research output: Conference article in proceedings (research, peer-reviewed)

Abstract

Static analysis is a tried-and-tested approach to eliminate vulnerabilities in software. However, despite decades of successful use by experts, mainstream programmers often deem static analysis too costly to use. Mainstream programmers do routinely use linters, which are static analysis tools geared towards identifying simple bugs and stylistic issues in software. Can linters serve as a medium for delivering vulnerability detection to mainstream programmers?
We investigate the extent to which linters can be leveraged to help programmers write secure software. We present new rules for ESLint that detect, and automatically fix, certain classes of cross-site scripting, SQL injection, and misconfiguration vulnerabilities in JavaScript. Evaluating our experience, we find that there is enormous potential in using linters to eliminate vulnerabilities in software, due to the relative ease with which linter rules can be implemented and shared with the community. We identify several open challenges, including third-party library dependencies and linter configuration, and propose ways to address them.
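The abstract describes ESLint rules that both detect a vulnerability class and offer an automatic fix. The block below is an added illustration of that mechanism, not the rules from the paper: two rules written in ESLint's rule shape (`meta` plus a `create(context)` function returning an ESTree visitor, `context.report` with a `fix` callback, `fixer.replaceText`). One rule rewrites dynamic `innerHTML` assignments to `textContent`; the other only reports `query` calls built from interpolated template literals, because turning them into parameterised queries cannot be done safely by a text substitution. The `runRule` driver and the hand-built ESTree fragments are stand-ins for the ESLint engine and parser so the rules can be exercised offline; the sample sources are constructed.

```javascript
"use strict";

// Rule 1: `x.innerHTML = <non-literal>` is reported and auto-fixed to `textContent`.
// A string literal on the right-hand side is constant markup and is left alone.
const noUnsafeInnerHtml = {
  meta: {
    type: "problem",
    fixable: "code",
    messages: { unsafe: "Dynamic value assigned to innerHTML (XSS risk); use textContent." },
  },
  create(context) {
    return {
      AssignmentExpression(node) {
        const left = node.left;
        if (left.type === "MemberExpression" && !left.computed &&
            left.property.type === "Identifier" && left.property.name === "innerHTML" &&
            node.right.type !== "Literal") {
          context.report({
            node,
            messageId: "unsafe",
            fix: (fixer) => fixer.replaceText(left.property, "textContent"),
          });
        }
      },
    };
  },
};

// Rule 2: `db.query(`...${expr}...`)` is reported without a fix: a parameterised
// rewrite needs a new argument list, which a lexical text replacement cannot produce.
const noTemplateSqlQuery = {
  meta: {
    type: "problem",
    messages: { unsafe: "SQL assembled from an interpolated template literal; use parameters." },
  },
  create(context) {
    return {
      CallExpression(node) {
        const callee = node.callee;
        const arg = node.arguments[0];
        if (callee.type === "MemberExpression" && !callee.computed &&
            callee.property.name === "query" &&
            arg && arg.type === "TemplateLiteral" && arg.expressions.length > 0) {
          context.report({ node, messageId: "unsafe" });
        }
      },
    };
  },
};

// Minimal stand-in for ESLint's traversal, context and fixer (hypothetical driver;
// real ESLint supplies all three). Returns the list of reports with any fix attached.
function runRule(rule, ast) {
  const reports = [];
  const fixer = { replaceText: (n, text) => ({ range: n.range, text }) };
  const context = {
    report(d) { reports.push({ messageId: d.messageId, fix: d.fix ? d.fix(fixer) : null }); },
  };
  const visitor = rule.create(context);
  (function walk(node) {
    if (!node || typeof node.type !== "string") return;
    if (visitor[node.type]) visitor[node.type](node);
    for (const v of Object.values(node)) {
      if (Array.isArray(v)) v.forEach(walk);
      else if (v && typeof v === "object") walk(v);
    }
  })(ast);
  return reports;
}

// Apply a single range-based fix to source text, as ESLint's --fix would.
function applyFix(source, fix) {
  return source.slice(0, fix.range[0]) + fix.text + source.slice(fix.range[1]);
}

// Constructed ESTree fragments with source ranges for:
//   "el.innerHTML = userInput"            (flagged and fixed)
//   "db.query(`SELECT * FROM t WHERE id = ${id}`)"  (flagged, no fix)
const innerHtmlSource = "el.innerHTML = userInput";
const innerHtmlAssign = {
  type: "AssignmentExpression", operator: "=", range: [0, 24],
  left: { type: "MemberExpression", computed: false, range: [0, 12],
          object: { type: "Identifier", name: "el", range: [0, 2] },
          property: { type: "Identifier", name: "innerHTML", range: [3, 12] } },
  right: { type: "Identifier", name: "userInput", range: [15, 24] },
};
const templateQueryCall = {
  type: "CallExpression", range: [0, 45],
  callee: { type: "MemberExpression", computed: false, range: [0, 8],
            object: { type: "Identifier", name: "db", range: [0, 2] },
            property: { type: "Identifier", name: "query", range: [3, 8] } },
  arguments: [{ type: "TemplateLiteral", range: [9, 44],
                quasis: [{ type: "TemplateElement", value: { raw: "SELECT * FROM t WHERE id = " } },
                         { type: "TemplateElement", value: { raw: "" } }],
                expressions: [{ type: "Identifier", name: "id", range: [40, 42] }] }],
};

// Stand-alone demonstration of detect-and-fix versus detect-only.
const xssReports = runRule(noUnsafeInnerHtml, innerHtmlAssign);
console.log(applyFix(innerHtmlSource, xssReports[0].fix)); // el.textContent = userInput
console.log(runRule(noTemplateSqlQuery, templateQueryCall).length, "SQL report(s), no fix");
```

The design point is the split between `fixable` and report-only rules: a fix that is not semantics-preserving in every case (such as restructuring a query into a parameterised call) should be left to the developer, while a purely local substitution like `innerHTML` to `textContent` is safe for the linter to apply itself.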
Original language: English
Title of host publication: 14th International Conference on Network and System Security
Publisher: Springer
Publication date: 2020
Publication status: Published - 2020

Keywords

  • Static analysis
  • Software vulnerabilities
  • Mainstream programmers
  • Linters
  • JavaScript security
