Fixing Vulnerabilities Automatically with Linters

Research output: Conference article in proceedings or book/report chapter (article in proceedings, research, peer-reviewed)


Static analysis is a tried-and-tested approach to eliminate vulnerabilities in software. However, despite decades of successful use by experts, mainstream programmers often deem static analysis too costly to use. Mainstream programmers do routinely use linters, which are static analysis tools geared towards identifying simple bugs and stylistic issues in software. Can linters serve as a medium for delivering vulnerability detection to mainstream programmers?
We investigate the extent to which linters can be leveraged to help programmers write secure software. We present new rules for ESLint that detect, and automatically fix, certain classes of cross-site scripting, SQL injection, and misconfiguration vulnerabilities in JavaScript. Evaluating our experience, we find that there is enormous potential in using linters to eliminate vulnerabilities in software, due to the relative ease with which linter rules can be implemented and shared with the community. We identify several open challenges, including third-party library dependencies and linter configuration, and propose ways to address them.
Original language: English
Title of host publication: 14th International Conference on Network and System Security
Publication date: 2020
Publication status: Published - 2020

ID: 85509678