Master's Thesis

Graph.js 2.0: Efficient and Trustworthy Code Property Graphs for JavaScript

Tomás de Araújo Tavares, 2024

Key information

Authors:

Tomás de Araújo Tavares

Supervisors:

José Faustino Fragoso Femenin dos Santos; Nuno Miguel Carvalho dos Santos

Published in

11/11/2024

Abstract

JavaScript and Node.js have become central to modern web development, powering a vast ecosystem of applications and frameworks. As their popularity grows, so does the need for robust static analysis tools capable of detecting security vulnerabilities in these environments. Over the years, several tools have been developed for this purpose, with Code Property Graph (CPG) approaches gaining significant traction due to their flexibility and extensibility. One such tool, Graph.js, was recently introduced as a CPG-based solution for vulnerability detection in JavaScript codebases. However, despite the advancements it made to the field, Graph.js faces notable limitations in terms of soundness, precision, and efficiency, which affect its practical effectiveness. In this thesis, we propose Graph.js 2.0, a new version of Graph.js designed to overcome its predecessor's limitations. The key contributions introduced by Graph.js 2.0 are as follows: (i) a new transpiler that converts JavaScript programs into a simplified core language, optimized for more efficient analysis; (ii) a new graph construction engine, closely aligned with the formal specification from the original Graph.js, which also offers better performance than its predecessor; and (iii) a new built-in engine optimized for Graph.js queries. Our evaluation demonstrates that (i) the new transpiler is significantly faster and more accurate than the original, and (ii) the new graph construction engine not only performs faster but also produces more compact graphs without losing essential information.

Publication details

Fields of Science and Technology (FOS)

electrical-engineering-electronic-engineering-information-engineering - Electrical engineering, electronic engineering, information engineering

Publication language (ISO code)

eng - English

Rights type:

Embargoed access

Date available:

08/30/2025

Institution name

Instituto Superior Técnico