Master's Dissertation

Graph.js 2.0: Efficient and Trustworthy Code Property Graphs for JavaScript

Tomás de Araújo Tavares, 2024

Key information

Authors:

Tomás de Araújo Tavares

Advisors:

José Faustino Fragoso Femenin dos Santos; Nuno Miguel Carvalho dos Santos

Published on

11/11/2024

Abstract

JavaScript and Node.js have become central to modern web development, powering a vast ecosystem of applications and frameworks. As their popularity grows, so does the need for robust static analysis tools capable of detecting security vulnerabilities in these environments. Over the years, several tools have been developed for this purpose, with Code Property Graph (CPG) approaches gaining significant traction due to their flexibility and extensibility. One such tool, Graph.js, was recently introduced as a CPG-based solution for vulnerability detection in JavaScript codebases. However, despite the advancements it made to the field, Graph.js faces notable limitations in terms of soundness, precision, and efficiency, which affect its practical effectiveness. In this thesis, we propose Graph.js 2.0, a new version of Graph.js designed to overcome its predecessor's limitations. The key contributions introduced by Graph.js 2.0 are as follows: (i) a new transpiler that converts JavaScript programs into a simplified core language, optimized for more efficient analysis; (ii) a new graph construction engine, closely aligned with the formal specification from the original Graph.js, which also offers better performance than its predecessor; and (iii) a new built-in engine optimized for Graph.js queries. Our evaluation demonstrates that: (i) the new transpiler is significantly faster and more accurate than the original; and that (ii) the new graph construction engine not only performs faster but also produces more compact graphs without losing essential information.

Publication details

Scientific Domain (FOS)

electrical-engineering-electronic-engineering-information-engineering - Electrical Engineering, Electronic Engineering and Information Engineering

Publication language (ISO code)

eng - English

Access to the publication:

Embargoed Access

Embargo end date:

30/08/2025

Institution name

Instituto Superior Técnico