Are there any JavaScript static analysis tools? [closed] - javascript

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 5 years ago.
Improve this question
I'm used to having my compiler complain when I do something stupid like a typo on a variable name but JavaScript has a habit of letting this pass.
Are there any static analysis tools for JavaScript?

UPDATED ANSWER, 2017: Yes. Use ESLint. http://eslint.org
In addition to JSLint (already mentioned in Flash Sheridan's answer) and the Closure compiler (previously mentioned in awhyte's answer) I have have also gotten a lot of benefit from running JSHint and PHP CodeSniffer. As of 2012, all four tools are free open-source and have a large and active developer community behind them. They're each a bit different (and I think, complementary) in the kinds of checks they perform:
JSLint was designed to be, and still is Douglas Crockford's personal linting tool. It ships with a great default ruleset -- Crockford's own, constantly updated as he continues to learn about JavaScript and its pitfalls. JSLint is highly opinionated and this is generally seen as a good thing. Thus there's (intentionally) a limited amount you can do to configure or disable individual rules. But this can make it tough to apply JSLint to legacy code.
JSHint is very similar to JSLint (in fact it began life as JSLint fork) but it is easier/possible to configure or disable all of JSLint's checks via command line options or via a .jshintrc file.
I particularly like that I can tell JSHint to report all of the errors in a file, even if there are hundreds of errors. By contrast, although JSLint does have a maxerr configuration option, it will generally bail out relatively early when attempting to process files that contain large numbers of errors.
The Closure compiler is extremely useful in that, if code won't compile with Closure, you can feel very certain said code is deeply hosed in some fundamental way. Closure compilation is possibly the closest thing that there is in the JS world to an "interpreter" syntax check like php -l or ruby -c
Closure also warns you about potential issues such as missing parameters and undeclared or redefined variables. If you aren't seeing the warnings you expect, try increasing the warning level by invoking Closure with an option of --warning_level VERBOSE
PHP CodeSniffer can parse JavaScript as well as PHP and CSS. CodeSniffer ships with several different coding standards, (say phpcs -i to see them) which include many useful sniffs for JavaScript code including checks against inline control structures and superfluous whitespace.
Here is a list of JavaScript sniffs available in PHP CodeSniffer as of version 1.3.6 and here is a custom ruleset that would allow you to run them all at once. Using custom rulesets, it's easy to pick and choose the rules you want to apply. And you can even write your own sniffs if you want to enforce a particular "house style" that isn't supported out of the box. Afaik CodeSniffer is the only tool of the four mentioned here that supports customization and creation of new static analysis rules. One caveat though: CodeSniffer is also the slowest-running of any of the tools mentioned.

I agree that JSLint is the best place to start. Note that JavaScript Lint is distinct from JSLint. I’d also suggest checking out JSure, which in my limited testing did better than either of them, though with some rough edges in the implementation—the Intel Mac version crashed on startup for me, though the PowerPC version ran fine even on Intel, and the Linux version ran fine as well. (The developer, Berke Durak, said he'd get back to me when this was fixed, but I haven't heard from him.)
Don’t expect as much from JavaScript static analysis as you get from a good C checker. As Durak told me, “any non-trivial analysis is very difficult due to Javascript's dynamic nature.”
(Another, even more obscure Mac-only bug, this time with JSLint’s Konfabulator widget: Dragging a BBEdit document icon onto the widget moves the document to the trash. The developer, Douglas Crockford, hadn’t tried the widget on a Mac.)
10 August 2009: Today at the Static Analysis Symposium, Simon Holm Jensen presented a paper on TAJS: Type Analyzer for JavaScript, written with Anders Møller and Peter Thiemann. The paper doesn’t mention the above tools, but Jensen told me he’d looked at some of them and wasn’t impressed. The code for TAJS should be available sometime this summer.

Google's "Closure" JS compiler produces configurable warnings and errors at compile-time. It definitely finds misspelled variables and methods, plus arity mistakes. If you're willing to write JsDoc the Closure way, it can do a lot with type information, too.
The YUI "Compressor" tool can produce warnings too, but haven't tried it yet.
I haven't had much luck with the Aptana IDE, built on Eclipse, but other people like it. See Stack Overflow discussion of JS IDEs.
The IntelliJ IDE, which isn't free last I checked, has frickin' excellent JS support. It will detect and highlight misspelled vars and methods as you type, and more. It's got autocomplete, too.

In summary, JSLint, JSHint, Plato, ESLint, Google Closure-Linter are the tools available.
I faced installation issues while trying out Google Closure-Linter for Windows. But, it does mention on the web page that its support for Windows is experimental.
I found and tried another tool which works well. Here is the link for it:
http://esprima.org/
Also, this is the github link for the tool Esprima:
https://github.com/ariya/esprima

You can see some tools for JavaScript static code analysis in this Wiki.
A tool in the Wiki, but not mentioned in this post, is DeepScan.
Its focus is to find runtime errors and quality issues rather than coding conventions of linters. It covers also TypeScript, React and Vue.js.
You can try it out for your GitHub project.

I tried out ESlint and found it good..you can also add custom rules there..Here is the github repo: https://github.com/nzakas/eslint and here is the introduction to it: http://www.nczonline.net/blog/2013/07/16/introducing-eslint/

More security focused than general purpose list can be found on the Mozilla Wiki at Security/B2G/JavaScript code analysis
The purpose of this document is to collect JavaScript code analysis
tools suitable for including in coming Mozilla projects or for
internal use.
Also there is at least one commercial product that does security analysis: Burp gets new JavaScript analysis capabilities
The latest release of Burp includes a new engine for static analysis of JavaScript code. This enables Burp Scanner to report a range of new vulnerabilities, including:
DOM-based XSS
JavaScript injection
Client-side SQL injection
WebSocket hijacking
Local file path manipulation
DOM-based open redirection
Cookie manipulation
Ajax request header manipulation
DOM-based denial of service
Web message manipulation
HTML5 storage manipulation

In the commercial realm, Coverity Static Analysis supports analysis of JavaScript as of version 7.7 (mid-2015). Regarding your specific inquiry about typos, my pet project appearing in the latest release (8.0, beginning of 2016) does find typos in names of program elements.
As a key developer on the project, please accept my shameless plug: Though not yet as mature as the venerated C/C++ analysis, Coverity's JavaScript analysis shares much of the same engine, with the same focus on finding high-value defects with a low rate of false positive defect reports. We are increasing our focus on finding security defects in JavaScript (and other languages), in addition to finding general programming errors.
Now, here are some typos it finds (exact typo left as an exercise for the reader, to emphasize how easily these can be overlooked):
merge.js: (stable link) (latest revision)
commands-packages-query.js: (stable link) (latest revision)
series-pie-tests.js: (stable link) (latest revision)
outline_case.js: (stable link) (latest revision)

I like Jslint for this sort of thing...

Flow does static analysis with and without annotations.
If you need annotations, the syntax is compatible to TypeScript.
Install the package with :
npm install --global flow-bin
There's also some tooling. Have a look at gulp-flowtype and perhaps SublimeLinter-flow

JSAnalyse has just been published on codeplex.
It is a tool which analyses the dependencies between javascript files. You can even define the allowed dependencies and JSAnalysis checks whether the defined rules are fulfilled or not. That allows to keep track about the javascript dependencies even in big projects and have a clean architecture.
JSAnalyse can be executed as a command line tool or configured via the Visual Studio Layer Diagramm. It is also easy to integrate into the build. With gated check-ins you can keep the dependencies under control.
http://jsanalyse.codeplex.com/

Our SD ECMAScript CloneDR is a tool for finding exact and near-miss copies of duplicated code across large JavaScript source code bases.
It uses the language syntax to guide the detection, so it will find clones in spite of format changes, inserted/deleted comments, renamed variables and even some inserted/deleted statements.
The site has a sample CloneDR run on Google's Closure library.

Full disclosure, I'm behind this: http://www.toptensoftware.com/minime which does minification, obfuscation and a reasonable set of lint style checks.

Related

Javascript plugin for Eclipse?

I am very happy with Eclipse and don't want to change my IDE, but find the pre-bundled Eclipse plugin for JavaScript too difficult to work with.
Too many of the features that I got used to developing Java (not JavaScript) in Eclipse seem to be missing or incomplete, such as an intelligent code analysis, smart refactorings, a truly language-related (not full-text) reference search, class inheritance trees, etc.
Any suggestions for alternative Eclipse plugins for JavaScript development?
Admittedly, it is a lot more difficult to analyze JavaScript code (compared to Java) not only for a plugin but also for any human programmer, because JavaScript comes with fewer structural elements, and because there are so many different ways to do common things like inheritance or modularization. But there's got to be something, right?
As Nodeclipse lead, I am always looking for what is available in Eclipse ecosystem.
JavaScript support is Eclipse JSDT project.
It gives Editor, and JSDoc support.
For ES5 support, JSDT validation is to be disabled and JSHint-Eclipse used.
Also there is new Tern-IDE plugins, that gives hints and go to definition by using Tern.js.
The same author leads AngularJS plugin
All mention plugins can be got via Enide Studio 2014 (installed as plugins or downloaded as stand-alone product).
Nodeclipse site has even more links,
and I am inviting to collaborate on the JavaScript tools on GitHub
There are also JSON Editor and Json Tools.
Unfortunately VJET is no longer continued as there is no backing company now.
All effort are community driven. The simplest contribution is reporting bug or taking own issue to research and share.
Any suggestions for alternative Eclipse plugins for JavaScript development?
No alternative plugins, just get more of them.
The VJET plugin seems to provide better JavaScript support, although I haven't tested it very extensively.
http://eclipse.org/vjet/
For necessary code hygiene I recommend to use JSHint (a sane version of JSLint).
http://marketplace.eclipse.org/content/jshint-eclipse
Both are installable through the built-in Eclipse Marketplace.
The popular Aptana IDE, which is based on Eclipse, is also available as plugin, but I haven't tested it as plugin.
http://www.aptana.com/products/studio3/download
My personal opinion: Eclipse has outdated syntax validators (no ECMAScript 5 support) and non of the plugins can fix that. The problem is known for years (Bug Report), but nothing is done about it. Code completion seems to be a lot better in the WebStorm IDE or Sublime Text with certain plugins. Right now, I'm quite happy using Eclipse for my backend Java stuff and WebStorm for the frontend code for the same project.
A. In the Eclipse world...in my opinion... the best JavaScript support is currently given by Eclipse Orion, a web based variant of Eclipse:
https://orionhub.org
Orion applies tern.js to get JavaScript features like highlighting and completion:
Eclipse orion code completion
The JavaScript library tern.js seems to be up to date:
https://github.com/ternjs/tern
And it is applied by several Source Code Editor plugins:
https://ternjs.net/#plugins
B. On the other hand, all JavaScript plugins for Eclipse seem to be outdated.
See for example
http://www.eclipse.org/webtools/development/news/main.php (last updated 2016)
The Eclipse Plugin for tern.js seems to be out of date, too:
https://marketplace.eclipse.org/content/tern-eclipse-ide
I was not able to install it on the current Eclipse version Photon.
Also see https://github.com/angelozerr/tern.java/issues/463
C. If you are open for a commercial JavaScript editor, try to use WebStorm, als already suggested by Tilman.
If there is a good Eclipse based JavaScript solution, that I am not aware of and that is able to compete with the features of WebStorm, please let me know.

What's the best tool for Javascript security auditing?

Something that can at least scan a batch of .js files looking for eval statements and other questionable code. Maybe just a regex pattern would do it, but I'd like to find a more sophisticated (and regularly maintained) tool.
old topic but new tool :
ScanJS, developed by mozilla in order to check the Firefox OS security.
https://github.com/mozilla/scanjs
Have you tried Douglas Crockford's JSLint? Although it doesn't scan your code for security problems, however, it does alert you on "eval" statements. OTOH, Predrag Tomasevic has wrote a JavaScript Verifier based on JSLint that can be integrated with Visual Studio (read more on this here).
I'm not aware of any Open Source tools that conduct static analysis of JavaScript.
Grepping for eval() likely isn't going to help for anything other than very simple, very obvious mistakes. It'll be even more difficult to analyze if the script has been minified or obfuscated because you'll be hard-pressed to determine if the argument is being used safely or not.
There are plenty of security problems in JavaScript that rely on the interaction with the DOM. Grepping for eval() might work, but it'll miss other execution points like hrefs or event handlers that might be attacked, e.g. href=javascript:xss or onFoo=xss. You really need a tool that deals with JavaScript and the DOM, not just a JavaScript console.
IBM/Watchfire recently released a paper about a JavaScript analyzer they've created. The paper provides details on results rather than implementation. A commercial tool might not be the way you want to go, but the paper should help shed more light on the challenges of doing this well.
This tool from Facebook seems promising.
https://github.com/facebook/jsgrep

Is there a good javascript plugin for visual studio?

I think that Visual Studio's biggest let down is the Javascript editor. I have been told to use Aptana as an editor for my javascript files, but I would prefer to stick with visual studio if possible.
I have read other similar plugin posts, but none focus specifically on Javascript.
VS2010 may offer some improvements, but will they be up to Apatana standards? I have briefly tested the beta, but I'm not overly impressed.
Is there anything out there that will bring Javascript closer to c# development? Considering the wide spread use of Javascript I think there must be something....... I hope! :)
Many thanks in advance... this is something that has always bugged me!
There's a couple recent plugins that may be helpful :
From Microsoft :
JScript Editor Extensions
Brace Matching
Outlining / Cold-folding
Current Word Highlighting
IntelliSense Doc-Comments Support
JSEnhancements
Outlining and matching braces highlighting
(I wouldn't think installing both of these is a good idea - and the Microsoft plugin has more features so try that one first)
VS is a pretty good IDE (especially when coupled with Resharper) but not so hot with Javascript. The debugger is good and there's the JSLint plugin but other than that I'm not sure. Aptana (based on Eclipse) is an excellent javascript IDE but it doesn't like it much when the javascript is embedded in aspx files (unless they updated the support recently). So far I'm not sure there's an ideal .net platform IDE for both client and server side stuff just yet.
Update: Resharper 6 added pretty good JavaScript support - so now I'd recommend that combination if you're doing a lot of debugging across client and server at the same time. If you're focussing on pure client code then I find WebStorm to be an excellent JavaScript/HTML IDE - even better than Aptana.
I'd really like to recommend Webstorm. It does not! treat your JS as text files.
Its a full blown JS editor and has become my favourite JS editor working in parallel with VS to handle my server side stuff.
WS has actual object intellisense across JS files. That means when I press . (dot) it shows me the functions on that objects, even if its located physically in another file.
It will recognize my objects (or their type if you will) created in other JS files referred to in the file I'm working on.
I have 'Find usages' on JS functions
I have 'find all references' on JS object / function / class / variable or whatever you want to search on. In the end its all objects but Webstorm knows this.
If I change the short/cut to F12, I can press F12 on my function call and it will jump to the implementation of that JS functon. Even if its located in another file.
Ofc. you have code folding and colouring, extract method and other neat code re factoring, overview creating tools.
Oh. And by the way.
I'd like to kill off a rumour going around in the cloud on forums I come across from time to time, looking for better ways to handle JS.
reSharper DO NOT SUPPORT JAVASCRIPT! A little piece of me dies every time I read some guy repeating what he saw on the reSharper site. It may have a some poor intellisense and some low level syntax check, but that has nothing to do with support.
Notepad++ supports JS better than VS in my opinion.
Münster
Don't forget to grab Chirpy to handle minifying your scripts in VS.
If you use Visual Studio, add the
/// <reference path="myOtherJsFile.js" />
directive at top of your js files and install Web Essentials you get pretty decent (but not perfect) intellisense, go to definition by using F12 and find all references (sort of..) by using SHIFT+F12

IDE for JavaScript development [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking us to recommend or find a tool, library or favorite off-site resource are off-topic for Stack Overflow as they tend to attract opinionated answers and spam. Instead, describe the problem and what has been done so far to solve it.
Closed 9 years ago.
Improve this question
What do you suggest for JS development IDE. Is there something similar to VisualStudio IDE, so I can run/debug my application in it?
At JetBrains we've just developed lightweight HTML/Javascript/CSS IDE WebStorm that includes very smart JavaScript Editor with DOM-based autocompletion and HTML5 API support.
It allows you to debug(breakpoints supported) and run your scripts directly from IDE.
A few options:
Visual Studio 2008 (including VWD Express, http://blog.berniesumption.com/software/how-to-debug-javascript-in-internet-explorer/)
Adobe Dreamweaver CS4
Notepad++ (or any other text editor), Firefox and Firebug
I think IntellJ's JavaScript support is excellent, just like everything else that they do.
Netbeans 6.x and Firefox+Firebug
In the past I used Aptana Standalone or as a Eclipse plugin. The Pro version has some nice addons like the embedded IE (to the always embedded Firefox) and debugging support for both browsers.
I found after hours of testing, that Suns Netbeans is the best PHP and Python IDE for Windows and Linux. I was surprised that also Javascript support can hold the candle to Aptana.
So Netbeans is my recommendation (not only for Javascript).
Give it a try, its free!
I've found Aptana Studio to be good.
I tend to recommend more and more Netbeans that has not been proposed yet (I am blind sometimes). Netbeans is developed by Sun and support not only Java but also a few other languages (PHP,Ruby,Python, Javascript).
I use it for a while now and I am very satisfied. It is fast, provides code completion and integrates easily major JS libraries (Prototype, YUI). It has also a debugger that you can tied to FF or IE.
Try it you won't be disappointed!
Here's a good list of IDEs you can use for writing JavaScript:
http://www.programmerfish.com/top-8-ide-integrated-development-environment-for-java-script-html5-ajax/
Nowadays I am using JetBrains' PHPStorm and I can easily say, this is the best editor I've ever tried. Comes with lots of features that I have not seen at other editors like,
find a word in a directory (grep equivalent)
extended and useful intellisense feature with multiple files and parent classes
internal GIT support
a tree view for application structure
an awesome version history support that works with GIT and your local history. This is very useful when you want to take a look at a GIT untracked file, you can see all history details of the file for weeks.
with a great addon named CSSXFire that works with Firebug and tracks the CSS changes and import them to editor and allows you easily reproduce the same changes that you've done in Firebug CSS Console. This is really awesome
another useful feature is, when you want to delete or rename a file, editor searches the file has been used in this directory and notifies you. This is called safe-refactor
intellisense for files, while you typing a css background-image, a src or an href attribute
Sometimes I deal with PHP so I prefer PHPStorm, so Front End Developers should prefer WebStrorm that is specialized for us.
I think, every FE Developer should try PHPStorm or WebStorm with Firefox and Firebug.
Komodo IDE (or the free Komodo Edit if you can live without an integrated debugger) are pretty nice.
I tried few IDE last week and NetBeans is my winner. It got silent upload option for file upload in background. And very good code completion, folding, etc.
Here is my experience with the applications based on Extjs in UI with Java as server side language. I am a big supporter of open source technologies/products.
I so far I have used Eclipse, Netbeans, Webstorm and notepad++ with some added plugins.
And I feel Netbeans is best in terms of Syntax highlighting and formating. It recognizes missing commas, global variables, duplicate keys for object literals in a very impressive way.
Almost similar things can be achieved by adding some pligins like Spket in eclipse too, but it asks for licence when you go for advance level of settings.
If you are not so much concern about an integrated environment with web server then Web storm is best in all the aspects, but the biggest drawback of it is, "Its paid". ( Even if it asks for 1000 Rs ).
Firebug and a good syntax highlighting text editor is about the best combo. It's not necessary to add in much else. With just this combo you get:
Ability to set breakpoints
Inspect objects
Traverse the DOM
Alter CSS rules on the fly
See network traffic/responses
Evaluate and substitute code on the fly in production
And there are tools which add on to Firebug:
YSlow - Determine "why" your page is slow
Fireunit - Run unit tests
One of the advantage of Javascript development is that it's flexible and you can get instantaneous feedback while developing. I see no reason to get in the way of that by adding an IDE which includes a "deployment" step.
Notepad++ comes with built-in javascript syntax highlighting and JSlint plugin is very handy. IMHO for debugging there is nothing better than Chrome developer tools or Firebug.
This page reviews the most advanced Javascript IDEs (in terms of refactoring and intellisense anyway) :
http://blue-walrus.com/2013/08/review-javascript-ides/
Eclipse and JSEclipse plugin and of course Firefox + Firebug the ultimate duo. You'll find this development setup satisfactory.
Aptana is a great IDE as it will provide intelli-sense for CSS, javascript, html, java, etc. The debugger gives you the choice to run in FF or IE and is a full featured debugger. The community edition allows you to run a server side javascript as well. A very solid and feature rich platform for free.

JavaScript Source Code Analyzer [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 6 years ago.
Improve this question
Does anyone know of a good, extensible source code analyzer that examines JavaScript files?
In the interest of keeping this question up-to-date, there is a fork of JSLint called JSHint. An explanation of why JSHint was created can be found here, but to summarize:
JSHint is a fork of JSLint, the tool
written and maintained by Douglas
Crockford. JSLint served me well for
quite some time but in the past few
months it has gotten uncomfortably
opinionated and hostile towards your
code. It is quickly transforming from
a tool that helps developers to
prevent bugs to a tool that makes sure
you write your code like Douglas
Crockford.
JSLint has historically been the main tool for this, but several more now exist:
JSHint - a fork of JSLint that is said to be a little less opinionated
Closure Linter - a linter that checks against the Google Javascript Style Guide
ESLint - a more flexible tool, but newer, and not yet as stable.
If you haven't found it yet, you should take a look at Google Closure Compiler. Compiles your JavaScript and finds errors in code. http://code.google.com/closure/compiler/docs/gettingstarted_api.html
I tried out ESlint and found it good..you can also add custom rules there..Here is the github repo: https://github.com/nzakas/eslint
JSAnalyse has just been published on codeplex. It is a tool which analyses the dependencies between javascript files. You can even define the allowed dependencies and JSAnalysis checks whether the defined rules are fulfilled or not. That allows to keep track about the javascript dependencies even in big projects and to have a clean architecture.
JSAnalyse can be executed as a command line tool or configured via the Visual Studio Layer Diagramm. It is also easy to integrate into the build. With gated check-ins you can keep the dependencies under control.
There exist a parser called ECMAScript parsing infrastructure for multipurpose analysis (esprima) located at http://esprima.org/ with several example tools that can be used in some analysis
ECMAScript parsing infrastructure for multipurpose analysis
Apart from JSLint, JSHint, ESLint, Plato, Google Closure-Linter there's another tool named Esprima.
Here is the link for it: http://esprima.org/
Also, this is the github link for the tool Esprima: https://github.com/ariya/esprima
I faced installation issues while trying out Google Closure-Linter for Windows. But, it does mention on the web page that its support for Windows is experimental. All other tools are easy to use.
I have found JSLint which helps correct a lot of common errors and such; however, I'm hoping to find something that I can add my own rules and such to help automate some coding standards stuff that my company is wanting to implement into JavaScript.
http://www.jslint.com/
I need to look into it's extensibility model more.
There's a few tools on the list of tools for static code analysis at wikipedia that has JavaScript support, you can allso see JavaScript Debugging if any of the tools mentioned would help. There's allso a few good tools at YUI (Yahoo! Developer Network), as well as a lot of helpful components.
I've allways used JSLint myself, and that's the only analysis tool for JS I've tried. I've grown more and more fond of JavaScript, but good tools is still a problem. :(
I use Aptana for JavaScript file analysis. It catches alot of goofs (if condition with a single =). It also describes the class layout. I believe it has a jslint implementation embedded in it.

Categories

Resources