@doyensec/electronegativity
Advanced tools
Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron applications
Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron applications.
It leverages AST parsing to look for security-relevant configurations, as described in the "Electron Security Checklist - A Guide for Developers and Auditors" whitepaper.
Software developers and security auditors can use this tool to mitigate potential weaknesses and implementation bugs when developing applications using Electron.
If you're interested in Electron Security, have a look at our research - Electronegativity - A Study of Electron Security.
$ npm install @doyensec/electronegativity -g
| Option | Description |
|---|---|
| -V | output the version number |
| -i, --input | input (directory, .js, .htm, .asar) |
| -o, --output | save the results in csv format to a file |
| -h, --help | output usage information |
Using electronegativity to look for issues in a directory containing an Electron app:
$ electronegativity -i /path/to/electron/app
Using electronegativity to look for issues in an asar archive and saving the results in a csv file:
$ electronegativity -i /path/to/asar/archive -o result.csv
Electronegativity is build in such a way to allow any developer/hacker to add their own checks to the tool. All you need to do is create a new file in /src/finder/checks and creating a new class with one method, match(data), and a constructor that specifies the check details such as the name, the description, etc. For example:
import { sourceTypes } from '../../parser/types';
export default class MyCheck {
constructor() {
this.id = 'MY_CUSTOM_CHECK';
this.description = `this is a custom check`;
this.type = sourceTypes.JAVASCRIPT;
}
match(data) {
//do magic
//either return an object with row and col, or null meaning no issues were identified
}
}
Feel free to take a look at some of the already implemented checks to get an idea on how things work.
Electronegativity was made possible thanks to the work of Claudio Merloni and Ibram Marzouk
This tool is based on a Doyensec sponsored research published at Black Hat USA 2017.
FAQs
Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron applications
We found that @doyensec/electronegativity demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Ransomware payment rates hit an all-time low in 2024 as law enforcement crackdowns, stronger defenses, and shifting policies make attacks riskier and less profitable.
Security News
require(esm) backported to Node.js 20, easing the transition to ESM-only packages and reducing complexity for developers as Node 18 nears end-of-life.
Security News
PyPI now supports iOS and Android wheels, making it easier for Python developers to distribute mobile packages.