@doyensec/electronegativity
Advanced tools
Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron applications
Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron-based applications.
It leverages AST and DOM parsing to look for security-relevant configurations, as described in the "Electron Security Checklist - A Guide for Developers and Auditors" whitepaper.
Software developers and security auditors can use this tool to detect and mitigate potential weaknesses and implementation bugs when developing applications using Electron. A good understanding of Electron (in)security is still required when using Electronegativity, as some of the potential issues detected by the tool require manual investigation.
If you're interested in Electron Security, have a look at our BlackHat 2017 research Electronegativity - A Study of Electron Security and keep an eye on the Doyensec's blog.
Major releases are pushed to NPM and can be simply installed using:
$ npm install @doyensec/electronegativity -g
$ electronegativity -h
| Option | Description |
|---|---|
| -V | output the version number |
| -i, --input | input (directory, .js, .html, .asar) |
| -l, --checks | only run the specified checks, passed in csv format |
| -s, --severity | only return findings with the specified level of severity or above |
| -c, --confidence | only return findings with the specified level of confidence or above |
| -o, --output <filename[.csv or .sarif]> | save the results to a file in csv or sarif format |
| -r, --relative | show relative path for files |
| -h, --help | output usage information |
Using electronegativity to look for issues in a directory containing an Electron app:
$ electronegativity -i /path/to/electron/app
Using electronegativity to look for issues in an asar archive and saving the results in a csv file:
$ electronegativity -i /path/to/asar/archive -o result.csv
Note: if you're running into the Fatal Error "JavaScript heap out of memory", you can run node using node --max-old-space-size=4096 electronegativity -i /path/to/asar/archive -o result.csv
If you're thinking about contributing to this project, please take a look at our CONTRIBUTING.md.
Electronegativity was made possible thanks to the work of Claudio Merloni, Ibram Marzouk, Jaroslav Lobačevski and many other contributors.
This work has been sponsored by Doyensec LLC.
FAQs
Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron applications
We found that @doyensec/electronegativity demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
TC39 met in Seattle and advanced 9 JavaScript proposals, including three to Stage 4, introducing new features and enhancements for a future ECMAScript release.
Security News
Deno 2.2 enhances Node.js compatibility, improves dependency management, adds OpenTelemetry support, and expands linting and task automation for developers.
Security News
React's CRA deprecation announcement sparked community criticism over framework recommendations, leading to quick updates acknowledging build tools like Vite as valid alternatives.