Security News > 2022 > August > JavaScript bugs aplenty in Node.js ecosystem – found automatically
That's where you aim to review source code for likely coding blunders and security holes without actually running it at all.
If someone has copied-and-pasted that buggy code into other software components in your company repository, you might be able to find them with a text search, assuming that the overall structure of the code was retained, and that comments and variable names weren't changed too much.
Well, in the USENIX paper we're discussing here, the authors have attempted to build a static analysis tool that combines a number of different code characteristics into a compact representation denoting "How the code turns its inputs into its outputs, and which other parts of the code get to influence the results".
In other words, you may be able to detect if coder A has produced a similar bug to the one you just found from coder B, regardless of whether A literally copied B's code, followed B's flawed advice, or simply picked the same bad workplace habits as B. Loosely speaking, good static analysis of code, despite the fact that it never watches the software running in real life, can help to identify poor programming right at the start, before you inject your own project with bugs that might be subtle enough in real life that they never show up, even under extensive and rigorous live testing.
In those, they discovered 180 harmful security bugs, including 80 command injection vulnerabilities, and 14 further code execution bugs.
Static tools can not only find latent bugs in code you're already using, even in JavaScript, but also help to judge the underlying quality of the code in any packages you're thinking of adopting.