{"id":13537907,"url":"https://github.com/doyensec/electronegativity","last_synced_at":"2025-05-15T10:02:11.312Z","repository":{"id":37431504,"uuid":"97163387","full_name":"doyensec/electronegativity","owner":"doyensec","description":"Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron applications.","archived":false,"fork":false,"pushed_at":"2024-09-16T15:17:20.000Z","size":10068,"stargazers_count":995,"open_issues_count":13,"forks_count":68,"subscribers_count":24,"default_branch":"master","last_synced_at":"2025-05-14T02:51:44.179Z","etag":null,"topics":["electron","electron-app","nodejs","security"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/doyensec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2017-07-13T20:44:11.000Z","updated_at":"2025-05-07T03:06:35.000Z","dependencies_parsed_at":"2025-04-14T16:51:16.290Z","dependency_job_id":"6633773d-289a-48ec-bf7f-e30fb3166bd8","html_url":"https://github.com/doyensec/electronegativity","commit_stats":{"total_commits":313,"total_committers":19,"mean_commits":"16.473684210526315","dds":0.5623003194888179,"last_synced_commit":"27e772f7b148aca40f5a91fabbd1f906d11a6e6f"},"previous_names":[],"tags_count":16,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/doyensec%2Felectronegativity","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/doyensec%2Felectronegativ
ity/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/doyensec%2Felectronegativity/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/doyensec%2Felectronegativity/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/doyensec","download_url":"https://codeload.github.com/doyensec/electronegativity/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254103406,"owners_count":22015264,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["electron","electron-app","nodejs","security"],"created_at":"2024-08-01T09:01:04.774Z","updated_at":"2025-05-15T10:02:10.378Z","avatar_url":"https://github.com/doyensec.png","language":"JavaScript","readme":"# Electronegativity\n\n⚠️ **We're no longer actively maintaining this project** ⚠️\n\nDepending on the community contributions, we might still do maintenance releases until the end of 2024.   
\n\n## What's Electronegativity?\n\n**Electronegativity** is a tool to identify misconfigurations and security anti-patterns in [Electron](https://electronjs.org/)-based applications.\n\u003cp align=\"center\"\u003e\n\t\u003cimg src=\"https://github.com/doyensec/electronegativity/raw/master/docs/resources/img/electronegalogo.png\"\u003e\n\u003c/p\u003e\n\nIt leverages AST and DOM parsing to look for security-relevant configurations, as described in the [\"Electron Security Checklist - A Guide for Developers and Auditors\"](https://doyensec.com/resources/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security-wp.pdf) whitepaper.\n\nSoftware developers and security auditors can use this tool to detect and mitigate potential weaknesses and implementation bugs when developing applications using Electron. A good understanding of Electron (in)security is still required when using Electronegativity, as some of the potential issues detected by the tool require manual investigation.\n\nIf you're interested in Electron Security, have a look at our *BlackHat 2017* research [Electronegativity - A Study of Electron Security](https://doyensec.com/resources/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security.pdf) and keep an eye on the [Doyensec blog](http://blog.doyensec.com).\n\n![Electronegativity Demo](https://github.com/doyensec/electronegativity/raw/master/docs/resources/img/electrodemo.gif \"Electronegativity Demo\")\n\n\n## ElectroNG Improved Version\nIf you need something more powerful or updated, an improved SAST tool based on Electronegativity is available as the result of many years of applied R\u0026D from [Doyensec](https://doyensec.com/). At the end of 2020, we sat down to create a project roadmap and created a development team to work on what is now [ElectroNG](https://get-electrong.com). You can read more about some of the major improvements over the OSS version in a recent [blog post](https://blog.doyensec.com/2022/09/06/electrong-launch.html). 
\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://get-electrong.com/img/lead.png\"\u003e\n\u003c/p\u003e\n\n## Installation\n\nMajor releases are pushed to NPM and can be simply installed using:\n\n```\n$ npm install @doyensec/electronegativity -g\n```\n\n## Usage\n\n### CLI\n\n```\n$ electronegativity -h\n```\n\n|    Option    |                 Description                       |\n|:------------:|:-------------------------------------------------:|\n| -V           | output the version number                         |\n| -i, --input  | input (directory, .js, .html, .asar)               |\n| -l, --checks | only run the specified checks, passed in csv format |\n| -x, --exclude-checks \u003cexcludedCheckNames\u003e | skip the specified checks list, passed in csv format |\n| -s, --severity | only return findings with the specified level of severity or above |\n| -c, --confidence | only return findings with the specified level of confidence or above |\n| -o, --output \u003cfilename[.csv or .sarif]\u003e | save the results to a file in csv or sarif format |\n| -r, --relative | show relative path for files |\n| -v, --verbose \u003cbool\u003e | show the description for the findings, defaults to true |\n| -u, --upgrade \u003ccurrent version..target version\u003e | run Electron upgrade checks, eg -u 7..8 to check upgrade from Electron 7 to 8 |\n| -e, --electron-version \u003cversion\u003e | assume the set Electron version, overriding the detected one, eg -e 7.0.0 to treat as using Electron 7 |\n| -p, --parser-plugins \u003cplugins\u003e | specify additional parser plugins to use separated by commas, e.g. 
-p optionalChaining |\n| -h, --help   | output usage information                          |\n\n\nUsing electronegativity to look for issues in a directory containing an Electron app:\n```\n$ electronegativity -i /path/to/electron/app\n```\n\nUsing electronegativity to look for issues in an `asar` archive and saving the results in a csv file:\n```\n$ electronegativity -i /path/to/asar/archive -o result.csv\n```\n\nUsing electronegativity when upgrading from one version of Electron to another to find breaking changes:\n```\n$ electronegativity -i /path/to/electron/app -v -u 7..8\n```\n\nNote: if you're running into the Fatal Error \"JavaScript heap out of memory\", you can run node using ```node --max-old-space-size=4096 electronegativity -i /path/to/asar/archive -o result.csv```\n\n### Ignoring Lines or Files\n\nElectronegativity lets you disable individual checks using `eng-disable` comments. For example, if you want a specific check to ignore a line of code, you can disable it as follows:\n\n```js\nconst res = eval(safeVariable); /* eng-disable DANGEROUS_FUNCTIONS_JS_CHECK */\n```\n\n```html\n\u003cwebview src=\"https://doyensec.com/\" enableblinkfeatures=\"DangerousFeature\"\u003e\u003c/webview\u003e \u003c!-- eng-disable BLINK_FEATURES_HTML_CHECK --\u003e\n```\n\nAny `eng-disable` inline comment (`// eng-disable`, `/* eng-disable */`, `\u003c!-- eng-disable --\u003e`) will disable the specified check for just that line. 
It is also possible to provide multiple check names using either their snake case IDs (`DANGEROUS_FUNCTIONS_JS_CHECK`) or their construct names (`dangerousFunctionsJSCheck`):\n\n```js\nshell.openExternal(eval(safeVar)); /* eng-disable OPEN_EXTERNAL_JS_CHECK DANGEROUS_FUNCTIONS_JS_CHECK */\n```\n\nIf you put an `eng-disable` directive before any code at the top of a `.js` or `.html` file, that will disable the passed checks for the *entire* file.\n\n#### Note on Global Checks and `eng-disable` annotations\nBefore v1.9.0 Global Checks couldn't be disabled using code annotations. If you are still using an old version, use the `-x` CLI argument to manually disable a list of checks instead (e.g. `-x LimitNavigationJsCheck,PermissionRequestHandlerJsCheck,CSPGlobalCheck`).\nNote that using annotations may not be applicable for some higher-level checks such as `CSP_GLOBAL_CHECK` or `AVAILABLE_SECURITY_FIXES_GLOBAL_CHECK`. For those cases, you might want to use the `-x` flag to exclude specific checks from your scan.\n\n### CI/CD\n\n[Electronegativity Action](https://github.com/marketplace/actions/electronegativity) may run as part of your GitHub CI/CD pipeline to get \"Code scanning alerts\":\n\n![Code scanning alerts](https://github.com/doyensec/electronegativity/raw/master/docs/resources/img/codescanningalerts.png \"Code scanning alerts\")\n\n### Programmatically\n\nYou can also use electronegativity programmatically, using similar options as for the CLI:\n\n```js\nconst run = require('@doyensec/electronegativity')\n// or: import run from '@doyensec/electronegativity';\n\nrun({\n  // input (directory, .js, .html, .asar)\n  input: '/path/to/electron/app',\n  // save the results to a file in csv or sarif format (optional)\n  output: '/path/for/output/file',\n  // true to save output as sarif, false to save as csv (optional)\n  isSarif: false,\n  // only run the specified checks (optional)\n  customScan: ['dangerousfunctionsjscheck', 'remotemodulejscheck'],\n  // only return 
findings with the specified level of severity or above (optional)\n  severitySet: 'high',\n  // only return findings with the specified level of confidence or above (optional)\n  confidenceSet: 'certain',\n  // show relative path for files (optional)\n  isRelative: false,\n  // run Electron upgrade checks, eg -u 7..8 to check upgrade from Electron 7 to 8 (optional)\n  electronUpgrade: '7..8',\n  // assume the set Electron version, overriding the detected one\n  electronVersion: '5.0.0',\n  // use additional parser plugins\n  parserPlugins: ['optionalChaining']\n})\n    .then(result =\u003e console.log(result))\n    .catch(err =\u003e console.error(err));\n```\n\nThe result contains the number of global and atomic checks, any errors encountered while parsing and an array of the issues found, like this:\n\n```js\n{\n  globalChecks: 6,\n  atomicChecks: 36,\n  errors: [\n    {\n      file: 'ts/main/main.ts',\n      sample: 'shell.openExternal(url);',\n      location: { line: 328, column: 4 },\n      id: 'OPEN_EXTERNAL_JS_CHECK',\n      description: 'Review the use of openExternal',\n      properties: undefined,\n      severity: { value: 2, name: 'MEDIUM', format: [Function: format] },\n      confidence: { value: 0, name: 'TENTATIVE', format: [Function: format] },\n      manualReview: true,\n      shortenedURL: 'https://git.io/JeuMC'\n    },\n    {\n      file: 'ts/main/main.ts',\n      sample: 'const popup = new BrowserWindow(options);',\n      location: { line: 340, column: 18 },\n      id: 'CONTEXT_ISOLATION_JS_CHECK',\n      description: 'Review the use of the contextIsolation option',\n      properties: undefined,\n      severity: { value: 3, name: 'HIGH', format: [Function: format] },\n      confidence: { value: 1, name: 'FIRM', format: [Function: format] },\n      manualReview: false,\n      shortenedURL: 'https://git.io/Jeu1p'\n    }\n  ]\n}\n```\n\n## Contributing\n\nIf you're thinking about contributing to this project, please take a look at our 
[CONTRIBUTING.md](https://github.com/doyensec/electronegativity/blob/master/CONTRIBUTING.md).\n\n## Credits\n\nElectronegativity was made possible thanks to the work of many [contributors](https://github.com/doyensec/electronegativity/graphs/contributors).\n\nThis project has been sponsored by [Doyensec LLC](https://www.doyensec.com). \n\n![Doyensec Research](https://github.com/doyensec/inql/blob/master/docs/doyensec_logo.svg \"Doyensec Logo\")\n\n[Engage us to break](https://doyensec.com/auditing.html) your Electron.js application!\n","funding_links":[],"categories":["\u003ca id=\"9eee96404f868f372a6cbc6769ccb7f8\"\u003e\u003c/a\u003e新添加的","\u003ca id=\"9eee96404f868f372a6cbc6769ccb7f8\"\u003e\u003c/a\u003e工具","JavaScript","Tools","Library","Code review","Open-Source \u0026 Commercial Tools"],"sub_categories":["\u003ca id=\"31185b925d5152c7469b963809ceb22d\"\u003e\u003c/a\u003e新添加的","For Electron","Uncategorized","Reverse shell"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdoyensec%2Felectronegativity","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdoyensec%2Felectronegativity","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdoyensec%2Felectronegativity/lists"}