Efficient Static Vulnerability Analysis for JavaScript with Multiversion Dependency Graphs
Offered By: ACM SIGPLAN via YouTube
Course Description
Overview
Explore an approach to static vulnerability analysis for JavaScript in this 20-minute conference talk from PLDI 2024. The talk introduces the Multiversion Dependency Graph (MDG), a novel graph-based data structure designed to capture how object state evolves during program execution. Learn how this technique improves upon existing Code Property Graph (CPG) methods, offering a balance between scalability and effectiveness in identifying vulnerability patterns. Discover the implementation of Graph.js, a specialized MDG-based static vulnerability scanner for npm packages, and its superior performance in detecting taint-style and prototype pollution vulnerabilities. Gain insights into how this approach significantly reduces false negatives and analysis time compared to current state-of-the-art tools, and uncover its potential in identifying previously undiscovered vulnerabilities in npm packages.
Syllabus
[PLDI24] Efficient Static Vulnerability Analysis for JavaScript with Multiversion Dependency Graphs
Taught by
ACM SIGPLAN