Increased false-positive rate with new NPM obfuscation detection

[kam193]

Hi,

I've noticed that the updated NPM obfuscation detection generates quite a few more false positives.

One thing is detecting a lot of minified code, but this is actually intended - just a bit painful in the JavaScript world :D

But I have also noticed some clear code, for example in the following code:

var args = command.payload.args;
value = [];
(Array.isArray(apiName) ? apiName : [apiName]).forEach((f) => {
    console.log(f, args);
    if (isArrayOfArrays(args)) {
        var value2 = [];
        args.forEach((arg2) => {
            if (args) {
                value2.push(api[f](...arg2) || null);
            }
            else {
                value2.push(api[f]() || null);
            }
        });
        value.push(value2);
    }
    else {
        if (args) {
            value.push(api[f](...args) || null);
        }
        else {
            value.push(api[f]() || null);
        }
    }
});

[biagiom]

Hello @kam193,
thank you very much for testing the rule.
I did some tests in the past days and noticed some false positives generated by the $MODULE[$FUNCTION]($...ARGS) pattern.
However, didn't have the chance to do a large-scale analysis.

Do you have some evidence of the FPR related to each pattern checked by the rule?
Those generating many false positives could be removed.

[kam193]

Hey, unfortunately, I don't have anything more than what's in the report. The rule was causing too much noise, and as JS is not my primary goal, unfortunately I've just disabled it - and alerts have already expired 😅