Right now JS-X-Ray is only capable of scanning one source file at a time. The Scanner package is currently responsible for listing and iterating over all JavaScript files from a given NPM tarball (for example).
What's the issue with that?
index.js
src/
    other.js
test/
    foobar.js
In the example above we will scan every file. But in reality there is a high probability that test/foobar.js will never be executed (and it will also be the biggest vector of false positives).
My idea is to add a new strategy that will take entry files as input. We will then only scan files imported from these entry points.
Eventually, we could combine the two ways of doing things to ensure greater security while reducing false positives overall.
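The entry-point strategy described above, as an added example that is not JS-X-Ray or Scanner code: starting from an entry file, follow static `require`/`import` specifiers that point inside the package and collect only the reachable files, so `test/foobar.js` is left out of the scan set. The tarball is represented as a constructed in-memory map of path to source (a real implementation would read the extracted tarball from disk), and specifier resolution is kept to the relative-path cases shown in the issue.

```javascript
// Constructed sample package: same layout as the issue, plus one nested import.
const SAMPLE_TARBALL = {
  "package.json": '{"main":"index.js"}',
  "index.js": "const other = require('./src/other');\nimport { x } from './src/lib/index.js';\nmodule.exports = other;",
  "src/other.js": "const fs = require('fs');\nexport default function () { return fs; }",
  "src/lib/index.js": "export const x = require('../other');",
  "test/foobar.js": "const assert = require('assert');\nrequire('../index');",
};

// Matches the string literal in require('x'), import 'x', import ... from 'x', export ... from 'x'.
// A regex is enough for this sketch; a real pass would walk the AST the scanner already builds.
const SPECIFIER_RE = /(?:\brequire\s*\(\s*|\bfrom\s+|\bimport\s+)['"]([^'"]+)['"]/g;

function dirname(file) {
  return file.includes("/") ? file.slice(0, file.lastIndexOf("/")) : "";
}

// Join a directory and a relative specifier into a normalized POSIX-style package path.
function joinPosix(dir, spec) {
  const parts = [];
  for (const seg of `${dir}/${spec}`.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") parts.pop();
    else parts.push(seg);
  }
  return parts.join("/");
}

// Resolve './foo' the way Node does for files in the tarball: exact, '.js', or '/index.js'.
function resolveLocal(files, dir, spec) {
  const base = joinPosix(dir, spec);
  for (const candidate of [base, `${base}.js`, `${base}/index.js`]) {
    if (candidate in files) return candidate;
  }
  return null; // unresolvable: dynamic path or missing file, left to the scanner to report
}

// Return the sorted set of files reachable from `entry` through in-package imports.
function collectReachableFiles(files, entry) {
  const reachable = new Set();
  const stack = [entry];
  while (stack.length > 0) {
    const file = stack.pop();
    if (reachable.has(file) || !(file in files)) continue;
    reachable.add(file);
    for (const match of files[file].matchAll(SPECIFIER_RE)) {
      const spec = match[1];
      if (!spec.startsWith(".")) continue; // builtins and dependencies live outside this tarball
      const resolved = resolveLocal(files, dirname(file), spec);
      if (resolved !== null) stack.push(resolved);
    }
  }
  return [...reachable].sort();
}
```

Running `collectReachableFiles(SAMPLE_TARBALL, "index.js")` yields `index.js`, `src/lib/index.js` and `src/other.js`; the test file only enters the set when it is itself given as an entry point, which is how the two strategies could be combined.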