Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron-based applications.
Software developers and security auditors can use this tool to detect and mitigate potential weaknesses and implementation bugs when developing applications using Electron.
A good understanding of Electron (in)security is still required when using it, as some of the potential issues detected by the tool require manual investigation.
Also Read : PHP : Security Check List 2019
Installation
Major releases are pushed to NPM and can be simply installed using:
$ npm install @doyensec/electronegativity -g
Usage
$ electronegativity -h
| Option | Description |
|---|---|
| -V | output the version number |
| -i, –input | input (directory, .js, .html, .asar) |
| -o, –output | save the results to a file in csv or sarif format |
| -c, –checks | only run the specified checks, passed in csv format |
| -h, –help | output usage information |
Using it to look for issues in a directory containing an Electron app:
$ electronegativity -i /path/to/electron/app
Using the tool to look for issues in an asar archive and saving the results in a csv file:
$ electronegativity -i /path/to/asar/archive -o result.csv
Note: If you’re running into the Fatal Error “JavaScript heap out of memory”, you can run node using node –max-old-space-size=4096 electronegativity -i /path/to/asar/archive -o result.csv
Credit : Claudio Merloni, Ibram Marzouk, Jaroslav Lobačevski and many other contributors.
