Skip to main content
Dev Blog Dev Blog
  1. All Posts/

electronegativity

Tools JavaScript

Electronegativity

What’s Electronegativity?

Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron-based applications.

It leverages AST and DOM parsing to look for security-relevant configurations, as described in the “Electron Security Checklist – A Guide for Developers and Auditors” whitepaper.
Software developers and security auditors can use this tool to detect and mitigate potential weaknesses and implementation bugs when developing applications using Electron. A good understanding of Electron (in)security is still required when using Electronegativity, as some of the potential issues detected by the tool require manual investigation.
If you’re interested in Electron Security, have a look at our BlackHat 2017 research Electronegativity – A Study of Electron Security and keep an eye on the Doyensec’s blog.

ElectroNG Improved Version

If you need something more powerful or updated, an improved SAST tool based on Electronegativity is available as the result of many years of applied R&D from Doyensec. At the end of 2020, we sat down to create a project roadmap and created a development team to work on what is now ElectroNG. You can read more some of the major improvements over the OSS version in a recent blog post.

Installation

Major releases are pushed to NPM and can be simply installed using:

$ npm install @doyensec/electronegativity -g

Usage

CLI 

$ electronegativity -h

Option
Description

-V
output the version number

-i, –input
input (directory, .js, .html, .asar)

-l, –checks
only run the specified checks, passed in csv format

-x, –exclude-checks
skip the specified checks list, passed in csv format

-s, –severity
only return findings with the specified level of severity or above

-c, –confidence
only return findings with the specified level of confidence or above

-o, –output <filename[.csv or .sarif]>
save the results to a file in csv or sarif format

-r, –relative
show relative path for files

-v, –verbose
show the description for the findings, defaults to true

-u, –upgrade
run Electron upgrade checks, eg -u 7..8 to check upgrade from Electron 7 to 8

-e, –electron-version
assume the set Electron version, overriding the detected one, eg -e 7.0.0 to treat as using Electron 7

-p, –parser-plugins
specify additional parser plugins to use separated by commas, e.g. -p optionalChaining

-h, –help
output usage information

Using electronegativity to look for issues in a directory containing an Electron app:

$ electronegativity -i /path/to/electron/app

Using electronegativity to look for issues in an asar archive and saving the results in a csv file:

$ electronegativity -i /path/to/asar/archive -o result.csv

Using electronegativity when upgrading from one version of Electron to another to find breaking changes:

$ electronegativity -i /path/to/electron/app -v -u 7..8

Note: if you’re running into the Fatal Error “JavaScript heap out of memory”, you can run node using node --max-old-space-size=4096 electronegativity -i /path/to/asar/archive -o result.csv

Ignoring Lines or Files

Electronegativity lets you disable individual checks using eng-disable comments. For example, if you want a specific check to ignore a line of code, you can disable it as follows:

const res = eval(safeVariable); /* eng-disable DANGEROUS_FUNCTIONS_JS_CHECK */