Tuesday, March 21, 2023

Open Source JavaScript Code Analysis Tools


The quality of JavaScript code is usually verified with the traditional activities of unit and functional testing. There are however tools that check code before or during its execution to assess its quality, its adherence to coding standards and, for some of them, the presence of insecure patterns, using a process called code analysis. This article presents a list of open source tools that perform static and dynamic code analysis on JavaScript programs.

While static code analysis can be run by hand on any piece of JavaScript code, modern software development organizations integrate these tools in their continuous integration or delivery process. This automated approach prevents code that is buggy, insecure or does not respect the coding standards from reaching the production stage. Dynamic code analysis examines the software while it runs, by executing the program on a real or virtual processor and observing values that are only available at runtime.

The two best known open source tools for JavaScript code analysis are JSLint and JSHint, the second being a fork of the first. Developed by the well-known Douglas Crockford, JSLint can be considered the main inspiration of the JavaScript open source code analysis tool family. There are however many other tools that try to achieve the same goal, and you might find something better suited to your own needs in the list below, especially if you work with specific JavaScript frameworks and contexts like Node.js, Angular, React, Vue, Express or TypeScript.

Updates
March 2023
* added Hegel, Lizard, MegaLinter
December 13 2021
* added Codehawk, Codemodel-Rifle, Insider
December 15 2020
* added Nocuous, JScent, JSDeodorant, Semgrep
April 2019
* added Codelyzer, CodeClimate-Duplication, NodeJsScan, SourceCodeSniffer
* removed JSCS JavaScript Code Style (merged with ESLint)
* updated ESLint (description)
May 9 2018:
* added Iroh.js, SonarJS, ts-simple-ast, twly

* CodeClimate-Duplication

CodeClimate-Duplication is an engine that wraps flay and supports Java, Ruby, Python, JavaScript, and PHP. You can run it on the command line using the Code Climate CLI.

Website: https://github.com/codeclimate/codeclimate-duplication

* Codehawk CLI

Codehawk is an open source static analysis tool for JavaScript projects. It is intended as a warning system that identifies complex areas of code needing special attention from developers. JavaScript (including TypeScript and Flow) projects are supported. The CLI tool supports Unix and Windows filesystems (there is a reasonable amount of Windows compatibility code). Codehawk works by traversing a directory and finding all supported file types, running a static analysis routine on each file, then performing project-wide analysis such as inter-dependency counting and test coverage mapping. The CLI runs as a Node.js process.

Website: https://github.com/sgb-io/codehawk-cli

* Codelyzer

Codelyzer is an open source project that provides a set of tslint rules for static code analysis of Angular TypeScript projects. You can run the static code analyzer over web apps, NativeScript, Ionic, etc. Note that tslint itself has since been deprecated in favour of ESLint-based tooling, so Codelyzer is mainly relevant to older Angular code bases.

Website: http://codelyzer.com/

* Codemodel-Rifle

Codemodel-Rifle is an open source tool that analyses ECMAScript 6 code repositories incrementally. The ultimate goal of the project is to give insight into ECMAScript 6 code repositories by performing static analysis not only on individual modules but on several related JavaScript modules linked to each other, which widens the range of human errors that can be found.

Website: https://github.com/ftsrg/codemodel-rifle

* Crawljax

Crawljax is an open source Java tool for automatically crawling and testing modern web applications. Crawljax explores JavaScript-based Ajax web applications through an event-driven dynamic crawling engine. It automatically creates a state-flow graph of the dynamic DOM states and the event-based transitions between them. This inferred state-flow graph is a powerful vehicle for automating many kinds of web analysis and testing techniques.

Website: http://crawljax.com/

* ESLint

ESLint is an open source static analysis tool for identifying and reporting on patterns found in ECMAScript/JavaScript code. In many ways it is similar to JSLint and JSHint, with a few exceptions. ESLint is designed to have all rules completely pluggable: the default rules are written just like any plugin rule would be, and they all follow the same pattern, both for the rules themselves and for their tests. While ESLint ships with built-in rules to make it useful from the start, you can load additional rules at any point in time. Security-oriented rule sets exist as plugins, for example eslint-plugin-security, which flags patterns such as eval() with a non-literal argument or child_process calls. ESLint is written in Node.js to provide a fast runtime environment and easy installation via npm.

Website: http://eslint.org/

* Esprima

Esprima is a high performance, standard-compliant JavaScript parser. Once the full syntax tree is obtained, various static code analyses can be applied to give insight into the code: syntax visualization, code validation, editing autocomplete with type inferencing and many others.

Website: http://esprima.org/
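The block below is an added example and is not ESLint's, Esprima's or JSPrime's own code. It shows the two halves that the ESLint and Esprima entries describe: a rule written in the shape ESLint expects (a meta object plus a create(context) function returning handlers keyed by node type), and a minimal tree walker standing in for the linter core. The AST is built by hand in the ESTree shape a parser such as Esprima produces for the three statements listed in the comments; the rule, the walker and the sample tree are all constructed for this example.

```javascript
// Added example (not ESLint's or Esprima's code): an ESLint-shaped rule that
// flags eval() and new Function(), both of which turn strings into code and
// are classic code-injection sinks, plus a tiny walker that drives it.
const noDynamicCode = {
  meta: { type: 'problem', docs: { description: 'disallow eval() and new Function()' } },
  create(context) {
    const calleeIs = (node, name) =>
      node.callee.type === 'Identifier' && node.callee.name === name;
    // ESLint calls each handler with every node of that type during traversal.
    return {
      CallExpression(node) {
        if (calleeIs(node, 'eval')) {
          context.report({ node, message: 'eval() executes arbitrary strings as code' });
        }
      },
      NewExpression(node) {
        if (calleeIs(node, 'Function')) {
          context.report({ node, message: 'new Function() executes arbitrary strings as code' });
        }
      },
    };
  },
};

// Minimal stand-in for the linter core: depth-first walk over an ESTree AST,
// dispatching each node to the handler the rule registered for its type.
function lint(ast, rule) {
  const findings = [];
  const context = {
    report: ({ node, message }) => findings.push({ line: node.loc.start.line, message }),
  };
  const handlers = rule.create(context);
  (function walk(node) {
    if (!node || typeof node !== 'object') return;
    if (Array.isArray(node)) { node.forEach(walk); return; }
    if (typeof node.type === 'string' && handlers[node.type]) handlers[node.type](node);
    for (const key of Object.keys(node)) {
      if (key !== 'type' && key !== 'loc') walk(node[key]);
    }
  })(ast);
  return findings;
}

// Constructed ESTree (trimmed to the fields the rule needs) for:
//   1: eval(userInput);
//   2: const f = new Function("a", body);
//   3: JSON.parse(userInput);
const sampleAst = {
  type: 'Program',
  body: [
    { type: 'ExpressionStatement', loc: { start: { line: 1 } },
      expression: { type: 'CallExpression', loc: { start: { line: 1 } },
        callee: { type: 'Identifier', name: 'eval' },
        arguments: [{ type: 'Identifier', name: 'userInput' }] } },
    { type: 'VariableDeclaration', kind: 'const', loc: { start: { line: 2 } },
      declarations: [{ type: 'VariableDeclarator', id: { type: 'Identifier', name: 'f' },
        init: { type: 'NewExpression', loc: { start: { line: 2 } },
          callee: { type: 'Identifier', name: 'Function' },
          arguments: [{ type: 'Literal', value: 'a' }, { type: 'Identifier', name: 'body' }] } }] },
    { type: 'ExpressionStatement', loc: { start: { line: 3 } },
      expression: { type: 'CallExpression', loc: { start: { line: 3 } },
        callee: { type: 'MemberExpression',
          object: { type: 'Identifier', name: 'JSON' },
          property: { type: 'Identifier', name: 'parse' } },
        arguments: [{ type: 'Identifier', name: 'userInput' }] } },
  ],
};

for (const f of lint(sampleAst, noDynamicCode)) console.log(`line ${f.line}: ${f.message}`);
```

Running it with node reports lines 1 and 2 and lets JSON.parse through. The visitor object could be dropped into a real ESLint plugin unchanged; what the real linter adds is the parser, scope analysis and a configuration system. Note that this rule only matches the bare identifier, so an alias such as const e = eval or globalThis['eval'] escapes it; a production rule resolves scope, which is why an AST-based check is stronger than a grep.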

* Flow

Flow is an open source static type checker developed by Facebook, designed to find type errors in JavaScript programs. Flow adds static typing to JavaScript to improve developer productivity and code quality. In particular, static typing offers benefits like early error checking, which helps you avoid certain kinds of runtime failures, and code intelligence, which aids code maintenance, navigation, transformation, and optimization.

Website: http://flowtype.org/

* Hegel

Hegel is an open source type checker for JavaScript with optional type annotations that aims to prevent runtime type errors.
* No runtime type errors. Hegel has a strong type system and soundness checks. This means that it finds any TypeError that may be thrown at runtime.
* Optional type annotations. Hegel has high-level type inference, which gives you the ability to drop type annotations.
* Typed errors. Hegel has a mechanism to infer and annotate which errors may be thrown by functions.
* Using .d.ts files as library definitions. Hegel has no custom language for describing library typings; it uses existing .d.ts files as the source of typings for any library.
* Only JavaScript with types. Hegel adds only type syntax, without any additional syntax sugar.

Website: https://hegel.js.org/, https://github.com/JSMonk/hegel

* Insider

Insider is an open source Static Application Security Testing (SAST) engine focused on covering the OWASP Top 10. It performs source code analysis to find vulnerabilities directly in the source, with an emphasis on being agile and easy to integrate in a DevOps pipeline. It currently supports the following technologies: Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and JavaScript (Node.js).

Website: https://github.com/insidersec/insider

* Iroh.js

Iroh is an open source dynamic code analysis tool for JavaScript. Iroh lets you record your code flow in real time, intercept runtime information and manipulate program behavior on the fly. In contrast to static analysis (as used in Babel and ESLint, for example), dynamic analysis collects data that is only available at runtime. Iroh makes it possible to collect type information about your running program, analyze its behavior, and catch and manipulate runtime values like parameters or variables, all while your code is actually running.

Website: https://maierfelix.github.io/Iroh/
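As an added example of the kind of runtime interception the Iroh entry describes (this is not Iroh's code; Iroh instruments the source itself, whereas this block uses a Proxy), the following wraps an object's methods so that every call is recorded with its argument and return types and a policy hook can veto or rewrite the call before it happens. The fakeShell object and the policy are constructed for the example and execute nothing.

```javascript
// Added example, not Iroh's code: dynamic analysis by interposition. A Proxy
// records each method call on an object (name, argument types, return type)
// and lets a hook block or rewrite the call, which is information and control
// a static analyzer never has.
function trace(target, { before = () => undefined } = {}) {
  const log = [];
  const wrapped = new Proxy(target, {
    get(obj, prop, receiver) {
      const value = Reflect.get(obj, prop, receiver);
      if (typeof value !== 'function') return value;   // data properties pass through
      return function tracedMethod(...args) {
        const record = { name: String(prop), argTypes: args.map((a) => typeof a) };
        const decision = before(record.name, args);      // hook may veto or rewrite args
        if (decision && decision.block) {
          record.blocked = true;
          log.push(record);
          throw new Error(`blocked call to ${record.name}`);
        }
        const effectiveArgs = decision && decision.args ? decision.args : args;
        const result = value.apply(obj, effectiveArgs);
        record.returnType = typeof result;
        log.push(record);
        return result;
      };
    },
  });
  return { wrapped, log };
}

// Constructed stand-in for a module that runs shell commands. Nothing is
// executed; exec() only echoes the command it was handed.
const fakeShell = {
  exec(cmd) { return `ran: ${cmd}`; },
  cwd() { return '/srv/app'; },
};

// Runtime policy: veto exec() when the command carries shell metacharacters,
// the difference between `ls dir` and `ls dir; rm -rf /` that only shows up
// once a concrete argument value exists.
const policy = (name, args) =>
  name === 'exec' && typeof args[0] === 'string' && /[;&|`$]/.test(args[0])
    ? { block: true }
    : undefined;

function demo() {
  const { wrapped: shell, log } = trace(fakeShell, { before: policy });
  const results = [];
  results.push(shell.cwd());
  results.push(shell.exec('ls /tmp'));
  try {
    shell.exec('ls /tmp; rm -rf /');
  } catch (e) {
    results.push(e.message);
  }
  return { results, log };
}

const demoRun = demo();
console.log(demoRun.results);
console.log(demoRun.log);
```

The log shows what a static tool cannot: the actual type of every argument and return value on this run. The limitation is the mirror image, since a code path that is not exercised produces no record, which is why dynamic analysis complements static analysis rather than replacing it.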

* JavaScript Lint

JavaScript Lint is an open source code analysis tool for JavaScript. You can check all your source code for common mistakes without actually running the script or opening the web page. JavaScript Lint is based on JSLint. It holds an advantage over competing lints because it is built on the JavaScript engine of the Firefox browser. This provides a robust framework that can not only check JavaScript syntax but also examine the coding techniques used in the script and warn against questionable practices.

Website: http://www.javascriptlint.com/

* JScent

JScent is a program analyzer that detects code smells. Code smells are potential issues with source code that may correspond to a deeper problem in the program. For example, JScent can detect issues such as long methods, too many comments, feature envy, message chains, dead code and more. JScent produces a report that summarizes all the code smells found in a concise and usable way, directly in the console. The JScent analysis can be categorized both as a value-agnostic static analysis and as a meta-properties analysis, since some code smells lean more toward syntax and others more toward semantics and high-level software engineering principles. JScent is aimed at developers and teams who are trying to build code that is maintainable, extensible, and well structured. The reports generated are not meant to be prescriptive but rather point out areas that may be cause for concern as a project grows in size and scope. JScent is structured so that new code smells can easily be added in the future. Next steps for the team include adding more nuanced, difficult to spot smells to the analysis report.

Website: https://github.com/moseskirathe/JScent

* JSDeodorant

JSDeodorant is an open source code analysis tool aimed at detecting JavaScript class emulation structures, with respect to the popular class/namespace emulation patterns introduced by major JavaScript books, blogs and authors. The tool leverages the AST generated by Closure Compiler and is able to find class emulation structures, namespaces and CommonJS style modules by applying a lightweight data-flow analysis.

Website: https://github.com/sshishe/jsdeodorant

* JSHint

JSHint is an open source tool to detect errors in JavaScript code and enforce your team's coding conventions. It was forked from Douglas Crockford's JSLint project. JavaScript code can be analyzed online on the JSHint website. There is also an Eclipse plugin at http://github.eclipsesource.com/jshint-eclipse/.

Website: http://jshint.com

* JSLint

JSLint is an open source JavaScript code quality tool that looks for problems in JavaScript programs. JavaScript code can be analyzed online on the JSLint website.

Website: http://www.jslint.com/

* JSPrime

JSPrime is an open source JavaScript static security analysis tool. It is a very lightweight and very easy to use point-and-click tool based on the popular Esprima ECMAScript parser.

Website: https://github.com/dpnishant/jsprime

* Lizard

Lizard is an open source extensible cyclomatic complexity analyzer for many programming languages, including C/C++ (it does not require all the header files or Java imports). It also does copy-paste detection (code clone detection/code duplicate detection) and many other forms of static code analysis. Lizard calculates how complex the code "looks" rather than how complex the code really "is". The tool is useful because it is often very hard to get all the included folders and files right in a complicated project, and that kind of accuracy is not really needed for cyclomatic complexity. It requires Python 2.7 or above.

Website: https://github.com/terryyin/lizard
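An added example, not Lizard's code, of what "how complex the code looks" means in practice: decision-point tokens are counted per function after comments and string contents are blanked out, with no parsing and no symbol resolution. The sample source is constructed for the example.

```javascript
// Added example, not Lizard's code: a token-counting cyclomatic complexity
// (CCN) estimate that never parses the program. It measures how complex the
// code looks, which is the trade-off the Lizard entry describes.
const DECISION_TOKENS = new Set(['if', 'for', 'while', 'case', 'catch', '&&', '||', '??', '?']);

function cyclomaticComplexity(source) {
  // Blank out comments and the contents of string literals first, so that a
  // keyword inside a comment or a "?" inside a string is not counted.
  const cleaned = source
    .replace(/\/\*[\s\S]*?\*\//g, ' ')
    .replace(/\/\/[^\n]*/g, ' ')
    .replace(/'(?:\\.|[^'\\\n])*'|"(?:\\.|[^"\\\n])*"|`(?:\\.|[^`\\])*`/g, '""');

  // Identifiers/keywords, the operators we care about, braces, and every other
  // non-space character as a single throwaway token.
  const tokens = cleaned.match(/[A-Za-z_$][\w$]*|&&|\|\||\?\?|[{}?]|\S/g) || [];

  const results = [];
  let current = null;   // function currently being measured
  let depth = 0;        // brace depth inside that function

  for (let i = 0; i < tokens.length; i++) {
    const t = tokens[i];
    if (current === null) {
      // Start measuring at `function <name>`; CCN starts at 1 for the straight path.
      if (t === 'function' && /^[A-Za-z_$]/.test(tokens[i + 1] || '')) {
        current = { name: tokens[i + 1], ccn: 1 };
        depth = 0;
        i++;
      }
      continue;
    }
    if (t === '{') {
      depth++;
    } else if (t === '}') {
      depth--;
      if (depth === 0) { results.push(current); current = null; }
    } else if (DECISION_TOKENS.has(t)) {
      current.ccn++;   // each branch or short-circuit adds one path
    }
  }
  return results;
}

// Constructed sample source (not from any real project).
const sampleSource = `
function validate(user) {
  if (!user || !user.name) return false;           // if, ||
  for (const role of user.roles) {                 // for
    if (role === 'admin' && user.mfa) return true; // if, &&
  }
  return user.age > 18 ? "yes?" : 'no';            // ?, but not the ? inside the string
}
function greet(name) { return "hi " + name; }
`;

for (const fn of cyclomaticComplexity(sampleSource)) console.log(`${fn.name}: CCN ${fn.ccn}`);
```

The output credits validate with a CCN of 7 and greet with 1 without ever resolving a symbol or an import, which is why this approach scales to code bases whose build is hard to reproduce. The cost is precision: in this simplified version a nested function is folded into the enclosing one, and the "?" of optional chaining is counted like a ternary. Treat the numbers as a ranking of where to look, not as ground truth.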

* MegaLinter

MegaLinter is an open source tool for CI/CD workflows that analyzes the consistency of the code, IaC, configuration and scripts in your repository, to ensure that all your project sources are clean and formatted whatever IDE or toolbox their developers use. MegaLinter supports 53 languages, 24 formats and 22 tooling formats, and is ready to use out of the box as a GitHub Action or with any CI system.

Website: https://github.com/oxsecurity/megalinter

* Nocuous

Nocuous is an open source static code analysis tool for JavaScript and TypeScript. Currently the only command (which is also the default command) is stat. stat provides code toxicity statistics for a JavaScript or TypeScript project.

Website: https://github.com/h-o-t/nocuous

* NodeJsScan

NodeJsScan is a static security code scanner for Node.js applications. Its successor by the same author, njsscan, rebuilds the scanner on top of Semgrep for syntax-aware matching instead of plain pattern search.

Website: https://github.com/ajinabraham/NodeJsScan

* PHP_CodeSniffer

PHP_CodeSniffer is a set of two PHP scripts: the main phpcs script, which tokenizes PHP, JavaScript and CSS files to detect violations of a defined coding standard, and a second phpcbf script, which automatically corrects coding standard violations. PHP_CodeSniffer is an essential development tool that ensures your code remains clean and consistent.

Website: http://pear.php.net/package/PHP_CodeSniffer/

* Plato

Plato is an open source tool for JavaScript source code visualization, static analysis and complexity analysis.

Figure source: http://es-analysis.github.io/plato/examples/jquery/

Website: https://github.com/es-analysis/plato

* Semgrep

Semgrep is a fast, open source static code analysis tool that excels at expressing code standards, without complicated queries, and at surfacing bugs early at editor, commit and CI time. Rules look like the code you are searching for; there is no need to traverse abstract syntax trees or wrestle with regexes. The Semgrep Registry has more than 1,000 rules written by the Semgrep community covering security, correctness and performance bugs, so you do not have to write your own unless you want to. Semgrep runs offline, on uncompiled code. At the time of this entry (December 2020) Semgrep supported Go, Java, JavaScript, JSON and Python, with TypeScript as a beta feature; many more languages, TypeScript included, have been added since.

Website: https://semgrep.dev/, https://github.com/returntocorp/semgrep

* SonarJS

SonarJS is an open source static code analyser for the JavaScript language. It helps you produce stable and easily maintained code by finding and correcting bugs, vulnerabilities and code smells.

Website: https://github.com/SonarSource/SonarJS

* SourceCodeSniffer

The Source Code Sniffer is a poor man's static code analysis (SCA) tool based on regular expressions. It uses search patterns to score common high risk functions (injection, LFI/RFI, file uploads, etc.) across multiple application development languages (C#, C/C++, Java, PHP, Perl, Python, JavaScript, HTML, etc.) in a highly configurable manner. When performing a source code review, it can help prioritize the code files that need to be reviewed. Source Code Sniffer is written in Python 2.7 and supports both Windows and Linux.

Website: https://github.com/frizb/SourceCodeSniffer
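An added example, not Source Code Sniffer's or NodeJsScan's own code, of the regex-scoring approach both entries rely on: a small pattern table with weights, a per-file score, and a ranking that tells a reviewer where to start reading. The pattern set and the sample files are constructed for the example; the second file deliberately shows the approach's main weakness, a hit inside a comment.

```javascript
// Added example, not Source Code Sniffer's code: a regex-driven "poor man's
// SCA" that scores files by the high-risk sinks they mention, so a manual
// review can start with the files most likely to matter.
const SINK_PATTERNS = [
  { id: 'code-exec',  weight: 10, re: /\beval\s*\(|\bnew\s+Function\s*\(/ },
  { id: 'shell-exec', weight: 9,  re: /\b(?:exec|execSync|spawn)\s*\(/ },
  { id: 'dom-xss',    weight: 7,  re: /\.innerHTML\s*=|document\.write\s*\(/ },
  { id: 'path-read',  weight: 6,  re: /\b(?:readFile|readFileSync|createReadStream)\s*\(/ },
  { id: 'regex-dos',  weight: 3,  re: /\bnew\s+RegExp\s*\(/ },
];

// Line-by-line scan: every pattern that matches a line produces one hit.
function scanSource(name, text) {
  const hits = [];
  text.split('\n').forEach((line, i) => {
    for (const p of SINK_PATTERNS) {
      if (p.re.test(line)) {
        hits.push({ file: name, line: i + 1, id: p.id, weight: p.weight, text: line.trim() });
      }
    }
  });
  return { file: name, score: hits.reduce((s, h) => s + h.weight, 0), hits };
}

// Rank files by total weight, highest first.
function prioritize(files) {
  return Object.entries(files)
    .map(([name, text]) => scanSource(name, text))
    .sort((a, b) => b.score - a.score);
}

// Constructed sample sources (not from any real project).
const sampleFiles = {
  'routes/admin.js': [
    "const { exec } = require('child_process');",
    "app.get('/ping', (req, res) => {",
    "  exec('ping -c 1 ' + req.query.host, (e, out) => res.send(out));",
    "});",
    "app.post('/calc', (req, res) => res.send(String(eval(req.body.expr))));",
  ].join('\n'),
  'public/widget.js': [
    "// TODO: stop using el.innerHTML = data.html here, it is an XSS sink",
    "el.textContent = data.title;",
  ].join('\n'),
  'lib/util.js': [
    "function clamp(n, lo, hi) { return Math.min(hi, Math.max(lo, n)); }",
  ].join('\n'),
};

for (const r of prioritize(sampleFiles)) {
  console.log(`${r.file}: score ${r.score}, ${r.hits.length} hit(s)`);
  for (const h of r.hits) console.log(`  line ${h.line} [${h.id}] ${h.text}`);
}
```

routes/admin.js comes out on top with the command injection and the eval(), which is the right answer; public/widget.js scores 7 on a line that is only a comment, because a regex has no idea what a comment is. That false positive is the price of the approach, and the reason tools in this list such as ESLint, Semgrep and SonarJS work on a syntax tree instead. Use the ranking to decide what to read first, not as a finding in itself.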

* srclib

srclib is a polyglot code analysis library built for hackability. It consists of language analysis toolchains (currently for Go, Java, Python, JavaScript, Ruby and Haskell) with a common output format, and developer tools (such as editor plugins) that consume this format.

Website: https://srclib.org

* Tern

Tern is a stand-alone open source code analysis engine for JavaScript. It is intended to be used with a code editor plugin to enhance the editor's support for intelligent JavaScript editing.

Website: http://ternjs.net/

* ts-simple-ast

ts-simple-ast is an open source wrapper around the TypeScript compiler API. It provides a simple way to navigate and manipulate TypeScript and JavaScript code. The project has since been renamed ts-morph.

Website: https://github.com/dsherret/ts-simple-ast

* twly

twly (pronounced "towel-E") is an open source static analysis tool that can help you keep your code DRY (Don't Repeat Yourself) by telling you where you have copied and pasted entire files or portions of them. Run twly on a directory and it generates a report indicating what has been repeated and in which files. twly is language agnostic and can be used on any text document.

Website: https://github.com/rdgd/twly
