The source code for the automated analysis of security indicators of Electron apps from my bachelor's thesis.
For my bachelor's thesis, I developed a series of scripts to automatically fetch, download, (if necessary) extract, and analyse Electron apps for indicators of potential security problems. The scripts first collect a list of open and closed source apps from GitHub and the Electron app list. In the next step, these apps are then downloaded and the closed source ones are extracted. Finally, the apps are scanned using npm audit
and a custom fork of Doyensec's great Electronegativity.
These instructions have been tested on Ubuntu 18.04 and 20.04. Other systems will also work but the steps might vary slightly.
First, install Git:
sudo apt install git
Then, install Postgres which is used as the database backend and create the user and database ba
:
sudo apt install postgresql postgresql-contrib -y
sudo -u postgres createuser -EPd ba
sudo -u postgres createdb ba
sudo adduser ba
Login to the database (sudo -u ba psql -d ba
) and create the following tables:
create table apps (
slug text primary key,
name text,
url text,
repository text unique,
skip boolean
);
create table app_downloads (
slug text primary key
references apps
on update cascade on delete cascade,
repository_override text,
windows_download text,
mac_download text,
linux_download text
);
create table apps_meta
(
slug text primary key
references apps
on update cascade on delete cascade,
downloaded boolean default false,
extracted_dir text,
download_strategy text
);
create table app_scans
(
slug text primary key
references apps
on update cascade on delete cascade,
stats jsonb,
electronegativity_results jsonb,
electronegativity_errors jsonb,
audit_result jsonb,
scanned boolean
);
Install Node.js and Yarn:
curl -sL https://deb.nodesource.com/setup_12.x | sudo -E bash -
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
sudo apt update
sudo apt install build-essential nodejs yarn libkrb5-dev p7zip-full -y
Create a personal access token on GitHub, it needs to have the repo
and read:packages
permissions. Then, export the token and the database password like so:
export GITHUB_AUTH_TOKEN=token
export PG_PASSWORD=password
Login to the GitHub package repository with Yarn using your username, the access token as the password and an email address:
npm login --registry=https://npm.pkg.github.com
Clone the source code and install the required packages:
git clone https://github.com/baltpeter/thesis-electron-analysis-src.git
cd thesis-electron-analysis-src
yarn
Clone the Electron apps list:
cd app-list
git clone --depth 1 https://github.com/electron/apps.git
cd ..
Create the output directory for the apps and make sure you have the permission to read and write there (alternatively, you can also change the output directory in download/fetch-apps.js
):
sudo mkdir -p /data/apps
sudo chown -R youruser:yourgroup /data/apps
To collect apps from GitHub and the Electron apps list, run:
cd app-list
node collect-apps.js
cd ..
The found apps are saved in the apps
table. For the apps on the Electron app list without a repository, download links need to be collected manually and saved in the app_downloads
table.
To download the apps and extract the closed source ones, run:
cd download
node fetch-apps.js
cd ..
The extracted apps are saved in /data/apps
and their metadata can be found in the apps_meta
table.
To analyse the apps, run:
cd scan
node scan-apps.js
cd ..
The results are saved in the app_scans
table.
This code is licensed under the MIT license, see the LICENSE
file for details.
Electronegativity and my fork are licensed under the Apache license.