Does JSLint, JSHint, or some other open-source static code analysis tool support adding custom rules for code compliance, or are there some ECMAScript compliant parsers that I can use to get the results as close as possible to the ones seen in the snippet below?
For example, I’d like to look into JavaScript code and list what functions are called, if it calls a library (or APIs provided by smartphones for HTML5 widgets) to register all that fall under the namespaces of that API, to make a tree of the objects and their properties to see if function is called out from what object can be traced back to, maybe with an output in XML, JSON or other structured format.
Say for example I have this JavaScript code (it does nothing and is just for the sake of the argument):
    jobs = mylibrary.getJobs();
    found = jobs.find("Python");
    list = found.convert("html");
I want my analyzer tool to get this:
    {
        "mylibrary": {
            "jobs": {"maker": "getJobs", "parent": "mylibrary"},
            "found": {"maker": "find", "parent": "jobs", "parameters": "Python"},
            "list": {"maker": "convert", "parent": "found"}
        }
    }
I tried something with a JavaScript interpreter that can be accessed from code (in my case Python). So interpreters like pynoceros, pynarcissus or pyv8 might help me. There is an answer here on how to install pyv8: https://stackoverflow.com/a/11879224/1577343
Since I didn't have much success with the above approach, I prefer a static analysis solution that uses an ECMAScript compliant parser.
With static analysis, the furthest I could get is using the JSLint parser (Run JSLint on a .js file from debugging console in chrome or firefox), but I don't know how to use this further.
You should be able to build something like this using substack's burrito, which uses the parser from Uglify-JS and gives you, I think, all you need. A quick sample:
src.js:
ast.js:
Exactly how you would build your requested structure, I'm not too sure (I'm not very well versed in AST parsing myself) but I'm sure it would entail some effort on your part. Perhaps you wouldn't need a structure in-between, so to speak, but could just validate each node from burrito, where each call node would be validated against its values (function name, object name etc), with a warning raised if it doesn't validate.
Here is the output from the burrito call above (note: every [Object] or such has been truncated by node.js' console.log. Values are actually nodes in the parse tree from burrito, so each value has its associated state etc).
Update:
Another option is the newer(?) ES parser Esprima, which seems to be both more actively developed and better documented. It's also reportedly faster than Uglify. You can try out e.g. parsing on the Parsing Demo page. You should be able to build a good solution using this, methinks.
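An added example, not part of the answer above or of any project it names: a walker over ESTree nodes (the AST shape Esprima emits) that builds the structure requested in the question. The node builders, `sampleBody` and `traceCalls` are hypothetical names, the AST is constructed by hand so the block runs without a parser installed, and only top-level `x = obj.method(literals)` statements are handled.

```javascript
// Constructed ESTree nodes for the question's three statements. With Esprima
// installed (assumption), esprima.parseScript(src).body would replace sampleBody.
const id = (name) => ({ type: "Identifier", name });
const lit = (value) => ({ type: "Literal", value });
const stmt = (target, object, method, args) => ({
  type: "ExpressionStatement",
  expression: {
    type: "AssignmentExpression", operator: "=", left: id(target),
    right: {
      type: "CallExpression",
      callee: { type: "MemberExpression", computed: false,
                object: id(object), property: id(method) },
      arguments: args.map(lit),
    },
  },
});
const sampleBody = [
  stmt("jobs", "mylibrary", "getJobs", []),
  stmt("found", "jobs", "find", ["Python"]),
  stmt("list", "found", "convert", ["html"]),
];

// Returns { root: { variable: { maker, parent, parameters? } } }, where root is
// the library object each variable can be traced back to.
function traceCalls(body) {
  const rootOf = new Map();          // variable name -> root it derives from
  const tree = Object.create(null);  // no prototype, so any identifier is a safe key
  for (const node of body) {
    const e = node.type === "ExpressionStatement" ? node.expression : null;
    if (!e || e.type !== "AssignmentExpression" || e.left.type !== "Identifier") continue;
    const call = e.right;
    if (call.type !== "CallExpression" || call.callee.type !== "MemberExpression") continue;
    const { object, property, computed } = call.callee;
    // obj[expr]() cannot be resolved statically; a compliance rule should flag it instead.
    if (computed || object.type !== "Identifier") continue;
    const parent = object.name;
    const root = rootOf.get(parent) || parent; // an unseen parent starts a new root
    rootOf.set(e.left.name, root);
    const entry = { maker: property.name, parent };
    const params = call.arguments.filter((a) => a.type === "Literal").map((a) => a.value);
    if (params.length) entry.parameters = params.length === 1 ? params[0] : params;
    tree[root] = tree[root] || Object.create(null);
    tree[root][e.left.name] = entry;
  }
  return tree;
}
```

`JSON.stringify(traceCalls(sampleBody), null, 2)` prints the tree; unlike the question's sample output, it records literal arguments for every call, so `list` also carries `"parameters": "html"`.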
PMD supports ECMAScript static analysis with custom rules:
References
pmd/pmd-javascript/src/main/resources/rulesets/ecmascript at master · pmd/pmd
Analyzing Javascript with PMD Maven
PMD – PMD Properties
PMD – How to make a rule set
combine two PMD checks
Using regular expressions in PMD rules
PMD – IDE Integrations