
Summary: This document provides basic information about the extension Node.js + Express support for Web applications.

Extension ID


What's new?

Please see Node.js - 2.3 - Release Notes for more information.


This extension provides support for Node.js. Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient.

CAST recommends using this extension with HTML5 and JavaScript ≥ 2.0.0 for the best results.

In what situation should you install this extension?

Regarding Front-End to Back-End connections, we do support the following cross-technology stacks:

  • iOS Front-End connected to Node.js/PostgreSQL Back-end
  • iOS Front-End connected to Node.js/MSSQL Back-end
  • AngularJS Front-End connected to Node.js/MongoDB Back-end

If your Web application contains Node.js source code and you want to view these object types and their links with other objects, then you should install this extension:

  • creates a Node.js application object when an instance has been found
  • creates Node.js operations which represent entry-points of web services

Express framework


The following declarations will create a Node.js Get Operation:

// GET /login: the analyzer creates a Node.js Get Operation for this route
app.get('/login', function (req, res) {
    "use strict";
    console.log('login ' + req.url);
    console.log('login ' + req.query.pseudo);
    var currentSession = getSessionId(req, res);
    datab.userExists(currentSession, req.query.pseudo, res, cbLogin);
});

and this one will create a NodeJS Service Operation:

var admin = express();

app.use('/admin', admin);

Hapi.js framework


Create a server - index.js:

const Hapi = require('hapi');

// Create Server
const server = new Hapi.Server();

Routes: create a route for server:

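const Joi = require('joi');

server.route({
    method: 'GET',
    path: '/api/directors/{id}',
    handler: api.directors.get,
    config: {
        tags: ['api'],
        description: 'Get one director by id',
        notes: 'Get one director by id',
        validate: {
            params: {
                id: Joi.number().required() // reject non-numeric ids before the handler runs
            }
        },
        cors: {
            origin: ['*'] // accepts cross-origin requests from any origin
        }
    }
});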

Sails.js framework


Create a server: app.js.

  // Start server

Routes control at config/routes.js:

'GET /site/:idSite' : {controller: "Site", action: "getSite", rel: RelServices.REL_ENUM.GET_VIEWED_SITE},
'PUT /alert' : {controller: "Alert", action: "putAlert", rel: RelServices.REL_ENUM.PUT_ALERT, profile: ProfileServices.PROFILE_ENUM.OPERER},

Controller actions:

self.getSite = function (req, res) {
  var promise = Site.findOne({
    idSite: idSite
  });
  // ...
};

self.putAlert = function (req, res) {
  var promise = Alert.findOne({
    alertId: alertId
  });
  // ...
};

Model definition:

self.connection = 'postgresqlServer';

self.tableName = 'T_SITE';

self.attributes = {
self.connection = 'postgresqlServer';

self.tableName = 'T_ALERT';

self.attributes = {

Transaction from get operation method to database when using SQL analyzer:

Loopback framework


Create webservice from Express API

The LoopBack app object extends Express and supports Express middleware, so a web service can be declared with the Express API:

var loopback = require('loopback');
var app = loopback();

// Create get method
app.get('/', function(req, res) {
  res.send('hello world');
});


Create webservice from model

Model todo.js:

module.exports = function(Todo) {
  Todo.stats = function(filter, cb) {
    // ...
  };

  // Expose Todo.stats as a remote method under /stats
  Todo.remoteMethod('stats', {
    accepts: {arg: 'filter', type: 'object'},
    returns: {arg: 'stats', type: 'object'},
    http: { path: '/stats' }
  }, Todo.stats);
};

Exposing models over REST: LoopBack models automatically have a standard set of HTTP endpoints that provide REST APIs.

Example: todo.json:

{
  "name": "Todo",
  "base": "PersistedModel",
  "strict": "throw",
  "persistUndefinedAsNull": true,
  "trackChanges": true,
  "properties": {
    "id": {
      "id": true,
      "type": "string",
      "defaultFn": "guid"
    },
    "title": "string",
    "completed": {
      "type": "boolean",
      "default": false
    },
    "created": {
      "type": "number"
    }
  }
}


Koa.js framework


Webservice application from Koa:

var koa = require('koa'),
  router = require('koa-router'),
  cors = require('koa-cors'),
  json = require('koa-json'),
  errorHandler = require('koa-onerror'),
  bodyParser = require('koa-body')(),
  app = koa(),
  routes = new router();

function render(controller, action) {
  // ...
}

/* routes start */

routes.get(  '/todos',                     render('todos',     'all'));
routes.post( '/todos',        bodyParser,  render('todos',     'create'));
routes.get(  '/todos/:id',                 render('todos',     'show'));
routes.del(  '/todos/:id',                 render('todos',     'delete'));
routes.patch('/todos/:id',    bodyParser,  render('todos',     'update'));
routes.del(  '/todos',                     render('todos',     'deleteAll'));

app.use(cors({methods: ['GET', 'PUT', 'POST', 'PATCH', 'DELETE']}));


app.listen(Number(process.env.PORT || 9000));

Knex.js framework


Knex.js is a "batteries included" SQL query builder for Postgres, MSSQL, MySQL, MariaDB, SQLite3, Oracle, and Amazon Redshift designed to be flexible, portable, and fun to use. We do not support the creation of tables for this framework. Example:

Define database config:

const Config = require('../config');

module.exports = {
  client: 'postgresql',
  // Connection settings come from the application config, not from literals
  connection: Config.DATABASE_URL || {
    database: Config.DB_NAME,
    host: Config.DB_HOST,
    username: Config.DB_USER,
    password: Config.DB_PASSWORD
  }
};

Create bookshelf from Knex and Bookshelf:

const DatabaseConfig = require('../../db');

const Bookshelf = require('bookshelf');
const Knex      = require('knex')(DatabaseConfig);

module.exports = Bookshelf(Knex);

Add model for bookshelf:

const Bookshelf = require('../util/bookshelf');

const Config = require('../../config');

module.exports = Bookshelf.Model.extend({
  tableName: 'todos',
  url: function () {
    return `${Config.DOMAIN}/${this.get('id')}`;
  },
  serialize: function () {
    return {
      id: this.get('id'),
      title: this.get('title'),
      url: this.url(),
      completed: this.get('completed'),
      order: this.get('order'),
      object: 'todo'
    };
  }
});

Define method for model:

const Todo = require('../../models/todo');

exports.deleteAll = () => {
  // hack to get around Bookshelf's lacking destroyAll
  return new Todo().where('id', '!=', 0).destroy()
  .then(() => []);
};

Access model from webservice method:

exports.register = (server, options, next) => {

    method: 'DELETE',
    path: '/',
    config: {
      handler: (request, reply) => {

If the table is not found through external links, an unknown database table object will be created:

Node.js MQTT


Controller.js defines a publisher with a message:

function openGarageDoor () {
  // can only open door if we're connected to mqtt and door isn't already open
  if (connected && garageState !== 'open') {
    // Ask the door to open
    client.publish('garage/open', 'true')
  }
}

function closeGarageDoor () {
  // can only close door if we're connected to mqtt and door isn't already closed
  if (connected && garageState !== 'closed') {
    // Ask the door to close
    client.publish('garage/close', 'true')
  }
}

garage.js defines a subscriber as:

client.on('connect', () => {

  // Inform controllers that garage is connected
  client.publish('garage/connected', 'true')
})

client.on('message', (topic, message) => {
  console.log('received message %s %s', topic, message)
  switch (topic) {
    case 'garage/open':
      return handleOpenRequest(message)
    case 'garage/close':
      return handleCloseRequest(message)
  }
})

Node.js Seneca Microservice


Create a service:


var seneca = require('seneca')()


var app = express()

app.use( bodyParser.json() )
app.use( seneca.export('web') )
app.use( express.static('./public') )




Define the api.js:

module.exports = function( options ) {
var seneca = this
var plugin = 'api'

seneca.add( {role:plugin, end:'offer'}, end_offer) 

function end_offer( args, done ) {
var user = args.req$.seneca.user || {}


seneca.act({role:'web', use:{
'offer': { GET:true },

return {name:plugin};


module.exports = function( options ) {
  var seneca = this
  var plugin = 'offer'

  seneca.add( {role:plugin, cmd:'provide'}, cmd_provide)

  function cmd_provide( args, done ) {
    if( args.nick ) return done(null,{product:'Apple'});

    return done(null,{product:'Orange'});

  return {name:plugin};

When a service sends an action (seneca.act()):


Webservice RestAPI:


      startware: verify_token,
        star: { 


Supported Node.js versions

v0.x | (error) | No longer supported
v5.x | (tick) | Based on JavaScript ES6
v6.x | (tick) | Based on JavaScript ES6

(tick) | Based on JavaScript ES6

Function Point, Quality and Sizing support

This extension provides the following support:

  • Function Points (transactions): a green tick indicates that OMG Function Point counting and Transaction Risk Index are supported
  • Quality and Sizing: a green tick indicates that CAST can measure size and that a minimum set of Quality Rules exist
Function Points
Quality and Sizing (tick)

Comparison with existing support for JavaScript in CAST AIP

CAST AIP has provided support for analyzing JavaScript via its JEE and .NET analyzers (provided out of box in CAST AIP) for some time now. The HTML5/JavaScript extension (on which the Node.js extension depends) also provides support for JavaScript but with a focus on web applications. CAST highly recommends that you use this extension if your Application contains JavaScript and more specifically if you want to analyze a web application, however you should take note of the following:

  • You should ensure that you configure the extension to NOT analyze the back end web client part of a .NET or JEE application.
  • You should ensure that you configure the extension to ONLY analyze the front end web application built with the HTML5/JavaScript that communicates with the back end web client part of a .NET or JEE application.
  • If the back end web client part of a .NET or JEE application is analyzed with the Node.js extension and with the native .NET/JEE analyzers, then your results will reflect this - there will be duplicate objects and links (i.e. from the analyzer and from the extension) therefore impacting results and creating erroneous Function Point data.

In CAST AIP 8.3.x support for analyzing JavaScript has been withdrawn from the JEE and .NET analyzers.

CAST AIP compatibility

This extension is compatible with:

CAST AIP release
7.3.4 and all higher 7.3.x releases (tick)

Supported DBMS servers

Microsoft SQL Server (error)


(tick) An installation of any compatible release of CAST AIP (see table above)

Dependencies with other extensions

Some CAST extensions require the presence of other CAST extensions in order to function correctly. The Node.js extension requires that the following other CAST extensions are also installed:

Note that when using the CAST Extension Downloader to download the extension and the Manage Extensions interface in CAST Server Manager to install the extension, any dependent extensions are automatically downloaded and installed for you. You do not need to do anything.

Download and installation instructions

Please see:

The latest release status of this extension can be seen when downloading it from the CAST Extend server.

Packaging, delivering and analyzing your source code

Once the extension is downloaded and installed, you can now package your source code and run an analysis. The process of packaging, delivering and analyzing your source code is described below:


Packaging and delivery

Note that the jQuery extension does not contain any CAST Delivery Manager Tool discoverers or extractors, therefore, no "jQuery" projects will be detected. However, the Web Files Discoverer extension will be automatically installed (it is a "shipped" extension which means it is delivered with AIP Core) and will automatically detect projects as HTML5 if specific files are delivered, therefore ensuring that Analysis Units are created for your source code.

Using CAST Console

Using CAST Management Studio

  • create a new Version
  • create a new Package for your Node.js source code using the Files on your file system option:

  • Define the root folder of your Application source code:

  • Run the Package action
  • Before delivering the source code, check the packaging results:

Without the Web Files Discoverer

If you are not using the Web Files Discoverer, the following will occur:

  • the CAST Delivery Manager Tool will not find any "projects" related to the Node.js application source code - this is the expected behaviour. However, if your Node.js related source code is part of a larger application (for example a JEE application), then other projects may be found during the package action (click to enlarge):

With the Web Files Discoverer

If you are using the Web Files Discoverer, the following will occur:

  • the CAST Delivery Manager Tool will automatically detect "HTML5 file projects" (see Web Files Discoverer for more technical information about how the discoverer works) related to the Node.js application source code. In addition, if your Node.js related source code is part of a larger application (for example a JEE application), then other projects may also be found during the package action (click to enlarge):

  • Deliver the Version


Using CAST Console

AIP Console exposes the technology configuration options once a version has been accepted/imported, or an analysis has been run. Click Universal Technology (3) in the Config (1) > Analysis (2) tab to display the available options for your Node.js source code:

Then choose the relevant Analysis Unit (1) to view the configuration:

Using the CAST Management Studio


  • Accept and deploy the Version in the CAST Management Studio.

Without the Web Files Discoverer

If you are not using the Web Files Discoverer, the following will occur:

  • No Analysis Units will be created automatically relating to the Node.js source code - this is the expected behaviour. However, if your Node.js related source code is part of a larger application (for example a JEE application), then other Analysis Units may be created automatically:

  • In the Current Version tab, add a new Analysis Unit specifically for your Node.js source code, selecting the Add new Universal Analysis Unit option:

  • Edit the new Analysis Unit and configure in the Source Settings tab:
    • a name for the Analysis Unit
    • ensure you tick the HTML5/JavaScript option (the Node.js extension depends on the HTML5 and JavaScript extension - and therefore the Universal Analyzer language for the AngularJS extension is set as HTML5/JavaScript)
    • define the location of the deployed Node.js source code (the CAST Management Studio will locate this automatically in the Deployment folder):

  • Run a test analysis on the Analysis Unit before you generate a new snapshot.
With the Web Files Discoverer

If you are using the Web Files Discoverer, the following will occur:

  • "HTML5" Analysis Units will be created automatically (see Web Files Discoverer for more technical information about how the discoverer works) related to the Node.js application source code. In addition, if your Node.js related source code is part of a larger application (for example a JEE application), then other Analysis Units may also be created:

  • There is nothing further to do, you can now run a test analysis on the Analysis Unit before you generate a new snapshot.

Analysis warning and error messages


Message ID: NODEJS-001
Message Type: Warning
Logged during: Analysis
An internal issue occurred when parsing a statement in a file. A part of a file was badly analyzed.
Contact CAST Technical Support

What results can you expect?

Once the analysis/snapshot generation has completed, you can view the results in the normal manner (for example via CAST Enlighten):

Node.js application with MongoDB data storage exposing web services


The following specific objects are displayed in CAST Enlighten:


Node.js Application

Node.js Port

Node.js Delete Operation Service
Node.js Get Operation Service
Node.js Post Operation Service
Node.js Put Operation Service

Node.js Service

Node.js Express Use

Node.js Express Controller

Node.js Get Http Request Service

Node.js Post Http Request Service

Node.js Put Http Request Service

Node.js Delete Http Request Service

Node.js Unknown Database

Node.js Collection

Node.js Memcached Connection

Node.js Memcached Value

Node.js Call to Java Program

Node.js Call to Generic Program

Node.js Restify Get Operation

Node.js Restify Post Operation

Node.js Restify Put Operation

Node.js Restify Delete Operation

NodeJS Unknown Database Table

Node.js Ecosystem

Node.js comes with numerous libraries and frameworks for data access, web service calls and microservice architectures. This list contains all supported libraries:

Library | Comment | Data Access | Web Service
AWS.DynamoDB | Amazon database access | (tick)
AWS.S3 | Amazon storage service | (tick)
AWS.Lambda | Amazon routing solution
CosmosDB | Microsoft Azure NoSQL Database solution | (tick)
Couchdb | Couchdb access | (tick)
Couchdb-nano | Couchdb access | (tick)
elasticsearch | Open-source search engine | (tick)
Express | Node.js application framework
Hapi | Node.js application framework | (tick)(tick)
Knex | Node.js SQL query builder | (tick)
Koa | Node.js application framework | (tick)
Loopback | Node.js application framework | (tick)(tick)
Marklogic | Marklogic access | (tick)
Memcached | Storage framework | (tick)
Node-mongodb-native | MongoDB access | (tick)
Mongo-client | MongoDB access | (tick)
Mongoose | MongoDB access | (tick)
my_connection | MySQL access | (tick)
Node-couchdb | Couchdb access | (tick)
oracledb | Oracle Database access | (tick)
pg | PostgreSQL access | (tick)
Sails | Node.js application framework | (tick)(tick)

External link behavior

Behaviour is different depending on the version of CAST AIP you are using the extension with:

  • From 7.3.6, SQL queries are sent to the external links exactly like standard CAST AIP analyzers.
  • From 7.3.4 and before 7.3.6, a degraded mode takes place: The Node.js extension analyzes the FROM clause to retrieve table names, then sends the table names only to external links.
  • For all versions, if no links are found via external links, unresolved objects are created (with type CAST_NodeJS_Unknown_Database_Table).
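
To make the degraded mode and the unresolved-object fallback concrete, here is an added sketch (not CAST's implementation) that pulls table names from the FROM clause of queries shown on this page and marks any table missing from a lookup list as CAST_NodeJS_Unknown_Database_Table. The function names and the knownTables input, which stands in for the external-links lookup, are assumptions made for the illustration.

```javascript
'use strict';
// Added illustration, not CAST's implementation: a rough model of the degraded
// mode, where only the table names found in a FROM clause are passed on.

// Keywords that close a FROM clause in the simple statements handled here.
const CLAUSE_END = /\b(?:where|group\s+by|order\s+by|having|limit|union)\b/i;

function tablesInFromClause(sql) {
  const text = String(sql).replace(/\s+/g, ' ').trim().replace(/;$/, '');
  const from = /\bfrom\b/i.exec(text);
  if (!from) return [];                 // no FROM clause: nothing to resolve
  let clause = text.slice(from.index + from[0].length);
  const end = CLAUSE_END.exec(clause);
  if (end) clause = clause.slice(0, end.index);
  const tables = clause
    .replace(/\b(?:inner|left|right|full|cross|outer)\b/gi, ' ') // JOIN modifiers
    .split(/,|\bjoin\b/i)                                        // one part per table
    .map((part) => part.split(/\bon\b/i)[0].trim().split(/\s+/)[0]) // drop ON and alias
    .filter((name) => name && !name.startsWith('('));            // skip subqueries
  return [...new Set(tables)];
}

// knownTables is a hypothetical stand-in for what external links can resolve.
function linkQuery(sql, knownTables) {
  const known = new Set(knownTables.map((t) => t.toLowerCase()));
  return tablesInFromClause(sql).map((table) => ({
    table,
    type: known.has(table.toLowerCase())
      ? 'resolved'
      : 'CAST_NodeJS_Unknown_Database_Table',
  }));
}

// Queries from this page, plus two constructed ones (a join and an UPDATE).
const SAMPLE_QUERIES = [
  'SELECT department_id, department_name FROM departments WHERE department_id < 70',
  'SELECT TOP 10 FirstName, LastName FROM authors',
  'select nspname from pg_catalog.pg_namespace',
  'SELECT s.idSite FROM T_SITE s LEFT JOIN T_ALERT a ON a.idSite = s.idSite ORDER BY s.idSite',
  'UPDATE T_ALERT SET status = 1',
];

for (const sql of SAMPLE_QUERIES) {
  console.log(sql, '=>', linkQuery(sql, ['departments', 'authors', 'T_SITE']));
}
```

The UPDATE statement yields no table at all, which is the limitation listed under Known Limitations: in degraded mode only statements with a FROM clause are handled.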

Connector per RDBMS Vendor

Oracle "oracledb" connector

Connector "oracledb"

var oracledb = require('oracledb');
connection = oracledb.getConnection(
  {
    user          : "hr",
    password      : "welcome",
    connectString : "localhost/XE"
  },
  function(err, connection) {
    if (err) { console.error(err); return; }
    connection.execute(
      "SELECT department_id, department_name FROM departments WHERE department_id < 70",
      function(err, result) {
        if (err) { console.error(err); return; }
      });
  });

MS SQL "node-sqlserver" and "mssql" connectors

Connector "node-sqlserver"

var sql = require('node-sqlserver');
var connStr = "Driver={SQL Server Native Client 11.0};Server=myySqlDb,1433;Database=DB;UID=Henry;PWD=cat;";
var query = "SELECT * FROM GAData WHERE TestID = 17";
sql.open(connStr, function(err,conn){
    if (err) {
        return console.error("Could not connect to sql: ", err);
    }
    conn.queryRaw("SELECT TOP 10 FirstName, LastName FROM authors", function (err, results) {
        if (err) {
            console.log("Error running query!");
            return;
        }
        for (var i = 0; i < results.rows.length; i++) {
            console.log("FirstName: " + results.rows[i][0] + " LastName: " + results.rows[i][1]);
        }
    });
});
// Parameterized query: the LIKE pattern is passed as a bound value
var match = "%crombie%";
sql.query(connStr, "SELECT FirstName, LastName FROM titles WHERE LastName LIKE ?", [match], function (err, results) {
    for (var i = 0; i < results.length; i++) {
        console.log("FirstName: " + results[i].FirstName + " LastName: " + results[i].LastName);
    }
});

Connector "mssql"

var sql = require('mssql');
var config = {
    user: '...',
    password: '...',
    server: 'localhost', // You can use 'localhost\\instance' to connect to named instance
    database: '...',
    options: {
        encrypt: true // Use this if you're on Windows Azure
    }
};
var connection = new sql.Connection(config, function(err) {
    // ... error checks
    // Query
    var request = new sql.Request(connection); // or: var request = connection.request();
    request.query('select * from authors', function(err, recordset) {
        // ... error checks
    });
    // Stored Procedure
    var request = new sql.Request(connection);
    request.input('input_parameter', sql.Int, 10);
    request.output('output_parameter', sql.VarChar(50));
    request.execute('procedure_name', function(err, recordsets, returnValue) {
        // ... error checks
    });
});

PostgreSQL "pg" connector

Connector "pg"

var pg = require("pg");
var conString = "pg://operator:CastAIP@localhost:2280/postgres";
var client = new pg.Client(conString);
var querySchemas = client.query("select nspname from pg_catalog.pg_namespace");
querySchemas.on("row", function (row, result) {
    "use strict";
});
querySchemas.on("end", function (result) {
    "use strict";
});

MySQL "my_connection" connector

Connector "my_connection"
var connection = require("my_connection");
			function result_getCatLogDetails(getCatLogDetails_err, getCatLogDetails_rows, 
			getCatLogDetails_fields) {
				if (getCatLogDetails_err) {
			        logContent += '|ERROR'+";";
					logContent += getCatLogDetails_err.message+";";
			        deferred.reject(new Error(getCatLogDetails_err));
			    } else {

Connector per NoSQL Vendor

Even if we don't have NoSQL server side representation, we will create a client side representation based on the API access. Node.js analyzer will create links from Javascript functions to NoSQL "Database" or "Table" equivalents as follows:

Amazon Web Services (AWS)

See Amazon Web Services - AWS

Call to Program

NodeJS extension now supports calls to external programs using the child_process module.

The fork() function is not handled as its only purpose is to fork node.js programs.

These declarations create a call to a Java program/JAR file:

const exec = require('child_process').exec;

exec('java -cp com.castsoftware.Archive -jar jarFile.jar', (e, stdout, stderr) => {
    if (e instanceof Error) {
        throw e;
    }

    console.log('stdout ', stdout);
    console.log('stderr ', stderr);
});

const cp = require('child_process');
const class_name = 'com.castsoftware.Foo'

function call_foo(req, resp) {
    const args = [
    const proc = cp.spawn('java', args);

These declarations create a call to a Python program:

const execFile = require('child_process').execFile;
const python_file = ''

const child = execFile('python', [python_file], (error, stdout, stderr) => {

    if (error) {
        console.error('stderr', stderr);
        throw error;
    }
    console.log('stdout', stdout);
});
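
The call sites this section covers can be inventoried for review with a short script. The following is an added sketch, not part of the CAST extension: it lists exec(), execFile() and spawn() calls that have a literal program name, skips fork(), and marks exec() calls, which pass their command string through a shell. The function names and the sample source are constructed for the illustration, and the regex matching does not verify that the callee is actually bound to child_process.

```javascript
'use strict';
// Added illustration (not CAST's implementation): inventory child_process
// launches in a source string so each external program call can be reviewed.

// fork() is skipped, as on this page: it only starts other Node.js programs.
const LAUNCHERS = ['exec', 'execFile', 'spawn'];

function findProgramCalls(source) {
  // Matches exec('...'), cp.spawn("..."), execFile(`...`) with a literal first argument.
  const re = /\b(?:[\w$]+\.)?(exec|execFile|spawn|fork)\s*\(\s*(['"`])(.*?)\2/g;
  const calls = [];
  for (const m of source.matchAll(re)) {
    const [, method, , literal] = m;
    if (!LAUNCHERS.includes(method)) continue;
    calls.push({
      method,
      // exec() takes a whole command line; the program is its first word.
      program: literal.trim().split(/\s+/)[0],
      // exec() runs the string through a shell; execFile()/spawn() pass an
      // argument array to the program directly (unless shell: true is set).
      viaShell: method === 'exec',
    });
  }
  return calls;
}

// Calls that deserve a closer look: any variable concatenated into the
// command string would be interpreted by the shell.
function shellLaunches(source) {
  return findProgramCalls(source).filter((call) => call.viaShell);
}

// Constructed sample, assembled from the declarations shown in this section.
const SAMPLE_SOURCE = `
const exec = require('child_process').exec;
exec('java -cp com.castsoftware.Archive -jar jarFile.jar', (e, stdout, stderr) => {});
const cp = require('child_process');
const proc = cp.spawn('java', args);
const child = execFile('python', [python_file], (error, stdout, stderr) => {});
cp.fork('./worker.js');
`;

console.log(findProgramCalls(SAMPLE_SOURCE));
```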


NodeJS extension now supports routing using the restify module.

The following is an example of an application using restify to handle some URIs.

var restify = require('restify');

function send(req, res, next) {
  res.send('hello ' + req.params.name);
  return next();
}

var server = restify.createServer();

server.post('/hello', function create(req, res, next) {
  res.send(201, Math.random().toString(36).substr(3, 8));
  return next();
});

server.put('/hello', send);
server.get('/hello/:name', function create(req, res, next) {
  res.send(201, Math.random().toString(36).substr(3, 8));
  return next();
});

server.head('/hello/:name', send);

server.del('hello/:name', function rm(req, res, next) {
  return next();
});

server.listen(8080, function() {
  console.log('%s listening at %s', server.name, server.url);
});


SQL Named Query 

When executing an SQL query directly, a CAST SQL NamedQuery object will be created:

var oracledb = require('oracledb');

connection = oracledb.getConnection(
  {
    user          : "hr",
    password      : "welcome",
    connectString : "localhost/XE"
  },
  function(err, connection)
  {
    if (err) { console.error(err); return; }
    connection.execute(
      "SELECT department_id, department_name "
    + "FROM titles "
    + "WHERE department_id < 70 "
    + "ORDER BY department_id",
      function(err, result)
      {
        if (err) { console.error(err); return; }
      });
  });

Structural Rules

The following structural rules are provided:

Known Limitations

In this section we list the most significant functional limitations that may affect the analysis of applications using Node.js:

  • With regard to external links degraded mode, only statements with a FROM clause are correctly handled.
  • NodeJS objects are only supported for ES5 standard.
  • Analysis of AWS Lambda functions needs access to the serverless.yml file, which maps routes and handlers together.