Node.js - 2.12
Extension ID
com.castsoftware.nodejs
What’s new?
Please see Node.js - 2.12 - Release Notes for more information.
Description
This extension provides support for Node.js. Node.js is a JavaScript runtime built on Chrome’s V8 JavaScript engine. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient.
CAST recommends using this extension with HTML5 and JavaScript ≥ 2.2.5 for the best results.
In what situation should you install this extension?
For Front-End to Back-End connections, the following cross-technology stacks are supported:
- iOS Front-End connected to Node.js/PostgreSQL Back-end
- iOS Front-End connected to Node.js/MSSQL Back-end
- AngularJS Front-End connected to Node.js/MongoDB Back-end
If your Web application contains Node.js source code, and you want to view these object types and their links with other objects, then you should install this extension:
- creates a Node.js application object when an instance has been found
- creates Node.js operations which represent entry-points of web services
- Node.js operations are called from client applications, using jQuery Ajax for example. Supported client frameworks are:
Supported Node.js versions
Version | Support | Comment |
---|---|---|
v0.x | ❌ | No longer supported |
v4.x | ✅ | LTS |
v5.x | ✅ | Based on JavaScript ES6 |
v6.x | ✅ | Based on JavaScript ES6 |
v7.x | ✅ | Based on JavaScript ES6 |
v8.x | ✅ | |
v9.x | ✅ | |
v10.x | ✅ | |
v11.x | ✅ | |
v12.x | ✅ | |
v13.x | ✅ | |
v14.x | ✅ | |
v15.x | ✅ | |
v16.x | ✅ | |
v17.x | ✅ | |
v18.x | ✅ | |
v19.x | ✅ | |
v20.x | ✅ | |
Node.js Ecosystem
Node.js comes with numerous libraries and frameworks that provide data access, web service calls and microservice architectures. The following list contains all supported libraries:
Library | Comment | Data Access | Web Service | Messaging | Cloud code execution | Remote Process Call |
---|---|---|---|---|---|---|
AWS.DynamoDB | Amazon database access | ✅ | ||||
AWS.S3 | Amazon storage service | ✅ | ||||
AWS.SQS | Amazon messaging service | ✅ | ||||
AWS Lambda | Cloud code execution | ✅ | ||||
aws-amplify | A library for AWS | ✅ | ||||
Axios | HTTP request client | ✅ | ||||
Azure blobs | Azure storage service | ✅ | ||||
Azure Service Bus | Azure Queue Service | ✅ | ||||
Azure Event Hubs | Azure Queue Service | ✅ | ||||
Azure Function | Cloud code execution | ✅ | ||||
Cosmos DB | Microsoft Azure NoSQL Database solution | ✅ | ||||
Couchdb | Couchdb access | ✅ | ||||
Couchdb-nano | Couchdb access | ✅ | ||||
cross-fetch | Fetch API for Node | ✅ | ||||
elasticsearch | Open-source search engine | ✅ | ||||
EventSource | A library for the EventSource client | ✅ | ||||
Express | Node.js application framework | ✅ | ||||
falcor | A library for data fetching | ✅ | ||||
fetch | Fetch API for Node | ✅ | ||||
GCP Bigtable | GCP database access | ✅ | ||||
GCP Cloud Storage | GCP storage service | ✅ | ||||
GCP Pub/Sub | GCP messaging service | ✅ | ||||
got | HTTP request client | ✅ | ||||
g-RPC | Remote Process Call service | ✅ | ||||
Hapi | Node.js application framework | ✅ | ||||
isomorphic-fetch | Fetch API for Node | ✅ | ||||
Knex | Node.js SQL query builder | ✅ | ||||
Koa | Node.js application framework | ✅ | ||||
Loopback | Node.js application framework | ✅ | ✅ | |||
Marklogic | Marklogic access | ✅ | ||||
Memcached | Storage framework | ✅ | ||||
Mongodb (node-mongodb-native) | MongoDB access | ✅ | ||||
Mongo-client | MongoDB access | ✅ | ||||
Mongoose | MongoDB access | ✅ | ||||
MQTT | Messaging library | ✅ | ||||
mssql | MsSQL access | ✅ | ||||
my_connection | MySQL access | ✅ | ||||
mysql2 | MySQL2 access | ✅ | ||||
Node-couchdb | Couchdb access | ✅ | ||||
oracledb | Oracle Database access | ✅ | ||||
pg | PostgreSQL access | ✅ | ||||
prisma | MsSQL, MySQL, PostgreSQL, MongoDB accesses | ✅ | ||||
redis | Redis access | ✅ | ||||
request | HTTP request client | ✅ | ||||
request-promise | HTTP request client | ✅ | ||||
request-promise-native | HTTP request client | ✅ | ||||
request-promise-any | HTTP request client | ✅ | ||||
Sails | Node.js application framework | ✅ | ✅ | |||
Seneca | Microservice toolkit | ✅ | ||||
sequelize | Postgres, MySQL, SQLite, MsSQL, Oracle accesses | ✅ | ||||
sqlite3 | SQLite3 access | ✅ | ||||
superagent | HTTP request client | ✅ | ||||
tedious | Tedious access | ✅ | ||||
WebSocket | WebSocket request | ✅ | ||||
whatwg-fetch | Fetch API for Node | ✅ | ||||
WLResourceRequest | Client Security API | ✅ | ||||
wretch | A wrapper built around fetch API | ✅ | ||||
XMLHttpRequest | A wrapper for HTTP request client | ✅ |
Function Point, Quality and Sizing support
This extension provides the following support:
- Function Points (transactions): a green tick indicates that OMG Function Point counting and Transaction Risk Index are supported
- Quality and Sizing: a green tick indicates that CAST can measure size and that a minimum set of Quality Rules exist
Function Points (transactions) | Quality and Sizing |
---|---|
✅ | ✅ |
Comparison with existing support for JavaScript
CAST AIP has for some time supported the analysis of JavaScript via its JEE and .NET analyzers (provided out of the box in CAST AIP). The HTML5/JavaScript extension (on which the Node.js extension depends) also supports JavaScript, but with a focus on web applications. CAST highly recommends that you use this extension if your Application contains JavaScript, and more specifically if you want to analyze a web application. However, you should take note of the following:
- You should ensure that you configure the extension to NOT analyze the back end web client part of a .NET or JEE application.
- You should ensure that you configure the extension to ONLY analyze the front end web application built with the HTML5/JavaScript that communicates with the back end web client part of a .NET or JEE application.
- If the back end web client part of a .NET or JEE application is analyzed with the Node.js extension and with the native .NET/JEE analyzers, then your results will reflect this - there will be duplicate objects and links (i.e. from the analyzer and from the extension) therefore impacting results and creating erroneous Function Point data.
In CAST AIP ≥ 8.3.x support for analyzing JavaScript has been withdrawn from the JEE and .NET analyzers.
Compatibility
Release | Operating System | Supported |
---|---|---|
v3/8.4.x | Microsoft Windows / Linux | ✅ |
v2/8.3.x | Microsoft Windows | ✅ |
Dependencies with other extensions
Some CAST extensions require the presence of other CAST extensions in order to function correctly. The Node.js extension requires that the following other CAST extensions are also installed:
- HTML5/JavaScript
- Web services linker service (internal technical extension)
Note that when using the CAST Extension Downloader to download the extension and the Manage Extensions interface in CAST Server Manager to install the extension, any dependent extensions are automatically downloaded and installed for you. You do not need to do anything.
Download and installation instructions
The extension will be automatically downloaded and installed in CAST Console. You can manage the extension using the Application - Extensions interface:
Analysis with CAST Imaging Console
CAST Imaging Console exposes the technology configuration options once a version has been accepted/imported, or an analysis has been run. Click Universal Technology (3) in the Config (1) > Analysis (2) tab to display the available options for your Node.js source code:
Then choose the relevant Analysis Unit (1) to view the configuration:
Analysis warning and error messages
Message ID | Message Type | Logged during | Impact | Remediation | Action |
---|---|---|---|---|---|
NODEJS-001 | Warning | Analysis | An internal issue occurred when parsing a statement in a file. A part of a file was badly analyzed. | Contact CAST Technical Support | |
What results can you expect?
Node.js source code will be categorised in CAST Dashboards as “HTML5/JavaScript”.
Once the analysis/snapshot generation has completed, you can view the results in the normal manner (for example via CAST Enlighten):
Node.js application with MongoDB data storage exposing web services
Detailed analysis results per framework
See Results for more details about how the extension handles each supported framework.
Objects
The following specific objects are displayed in CAST Enlighten:
- NodeJS Application
- NodeJS Port
- NodeJS Delete Operation
- NodeJS Get Operation
- NodeJS Post Operation
- NodeJS Put Operation
- NodeJS Service, NodeJS Call to gRPC service method, NodeJS gRPC service method
- NodeJS Express Controller
- NodeJS Get Http Request Service
- NodeJS Post Http Request Service
- NodeJS Put Http Request Service
- NodeJS Delete Http Request Service
- NodeJS Unknown Database
- NodeJS Collection
- NodeJS Memcached Connection
- NodeJS Memcached Value
- NodeJS Call to Java Program
- NodeJS Call to Generic Program
- NodeJS Restify Get Operation
- NodeJS Restify Post Operation
- NodeJS Restify Put Operation
- NodeJS Restify Delete Operation
- NodeJS AWS SQS Publisher, NodeJS AWS SNS Publisher, NodeJS Azure Service Bus Publisher, NodeJS Azure Event Hub Publisher, NodeJS GCP Pub/Sub Publisher
- NodeJS AWS SQS Receiver, NodeJS AWS SNS Subscriber, NodeJS Azure Service Bus Receiver, NodeJS Azure Event Hub Receiver, NodeJS GCP Pub/Sub Receiver
- NodeJS AWS SQS Unknown Publisher, NodeJS AWS SNS Unknown Publisher, NodeJS Azure Unknown Service Bus Publisher, NodeJS Azure Unknown Event Hub Publisher, NodeJS GCP Unknown Pub/Sub Publisher
- NodeJS AWS SQS Unknown Receiver, NodeJS AWS SNS Unknown Subscriber, NodeJS Azure Unknown Service Bus Receiver, NodeJS Azure Unknown Event Hub Receiver, NodeJS GCP Unknown Pub/Sub Receiver
- NodeJS GCP Pub/Sub Subscription
- NodeJS Azure Function
- NodeJS Call to Azure Function
- NodeJS Call to Unknown Azure Function
- NodeJS AWS call to Lambda Function
- NodeJS AWS call to unknown Lambda Function
- NodeJS SignalR Hub Method
- NodeJS SignalR Call to Hub Method
- NodeJS SignalR Call to Unknown Hub Method
- NodeJS S3 Bucket, NodeJS Azure Blob Container, NodeJS GCP Cloud Storage Bucket
- NodeJS S3 Unknown Bucket, NodeJS Azure Unknown Blob Container, NodeJS GCP Unknown Cloud Storage Bucket
- NodeJS CosmosDB Collection, NodeJS AWS DynamoDB Table, NodeJS Elasticsearch Index, NodeJS GCP Bigtable table, NodeJS Marklogic collection, NodeJS Redis Collection
- NodeJS CosmosDB Unknown Collection, NodeJS Elasticsearch Unknown Index, NodeJS GCP Unknown Bigtable table, NodeJS Unknown Database Table
- NodeJS SQL Query
- NodeJS MongoDB collection
- NodeJS MongoDB connection
- NodeJS Unknown MongoDB collection
- NodeJS Unknown MongoDB connection
- Prisma Configuration
- NodeJS Entity
- NodeJS Entity Operation
External link behavior
Behaviour is different depending on the version of CAST AIP you are using the extension with:
- From 7.3.6, SQL queries are sent to the external links exactly like standard CAST AIP analyzers.
- From 7.3.4 and before 7.3.6, a degraded mode applies: the Node.js extension analyzes the FROM clause to retrieve table names, then sends only the table names to external links.
- For all other versions, if no links are found via external links and the com.castsoftware.nodejs.missingtable extension is installed, unresolved objects are created (with type CAST_NodeJS_Unknown_Database_Table).
Data sensitivity
This extension is capable of setting a property on NoSQL collection and Cloud File storage objects for the following:
- custom sensitivity
- GDPR
- PCI-DSS
See Data Sensitivity for more information.
Structural Rules
The following structural rules are provided:
Release | Link |
---|---|
2.12.0-beta2 | https://technologies.castsoftware.com/rules?sec=srs_nodejs&ref=||2.12.0-beta2 |
2.12.0-beta1 | https://technologies.castsoftware.com/rules?sec=srs_nodejs&ref=||2.12.0-beta1 |
Known Limitations
In this section we list the most significant functional limitations that may affect the analysis of applications using Node.js:
- With regard to external links degraded mode, only statements with a FROM clause are correctly handled.
- NodeJS objects are only supported for the ES5 standard.
- Analysis of AWS Lambda functions needs access to the serverless.yml file that maps routes and handlers together.
- Technology specific known limitations are listed in the dedicated framework page: