Remove babel from nodejs-scan analyzer
A few reminders:
- Our nodejs-scan analyzer relies only on the rules provided by the upstream project NodeJsScan.
- The logic has been completely re-implemented in Go
- We didn't want to use the tool itself because of its large number of dependencies.
- We introduced Babel to avoid reporting vulnerabilities that would be in comments.
It turned out that Babel is a big dependency, and it generated a lot of extra work and woes. We recently updated to Babel 7 to fix some of the issues we had, and introduced others at the same time. It's time to reconsider this choice and evaluate the real need for such a big piece of software to maintain.
If we're only talking about ignoring comments, why don't we just update the `scanFile` func to ignore lines starting with `//`, and all lines between the ones starting with `/*` and ending with `*/`? We don't even need a RegExp for that; `strings.HasPrefix` (/`Suffix`) is enough for this job.
This change is pretty straightforward and would make the analyzer a lot lighter (no more javascript or babel required), therefore easier to maintain.
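As an added illustration (not code from the analyzer itself), here is what the proposed prefix/suffix line filter could look like in Go, run over a constructed JavaScript snippet; `stripCommentLines` and the sample are assumptions, not the project's own names:

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// stripCommentLines implements the proposal above: before the rules run,
// drop every line whose trimmed text starts with "//", and every line from
// one whose trimmed text starts with "/*" through the one whose trimmed
// text ends with "*/". It returns the surviving lines keyed by their
// original 1-based line number so findings keep their real location.
func stripCommentLines(src string) map[int]string {
	kept := make(map[int]string)
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		t := strings.TrimSpace(line)
		switch {
		case inBlock:
			// still inside /* ... */; look for the closing line
			if strings.HasSuffix(t, "*/") {
				inBlock = false
			}
		case strings.HasPrefix(t, "//"):
			// whole-line comment, nothing to scan
		case strings.HasPrefix(t, "/*"):
			// block comment; a one-liner like "/* x */" closes immediately
			inBlock = !strings.HasSuffix(t, "*/")
		default:
			kept[n] = line
		}
	}
	return kept
}

// sample is a constructed JavaScript snippet, not a real project file.
const sample = "const x = eval(userInput); // trailing comment stays\n" +
	"// eval(commentedOut)\n" +
	"/*\n" +
	" eval(insideBlock)\n" +
	"*/\n" +
	"/* one-line block */\n" +
	"console.log(x)\n"

func main() {
	for n, l := range stripCommentLines(sample) {
		fmt.Printf("%d: %s\n", n, l)
	}
}
```

Because the check only looks at the start and end of a whole line, a `*/` followed by code on the same line keeps the block open and drops the code lines after it, while a trailing `// ...` on a code line is harmless since the code before it is still scanned.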
/cc @fcatteau in case I missed something obvious. /cc @twoodham