Scans Node.js programs for vulnerabilities. Uses Espect
From terminal:
$ carat <file> [options]
Example:
$ carat vulns/fs.js
---------------- vulns/fs.js
vuln
sink:
line: vulns/fs.js:4
code: fs.readFileSync(process.argv[2])
source:
line: vulns/fs.js:4
code: process
vuln
sink:
line: vulns/fs.js:8
code: eval(data)
source:
line: vulns/fs.js:8
code: data
Code is written in es6, only traverses es5 for now.