RetireJS / retire.js

Scanner detecting the use of JavaScript libraries with known vulnerabilities. Can also generate an SBOM of the libraries it finds.

Home Page: https://retirejs.github.io/retire.js/


Detect all libraries in a minified file

Sa-So opened this issue · comments

Is your feature request related to a problem? Please describe.
I have a file named "vendors.bundle.js" in a folder named "theme" in my project. It was added by some team member in one go with no documentation, and he is no longer with us; it's a minified JS file containing multiple libraries.

A security test by some team using RetireJS detected 2 vulnerable libraries in our project, within that file: moment.js and bootstrap-select. I need to upgrade those, but I am unable to do so as that file contains multiple libraries in minified form.

To fix this I thought of scanning that file again with Retire with the option --exitwith 0 to detect all libraries in that file, and then replacing that file with all the libraries in it plus upgraded versions of the vulnerable libraries, but Retire could only find jquery 3.5 in it other than those vulnerable libs, and when I added jquery 3.5 + upgraded versions of the other libraries I ran into errors.
Probably because Retire missed a few libraries that are in that file. I want to know which libraries are present in that file.

Describe the solution you'd like
I am not sure how this tool detects the libraries used - would love it if there were a blog / doc explaining this as well, but what I would want is an option which, when set to true, tries to detect all libraries in a file/project, looking from a large pool of popular libraries.

Describe alternatives you've considered
Not any as of now

Additional context

retire.js uses several different mechanisms to detect the libraries in the files. The original idea was to find libraries with known vulnerabilities. As such, there will be libraries that retire.js has no detection for, as they either a) don't have any known vulnerabilities or b) we haven't gotten around to adding them.
retire.js uses the following detection mechanisms:

  • URL/path of file (e.g. /1.8.6/jquery.js)
  • filename (e.g. jquery-1.8.6.min.js)
  • regexes to fingerprint files (comments or structures within the JavaScript)
  • function calling (e.g. jquery.fn.jquery will return the jQuery version)
  • AST scanning (parsing the JS and querying it for versions)

For your case, retire.js is unlikely to find all of them. I would rather try to see if I could figure out how the original file was built (any signs in the source code repository, etc.?) or if there is a .map file attached. You can also look for comments in the file to see if all libraries are listed. Typically there will be /*! comments even in minified files.
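As an added example (not retire.js's own code), the "look for /*! comments" check above, scripted: it lists the banner comments that minifiers preserve in a bundle and reads a library name and version from each. The sample bundle, the `example.invalid` URL and the banner parsing heuristics are constructed assumptions; real banner formats vary, so this is an inventory hint, not a vulnerability check.

```javascript
// Added example, not part of retire.js: inventory the banner comments that
// minifiers preserve in a bundle and read a library name/version from each.

// Banners minifiers keep: /*! ... */ blocks, or runs of //! lines (moment.js style).
const BANNER_RE = /\/\*![\s\S]*?\*\/|(?:^[ \t]*\/\/!.*(?:\r?\n|$))+/gm;
// A dotted version number, optionally prefixed with "v" (e.g. v3.5.1, 2.24.0).
const VERSION_RE = /\bv?(\d+\.\d+(?:\.\d+)?)\b/;

// Strip comment markers and leading " * " / "//! " decorations; return text lines.
function bannerLines(raw) {
  return raw
    .replace(/^\/\*!|\*\/$/g, "")
    .split(/\r?\n/)
    .map((l) => l.replace(/^\s*(\/\/!|\*)\s?/, "").trim())
    .filter(Boolean);
}

// Guess {name, version} for one banner. Assumption: the banner leads with the
// library name, the name ends at the first "|" or "(", and the version is the
// first dotted number anywhere in the banner.
function parseBanner(raw) {
  const lines = bannerLines(raw);
  const head = lines[0] || "";
  const name = head.split(/\s*[|(]/)[0].replace(VERSION_RE, "").trim();
  const m = VERSION_RE.exec(lines.join("\n"));
  return { name: name || null, version: m ? m[1] : null, banner: head };
}

// Scan a whole bundle and return one entry per preserved banner, in file order.
function inventoryBundle(source) {
  return (source.match(BANNER_RE) || []).map(parseBanner);
}

// Constructed sample bundle (not the reporter's file): three minified
// libraries using the banner styles seen in jQuery, bootstrap-select and moment.
const SAMPLE_BUNDLE = [
  "/*! jQuery v3.5.1 | (c) JS Foundation and other contributors | jquery.org/license */",
  '!function(e,t){"use strict"}(window);',
  "/*!",
  " * Bootstrap-select v1.13.18 (https://example.invalid/bootstrap-select)",
  " * Copyright 2012-2020 Example Vendor",
  " */",
  "!function(a,b){}(this);",
  "//! moment.js",
  "//! version : 2.24.0",
  "//! license : MIT",
  "!function(e,t){}(this);",
].join("\n");

console.table(inventoryBundle(SAMPLE_BUNDLE));
```

Replace `SAMPLE_BUNDLE` with `require("fs").readFileSync("theme/vendors.bundle.js", "utf8")` to scan the real file; a library whose banner was stripped will still be missed, which is where the .map file or repository history suggested above comes in.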