RetireJS is a tool that allows you to check your javascript dependencies for known vulnerabilities.
It works both for client-side dependencies and NodeJs dependencies.
You can find the demo project used in this blog post here.
Table of contents
- OWASP Top 10: using vulnerable dependencies
- Using retirejs from the command line
- Possible next steps
OWASP Top 10: using vulnerable dependencies
In this post I'll look at a way to help prevent one of the risks described in the OWASP Top 10: using components with known vulnerabilities. If you're unfamiliar with the concept, you can take a look at my post about solving this issue for a .NET project.
Command line version
The command-line version can be installed using npm.
npm install -g retire
You can call retire by executing
retire
from the command line.
You might prefer to keep it as a local dependency instead of a global one. You can do it like this:
npm install retire --save-dev
You can execute it like this:
node node_modules/retire/bin/retire
You'll notice that this is a bit inconvenient, so you can add a script to your package.json to make it easier to access. The script name is what you pass to npm run, and npm resolves the locally installed retire binary for you:
"scripts": {
  "retire": "retire"
}
Now you can run it by executing npm run retire.
When we run it, we can see a list of vulnerabilities found in our project.
We can also redirect it to a file using the --outputpath argument.
You will probably get an output resembling this.
Possible next steps
You could integrate this check into your local development process, or into your build server. You could, for example, make your build fail based on the exit code retirejs returns. You could also include it in a Zed Attack Proxy scan (see my previous post about ZAP): there is a plugin that enables scanning of client-side dependencies for vulnerabilities, and you can find out more about it here. At the moment of writing, the plugin is still in alpha stage though.