Command line scanner looking for use of known vulnerable JavaScript files and Node modules in web projects and/or Node projects.

Install
-------

````
npm install -g retire
````

Usage
-----

````
Usage: retire [options]

Options:

  -h, --help                 output usage information
  -V, --version              output the version number

  -p, --package              limit node scan to packages where parent is a dependency mentioned in package.json (ignore node_modules and devDependencies)
  -n, --node                 Run node dependency scan only
  -j, --js                   Run scan of JavaScript files only
  -v, --verbose              Show identified files (by default only vulnerable files are shown)
  -x, --dropexternal         Don't include project provided vulnerability repository
  -c, --nocache              Don't use local cache

  --jspath <path>            Folder to scan for JavaScript files
  --nodepath <path>          Folder to scan for node files
  --path <path>              Folder to scan for both
  --jsrepo <path|url>        Local or internal version of repo
  --noderepo <path|url>      Local or internal version of repo
  --proxy <url>              Proxy url (http://some.server:8080)
  --outputformat <format>    Valid formats: text, json
  --outputpath <path>        File to which output should be written
  --ignore <paths>           Comma delimited list of paths to ignore
  --ignorefile <path>        Custom .retireignore file, defaults to .retireignore
  --severity <level>         Specify the bug severity level from which the process fails. Allowed levels none, low, medium, high, critical. Default: none
  --exitwith <code>          Custom exit code (default: 13) when vulnerabilities are found
````

The exit code is what a CI job should key on: with the default `--severity none`, retire exits with code 13 as soon as any vulnerability is found. Raise `--severity` to fail only from a given level upwards, and use `--exitwith` if the pipeline expects a different code.

.retireignore
-------------

````
@qs # ignore this module regardless of location
node_modules/connect/node_modules/body-parser/node_modules/qs # ignore specific path
````

A bug in ignore resolution affects earlier releases; upgrade to retire >= 1.1.3 before relying on this file.

.retireignore.json
------------------

Each entry carries a justification and suppresses findings either by component plus vulnerability identifier, by component plus version, or by path:

````
[
  {
    "component": "jquery",
    "identifiers": { "issue": "2432" },
    "justification": "We don't call external resources with jQuery"
  },
  {
    "component": "jquery",
    "version": "2.1.4",
    "justification": "We don't call external resources with jQuery"
  },
  {
    "path": "node_modules",
    "justification": "The node modules are only used for building - client side dependencies are using bower"
  }
]
````

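The matching behaviour implied by the two ignore files above (`@name` versus path entries in `.retireignore`; component plus identifier, component plus version, or path entries in `.retireignore.json`), as an added Node.js example that is not retire.js's own code: it parses both formats and applies them to a constructed list of findings. The finding shape, the segment-wise path prefix rule and the refusal of criteria-less entries are this example's assumptions, not documented retire behaviour.

```javascript
'use strict';
// Added example, not retire.js's own code. The finding shape
// {file, component, version, vulnerability: {severity, identifiers}} is an
// assumption made for this example; retire's real report format may differ.

// .retireignore (plain text): '#' starts a comment; '@name' ignores a component
// regardless of location; any other entry is a path prefix to ignore.
function parseRetireIgnore(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, '').trim();
    if (!line) continue;
    entries.push(line.startsWith('@') ? { component: line.slice(1) } : { path: line });
  }
  return entries;
}

// .retireignore.json: an array of entries carrying any of component, version,
// identifiers, path, plus a free-text justification.
function parseRetireIgnoreJson(text) {
  const entries = JSON.parse(text);
  if (!Array.isArray(entries)) throw new TypeError('.retireignore.json must contain an array');
  return entries;
}

// Normalise separators, a leading "./" and trailing slashes before comparing.
const norm = (p) => p.replace(/\\/g, '/').replace(/^\.\//, '').replace(/\/+$/, '');

// Prefix match on whole path segments, so "node_modules/qs" does not also
// silence "node_modules/qs-extra".
function pathMatches(file, ignorePath) {
  const f = norm(file), i = norm(ignorePath);
  return f === i || f.startsWith(i + '/');
}

// Every criterion present on the entry must hold. An entry with no criteria at
// all (justification only) is refused rather than silently suppressing everything.
function isIgnored(finding, entry) {
  const criteria = ['path', 'component', 'version', 'identifiers'].filter((k) => entry[k] !== undefined);
  if (criteria.length === 0) return false;
  if (entry.path !== undefined && !pathMatches(finding.file, entry.path)) return false;
  if (entry.component !== undefined && entry.component !== finding.component) return false;
  if (entry.version !== undefined && entry.version !== finding.version) return false;
  if (entry.identifiers !== undefined) {
    const ids = (finding.vulnerability && finding.vulnerability.identifiers) || {};
    for (const [key, want] of Object.entries(entry.identifiers)) {
      const have = ids[key];
      const hit = Array.isArray(have) ? have.map(String).includes(String(want)) : String(have) === String(want);
      if (!hit) return false;
    }
  }
  return true;
}

// Findings that survive the ignore list are the ones that should fail the build.
function filterFindings(findings, entries) {
  return findings.filter((f) => !entries.some((e) => isIgnored(f, e)));
}

// Constructed sample findings; versions and identifiers are placeholders, not claims.
const sampleFindings = [
  { file: 'js/jquery-2.1.4.min.js', component: 'jquery', version: '2.1.4',
    vulnerability: { severity: 'medium', identifiers: { issue: '2432' } } },
  { file: 'js/jquery-2.1.4.min.js', component: 'jquery', version: '2.1.4',
    vulnerability: { severity: 'medium', identifiers: { summary: 'constructed second jquery finding' } } },
  { file: 'node_modules/connect/node_modules/body-parser/node_modules/qs', component: 'qs', version: '0.0.0-example',
    vulnerability: { severity: 'high', identifiers: { summary: 'constructed qs finding' } } },
  { file: 'node_modules/express/node_modules/qs', component: 'qs', version: '0.0.0-example',
    vulnerability: { severity: 'high', identifiers: { summary: 'constructed qs finding' } } },
];

// The plain-text file exactly as documented above.
const SAMPLE_RETIREIGNORE = `@qs # ignore this module regardless of location
node_modules/connect/node_modules/body-parser/node_modules/qs # ignore specific path
`;

// A constructed JSON file: one identifier entry, one narrower path entry.
const SAMPLE_RETIREIGNORE_JSON = JSON.stringify([
  { component: 'jquery', identifiers: { issue: '2432' }, justification: "We don't call external resources with jQuery" },
  { path: 'node_modules/connect', justification: 'connect is only used by the build (constructed)' },
]);

function remainingWithPlain() { return filterFindings(sampleFindings, parseRetireIgnore(SAMPLE_RETIREIGNORE)); }
function remainingWithJson() { return filterFindings(sampleFindings, parseRetireIgnoreJson(SAMPLE_RETIREIGNORE_JSON)); }

console.log('.retireignore leaves', remainingWithPlain().map((f) => f.file));
console.log('.retireignore.json leaves', remainingWithJson().map((f) => f.file));
```

With the plain file, `@qs` removes both qs findings wherever they sit and the two jQuery findings remain; with the JSON file, only the jQuery finding carrying issue 2432 and the qs copy under `node_modules/connect` are suppressed, so the second jQuery finding and the qs copy under `node_modules/express` still fail the build.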
Source code / Reporting an issue
--------------------------------

The source code and issue tracker can be found at [https://github.com/RetireJS/retire.js](https://github.com/RetireJS/retire.js)