| 1 | Command line scanner looking for use of known vulnerable js files and node modules in web projects and/or node projects.
|
| 2 |
|
| 3 | Install
|
| 4 | -------
|
| 5 |
|
| 6 | npm install -g retire
|
| 7 |
|
| 8 |
|
| 9 | Usage
|
| 10 | -----
|
| 11 |
|
| 12 | ````
|
| 13 | Usage: retire [options]
|
| 14 |
|
| 15 | Options:
|
| 16 |
|
| 17 | -h, --help output usage information
|
| 18 | -V, --version output the version number
|
| 19 |
|
| 20 | -p, --package limit node scan to packages where parent is mentioned in package.json (ignore node_modules)
|
| 21 | -n, --node Run node dependency scan only
|
| 22 | -j, --js Run scan of JavaScript files only
|
| 23 | -v, --verbose Show identified files (by default only vulnerable files are shown)
|
| 24 | -x, --dropexternal Don't include project provided vulnerability repository
|
| 25 | -c, --nocache Don't use local cache
|
| 26 |
|
| 27 | --jspath <path> Folder to scan for javascript files
|
| 28 | --nodepath <path> Folder to scan for node files
|
| 29 | --path <path> Folder to scan for both
|
| 30 | --jsrepo <path|url> Local or internal version of repo
|
| 31 | --noderepo <path|url> Local or internal version of repo
|
| 32 | --cachedir <path> Path to use for local cache instead of /tmp/.retire-cache
|
| 33 | --proxy <url> Proxy url (http://some.sever:8080)
|
| 34 | --outputformat <format> Valid formats: text, json, jsonsimple, depcheck (experimental) and cyclonedx
|
| 35 | --outputpath <path> File to which output should be written
|
| 36 | --ignore <paths> Comma delimited list of paths to ignore
|
| 37 | --ignorefile <path> Custom ignore file, defaults to .retireignore / .retireignore.json
|
| 38 | --severity <level> Specify the bug severity level from which the process fails. Allowed levels none, low, medium, high, critical. Default: none
|
| 39 | --exitwith <code> Custom exit code (default: 13) when vulnerabilities are found
|
| 40 | --colors Enable color output (console output only)
|
| 41 | --insecure Enable fetching remote jsrepo/noderepo files from hosts using an insecure or self-signed SSL (TLS) certificate
|
| 42 | --cacert <path> Use the specified certificate file to verify the peer used for fetching remote jsrepo/noderepo files
|
| 43 | ````
|
| 44 |
|
| 45 | The `depcheck` output format mimics the output of OWASP Dependency Check, but lacks some information compared to OWASP Dependency Check, because that information is not in the repo.
|
| 46 | The `cyclonedx` output format is based on based on the https://github.com/CycloneDX spec.
|
| 47 |
|
| 48 | .retireignore
|
| 49 | -------------
|
| 50 | ````
|
| 51 | @qs # ignore this module regardless of location
|
| 52 | node_modules/connect/node_modules/body-parser/node_modules/qs # ignore specific path
|
| 53 | ````
|
| 54 | Due to a bug in ignore resolving, please upgrade to >= 1.1.3
|
| 55 |
|
| 56 | .retireignore.json
|
| 57 | ------------------
|
| 58 | ````
|
| 59 | [
|
| 60 | {
|
| 61 | "component": "jquery",
|
| 62 | "identifiers" : { "issue": "2432"},
|
| 63 | "justification" : "We dont call external resources with jQuery"
|
| 64 | },
|
| 65 | {
|
| 66 | "component": "jquery",
|
| 67 | "version" : "2.1.4",
|
| 68 | "justification" : "We dont call external resources with jQuery"
|
| 69 | },
|
| 70 | {
|
| 71 | "path" : "node_modules",
|
| 72 | "justification" : "The node modules are only used for building - client side dependencies are using bower"
|
| 73 | }
|
| 74 |
|
| 75 | ]
|
| 76 | ````
|
| 77 |
|
| 78 | Source code / Reporting an issue
|
| 79 | --------------------------------
|
| 80 | The source code and issue tracker can be found at [https://github.com/RetireJS/retire.js](https://github.com/RetireJS/retire.js)
|
| 81 | |
| \ | No newline at end of file |