Command-line scanner that looks for known vulnerable JavaScript files and node modules in web projects and/or node projects.

Install
-------

npm install -g retire

Usage
-----
|
````
Usage: retire [options]

Options:

  -h, --help               output usage information
  -V, --version            output the version number

  -p, --package            limit node scan to packages where parent is mentioned in package.json (ignore node_modules)
  -n, --node               Run node dependency scan only
  -j, --js                 Run scan of JavaScript files only
  -v, --verbose            Show identified files (by default only vulnerable files are shown)
  -x, --dropexternal       Don't include project provided vulnerability repository
  -c, --nocache            Don't use local cache

  --jspath <path>          Folder to scan for javascript files
  --nodepath <path>        Folder to scan for node files
  --path <path>            Folder to scan for both
  --jsrepo <path|url>      Local or internal version of repo
  --noderepo <path|url>    Local or internal version of repo
  --cachedir <path>        Path to use for local cache instead of /tmp/.retire-cache
  --proxy <url>            Proxy url (http://some.sever:8080)
  --outputformat <format>  Valid formats: text, json, jsonsimple, depcheck (experimental) and cyclonedx
  --outputpath <path>      File to which output should be written
  --ignore <paths>         Comma delimited list of paths to ignore
  --ignorefile <path>      Custom ignore file, defaults to .retireignore / .retireignore.json
  --severity <level>       Specify the bug severity level from which the process fails. Allowed levels none, low, medium, high, critical. Default: none
  --exitwith <code>        Custom exit code (default: 13) when vulnerabilities are found
  --colors                 Enable color output (console output only)
  --insecure               Enable fetching remote jsrepo/noderepo files from hosts using an insecure or self-signed SSL (TLS) certificate
  --cacert <path>          Use the specified certificate file to verify the peer used for fetching remote jsrepo/noderepo files
````
|
44 |
|
The `depcheck` output format mimics the output of OWASP Dependency Check, but lacks some of the information OWASP Dependency Check reports, because that information is not in the vulnerability repo.

The `cyclonedx` output format is based on the https://github.com/CycloneDX spec.
|
47 |
|
.retireignore
-------------

````
@qs # ignore this module regardless of location
node_modules/connect/node_modules/body-parser/node_modules/qs # ignore specific path
````

Because of a bug in ignore resolution in earlier versions, please upgrade to version 1.1.3 or later.
|
55 |
|
.retireignore.json
------------------

````
[
  {
    "component": "jquery",
    "identifiers": { "issue": "2432" },
    "justification": "We dont call external resources with jQuery"
  },
  {
    "component": "jquery",
    "version": "2.1.4",
    "justification": "We dont call external resources with jQuery"
  },
  {
    "path": "node_modules",
    "justification": "The node modules are only used for building - client side dependencies are using bower"
  }
]
````
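The two ignore formats above are easy to get subtly wrong (a path rule that silently covers more than intended, or a suppression with no recorded reason). The script below is an added illustration, not retire.js's own code: it applies the `.retireignore` and `.retireignore.json` rules from this README to constructed findings, using our reading of the semantics described here (`@name` matches the module wherever it is installed, anything else is a path prefix; JSON entries match on `path`, on `component` plus `version`, or on `component` plus `identifiers`). The finding dictionaries and the `lint_entries` check are constructed for this example and do not reflect retire.js's real JSON output schema.

```python
import json

# Constructed sample .retireignore with the same two rules the README shows.
RETIREIGNORE_TEXT = """\
@qs # ignore this module regardless of location
node_modules/connect/node_modules/body-parser/node_modules/qs # ignore specific path
"""

# Constructed sample .retireignore.json mirroring the README's entries.
RETIREIGNORE_JSON = """\
[
  {"component": "jquery", "identifiers": {"issue": "2432"},
   "justification": "We dont call external resources with jQuery"},
  {"component": "jquery", "version": "2.1.4",
   "justification": "We dont call external resources with jQuery"},
  {"path": "node_modules",
   "justification": "The node modules are only used for building - client side dependencies are using bower"}
]
"""


def parse_retireignore(text):
    """Drop '#' comments and blank lines; return the bare rules in file order."""
    rules = []
    for raw in text.splitlines():
        rule = raw.split("#", 1)[0].strip()
        if rule:
            rules.append(rule)
    return rules


def load_entries(text=RETIREIGNORE_JSON):
    """Parse a .retireignore.json document into a list of entry dicts."""
    return json.loads(text)


def _under_path(path, prefix):
    """True if path equals prefix or lies below it, directory-wise."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def path_ignored(path, rules):
    """Plain-text rules: '@name' ignores the module wherever it is installed,
    any other rule ignores that specific path and everything under it.
    This matching is our reading of the README, not retire.js's own logic."""
    parts = path.split("/")
    for rule in rules:
        if rule.startswith("@"):
            name = rule[1:]
            # An installed module shows up as .../node_modules/<name>/...
            if any(parts[i] == "node_modules" and parts[i + 1] == name
                   for i in range(len(parts) - 1)):
                return True
        elif _under_path(path, rule):
            return True
    return False


def finding_ignored(finding, entries):
    """JSON rules. `finding` is a constructed dict with keys component,
    version, path and identifiers; it is not retire.js's output schema."""
    for entry in entries:
        if "path" in entry:
            if _under_path(finding["path"], entry["path"]):
                return True
            continue
        if entry.get("component") != finding["component"]:
            continue
        if "version" in entry:
            if entry["version"] == finding["version"]:
                return True
            continue
        if "identifiers" in entry:
            have = finding.get("identifiers", {})
            if all(str(have.get(k)) == str(v) for k, v in entry["identifiers"].items()):
                return True
            continue
        # A component named with neither version nor identifiers is assumed
        # to cover every finding for that component.
        return True
    return False


def lint_entries(entries):
    """Review-time check (our addition, not required by retire.js): every
    suppression should say what it covers and why, so it can be revisited
    when the advisory or the dependency changes."""
    problems = []
    for i, entry in enumerate(entries):
        if "component" not in entry and "path" not in entry:
            problems.append(f"entry {i}: neither 'component' nor 'path'")
        if not entry.get("justification", "").strip():
            problems.append(f"entry {i}: missing justification")
    return problems


if __name__ == "__main__":
    rules = parse_retireignore(RETIREIGNORE_TEXT)
    for p in ["node_modules/express/node_modules/qs/lib/index.js",
              "node_modules/connect/lib/connect.js"]:
        print(p, "ignored" if path_ignored(p, rules) else "reported")
    print(lint_entries(load_entries() + [{"component": "lodash"}]))
```

Note how broad the third JSON entry is: a bare `"path": "node_modules"` silences every node dependency, which is exactly why each entry should carry a justification that a reviewer can check against the current state of the project.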
|
77 |
|
Source code / Reporting an issue
--------------------------------

The source code and issue tracker can be found at [https://github.com/RetireJS/retire.js](https://github.com/RetireJS/retire.js)
|
81 |
|