Retire.js is a free open source scanner for detecting the use of JavaScript libraries with known vulnerabilities.

Links for more information:

  1. http://retirejs.github.io/retire.js/
  2. https://github.com/RetireJS/retire.js/
Warning: JavaScript source maps

When we update a library and use its minified version we need to:

  1. verify that we have the unminified source (js and/or css). OpenLayers is an exception because its multi-MB source distribution is a concatenation of multiple files, see OFBIZ-11883;
  2. create a JavaScript source map if none exists; you may use a tool like https://github.com/mozilla/source-map. Note: we are investigating whether https://plugins.gradle.org/plugin/com.github.node-gradle.node would help;
  3. add or change the sourceMappingURL comment at the end of the minified file, as described in https://developer.mozilla.org/en-US/docs/Tools/Debugger/How_to/Use_a_source_map;
  4. follow a naming convention for minified files and their maps, e.g. jquery-3.5.1.js, jquery-3.5.1.min.js and jquery-3.5.1.min.js.map.

Here is an interesting link about possible JavaScript source map errors: https://developer.mozilla.org/en-US/docs/Tools/Debugger/Source_map_errors


The following table tracks the work done to fix vulnerabilities detected with retire.js:

Scan date: 18-March-2017
Ticket: OFBIZ-9269
Affected version: Trunk
Vulnerabilities: CVE-2015-9251
Fix date: 20-November-2017
Fixed release: 17.12.01
Fixes: jQuery upgraded from jQuery 1.11.0 to jQuery 3.2.1

Scan date: 06-June-2019
Ticket: OFBIZ-10678
Affected version: 16.11.05
Vulnerabilities: CVE-2015-9251, CVE-2019-11358
Fix date: 18-June-2019
Fixed release: 16.11.06
Fixes: jQuery upgraded from jQuery 1.11.0 to jQuery 3.4.1

Scan date: 06-June-2019
Ticket: OFBIZ-10678
Affected version: 17.12.01, 18.12.01, Trunk
Vulnerabilities: CVE-2018-14041, CVE-2019-11358
Fix date: 27-July-2019
Fixed release: 17.12.01, 18.12.01
Fixes: for CVE-2018-14041 Bootstrap upgraded to 4.3; for CVE-2019-11358 jQuery upgraded from jQuery 3.2.1 to jQuery 3.4.1

Scan date: 29-May-2020
Ticket: OFBIZ-11752
Affected version: 17.12.01, 18.12.01, Trunk
Vulnerabilities: severity medium; the regex in jQuery.htmlPrefilter may sometimes introduce XSS (https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/)
Fix date: 16-June-2020, 12-June-2020
Fixed release: 17.12.04, 18.12.01
Fixes: jQuery upgraded from jQuery 3.4.1 to jQuery 3.5.1

I (Jacques Le Roux) just (2015-12-08) used retire.js on a trunk HEAD (r1716917) and got these results:

framework\images\webapp\images\jquery\jquery-migrate-1.2.1.js has known vulnerabilities: severity: medium; bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 http://research.insecurelabs.org/jquery/test/
specialpurpose\solr\webapp\solr\js\require.js has known vulnerabilities: severity: medium; bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 http://research.insecurelabs.org/jquery/test/
specialpurpose\birt\webapp\birt\webcontent\birt\ajax\lib\prototype.js has known vulnerabilities: severity: high; CVE: CVE-2008-7220; http://www.cvedetails.com/cve/CVE-2008-7220/

...