Retire.js is a free open source scanner for detecting the use of JavaScript libraries with known vulnerabilities.
Links to get a better insight:
- http://retirejs.github.io/retire.js/
- https://github.com/RetireJS/retire.js/
Warning: JavaScript source maps

When we update a library and we use the minified version we need to:

- verify that we have the source (js and/or css). OpenLayers is an exception because it uses a concatenation of multiple files in the multi-MB source distribution, see OFBIZ-11883;
- create a JavaScript source map if it does not exist; you may use a tool like https://github.com/mozilla/source-map. Note: we are investigating whether using https://plugins.gradle.org/plugin/com.github.node-gradle.node would help;
- change or add a sourceMappingURL comment in the minified version. You can follow https://developer.mozilla.org/en-US/docs/Tools/Debugger/How_to/Use_a_source_map;
- follow a convention for minified files with maps, like: jquery-3.5.1.js, jquery-3.5.1.min.js and jquery-3.5.1.min.js.map.

Here is an interesting link about possible JavaScript source map errors: https://developer.mozilla.org/en-US/docs/Tools/Debugger/Source_map_errors
Following are the efforts made to fix vulnerabilities detected using retire.js:
| Scan Date | Ticket | Affected Version | Vulnerabilities | Fix Date | Fixed Release | Fixes |
|---|---|---|---|---|---|---|
| 18-March-2017 | OFBIZ-9269 | Trunk | CVE-2015-9251 | 20-November-2017 | 17.12.01 | jQuery upgraded from jQuery 1.11.0 to jQuery 3.2.1 |
| 06-June-2019 | OFBIZ-10678 | 16.11.05 | CVE-2015-9251, CVE-2019-11358 | 18-June-2019 | 16.11.06 | jQuery upgraded from jQuery 1.11.0 to jQuery 3.4.1 |
| 06-June-2019 | OFBIZ-10678 | 17.12.01, 18.12.01, Trunk | CVE-2018-14041, CVE-2019-11358 | 27-July-2019 | 17.12.01, 18.12.01 | For CVE-2018-14041 Bootstrap upgraded to 4.3; for CVE-2019-11358 jQuery upgraded from jQuery 3.2.1 to jQuery 3.4.1 |
| 29-May-2020 | OFBIZ-11752 | 17.12.01, 18.12.01, Trunk | Severity: medium. Summary: Regex in its jQuery.htmlPrefilter sometimes may introduce XSS; https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ | 16-June-2020, 12-June-2020 | 17.12.04, 18.12.01 | jQuery upgraded from jQuery 3.4.1 to jQuery 3.5.1 |