Saturday, November 2, 2013

Retire.js - Command line Scanner and Chrome plugin

Retire.js identifies JavaScript libraries with known vulnerabilities in your application


Retire.js is a command line scanner that helps you identify dependencies with known vulnerabilities in your application. Using the provided Grunt plugin you can easily include Retire.js in your build process. Retire.js also provides a Chrome extension that lets you detect libraries while browsing your website.

To detect a given version of a given component, Retire.js first uses the filename or URL. If that fails, it downloads/opens the file and looks for specific comments within the file. If that also fails, it can fall back to hashes of known minified files. And if that fails as well, the Chrome plugin will run the code in a sandbox to try to detect the component and version. This last detection mechanism is not available in the command line scanner, as running arbitrary JavaScript files in the node process could have unwanted consequences. If anybody knows of a good way to sandbox the code on node, feel free to register an issue or contribute.

It's important to note that even though your site is using a vulnerable library, that does not necessarily mean your site is vulnerable. It depends on whether and how your site exercises the vulnerable code. That said, it's better to be safe than sorry. 

More Info and Download: https://github.com/bekk/retire.js

2 comments:

Aaron Banks said...

Where is the best place to get security in Calgary? I have been wanting to get some for my house but I didn't know where to go.

Strake Davis said...

Interesting article. I have seen how important security is in Calgary and how much of a difference it makes on a day to day basis.