OWASP / glue

Application Security Automation

retire.js finds results but then errors, result file empty #160

Open dougmcdorman opened 5 years ago

dougmcdorman commented 5 years ago

Ran just the retirejs scan on a project. The screen showed retire.js finding some issues but then hitting an error. Unfortunately the glue output JSON was just `[]`, so if you were just processing the output it would probably not indicate there were any errors.

Log shows:

```
RetireJS scanning: /mnt/project
Missing version for popper.js. Need to run npm install ?
Retire JSON Raw Results: [{ A BUNCH OF RESULTS HERE }]
Problem running RetireJS
```

<NoMethodError: undefined method `each_with_object' for nil:NilClass>

And like I mentioned earlier the output .json file contains just []

dougmcdorman commented 5 years ago

Rest of the stack trace:

```
<NoMethodError: undefined method `each_with_object' for nil:NilClass>
/home/glue/glue/lib/glue/tasks/retirejs.rb:191:in `vulnerability_hashes'
/home/glue/glue/lib/glue/tasks/retirejs.rb:119:in `block in parse_vulnerabilities'
/home/glue/glue/lib/glue/tasks/retirejs.rb:109:in `each'
/home/glue/glue/lib/glue/tasks/retirejs.rb:109:in `parse_vulnerabilities'
/home/glue/glue/lib/glue/tasks/retirejs.rb:98:in `js_vulnerabilities'
/home/glue/glue/lib/glue/tasks/retirejs.rb:94:in `parse_retire_results'
/home/glue/glue/lib/glue/tasks/retirejs.rb:40:in `block in analyze'
/home/glue/glue/lib/glue/tasks/retirejs.rb:38:in `each'
/home/glue/glue/lib/glue/tasks/retirejs.rb:38:in `analyze'
/home/glue/glue/lib/glue/tasks.rb:81:in `block in run_tasks'
/home/glue/glue/lib/glue/tasks.rb:58:in `each'
/home/glue/glue/lib/glue/tasks.rb:58:in `run_tasks'
/home/glue/glue/lib/glue/scanner.rb:21:in `block in process'
/home/glue/glue/lib/glue/scanner.rb:17:in `each'
/home/glue/glue/lib/glue/scanner.rb:17:in `process'
/home/glue/glue/lib/glue.rb:270:in `scan'
/home/glue/glue/lib/glue.rb:47:in `run'
/home/glue/glue/bin/glue:58:in `<top (required)>'
/home/glue/.rvm/rubies/ruby-2.3.1/bin/glue:23:in `load'
/home/glue/.rvm/rubies/ruby-2.3.1/bin/glue:23:in `<main>'
/home/glue/.rvm/rubies/ruby-2.3.1/bin/ruby_executable_hooks:15:in `eval'
/home/glue/.rvm/rubies/ruby-2.3.1/bin/ruby_executable_hooks:15:in `<main>'
```

dougmcdorman commented 5 years ago

--version reports Glue 0.9.4

I am using docker for windows on windows 10 to run the Glue container if that matters.

omerlh commented 5 years ago

Can you share the output of retire.JS? Looks like it has some issues with your output...

dougmcdorman commented 5 years ago

Log says this:

```
Retire JSON Raw Results: [
{"file"=>"/mnt/project/node_modules/webpack-dev-server/client/live.bundle.js", "results"=>[{"version"=>"3.3.1", "component"=>"jquery", "detection"=>"filecontent", "vulnerabilities"=>[{"info"=>["https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/", "https://nvd.nist.gov/vuln/detail/CVE-2019-11358", "https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b"], "severity"=>"low", "identifiers"=>{"CVE"=>["CVE-2019-11358"], "summary"=>"jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution"}}]}]},
{"file"=>"/mnt/project/node_modules/selenium-webdriver/lib/test/data/jquery-1.3.2.js", "results"=>[{"version"=>"1.3.2", "component"=>"jquery", "detection"=>"filename", "vulnerabilities"=>[{"info"=>["https://nvd.nist.gov/vuln/detail/CVE-2011-4969", "http://research.insecurelabs.org/jquery/test/", "https://bugs.jquery.com/ticket/9521"], "severity"=>"medium", "identifiers"=>{"CVE"=>["CVE-2011-4969"], "summary"=>"XSS with location.hash"}}, {"info"=>["http://bugs.jquery.com/ticket/11290", "https://nvd.nist.gov/vuln/detail/CVE-2012-6708", "http://research.insecurelabs.org/jquery/test/"], "severity"=>"medium", "identifiers"=>{"CVE"=>["CVE-2012-6708"], "bug"=>"11290", "summary"=>"Selector interpreted as HTML"}}, {"info"=>["https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/", "https://nvd.nist.gov/vuln/detail/CVE-2019-11358", "https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b"], "severity"=>"low", "identifiers"=>{"CVE"=>["CVE-2019-11358"], "summary"=>"jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution"}}]}]},
{"file"=>"/mnt/project/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js", "results"=>[{"version"=>"1.4.4.min", "component"=>"jquery", "detection"=>"filename", "vulnerabilities"=>[{"info"=>["https://nvd.nist.gov/vuln/detail/CVE-2011-4969", "http://research.insecurelabs.org/jquery/test/", "https://bugs.jquery.com/ticket/9521"], "severity"=>"medium", "identifiers"=>{"CVE"=>["CVE-2011-4969"], "summary"=>"XSS with location.hash"}}, {"info"=>["http://bugs.jquery.com/ticket/11290", "https://nvd.nist.gov/vuln/detail/CVE-2012-6708", "http://research.insecurelabs.org/jquery/test/"], "severity"=>"medium", "identifiers"=>{"CVE"=>["CVE-2012-6708"], "bug"=>"11290", "summary"=>"Selector interpreted as HTML"}}, {"info"=>["https://github.com/jquery/jquery/issues/2432", "http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/", "https://nvd.nist.gov/vuln/detail/CVE-2015-9251", "http://research.insecurelabs.org/jquery/test/"], "severity"=>"medium", "identifiers"=>{"issue"=>"2432", "summary"=>"3rd party CORS request may execute", "CVE"=>["CVE-2015-9251"]}}, {"info"=>["https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/", "https://nvd.nist.gov/vuln/detail/CVE-2019-11358", "https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b"], "severity"=>"low", "identifiers"=>{"CVE"=>["CVE-2019-11358"], "summary"=>"jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution"}}]}]},
{"file"=>"/mnt/project/node_modules/selenium-webdriver/lib/test/data/js/jquery-ui-1.8.10.custom.min.js", "results"=>[{"version"=>"1.8.10", "component"=>"jquery-ui-dialog", "detection"=>"filecontent", "vulnerabilities"=>[{"info"=>["http://bugs.jqueryui.com/ticket/6016", "https://nvd.nist.gov/vuln/detail/CVE-2010-5312"], "severity"=>"medium", "identifiers"=>{"CVE"=>["CVE-2010-5312"], "bug"=>"6016", "summary"=>"Title cross-site scripting vulnerability"}}, {"info"=>["https://github.com/jquery/api.jqueryui.com/issues/281", "https://nvd.nist.gov/vuln/detail/CVE-2016-7103", "https://snyk.io/vuln/npm:jquery-ui:20160721"], "severity"=>"high", "identifiers"=>{"CVE"=>["CVE-2016-7103"], "bug"=>"281", "summary"=>"XSS Vulnerability on closeText option"}}]}, {"version"=>"1.8.10", "component"=>"jquery-ui-autocomplete", "detection"=>"filecontent"}]},
{"file"=>"/mnt/project/node_modules/selenium-webdriver/lib/test/data/js/tinymce.min.js", "results"=>[{"version"=>"4.0.26", "component"=>"tinyMCE", "detection"=>"filecontentreplace", "vulnerabilities"=>[{"info"=>["https://www.tinymce.com/docs/changelog/"], "severity"=>"medium", "identifiers"=>{"summary"=>"xss issues with media plugin not properly filtering out some script attributes."}}, {"info"=>["https://www.tinymce.com/docs/changelog/"], "severity"=>"medium", "identifiers"=>{"summary"=>"FIXED so script elements gets removed by default to prevent possible XSS issues in default config implementations"}}, {"info"=>["https://www.tinymce.com/docs/changelog/"], "severity"=>"medium", "identifiers"=>{"summary"=>"FIXED so links with xlink:href attributes are filtered correctly to prevent XSS."}}]}]}]
```
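One detail worth noting in the posted output: the `jquery-ui-autocomplete` result entry has no `vulnerabilities` key at all, which is exactly the shape that makes `result['vulnerabilities']` nil and matches the `each_with_object` error in the trace. The Ruby below is an added example, not Glue's own `retirejs.rb` code: a hypothetical parser with that assumption next to a tolerant one, plus a walker that records parse failures in the report instead of letting the task die and emit an empty `[]`. The sample input is constructed to mirror the posted structure.

```ruby
# Constructed sample shaped like the Retire.js output posted in this issue:
# the second result entry carries no "vulnerabilities" key at all.
RETIRE_SAMPLE = [
  { 'file' => '/mnt/project/node_modules/example/jquery-ui.custom.min.js',
    'results' => [
      { 'version' => '1.8.10', 'component' => 'jquery-ui-dialog',
        'vulnerabilities' => [
          { 'severity' => 'medium',
            'identifiers' => { 'CVE' => ['CVE-2010-5312'],
                               'summary' => 'Title cross-site scripting vulnerability' } }
        ] },
      { 'version' => '1.8.10', 'component' => 'jquery-ui-autocomplete' }
    ] }
].freeze

# Flatten one Retire.js vulnerability into a finding hash.
def to_finding(result, vuln)
  { 'component' => result['component'], 'version' => result['version'],
    'severity' => vuln['severity'],
    'summary' => vuln.dig('identifiers', 'summary') }
end

# Hypothetical parser that assumes every result has a vulnerabilities array.
# On the autocomplete entry above result['vulnerabilities'] is nil, so this
# raises NoMethodError: undefined method `each_with_object' for nil:NilClass.
def fragile_vulnerability_hashes(result)
  result['vulnerabilities'].each_with_object([]) { |v, acc| acc << to_finding(result, v) }
end

# Tolerant version: Array(nil) is [], so a result with no vulnerabilities
# contributes nothing instead of aborting the whole task.
def robust_vulnerability_hashes(result)
  Array(result['vulnerabilities']).each_with_object([]) { |v, acc| acc << to_finding(result, v) }
end

# Walk the Retire.js structure one result at a time. A parse failure is kept
# beside the findings, so a CI consumer sees "errors" rather than a silent [].
def parse_retire_results(raw, parser: method(:robust_vulnerability_hashes))
  report = { 'findings' => [], 'errors' => [] }
  raw.each do |entry|
    entry.fetch('results', []).each do |result|
      begin
        parser.call(result).each { |f| report['findings'] << f.merge('file' => entry['file']) }
      rescue NoMethodError => e
        report['errors'] << "#{entry['file']} (#{result['component']}): #{e.message}"
      end
    end
  end
  report
end
```

Run against the sample, the fragile parser yields one finding and one recorded error, while the tolerant parser yields the same finding with no error; either way the consumer can tell a clean scan from a broken one.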

omerlh commented 5 years ago

Sorry for the late response :) I just tried to reproduce it locally (fed the JSON into the retire task) and it worked. Which glue version are you using?

dougmcdorman commented 5 years ago

owasp/glue --version Glue 0.9.4

omerlh commented 5 years ago

Can you try the same using the raw-latest tag? It contains a more up-to-date version. There were some bug fixes for this task.

stale[bot] commented 5 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.