RetireJS / retire.js

scanner detecting the use of JavaScript libraries with known vulnerabilities. Can also generate an SBOM of the libraries it finds.
https://retirejs.github.io/retire.js/

False positives on jquery-ui 1.13.2 and ckeditor.js 4.20.2 #399

Closed freedmandil closed 1 year ago

freedmandil commented 1 year ago

Retire.js version (`retire --version`): 3.2.3 (using Chrome extension)

Node version (`node --version`): v18.15.0

Type: Bug

Description: Installed the Chrome extension and followed the instructions. I have the latest version of jquery-ui (1.13.2) and ckeditor (4.20.2) and it's displaying a false positive; when referencing the errors, the CVEs are all outdated and old and it doesn't register the new version, rather it says the version is 1.11.4 for jquery and 4.5.8 for ckeditor.

Expected behaviour: No vulnerabilities for the latest installed software; correct versions in the listing.

freedmandil commented 1 year ago

ckeditor.js was upgraded to 4.20.2 and it's producing a false positive for 4.5.8.

eoftedal commented 1 year ago

Are the two libraries merged into one file using a minifier, or are they separate on disk? Did you upgrade them using npm or similar, or download the libraries from the websites?

freedmandil commented 1 year ago

Now it's working. The two libraries are separate on disk, and I upgraded them via a CDN and hosted them on my own server.
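The diagnostic question in this thread (merged/minified files versus separate files on disk) comes down to how the scanner decides which version it is looking at: it fingerprints the file contents, so a concatenated bundle or a leftover old copy can carry a stale version banner and be reported as the old version. The following is an added example, written for this page and not retire.js's own code, of that style of content fingerprinting. It is modelled on the `filecontent` extractor idea and the `§§version§§` placeholder used in retire.js's repository format, but the regexes, the vulnerability table (`below` ranges) and the sample file texts are all constructed for illustration and do not reproduce retire.js's actual data. It deliberately reports every fingerprint match in a file rather than the first, so a bundle that contains both an old and a new banner shows both.

```javascript
// Added example (not retire.js's own code): minimal content-based version
// fingerprinting in the style of a retire.js "filecontent" extractor.
// All patterns, vulnerability ranges and sample inputs below are constructed
// for illustration and are NOT retire.js's real repository data.

// Placeholder expanded into a capture group for a dotted version number.
const VERSION_PLACEHOLDER = "§§version§§";
const VERSION_RE = "(\\d+\\.\\d+(?:\\.\\d+)?)";

// Constructed fingerprints: banner text assumed to sit near the top of each
// library's distributed file. Assumed patterns, not retire.js's actual ones.
const REPO = {
  "jquery-ui": {
    filecontent: ["/\\*!? jQuery UI - v§§version§§"],
    // Constructed range: anything below 1.13.2 is treated as affected.
    vulnerabilities: [{ below: "1.13.2", info: "constructed entry" }],
  },
  ckeditor: {
    filecontent: ['CKEDITOR\\.version="§§version§§"'],
    // Constructed range: anything below 4.20.0 is treated as affected.
    vulnerabilities: [{ below: "4.20.0", info: "constructed entry" }],
  },
};

// Numeric dotted-version comparison: -1, 0 or 1. Missing components are 0,
// so "1.13" compares equal to "1.13.0".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// A version is inside a vulnerability range when it is below `below` and
// (if present) at or above `atOrAbove`.
function isVulnerable(version, vuln) {
  if (vuln.below && compareVersions(version, vuln.below) >= 0) return false;
  if (vuln.atOrAbove && compareVersions(version, vuln.atOrAbove) < 0) return false;
  return true;
}

// Scan one file's text and return every (component, version) fingerprint hit.
// Every match is kept, not just the first: a concatenated or minified bundle,
// or a file that still carries an old banner, yields more than one version,
// and that is exactly what explains an "outdated version" report.
function scan(text) {
  const findings = [];
  for (const [component, entry] of Object.entries(REPO)) {
    for (const pattern of entry.filecontent) {
      const re = new RegExp(pattern.replace(VERSION_PLACEHOLDER, VERSION_RE), "g");
      for (const m of text.matchAll(re)) {
        const version = m[1];
        const hits = entry.vulnerabilities.filter((v) => isVulnerable(version, v));
        findings.push({ component, version, vulnerable: hits.length > 0 });
      }
    }
  }
  return findings;
}

// Constructed sample files (not real library contents).
const SAMPLES = {
  // A clean, freshly downloaded copy.
  freshJqueryUi: "/*! jQuery UI - v1.13.2 - constructed sample */\n(function(){})();",
  // A bundle where an old copy was concatenated ahead of the new one.
  staleBundle:
    "/*! jQuery UI - v1.11.4 - constructed sample */\n(function(){})();\n" +
    "/*! jQuery UI - v1.13.2 - constructed sample */\n(function(){})();",
  // A CKEditor-style file that exposes its version as a property.
  ckeditor: 'var CKEDITOR={};CKEDITOR.version="4.20.2";',
};

for (const [label, text] of Object.entries(SAMPLES)) {
  console.log(label, JSON.stringify(scan(text)));
}
```

Running it shows the point behind the maintainer's question: the fresh file yields a single non-vulnerable finding, while the bundle yields two findings for jquery-ui, one of them the old 1.11.4 copy flagged as vulnerable, even though 1.13.2 is also present. When a scanner reports a version you believe you have replaced, grep the served file for its version banner before assuming the detection is wrong.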