Closed Harika19 closed 9 months ago
Did you delete the template text for the bug report or were you not presented with it?
I'm asking because now I have to ask the questions from that template, like which version of retire is this, what node.js version is this etc.
retire.js v4.3.3, node version v16.20.0
So when I ran retire --outputpath report1.json --jspath /Users/plakshmi/Graph-ql/gqlsamplenodeweb, I was able to see results in report1.json in the form of text.
When I tried running the same command with the --outputformat=json option from scratch, deleting the report1.json created by the above command, report1.json looks empty -> no results are being added.
Seems there is a problem with --jspath not being honoured. Can you try to test with --path instead of --jspath?
$ retire --outputpath out.json --outputformat json
$ cat out.json
{"version":"4.3.3","start":"2023-10-11T09:38:15.187Z","data":[],"messages":[],"errors":[],"time":0.005}
{"version":"4.3.3","start":"2023-10-11T09:45:16.422Z","data":[],"messages":[],"errors":[],"time":80.972}
It didn't add vulnerability results to data or the messages array.
Struggling to reproduce this:
FROM node:alpine
RUN npm install -g retire
WORKDIR /app/data
RUN wget https://code.jquery.com/jquery-1.12.4.js
WORKDIR /tmp
RUN retire --outputformat json --outputpath report1.json --jspath /app/ || echo "Ingore error code to allow build to complete"
RUN cat report1.json
docker build -t demo . --progress=plain
...
#9 [6/7] RUN retire --outputformat json --outputpath report1.json --jspath /app/ || echo "Ingore error code to allow build to complete"
#9 0.372 Ingore error code to allow build to complete
#9 DONE 0.4s
#10 [7/7] RUN cat report1.json
#10 0.124 {"version":"4.3.4","start":"2023-10-11T09:57:00.496Z","data":[{"file":"/app/data/jquery-1.12.4.js","results":[{"version":"1.12.4","component":"jquery","npmname":"jquery","detection":"filename","vulnerabilities":[{"info":["https://github.com/jquery/jquery/issues/2432","http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/","https://nvd.nist.gov/vuln/detail/CVE-2015-9251","http://research.insecurelabs.org/jquery/test/"],"below":"3.0.0-beta1","atOrAbove":"1.12.3","severity":"medium","identifiers":{"issue":"2432","summary":"3rd party CORS request may execute","CVE":["CVE-2015-9251"],"githubID":"GHSA-rmxg-73gg-4p98"}},{"info":["https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/","https://nvd.nist.gov/vuln/detail/CVE-2019-11358","https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b"],"below":"3.4.0","atOrAbove":"1.1.4","severity":"medium","identifiers":{"CVE":["CVE-2019-11358"],"PR":"4333","summary":"jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution","githubID":"GHSA-6c3j-c64m-qhgq"}},{"info":["https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"],"below":"3.5.0","atOrAbove":"1.2.0","severity":"medium","identifiers":{"CVE":["CVE-2020-11022"],"issue":"4642","summary":"Regex in its jQuery.htmlPrefilter sometimes may introduce XSS","githubID":"GHSA-gxr4-xjj5-5px2"}},{"info":["https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"],"below":"3.5.0","atOrAbove":"1.0.3","severity":"medium","identifiers":{"CVE":["CVE-2020-11023","CVE-2020-23064"],"issue":"4647","summary":"passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.","githubID":"GHSA-jpcq-cgw6-v4j6"}},{"info":["https://github.com/jquery/jquery.com/issues/162"],"below":"2.999.999","severity":"low","identifiers":{"retid":"73","summary":"jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates"}}]}]}],"messages":[],"errors":[],"time":0.071}
#10 DONE 0.1s
...
Can you try adding -v and see if you get any more data? Or try with a simpler sample where you can post the data you get from the txt output and the json output?
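The JSON report above (one object per run, with findings under data[].results[].vulnerabilities[]) is what a CI job would consume, and as the out.json listing earlier shows, --outputpath appends a new object on each run. The following is an added example, not code from retire.js or from this issue; the sample report is constructed and abbreviated:

```javascript
// Added example (not retire.js code): read a report written by
// "retire --outputformat json --outputpath FILE", which holds one JSON object per run.
// Constructed sample: two appended runs, mirroring the shape seen in the issue
// (an empty run, then a run with jquery findings; summaries abbreviated).
const SAMPLE_REPORT =
  '{"version":"4.3.3","start":"2023-10-11T09:38:15.187Z","data":[],"messages":[],"errors":[],"time":0.005}\n' +
  JSON.stringify({
    version: "4.3.4", start: "2023-10-11T09:57:00.496Z", messages: [], errors: [], time: 0.071,
    data: [{ file: "/app/data/jquery-1.12.4.js", results: [{
      version: "1.12.4", component: "jquery", detection: "filename",
      vulnerabilities: [
        { severity: "medium", identifiers: { CVE: ["CVE-2015-9251"], summary: "3rd party CORS request may execute" } },
        { severity: "medium", identifiers: { CVE: ["CVE-2020-11023", "CVE-2020-23064"], summary: "untrusted <option> HTML" } },
        { severity: "low", identifiers: { retid: "73", summary: "jQuery 1.x and 2.x are End-of-Life" } },
      ] }] }],
  }) + "\n";
const SEVERITY_RANK = { none: 0, low: 1, medium: 2, high: 3, critical: 4 };
// One JSON document per non-blank line; a malformed line throws rather than
// being silently skipped, so a truncated report cannot look like a clean one.
function parseReportFile(text) {
  return text.split("\n").filter((l) => l.trim() !== "").map((l) => JSON.parse(l));
}
// Flatten one run into a row per vulnerability (file, component, severity, CVEs).
function findings(run) {
  const rows = [];
  for (const entry of run.data || []) {
    for (const r of entry.results || []) {
      for (const v of r.vulnerabilities || []) {
        rows.push({
          file: entry.file, component: r.component, version: r.version,
          severity: String(v.severity || "none").toLowerCase(),
          cves: (v.identifiers && v.identifiers.CVE) || [],
        });
      }
    }
  }
  return rows;
}
// CI gate: evaluate only the latest appended run and fail at or above threshold.
// An empty "data" array (the symptom in this issue) yields zero findings and so
// passes; check "findings" and "errors" before trusting a green result.
function evaluate(text, threshold = "medium") {
  const runs = parseReportFile(text);
  const latest = runs[runs.length - 1] || { data: [], errors: [] };
  const rows = findings(latest);
  const fail = rows.some((f) => (SEVERITY_RANK[f.severity] || 0) >= SEVERITY_RANK[threshold]);
  return { runs: runs.length, findings: rows.length, errors: (latest.errors || []).length, fail };
}
```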
Below is the output generated without the json flag:
retire.js v4.3.3
Loading from cache: https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/jsrepository.json
/Users/plakshmi/paypal/CDNx/ResourceDeploy/bizcomponents/jquery-1.11.1.min.js
 ↳ jquery 1.11.1
jquery 1.11.1 has known vulnerabilities:
severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251, githubID: GHSA-rmxg-73gg-4p98; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
severity: medium; CVE: CVE-2019-11358, PR: 4333, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution, githubID: GHSA-6c3j-c64m-qhgq; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
severity: medium; CVE: CVE-2020-11022, issue: 4642, summary: Regex in its jQuery.htmlPrefilter sometimes may introduce XSS, githubID: GHSA-gxr4-xjj5-5px2; https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
severity: medium; CVE: CVE-2020-11023 CVE-2020-23064, issue: 4647, summary: passing HTML containing
With the json flag:
{"version":"4.3.3","start":"2023-10-11T09:41:38.453Z","data":[],"messages":[],"errors":[],"time":125.026}
If you leave out the --outputpath and just add --outputformat json, do you still get empty output?
Awesome, tried with a different folder and it's working now, thanks eoftedal!!
The --outputformat option is working as expected.
I tried executing the below command:
retire --outputpath report1.json --outputformat=json --jspath /Users/plakshmi/Graph-ql/gqlsamplenodeweb
But it is not appending any scan results to the json file. When I remove the --outputformat=json option, then it appends the scan results as text. How can I fix this / is there any way to get the result in json format?