teamdeeson / warden

Warden Server
https://www.deeson.co.uk
GNU General Public License v3.0
51 stars 18 forks

Provide Javascript library version details #68

Closed mikeddeeson closed 7 years ago

mikeddeeson commented 7 years ago

As well as being able to provide details of what Drupal core and module versions are being used by a site, it could be helpful to know what JavaScript framework versions (e.g. jQuery, Backbone, Chosen, etc.) are being used.

This would need some work doing with the Drupal module as well to be able to provide these details.

mikeddeeson commented 7 years ago

For the first implementation of this, I think that this should just report on the JavaScript library versions.

Finding out if each JavaScript library has security updates, or is even out of date, could be interesting, as I don't know of any central system that stores this, or even if JavaScript frameworks report on security issues.

johnennewdeeson commented 7 years ago

These are things (don't know if they are useful things!)

https://github.com/npm/npm-registry-client

http://registry.npmjs.org/-/package/jquery/dist-tags
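One way the dist-tags endpoint mentioned above could feed an "out of date" check on the server side. This is an added example, not code from the Warden project or its Drupal module: the registry responses are constructed stand-ins for what `/-/package/<name>/dist-tags` returns, and the `name -> version` map of libraries a site reports is an assumed shape, not the module's actual data format. The version comparison is a simplified semver ordering (pre-release identifiers are compared as plain strings rather than dot-separated parts).

```javascript
// Added example (not Warden's own code): compare the JavaScript library
// versions a site reports with the npm registry's dist-tags and flag stale ones.

// Constructed stand-in for dist-tags responses (not live registry data).
const DIST_TAGS = {
  jquery: { latest: "3.2.1", beta: "3.3.0-beta1" },
  backbone: { latest: "1.3.3" },
  chosen: { latest: "1.8.2" },
};

// Parse "major.minor[.patch][-prerelease]" into comparable parts.
// Returns null for anything that is not a recognisable version (e.g. "unknown").
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) return null;
  return {
    nums: [Number(m[1]), Number(m[2]), Number(m[3] || 0)],
    pre: m[4] || null,
  };
}

// Semver-style ordering: numeric fields first; a pre-release sorts before the
// matching release (1.0.0-rc1 < 1.0.0). Pre-release strings are compared
// lexically here, which is a simplification. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${!pa ? a : b}`);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Given the libraries a site reports (assumed shape: name -> version string)
// and the dist-tags lookup, return one record per library with a status of
// "current", "outdated" or "unknown", plus how many major versions behind the
// site is, which is usually the first thing to triage.
function assessLibraries(reported, distTags) {
  return Object.entries(reported).map(([name, version]) => {
    const tags = distTags[name.toLowerCase()];
    if (!tags || !tags.latest) return { name, version, status: "unknown" };
    const parsed = parseVersion(version);
    if (!parsed) return { name, version, latest: tags.latest, status: "unknown" };
    const cmp = compareVersions(version, tags.latest);
    const majorsBehind = parseVersion(tags.latest).nums[0] - parsed.nums[0];
    return {
      name,
      version,
      latest: tags.latest,
      status: cmp < 0 ? "outdated" : "current",
      majorsBehind: Math.max(0, majorsBehind),
    };
  });
}

// Constructed sample of what one site might report.
const SITE_LIBRARIES = {
  jquery: "1.12.4",
  Backbone: "1.3.3",
  chosen: "1.8.2-beta",
  modernizr: "2.8.3",
};

for (const record of assessLibraries(SITE_LIBRARIES, DIST_TAGS)) {
  console.log(record);
}
```

The "unknown" status is deliberate: a library that is not on npm under that name (or reports a version string the parser cannot read) should surface as a gap in coverage rather than silently passing as current.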

johnennewdeeson commented 7 years ago

Also this - https://www.exploit-db.com/

johnennewdeeson commented 7 years ago

And this: https://github.com/offensive-security/exploit-database

johnennewdeeson commented 7 years ago

That exploit database tool lets you do this:

$> ./searchsploit -j jquery
{
  "SEARCH": "jquery",
  "RESULTS": [
    {"Exploit":"jQuery - jui_filter_rules PHP Code Execution","Path":"./platforms/php/remote/36124.txt","EDB-ID":36124},
    {"Exploit":"jQuery Uploadify 2.1.0 - Arbitrary File Upload","Path":"./platforms/multiple/webapps/11218.txt","EDB-ID":11218},
    {"Exploit":"WordPress Plugin jQuery Mega Menu 1.0 - Local File Inclusion","Path":"./platforms/php/webapps/16250.txt","EDB-ID":16250},
    {"Exploit":"JQuery-Real-Person plugin - Bypass captcha","Path":"./platforms/php/webapps/18167.zip","EDB-ID":18167},
    {"Exploit":"WordPress Plugin 1-jquery-photo-gallery-Slideshow-flash 1.01 - Cross-Site Scripting","Path":"./platforms/php/webapps/36382.txt","EDB-ID":36382},
    {"Exploit":"WordPress Plugin NextGEN Gallery - 'jqueryFileTree.php' Directory Traversal","Path":"./platforms/php/webapps/39100.txt","EDB-ID":39100},
    {"Exploit":"BK Mobile jQuery CMS 2.4 - Multiple Vulnerabilities","Path":"./platforms/php/webapps/39339.txt","EDB-ID":39339}
  ]
}
johnennewdeeson commented 7 years ago

Also, worth a read:

http://blog.bithound.io/checking-your-npm-dependencies-for-security-vulnerabilities/

https://www.sourceclear.com/

mikeddeeson commented 7 years ago

The initial release of the Drupal module patch (https://www.drupal.org/node/2826110#comment-11963722) provides the JavaScript data for Drupal 8 sites.

This is being used by the Warden server to list these versions.