Git Product home page Git Product logo

retire.js's Introduction

Retire.js

Retire Status

What you require you must also retire

There is a plethora of JavaScript libraries for use on the Web and in Node.JS apps out there. This greatly simplifies development,but we need to stay up-to-date on security fixes. "Using Components with Known Vulnerabilities" is now a part of the OWASP Top 10 list of security risks and insecure libraries can pose a huge risk to your Web app. The goal of Retire.js is to help you detect the use of JS-library versions with known vulnerabilities.

Retire.js can be used in many ways:

  1. As command line scanner
  2. As a grunt plugin
  3. As a gulp task
  4. As a Chrome extension
  5. As a Firefox extension
  6. As a Burp and OWASP Zap plugin

Command line scanner

Scan a web app or node app for use of vulnerable JavaScript libraries and/or Node.JS modules.

Grunt plugin

A Grunt task for running Retire.js as part of your application's build routine, or some other automated workflow.

Gulp task

An example of a Gulp task which can be used in your gulpfile to watch and scan your project files automatically. You can modify the watch patterns and (optional) Retire.js options as you like.

var gulp = require('gulp');
var spawn = require('child_process').spawn;
var gutil = require('gulp-util');

gulp.task('retire:watch', ['retire'], function (done) {
    // Watch all javascript files and package.json
    gulp.watch(['js/**/*.js', 'package.json'], ['retire']);
});

gulp.task('retire', function() {
    // Spawn Retire.js as a child process
    // You can optionally add option parameters to the second argument (array)
    var child = spawn('retire', [], {cwd: process.cwd()});
    
    child.stdout.setEncoding('utf8');
    child.stdout.on('data', function (data) {
        gutil.log(data);
    });

    child.stderr.setEncoding('utf8');
    child.stderr.on('data', function (data) {
        gutil.log(gutil.colors.red(data));
        gutil.beep();
    });
});

Chrome and firefox extensions

Scans visited sites for references to insecure libraries, and puts warnings in the developer console. An icon on the address bar displays will also indicate if vulnerable libraries were loaded.

Burp and OWASP ZAP plugin

@h3xstream has adapted Retire.js as a plugin for the penetration testing tools Burp and OWASP ZAP. An alternative OWASP ZAP plugin exists at https://github.com/nikmmy/retire/

Donate

Flattr this

Donations will be used to fund the maintainance of the tool and vulnerability repo.

retire.js's People

Contributors

eoftedal avatar thomasandersen avatar samuelbjohnson avatar bkimminich avatar kozmic avatar caa-garmbruster avatar colezlaw avatar arthepsy avatar anantshri avatar elointz avatar heikkipora avatar lukasreschke avatar reedloden avatar trevorah avatar bwillis avatar christianmosveen avatar dtomalty avatar amotmot avatar yadazula avatar hvdb avatar jt2k avatar jasvir avatar jellekralt avatar joechapman avatar guss77 avatar sarkie avatar tomgco avatar tdm00 avatar blunden avatar glaslos avatar

Watchers

James Cloos avatar Magno Logan avatar avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.