An easy way to identify vulnerable JavaScript libraries
Retire.js is a dependency checker for the known JavaScript libraries we use in our code. When the platform we are developing on is Node.js, this is what you can use for a dependency check.
Basically, what Retire.js does is dependency and vulnerability checking.
Many times we need to reuse a lot of existing code, particularly libraries, when we are developing our applications. What happens if one of those pieces of code is affected by a security bug or vulnerability that is publicly known, and can therefore be used by an attacker against our applications?
So let’s see how we use Retire.js and what sense we can make of its output.
As the name suggests, it is focused on the JavaScript libraries we are using. The official site is Retire.js, and from there we can navigate to its GitHub repository.
All you have to do is clone Retire.js from GitHub.
As mentioned on that page, you can use it as a command-line scanner, a Grunt plugin or a Gulp task. It also comes as an extension for the most common browsers (Chrome / Firefox).
Not only from an attacker’s perspective but also from a QA perspective, you can add it as an extension in your browser and it automatically indicates whether any vulnerable library is loaded. That is a quick and easy way to identify one.
The other way is to have it in your pipeline and run it as a task from the command line. Then you get all the vulnerabilities that are present.
The loveliest and greatest thing about Retire.js is that it provides plugins for the OWASP ZAP scanner as well as the Burp Suite web proxy.
Once you have the plugin enabled, as an attacker you automatically get all the vulnerable libraries and can go ahead from there.
Let’s see what we can do and how we can set it up. It simply installs as an npm module:
npm install -g retire
Install it once and you can access it globally from anywhere.
Once the installation has finished, it looks something like the listing below: you can find the components for Chrome, Firefox …. and also the relevant files.
How do we use it?
Once it’s installed, go to the root folder of your source code and run ‘retire’ from there:
retire
It will quickly run through all the JavaScript libraries that are present and figure out what the issues are and their severity.
Let’s try to make sense of some of these. For every issue it provides the details:
- the CVE numbers
- the path of the affected file and the relevant links
- which library is vulnerable
- the severity
- what the exact issue is
- a summary of the issue
So that’s what it is: the command-line format used in this example gives you plenty of detail, but the output is not well formatted. When you use it in your pipeline you can automate this better, and it is also faster.
And depending on the parameters you want to look for, you can go ahead and set your threshold.
So this is how to install and run Retire.js.
Thanks …...