
--outputformat json flag doesn't seem to work #421

Closed
Harika19 opened this issue Oct 11, 2023 · 12 comments

Comments

@Harika19

I tried executing the command below:
retire --outputpath report1.json --outputformat=json --jspath /Users/plakshmi/Graph-ql/gqlsamplenodeweb

But it is not appending any scan results to the JSON file. When I remove the --outputformat=json option, then it is appending scan results as text.
How can I fix this, or is there any way to get the result in JSON format?

@eoftedal
Contributor

Did you delete the template text for the bug report or were you not presented with it?

@eoftedal
Contributor

I'm asking because now I have to ask the questions from that template, like which version of retire this is, what node.js version this is, etc.

@Harika19
Author

retire.js v4.3.3
node version - v16.20.0

So when I ran retire --outputpath report1.json --jspath /Users/plakshmi/Graph-ql/gqlsamplenodeweb, I was able to see results in report1.json in the form of text.

When I tried running the same command with the --outputformat=json option from scratch, deleting the report1.json that was created by the above command, report1.json looks empty: no results are being added.

@eoftedal
Contributor

eoftedal commented Oct 11, 2023

Seems there is a problem with --jspath not being honoured. Can you try to test with --path instead of --jspath?

@eoftedal
Contributor

$ retire --outputpath out.json --outputformat json
$ cat out.json
{"version":"4.3.3","start":"2023-10-11T09:38:15.187Z","data":[],"messages":[],"errors":[],"time":0.005}

@Harika19
Author

{"version":"4.3.3","start":"2023-10-11T09:45:16.422Z","data":[],"messages":[],"errors":[],"time":80.972}

It didn't add vulnerability results to data or the messages array.

@eoftedal
Contributor

Struggling to reproduce this:

FROM node:alpine
RUN npm install -g retire
WORKDIR /app/data
RUN wget https://code.jquery.com/jquery-1.12.4.js
WORKDIR /tmp
RUN retire --outputformat json --outputpath report1.json --jspath /app/ || echo "Ingore error code to allow build to complete"
RUN cat report1.json

docker build -t demo . --progress=plain

...
#9 [6/7] RUN retire --outputformat json --outputpath report1.json --jspath /app/ || echo "Ingore error code to allow build to complete"
#9 0.372 Ingore error code to allow build to complete
#9 DONE 0.4s

#10 [7/7] RUN cat report1.json
#10 0.124 {"version":"4.3.4","start":"2023-10-11T09:57:00.496Z","data":[{"file":"/app/data/jquery-1.12.4.js","results":[{"version":"1.12.4","component":"jquery","npmname":"jquery","detection":"filename","vulnerabilities":[{"info":["https://github.com/jquery/jquery/issues/2432","http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/","https://nvd.nist.gov/vuln/detail/CVE-2015-9251","http://research.insecurelabs.org/jquery/test/"],"below":"3.0.0-beta1","atOrAbove":"1.12.3","severity":"medium","identifiers":{"issue":"2432","summary":"3rd party CORS request may execute","CVE":["CVE-2015-9251"],"githubID":"GHSA-rmxg-73gg-4p98"}},{"info":["https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/","https://nvd.nist.gov/vuln/detail/CVE-2019-11358","https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b"],"below":"3.4.0","atOrAbove":"1.1.4","severity":"medium","identifiers":{"CVE":["CVE-2019-11358"],"PR":"4333","summary":"jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution","githubID":"GHSA-6c3j-c64m-qhgq"}},{"info":["https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"],"below":"3.5.0","atOrAbove":"1.2.0","severity":"medium","identifiers":{"CVE":["CVE-2020-11022"],"issue":"4642","summary":"Regex in its jQuery.htmlPrefilter sometimes may introduce XSS","githubID":"GHSA-gxr4-xjj5-5px2"}},{"info":["https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"],"below":"3.5.0","atOrAbove":"1.0.3","severity":"medium","identifiers":{"CVE":["CVE-2020-11023","CVE-2020-23064"],"issue":"4647","summary":"passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.","githubID":"GHSA-jpcq-cgw6-v4j6"}},{"info":["https://github.com/jquery/jquery.com/issues/162"],"below":"2.999.999","severity":"low","identifiers":{"retid":"73","summary":"jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates"}}]}]}],"messages":[],"errors":[],"time":0.071}
#10 DONE 0.1s
...
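As an added example (not part of this thread and not retire.js project code), here is a small Python script that consumes a `--outputformat json` report in the shape shown in the Docker output above: it flattens the `data[].results[].vulnerabilities[]` nesting into one finding per vulnerability with file, component, severity and CVE/GHSA identifiers, counts findings by severity, and applies a severity gate a CI job could fail on. It also flags the symptom this issue is about, an empty `data` array after a long scan. The two sample reports are constructed from values posted in this thread; the `time > 1.0` heuristic for "suspiciously empty" is my own assumption, not a retire.js rule.

```python
"""Summarise a retire.js JSON report (structure as posted in this issue)."""
import json
from collections import Counter

# Ordering used for the CI gate below; retire.js reports "low"/"medium"/"high" here.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample, trimmed from the jquery-1.12.4.js report in the thread
# (identifiers and summaries copied from that report, "info" URLs omitted).
SAMPLE_REPORT = json.dumps({
    "version": "4.3.4",
    "start": "2023-10-11T09:57:00.496Z",
    "data": [{
        "file": "/app/data/jquery-1.12.4.js",
        "results": [{
            "version": "1.12.4", "component": "jquery", "npmname": "jquery",
            "detection": "filename",
            "vulnerabilities": [
                {"severity": "medium", "below": "3.0.0-beta1", "atOrAbove": "1.12.3",
                 "identifiers": {"issue": "2432", "CVE": ["CVE-2015-9251"],
                                 "githubID": "GHSA-rmxg-73gg-4p98",
                                 "summary": "3rd party CORS request may execute"}},
                {"severity": "medium", "below": "3.5.0", "atOrAbove": "1.0.3",
                 "identifiers": {"issue": "4647", "CVE": ["CVE-2020-11023", "CVE-2020-23064"],
                                 "githubID": "GHSA-jpcq-cgw6-v4j6",
                                 "summary": "passing HTML containing <option> elements from untrusted "
                                            "sources - even after sanitizing it - to one of jQuery's DOM "
                                            "manipulation methods (i.e. .html(), .append(), and others) "
                                            "may execute untrusted code."}},
                {"severity": "low", "below": "2.999.999",
                 "identifiers": {"retid": "73",
                                 "summary": "jQuery 1.x and 2.x are End-of-Life and no longer "
                                            "receiving security updates"}},
            ],
        }],
    }],
    "messages": [], "errors": [], "time": 0.071,
})

# Constructed sample mirroring the empty report the reporter posted: long scan, no data.
EMPTY_REPORT = ('{"version":"4.3.3","start":"2023-10-11T09:41:38.453Z",'
                '"data":[],"messages":[],"errors":[],"time":125.026}')


def summarize(report_text):
    """Flatten a retire.js JSON report into one record per vulnerability."""
    report = json.loads(report_text)
    findings = []
    for entry in report.get("data", []):
        for result in entry.get("results", []):
            for vuln in result.get("vulnerabilities", []):
                ids = vuln.get("identifiers", {})
                findings.append({
                    "file": entry.get("file"),
                    "component": result.get("component"),
                    "version": result.get("version"),
                    "severity": vuln.get("severity", "unknown").lower(),
                    "cves": list(ids.get("CVE", [])),
                    "ghsa": ids.get("githubID"),
                    "fixed_below": vuln.get("below"),
                })
    by_severity = Counter(f["severity"] for f in findings)
    # Assumed heuristic: an empty data[] after a scan that took more than a second
    # usually means the path was not honoured, not that the tree is clean.
    suspicious_empty = not report.get("data") and report.get("time", 0) > 1.0
    return {
        "findings": findings,
        "by_severity": dict(by_severity),
        "errors": report.get("errors", []),
        "suspicious_empty": suspicious_empty,
    }


def exceeds_threshold(summary, threshold="medium"):
    """True if any finding is at or above the given severity (a simple CI gate)."""
    floor = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(f["severity"], 0) >= floor for f in summary["findings"])


if __name__ == "__main__":
    for name, text in (("populated", SAMPLE_REPORT), ("empty", EMPTY_REPORT)):
        s = summarize(text)
        print(f"{name}: {len(s['findings'])} finding(s) {s['by_severity']} "
              f"suspicious_empty={s['suspicious_empty']} gate(medium)={exceeds_threshold(s)}")
        for f in s["findings"]:
            ids = ",".join(f["cves"]) or f["ghsa"] or "-"
            print(f"  {f['file']}: {f['component']} {f['version']} "
                  f"[{f['severity']}] {ids} (fixed below {f['fixed_below']})")
```

Run it as `python3 summarize.py` against the embedded samples, or replace `SAMPLE_REPORT` with `open("report1.json").read()` to process a real report; treating `suspicious_empty` as a build failure rather than a pass avoids the silent false negative the reporter hit when the scan path was not picked up.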

@eoftedal
Contributor

Can you try adding -v and see if you get any more data? Or try with a simpler sample where you can post the data you get from the txt output and the json output?

@Harika19
Author

Harika19 commented Oct 11, 2023

Below is the output generated without the json flag:

retire.js v4.3.3
Loading from cache: https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/jsrepository.json
/Users/plakshmi/paypal/CDNx/ResourceDeploy/bizcomponents/jquery-1.11.1.min.js
↳ jquery 1.11.1
jquery 1.11.1 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251, githubID: GHSA-rmxg-73gg-4p98; jquery/jquery#2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2019-11358, PR: 4333, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution, githubID: GHSA-6c3j-c64m-qhgq; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 jquery/jquery@753d591 severity: medium; CVE: CVE-2020-11022, issue: 4642, summary: Regex in its jQuery.htmlPrefilter sometimes may introduce XSS, githubID: GHSA-gxr4-xjj5-5px2; https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ severity: medium; CVE: CVE-2020-11023 CVE-2020-23064, issue: 4647, summary: passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code., githubID: GHSA-jpcq-cgw6-v4j6; https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ severity: low; retid: 73, summary: jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates; jquery/jquery.com#162
/Users/plakshmi/paypal/CDNx/ResourceDeploy/campaignsnodeweb/main.js
↳ moment.js 2.29.1
moment.js 2.29.1 has known vulnerabilities: severity: high; summary: This vulnerability impacts npm (server) users of moment.js, especially if user provided locale string, eg fr is directly used to switch moment locale., CVE: CVE-2022-24785, githubID: GHSA-8hfj-j24r-96c4; GHSA-8hfj-j24r-96c4 severity: high; summary: Regular Expression Denial of Service (ReDoS), Affecting moment package, versions >=2.18.0 <2.29.4, CVE: CVE-2022-31129, githubID: GHSA-wc69-rhjr-hc9g; https://security.snyk.io/vuln/SNYK-JS-MOMENT-2944238 GHSA-wc69-rhjr-hc9g
/Users/plakshmi/paypal/CDNx/ResourceDeploy/gifts/bundle.js
↳ moment.js 2.28.0
moment.js 2.28.0 has known vulnerabilities: severity: high; summary: This vulnerability impacts npm (server) users of moment.js, especially if user provided locale string, eg fr is directly used to switch moment locale., CVE: CVE-2022-24785, githubID: GHSA-8hfj-j24r-96c4; GHSA-8hfj-j24r-96c4 severity: high; summary: Regular Expression Denial of Service (ReDoS), Affecting moment package, versions >=2.18.0 <2.29.4, CVE: CVE-2022-31129, githubID: GHSA-wc69-rhjr-hc9g; https://security.snyk.io/vuln/SNYK-JS-MOMENT-2944238 GHSA-wc69-rhjr-hc9g
/Users/plakshmi/paypal/CDNx/ResourceDeploy/gaurav-cli-testing/component---src-pages-docs-template-js-089106e1457060bb9075.js
....

With the json flag:

{"version":"4.3.3","start":"2023-10-11T09:41:38.453Z","data":[],"messages":[],"errors":[],"time":125.026}

@eoftedal
Contributor

If you leave out the --outputpath and just add --outputformat json do you still get empty output?

@Harika19
Author

Awesome, tried with a different folder, it's working now, thanks eoftedal!!

@Harika19
Author

The --outputformat option is working as expected.
