Description
Is your feature request related to a problem? Please describe.
When running Scanner, I can obtain issues but no further detail. I end up having to run retire.js itself to get supplemental information such as CVE and other details specific to the nature of the issue. This is helpful when determining risk prioritization beyond high/medium/low thresholds.
Describe the solution you'd like
It would be nice to have some sort of "verbose engine output" option so we can capture the output from the engine itself and parse it as needed. At a minimum, CVE/URLs for the issue, but the at/below version requirements, etc. would also be useful.
Describe alternatives you've considered
I've considered just recursively unzipping everything, then running retire-js manually. However, I like the sfdx tool and ecosystem for standardized I/O much better.
Additional context
Example output for a vulnerable file from retire (the enclosing object's opening brace was missing from the paste and is restored here):

```json
{
  "file": "/test2/source/jquery-1.12.4.min.js",
  "results": [
    {
      "version": "1.12.4",
      "component": "jquery",
      "detection": "filename",
      "vulnerabilities": [
        {
          "info": [
            "https://github.com/jquery/jquery/issues/2432",
            "http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/",
            "https://nvd.nist.gov/vuln/detail/CVE-2015-9251",
            "http://research.insecurelabs.org/jquery/test/"
          ],
          "below": "3.0.0-beta1",
          "atOrAbove": "1.12.3",
          "severity": "medium",
          "identifiers": {
            "issue": "2432",
            "summary": "3rd party CORS request may execute",
            "CVE": [
              "CVE-2015-9251"
            ]
          }
        },
        {
          "info": [
            "https://bugs.jquery.com/ticket/11974",
            "https://nvd.nist.gov/vuln/detail/CVE-2015-9251",
            "http://research.insecurelabs.org/jquery/test/"
          ],
          "below": "2.2.0",
          "atOrAbove": "1.12.2",
          "severity": "medium",
          "identifiers": {
            "CVE": [
              "CVE-2015-9251"
            ],
            "issue": "11974",
            "summary": "parseHTML() executes scripts in event handlers"
          }
        },
        {
          "info": [
            "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
            "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
            "https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b"
          ],
          "below": "3.4.0",
          "severity": "medium",
          "identifiers": {
            "CVE": [
              "CVE-2019-11358"
            ],
            "summary": "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution"
          }
        },
        {
          "info": [
            "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"
          ],
          "below": "3.5.0",
          "severity": "medium",
          "identifiers": {
            "CVE": [
              "CVE-2020-11022"
            ],
            "summary": "Regex in its jQuery.htmlPrefilter sometimes may introduce XSS"
          }
        },
        {
          "info": [
            "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"
          ],
          "below": "3.5.0",
          "severity": "medium",
          "identifiers": {
            "CVE": [
              "CVE-2020-11023"
            ],
            "summary": "Regex in its jQuery.htmlPrefilter sometimes may introduce XSS"
          }
        }
      ]
    }
  ]
}
```
"Workaround": Can you do something similar with existing capabilities?
(see above about manual retire-js run)
"Urgency": How badly do you need this feature? "Nice to have" vs "Highly beneficial" vs "Can't live without it".
I can work around it, but would love to have it on the roadmap somewhere.
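As an added example (not code from the issue author or the sfdx-scanner project), a small Node.js script that does by hand what the request asks for: it flattens retire.js JSON of the shape pasted above into per-vulnerability rows carrying CVEs, URLs and version bounds, lists the distinct CVEs, and computes the smallest jQuery version that clears every finding. The top-level array of file entries is an assumption about retire.js's output wrapper, and the sample below is a constructed, trimmed copy of the issue's jquery-1.12.4 output.

```javascript
// Constructed sample, trimmed from the jquery-1.12.4 output pasted in the issue.
// Wrapping the file entry in an array is an assumption about retire.js's top-level shape.
const SAMPLE = [{
  file: "/test2/source/jquery-1.12.4.min.js",
  results: [{ version: "1.12.4", component: "jquery", detection: "filename", vulnerabilities: [
    { below: "3.0.0-beta1", atOrAbove: "1.12.3", severity: "medium",
      info: ["https://github.com/jquery/jquery/issues/2432"],
      identifiers: { issue: "2432", summary: "3rd party CORS request may execute", CVE: ["CVE-2015-9251"] } },
    { below: "2.2.0", atOrAbove: "1.12.2", severity: "medium", info: [],
      identifiers: { CVE: ["CVE-2015-9251"], issue: "11974", summary: "parseHTML() executes scripts" } },
    { below: "3.4.0", severity: "medium", info: [],
      identifiers: { CVE: ["CVE-2019-11358"], summary: "jQuery.extend prototype pollution" } },
    { below: "3.5.0", severity: "medium", info: [],
      identifiers: { CVE: ["CVE-2020-11022", "CVE-2020-11023"], summary: "htmlPrefilter XSS" } },
  ] }],
}];

// Dotted numeric compare; a prerelease such as "3.0.0-beta1" sorts before "3.0.0".
function compareVersions(a, b) {
  const [ma, pa] = a.split("-"), [mb, pb] = b.split("-");
  const na = ma.split(".").map(Number), nb = mb.split(".").map(Number);
  for (let i = 0; i < Math.max(na.length, nb.length); i++) {
    const d = (na[i] || 0) - (nb[i] || 0); if (d !== 0) return d;
  }
  if (!pa && !pb) return 0;
  if (!pa || !pb) return pa ? -1 : 1;       // only one side is a prerelease
  return pa < pb ? -1 : pa > pb ? 1 : 0;
}
// One row per (file, component, vulnerability) with the CVEs, URLs and version bounds a bare severity omits.
function flattenFindings(fileEntries) {
  const rows = [];
  for (const { file, results = [] } of fileEntries)
    for (const { component, version, vulnerabilities = [] } of results)
      for (const v of vulnerabilities) {
        const ids = v.identifiers || {};
        rows.push({ file, component, version, severity: v.severity, below: v.below,
          atOrAbove: v.atOrAbove || null, cves: ids.CVE || [], issue: ids.issue || null,
          summary: ids.summary || "", urls: v.info || [] });
      }
  return rows;
}
// Distinct CVE ids across all rows, sorted, ready for CVSS lookup or ticketing.
function uniqueCves(rows) {
  return [...new Set(rows.flatMap(r => r.cves))].sort();
}
// Smallest upgrade that clears every finding: the highest `below` bound seen (null when no findings).
function minimumFixVersion(rows) {
  return rows.length ? rows.map(r => r.below).reduce((hi, v) => (compareVersions(v, hi) > 0 ? v : hi)) : null;
}
```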