retire-js
There is a plethora of JavaScript libraries for use on the Web and in Node.js apps out there. This greatly simplifies development, but we need to stay up-to-date on security fixes. Using Components with Known Vulnerabilities is now a part of the OWASP Top 10 list of security risks, and insecure libraries can pose a huge risk to your Web app. The goal of Retire.js is to help you detect the use of JS-library versions with known vulnerabilities.
Details
Category: Static Code Analysis
Publisher: trickest
Created Date: 6/23/2021
Container: quay.io/trickest/retire:v4.3.4-patch-3
Source URL: https://github.com/RetireJS/retire.js
Parameters
Command:
--ext
- Comma separated list of file extensions for JavaScript files. The default is js
Command:
--path
- Folder to scan for JavaScript files
Command:
--proxy
- Proxy url (http://some.host:8080)
Command:
--cacert
- Use the specified certificate file to verify the peer used for fetching remote jsrepo/noderepo files
Command:
--colors
- Enable color output (console output only)
Command:
--ignore
- Comma delimited list of paths to ignore
Command:
--jsrepo
- Local or internal version of repo. Can be multiple comma separated. Default: 'central'
Command:
--nocache
- Don't use local cache
Command:
--verbose
- Show identified files (by default only vulnerable files are shown)
Command:
--insecure
- Enable fetching remote jsrepo/noderepo files from hosts using an insecure or self-signed SSL (TLS) certificate
Command:
--severity
- Specify the bug severity level from which the process fails. Allowed levels: none, low, medium, high, critical. Default: none
Command:
--ignorefile
- Custom ignore file, defaults to .retireignore / .retireignore.json
Command:
--includeOsv
- Include OSV advisories in the output
Command:
--outputformat
- Valid formats: text, json, jsonsimple, depcheck (experimental), cyclonedx and cyclonedxJSON