
retire.js finds results but then errors, result file empty

Open dougmcdorman opened this issue 6 years ago • 8 comments

Ran just the retirejs scan on a project. The screen showed retire.js finding some issues but then hitting an error. Unfortunately the glue output JSON was just []. So if you were just processing the output it would probably not indicate there were any errors.

Log shows:

RetireJS scanning: /mnt/project
Missing version for popper.js. Need to run npm install ?
Retire JSON Raw Results: [{ A BUNCH OF RESULTS HERE }]
Problem running RetireJS #<NoMethodError: undefined method `each_with_object' for nil:NilClass>

And like I mentioned earlier the output .json file contains just []

dougmcdorman, May 07 '19 20:05

Rest of the stack trace

#<NoMethodError: undefined method `each_with_object' for nil:NilClass>
/home/glue/glue/lib/glue/tasks/retirejs.rb:191:in `vulnerability_hashes'
/home/glue/glue/lib/glue/tasks/retirejs.rb:119:in `block in parse_vulnerabilities'
/home/glue/glue/lib/glue/tasks/retirejs.rb:109:in `each'
/home/glue/glue/lib/glue/tasks/retirejs.rb:109:in `parse_vulnerabilities'
/home/glue/glue/lib/glue/tasks/retirejs.rb:98:in `js_vulnerabilities'
/home/glue/glue/lib/glue/tasks/retirejs.rb:94:in `parse_retire_results'
/home/glue/glue/lib/glue/tasks/retirejs.rb:40:in `block in analyze'
/home/glue/glue/lib/glue/tasks/retirejs.rb:38:in `each'
/home/glue/glue/lib/glue/tasks/retirejs.rb:38:in `analyze'
/home/glue/glue/lib/glue/tasks.rb:81:in `block in run_tasks'
/home/glue/glue/lib/glue/tasks.rb:58:in `each'
/home/glue/glue/lib/glue/tasks.rb:58:in `run_tasks'
/home/glue/glue/lib/glue/scanner.rb:21:in `block in process'
/home/glue/glue/lib/glue/scanner.rb:17:in `each'
/home/glue/glue/lib/glue/scanner.rb:17:in `process'
/home/glue/glue/lib/glue.rb:270:in `scan'
/home/glue/glue/lib/glue.rb:47:in `run'
/home/glue/glue/bin/glue:58:in `<top (required)>'
/home/glue/.rvm/rubies/ruby-2.3.1/bin/glue:23:in `load'
/home/glue/.rvm/rubies/ruby-2.3.1/bin/glue:23:in `<main>'
/home/glue/.rvm/rubies/ruby-2.3.1/bin/ruby_executable_hooks:15:in `eval'
/home/glue/.rvm/rubies/ruby-2.3.1/bin/ruby_executable_hooks:15:in `'

dougmcdorman, May 07 '19 20:05

--version reports Glue 0.9.4

I am using docker for windows on windows 10 to run the Glue container if that matters.

dougmcdorman, May 07 '19 21:05

Can you share the output of retire.js? Looks like it has some issues with your output...

omerlh, May 12 '19 04:05

Log says this:

Retire JSON Raw Results: [{"file"=>"/mnt/project/node_modules/webpack-dev-server/client/live.bundle.js", "results"=>[{"version"=>"3.3.1", "component"=>"jquery", "detection"=>"filecontent", "vulnerabilities"=>[{"info"=>["https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/", "https://nvd.nist.gov/vuln/detail/CVE-2019-11358", "https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b"], "severity"=>"low", "identifiers"=>{"CVE"=>["CVE-2019-11358"], "summary"=>"jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution"}}]}]}, {"file"=>"/mnt/project/node_modules/selenium-webdriver/lib/test/data/jquery-1.3.2.js", "results"=>[{"version"=>"1.3.2", "component"=>"jquery", "detection"=>"filename", "vulnerabilities"=>[{"info"=>["https://nvd.nist.gov/vuln/detail/CVE-2011-4969", "http://research.insecurelabs.org/jquery/test/", "https://bugs.jquery.com/ticket/9521"], "severity"=>"medium", "identifiers"=>{"CVE"=>["CVE-2011-4969"], "summary"=>"XSS with location.hash"}}, {"info"=>["http://bugs.jquery.com/ticket/11290", "https://nvd.nist.gov/vuln/detail/CVE-2012-6708", "http://research.insecurelabs.org/jquery/test/"], "severity"=>"medium", "identifiers"=>{"CVE"=>["CVE-2012-6708"], "bug"=>"11290", "summary"=>"Selector interpreted as HTML"}}, {"info"=>["https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/", "https://nvd.nist.gov/vuln/detail/CVE-2019-11358", "https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b"], "severity"=>"low", "identifiers"=>{"CVE"=>["CVE-2019-11358"], "summary"=>"jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution"}}]}]}, {"file"=>"/mnt/project/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js", "results"=>[{"version"=>"1.4.4.min", "component"=>"jquery", "detection"=>"filename", "vulnerabilities"=>[{"info"=>["https://nvd.nist.gov/vuln/detail/CVE-2011-4969", "http://research.insecurelabs.org/jquery/test/", "https://bugs.jquery.com/ticket/9521"], "severity"=>"medium", "identifiers"=>{"CVE"=>["CVE-2011-4969"], "summary"=>"XSS with location.hash"}}, {"info"=>["http://bugs.jquery.com/ticket/11290", "https://nvd.nist.gov/vuln/detail/CVE-2012-6708", "http://research.insecurelabs.org/jquery/test/"], "severity"=>"medium", "identifiers"=>{"CVE"=>["CVE-2012-6708"], "bug"=>"11290", "summary"=>"Selector interpreted as HTML"}}, {"info"=>["https://github.com/jquery/jquery/issues/2432", "http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/", "https://nvd.nist.gov/vuln/detail/CVE-2015-9251", "http://research.insecurelabs.org/jquery/test/"], "severity"=>"medium", "identifiers"=>{"issue"=>"2432", "summary"=>"3rd party CORS request may execute", "CVE"=>["CVE-2015-9251"]}}, {"info"=>["https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/", "https://nvd.nist.gov/vuln/detail/CVE-2019-11358", "https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b"], "severity"=>"low", "identifiers"=>{"CVE"=>["CVE-2019-11358"], "summary"=>"jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution"}}]}]}, {"file"=>"/mnt/project/node_modules/selenium-webdriver/lib/test/data/js/jquery-ui-1.8.10.custom.min.js", "results"=>[{"version"=>"1.8.10", "component"=>"jquery-ui-dialog", "detection"=>"filecontent", "vulnerabilities"=>[{"info"=>["http://bugs.jqueryui.com/ticket/6016", "https://nvd.nist.gov/vuln/detail/CVE-2010-5312"], "severity"=>"medium", "identifiers"=>{"CVE"=>["CVE-2010-5312"], "bug"=>"6016", "summary"=>"Title cross-site scripting vulnerability"}}, {"info"=>["https://github.com/jquery/api.jqueryui.com/issues/281", "https://nvd.nist.gov/vuln/detail/CVE-2016-7103", "https://snyk.io/vuln/npm:jquery-ui:20160721"], "severity"=>"high", "identifiers"=>{"CVE"=>["CVE-2016-7103"], "bug"=>"281", "summary"=>"XSS Vulnerability on closeText option"}}]}, {"version"=>"1.8.10", "component"=>"jquery-ui-autocomplete", "detection"=>"filecontent"}]}, {"file"=>"/mnt/project/node_modules/selenium-webdriver/lib/test/data/js/tinymce.min.js", "results"=>[{"version"=>"4.0.26", "component"=>"tinyMCE", "detection"=>"filecontentreplace", "vulnerabilities"=>[{"info"=>["https://www.tinymce.com/docs/changelog/"], "severity"=>"medium", "identifiers"=>{"summary"=>"xss issues with media plugin not properly filtering out some script attributes."}}, {"info"=>["https://www.tinymce.com/docs/changelog/"], "severity"=>"medium", "identifiers"=>{"summary"=>"FIXED so script elements gets removed by default to prevent possible XSS issues in default config implementations"}}, {"info"=>["https://www.tinymce.com/docs/changelog/"], "severity"=>"medium", "identifiers"=>{"summary"=>"FIXED so links with xlink:href attributes are filtered correctly to prevent XSS."}}]}]}]

dougmcdorman, May 16 '19 06:05
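One detail worth noting in the raw results above: the jquery-ui-autocomplete entry has no "vulnerabilities" key at all, and calling each_with_object on that absent array is exactly the kind of call that raises the NoMethodError in the stack trace. The following is an added example, not Glue's own parser, run over a constructed sample in the shape of retire.js JSON output: a naive parse that fails on such an entry beside a tolerant one that skips it and still reports the other findings.

```ruby
require 'json'

# Constructed sample in the shape of retire.js JSON output: one file with a
# vulnerable component and a second component detected without any
# "vulnerabilities" key (as jquery-ui-autocomplete appears in the thread).
SAMPLE_RETIRE_JSON = <<~JSON
  [
    {"file": "/mnt/project/node_modules/example/jquery-ui.min.js",
     "results": [
       {"version": "1.8.10", "component": "jquery-ui-dialog", "detection": "filecontent",
        "vulnerabilities": [
          {"severity": "high", "identifiers": {"CVE": ["CVE-2016-7103"],
                                               "summary": "XSS Vulnerability on closeText option"}},
          {"severity": "medium", "identifiers": {"summary": "Title cross-site scripting vulnerability"}}
        ]},
       {"version": "1.8.10", "component": "jquery-ui-autocomplete", "detection": "filecontent"}
     ]}
  ]
JSON

# Naive parse: assumes every result carries a "vulnerabilities" array.
# On the autocomplete entry result['vulnerabilities'] is nil, so this raises
# NoMethodError (undefined method `each_with_object' for nil:NilClass).
def naive_vulnerability_hashes(result)
  result['vulnerabilities'].each_with_object([]) do |v, acc|
    acc << { component: result['component'], severity: v['severity'] }
  end
end

# Tolerant parse: a missing or malformed "vulnerabilities" value counts as
# "no findings" for that component instead of aborting the whole scan.
def vulnerability_hashes(file, result)
  vulns = result['vulnerabilities']
  vulns = [] unless vulns.is_a?(Array)
  vulns.each_with_object([]) do |v, acc|
    ids = v['identifiers'] || {}
    acc << { file: file, component: result['component'], version: result['version'],
             severity: v['severity'] || 'unknown', cves: Array(ids['CVE']),
             summary: ids['summary'] || '' }
  end
end

# Flatten every file/result pair into one list of finding hashes; a file entry
# with no "results" contributes nothing rather than raising.
def parse_retire_results(raw_json)
  JSON.parse(raw_json).flat_map do |entry|
    (entry['results'] || []).flat_map { |r| vulnerability_hashes(entry['file'], r) }
  end
end
```

With the tolerant parser the two jquery-ui-dialog findings are reported and the autocomplete entry simply yields none, which is the behaviour a consumer of the output JSON would want instead of an empty [].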

Sorry for the late response :) I just tried to reproduce it locally (fed the JSON into the retire task) and it worked. Which glue version are you using?

omerlh, May 21 '19 10:05

owasp/glue --version
Glue 0.9.4

dougmcdorman, May 23 '19 05:05

Can you try the same using the raw-latest tag? It contains a more up-to-date version. There were some bug fixes for this task.

omerlh, May 26 '19 16:05

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot], Jul 25 '19 17:07