
jquery-migrate 1.4.1 detected as vulnerability despite missing any record in the repo

Open gbena opened this issue 7 years ago • 8 comments

Retire.js version: (retire --version): 1.6.1

node version: (node --version): v4.8.2

Type: Question

Description: When scanning jquery.min.js version v1.12.4, retire is reporting two issues:

```
retire -c --js --jspath .
Downloading https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/jsrepository.json ...
scripts/jquery.min.js
 ↳ jquery 1.12.4 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 http://research.insecurelabs.org/jquery/test/
 ↳ jquery-migrate 1.4.1
```

The first one detected (jquery 1.12.4) is fine.

But the second one (jquery-migrate 1.4.1) doesn't have any description/CVE/links/etc. Looking at the repository (https://github.com/RetireJS/retire.js/blob/master/repository/jsrepository.json), the only vuln I found regarding jquery-migrate is: `"below" : "1.2.0"`.

So is this a false positive?

Expected behaviour: If it is a true positive, include the proof/bugs/issue/CVE/etc. If it is a false positive, remove it from the result.

gbena, Jun 29 '18 14:06

@gbena Does the file actually contain jquery-migrate? Any chance you could share the file?

eoftedal, Jul 05 '18 07:07

Did you by any chance include -v in your original command? Because -v will also make it list all detected libraries, not just the ones with vulnerabilities.

eoftedal, Jul 05 '18 08:07

It does contain jquery-migrate.

I am just confused how retire detected that jquery-migrate in version 1.4.1 is vulnerable. There is no evidence about this version being vulnerable. And the output of retire didn't provide any evidence as well.

I unfortunately can't share the file, as it is embedded.

I just re-ran with -v again. No difference on the output except it says reading from cache.

```
Loading from cache: https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/jsrepository.json
Reading /tmp/.retire-cache/1531128716602.json ...
Loading from cache: https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/npmrepository.json
Reading /tmp/.retire-cache/1531128746530.json ...
```

gbena, Jul 09 '18 09:07

From the output above, it didn't say that it has known vulnerabilities. It just said it identified it.

eoftedal, Jul 11 '18 19:07

Can you run it once with -v and once without?

eoftedal, Jul 11 '18 19:07

I did. The previous comment was run with -v. The original issue was run without.

Nevertheless, I just ran it again. Here is the output (filenames are disguised):

```
$ retire -v .
Loading from cache: https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/jsrepository.json
Reading /tmp/.retire-cache/1531396815503.json ...
Loading from cache: https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/npmrepository.json
Reading /tmp/.retire-cache/1531396816692.json ...
file1.js
 ↳ jquery 1.12.4 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 http://research.insecurelabs.org/jquery/test/
 ↳ jquery-migrate 1.4.1
file2.js
 ↳ jquery 1.12.4 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 http://research.insecurelabs.org/jquery/test/
 ↳ jquery-migrate 1.4.1
file3.js
 ↳ jquery 1.12.4 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 http://research.insecurelabs.org/jquery/test/
 ↳ jquery-migrate 1.4.1
```

```
$ retire .
Loading from cache: https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/jsrepository.json
Loading from cache: https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/npmrepository.json
file1.js
 ↳ jquery 1.12.4 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 http://research.insecurelabs.org/jquery/test/
 ↳ jquery-migrate 1.4.1
file2.js
 ↳ jquery 1.12.4 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 http://research.insecurelabs.org/jquery/test/
 ↳ jquery-migrate 1.4.1
file3.js
 ↳ jquery 1.12.4 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 http://research.insecurelabs.org/jquery/test/
 ↳ jquery-migrate 1.4.1
```

gbena, Jul 12 '18 12:07

This is very odd. I'm not able to reproduce this on node 4.8.2 with retire 1.6.1 unless I provide the -v option. And it clearly doesn't see it as vulnerable as it doesn't say "has known vulnerabilities".

Would you mind posting the output from: retire --outputformat json

eoftedal, Jul 15 '18 20:07

Sure. Here is the output with and without -v:

Without -v:

```
$ retire --outputformat json
[{"file":"file1.js","results":[{"version":"1.12.4","component":"jquery","detection":"filecontent","vulnerabilities":[{"info":["https://github.com/jquery/jquery/issues/2432","http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/","http://research.insecurelabs.org/jquery/test/"],"severity":"medium","identifiers":{"issue":"2432","summary":"3rd party CORS request may execute","CVE":["CVE-2015-9251"]}},{"info":["https://bugs.jquery.com/ticket/11974","http://research.insecurelabs.org/jquery/test/"],"severity":"medium","identifiers":{"CVE":["CVE-2015-9251"],"issue":"11974","summary":"parseHTML() executes scripts in event handlers"}}]},{"version":"1.4.1","component":"jquery-migrate","detection":"filecontent"}]},{"file":"file2.js","results":[{"version":"1.12.4","component":"jquery","detection":"filecontent","vulnerabilities":[{"info":["https://github.com/jquery/jquery/issues/2432","http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/","http://research.insecurelabs.org/jquery/test/"],"severity":"medium","identifiers":{"issue":"2432","summary":"3rd party CORS request may execute","CVE":["CVE-2015-9251"]}},{"info":["https://bugs.jquery.com/ticket/11974","http://research.insecurelabs.org/jquery/test/"],"severity":"medium","identifiers":{"CVE":["CVE-2015-9251"],"issue":"11974","summary":"parseHTML() executes scripts in event handlers"}}]},{"version":"1.4.1","component":"jquery-migrate","detection":"filecontent"}]},{"file":"file3.js","results":[{"version":"1.12.4","component":"jquery","detection":"filecontent","vulnerabilities":[{"info":["https://github.com/jquery/jquery/issues/2432","http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/","http://research.insecurelabs.org/jquery/test/"],"severity":"medium","identifiers":{"issue":"2432","summary":"3rd party CORS request may execute","CVE":["CVE-2015-9251"]}},{"info":["https://bugs.jquery.com/ticket/11974","http://research.insecurelabs.org/jquery/test/"],"severity":"medium","identifiers":{"CVE":["CVE-2015-9251"],"issue":"11974","summary":"parseHTML() executes scripts in event handlers"}}]},{"version":"1.4.1","component":"jquery-migrate","detection":"filecontent"}]}]
```

With -v:

```
$ retire -v --outputformat json
[{"file":"file1.js","results":[{"version":"1.12.4","component":"jquery","detection":"filecontent","vulnerabilities":[{"info":["https://github.com/jquery/jquery/issues/2432","http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/","http://research.insecurelabs.org/jquery/test/"],"severity":"medium","identifiers":{"issue":"2432","summary":"3rd party CORS request may execute","CVE":["CVE-2015-9251"]}},{"info":["https://bugs.jquery.com/ticket/11974","http://research.insecurelabs.org/jquery/test/"],"severity":"medium","identifiers":{"CVE":["CVE-2015-9251"],"issue":"11974","summary":"parseHTML() executes scripts in event handlers"}}]},{"version":"1.4.1","component":"jquery-migrate","detection":"filecontent"}]},{"file":"file2.js","results":[{"version":"1.12.4","component":"jquery","detection":"filecontent","vulnerabilities":[{"info":["https://github.com/jquery/jquery/issues/2432","http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/","http://research.insecurelabs.org/jquery/test/"],"severity":"medium","identifiers":{"issue":"2432","summary":"3rd party CORS request may execute","CVE":["CVE-2015-9251"]}},{"info":["https://bugs.jquery.com/ticket/11974","http://research.insecurelabs.org/jquery/test/"],"severity":"medium","identifiers":{"CVE":["CVE-2015-9251"],"issue":"11974","summary":"parseHTML() executes scripts in event handlers"}}]},{"version":"1.4.1","component":"jquery-migrate","detection":"filecontent"}]},{"file":"file3.js","results":[]},{"file":"file4.js","results":[]},{"file":"file5.js","results":[]},{"file":"file6.js","results":[]},{"file":"file7.js","results":[]},{"file":"file8.js","results":[]},{"file":"file9.js","results":[]},{"file":"file10.js","results":[]},{"file":"file11.js","results":[]},{"file":"file12.js","results":[]},{"file":"file13.js","results":[]},{"file":"file14.js","results":[]},{"file":"file15.js","results":[]},{"file":"file16.js","results":[]},{"file":"file17.js","results":[]},{"file":"file18.js","results":[]},{"file":"file19.js","results":[]},{"file":"file20.js","results":[]},{"file":"file21.js","results":[]},{"file":"file22.js","results":[]},{"file":"file23.js","results":[]},{"file":"file24.js","results":[{"version":"1.12.4","component":"jquery","detection":"filecontent","vulnerabilities":[{"info":["https://github.com/jquery/jquery/issues/2432","http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/","http://research.insecurelabs.org/jquery/test/"],"severity":"medium","identifiers":{"issue":"2432","summary":"3rd party CORS request may execute","CVE":["CVE-2015-9251"]}},{"info":["https://bugs.jquery.com/ticket/11974","http://research.insecurelabs.org/jquery/test/"],"severity":"medium","identifiers":{"CVE":["CVE-2015-9251"],"issue":"11974","summary":"parseHTML() executes scripts in event handlers"}}]},{"version":"1.4.1","component":"jquery-migrate","detection":"filecontent"}]},{"file":"file25.js","results":[]},{"file":"file26.js","results":[]},{"file":"file27.js","results":[]},{"file":"file28.js","results":[]},{"file":"file29.js","results":[]},{"file":"file30.js","results":[]}]
```

gbena, Jul 18 '18 14:07
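The JSON above makes the maintainer's point mechanical: an entry such as jquery-migrate 1.4.1 has no "vulnerabilities" key, so retire only identified it, while the jquery 1.12.4 entries carry a non-empty vulnerabilities array. The following is an added example, not code from retire.js or from either participant, that triages a `retire --outputformat json` report on that basis so a CI gate fails on recorded findings but never on libraries that are merely listed (for instance under -v); the sample report is constructed to match the shape shown in the thread, and the severity ranking is an assumption of this example.

```javascript
// Added example (not part of retire.js). Triage of `retire --outputformat json`:
// components with a non-empty "vulnerabilities" array are findings; entries
// without that key (like jquery-migrate 1.4.1 in the issue) were only identified.

// Constructed sample report shaped like the retire 1.6.1 JSON in the thread.
const SAMPLE_REPORT = JSON.stringify([
  { file: 'file1.js', results: [
    { version: '1.12.4', component: 'jquery', detection: 'filecontent',
      vulnerabilities: [
        { info: ['https://github.com/jquery/jquery/issues/2432'], severity: 'medium',
          identifiers: { issue: '2432', summary: '3rd party CORS request may execute',
                         CVE: ['CVE-2015-9251'] } },
        { info: ['https://bugs.jquery.com/ticket/11974'], severity: 'medium',
          identifiers: { issue: '11974', summary: 'parseHTML() executes scripts in event handlers',
                         CVE: ['CVE-2015-9251'] } } ] },
    { version: '1.4.1', component: 'jquery-migrate', detection: 'filecontent' } ] },
  { file: 'file3.js', results: [] },
]);

// Assumed severity ordering (retire's own levels are free-form strings).
const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };

// Returns { vulnerable, identifiedOnly }; a result counts as a finding only when
// "vulnerabilities" is present and non-empty, which is what -v listings lack.
function triageRetireReport(json) {
  const vulnerable = [];
  const identifiedOnly = [];
  for (const entry of JSON.parse(json)) {
    for (const r of entry.results || []) {
      const vulns = Array.isArray(r.vulnerabilities) ? r.vulnerabilities : [];
      const item = { file: entry.file, component: r.component, version: r.version };
      if (vulns.length === 0) { identifiedOnly.push(item); continue; }
      const cves = new Set();
      let worst = null;
      for (const v of vulns) {
        for (const c of (v.identifiers && v.identifiers.CVE) || []) cves.add(c);
        if ((SEVERITY_RANK[v.severity] || 0) > (SEVERITY_RANK[worst] || 0)) worst = v.severity;
      }
      vulnerable.push({ ...item, cves: [...cves].sort(), maxSeverity: worst });
    }
  }
  return { vulnerable, identifiedOnly };
}

// CI gate: 1 only if some finding reaches the threshold; identified-only entries never count.
function exitCodeFor(report, threshold = 'medium') {
  const bar = SEVERITY_RANK[threshold] || 0;
  return report.vulnerable.some(v => (SEVERITY_RANK[v.maxSeverity] || 0) >= bar) ? 1 : 0;
}

const triage = triageRetireReport(SAMPLE_REPORT);
console.log(JSON.stringify(triage, null, 2), '\nexit code:', exitCodeFor(triage));
```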