Retirejs detector - mozilla/mozilla-depends GitHub Wiki
Retire.js produces JSON-parsable output on request. The output of Retire.js v1.6 is an array of detection results of varying formats. Retire.js 2.0 produces an object with metadata, and the results are located within the `data` property.
Sample of a detection result containing a vulnerability:
```json
{
  "file": "/tmp/mozilla-unified/third_party/webkit/PerformanceTests/Speedometer/resources/todomvc/architecture-examples/emberjs-debug/assets/vendor.js",
  "results": [
    {
      "version": "2.2.4",
      "component": "jquery",
      "detection": "filecontent",
      "vulnerabilities": [
        {
          "info": [
            "https://github.com/jquery/jquery/issues/2432",
            "http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/",
            "https://nvd.nist.gov/vuln/detail/CVE-2015-9251",
            "http://research.insecurelabs.org/jquery/test/"
          ],
          "severity": "medium",
          "identifiers": {
            "issue": "2432",
            "summary": "3rd party CORS request may execute",
            "CVE": [
              "CVE-2015-9251"
            ]
          }
        },
        {
          "info": [
            "https://bugs.jquery.com/ticket/11974",
            "https://nvd.nist.gov/vuln/detail/CVE-2015-9251",
            "http://research.insecurelabs.org/jquery/test/"
          ],
          "severity": "medium",
          "identifiers": {
            "CVE": [
              "CVE-2015-9251"
            ],
            "issue": "11974",
            "summary": "parseHTML() executes scripts in event handlers"
          }
        },
        {
          "info": [
            "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
            "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
            "https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b"
          ],
          "severity": "low",
          "identifiers": {
            "CVE": [
              "CVE-2019-11358"
            ],
            "summary": "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution"
          }
        }
      ]
    },
    {
      "version": "2.6.2",
      "component": "ember",
      "detection": "filecontent"
    }
  ]
}
```
However, the vulnerability info is not stable, and its format is mildly polymorphic, depending on the type of vulnerability found.
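A consumer has to tolerate both top-level shapes and the varying `identifiers` keys. The following is an added example, not code from mozilla-depends: the function name, the row layout and the `kind:value` id format are assumptions, and the sample input is constructed from the result shown above.

```python
import json

def _as_list(value):
    """Identifier values may be a scalar or a list; always return a list of strings."""
    if value is None:
        return []
    return [str(v) for v in value] if isinstance(value, (list, tuple)) else [str(value)]

def normalize_retire_output(raw):
    """Flatten Retire.js JSON (1.6 array or 2.0 object) into one row per vulnerability."""
    doc = json.loads(raw) if isinstance(raw, (str, bytes)) else raw
    # 2.0 wraps the detection results in a "data" property; 1.6 is the bare array.
    detections = doc.get("data", []) if isinstance(doc, dict) else doc
    rows = []
    for detection in detections:
        if not isinstance(detection, dict):
            continue  # assumption: entries that are not objects carry no findings
        for result in detection.get("results", []):
            # A component with no known issues has no "vulnerabilities" key at all.
            for vuln in result.get("vulnerabilities", []):
                ident = vuln.get("identifiers", {})
                # Every identifier except the free-text summary is a reference id.
                ids = sorted(v if kind == "CVE" else f"{kind}:{v}"
                             for kind, value in ident.items() if kind != "summary"
                             for v in _as_list(value))
                rows.append({"file": detection.get("file"),
                             "component": result.get("component"),
                             "version": result.get("version"),
                             "severity": vuln.get("severity", "unknown"),
                             "ids": ids,
                             "summary": ident.get("summary", "")})
    return rows

# Constructed sample, trimmed from the detection result shown above.
SAMPLE_DETECTION = {
    "file": "/tmp/example/vendor.js",
    "results": [
        {"version": "2.2.4", "component": "jquery", "detection": "filecontent",
         "vulnerabilities": [
             {"severity": "medium",
              "identifiers": {"issue": "2432", "CVE": ["CVE-2015-9251"],
                              "summary": "3rd party CORS request may execute"}},
             {"severity": "low", "identifiers": {"CVE": ["CVE-2019-11358"]}}]},
        {"version": "2.6.2", "component": "ember", "detection": "filecontent"},
    ],
}
SAMPLE_V1 = json.dumps([SAMPLE_DETECTION])            # 1.6 shape: bare array
SAMPLE_V2 = json.dumps({"data": [SAMPLE_DETECTION]})  # 2.0 shape: metadata omitted
```

Components detected without known vulnerabilities, such as the ember entry, produce no rows; keep the raw result as well if an inventory of all detected components is needed.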