Python port of RetireJS - A tool to scan for vulnerabilities in JavaScript libraries
Project description
UnretiredJS
A Python port of RetireJS - A tool to scan for vulnerabilities in JavaScript libraries.
Description
UnretiredJS is a Python library that helps you identify known vulnerabilities in JavaScript libraries used in your web applications. It's a port of the popular RetireJS tool, bringing the same powerful vulnerability scanning capabilities to Python projects.
Note: This is a fork of FallibleInc/retirejslib, maintained and updated with additional features and improvements.
Installation
```
pip install unretiredjs
```
Usage
Basic Usage
```python
import unretiredjs

# Scan a remote JavaScript file
results = unretiredjs.scan_endpoint("http://code.jquery.com/jquery-1.6.min.js")
```
Sample Output
```python
[
    {
        'detection': 'filecontent',
        'vulnerabilities': [
            {
                'info': [
                    'http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4969',
                    'http://research.insecurelabs.org/jquery/test/'
                ],
                'identifiers': {
                    'CVE': ['CVE-2011-4969']
                },
                'severity': 'medium'
            },
            {
                'info': [
                    'http://bugs.jquery.com/ticket/11290',
                    'http://research.insecurelabs.org/jquery/test/'
                ],
                'identifiers': {
                    'bug': '11290',
                    'summary': 'Selector interpreted as HTML'
                },
                'severity': 'medium'
            },
            {
                'info': [
                    'https://github.com/jquery/jquery/issues/2432',
                    'http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/'
                ],
                'identifiers': {
                    'summary': '3rd party CORS request may execute'
                },
                'severity': 'medium'
            }
        ],
        'version': '1.6.0',
        'component': 'jquery'
    }
]
```
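A severity gate over results in the shape of the sample output above, suitable for a CI step; this is an added example, not part of UnretiredJS. The function names, the constructed SAMPLE data and the severity labels other than 'medium' are assumptions.

```python
import sys

# Severity scale assumed here; the page's sample output only shows 'medium'.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample in the shape of the page's Sample Output (trimmed),
# plus one invented low-severity entry for contrast.
SAMPLE = [
    {"detection": "filecontent", "component": "jquery", "version": "1.6.0",
     "vulnerabilities": [
         {"identifiers": {"CVE": ["CVE-2011-4969"]}, "severity": "medium"},
         {"identifiers": {"bug": "11290",
                          "summary": "Selector interpreted as HTML"},
          "severity": "medium"}]},
    {"detection": "filecontent", "component": "example-lib", "version": "0.0.1",
     "vulnerabilities": [
         {"identifiers": {"summary": "constructed entry"}, "severity": "low"}]},
]

def labels(identifiers):
    """Flatten 'identifiers': values are lists (CVE) or plain strings (bug, summary)."""
    out = []
    for key, value in identifiers.items():
        for item in (value if isinstance(value, list) else [value]):
            out.append(item if key == "CVE" else f"{key}: {item}")
    return out

def findings_at_or_above(results, threshold="medium"):
    """Return (component, version, severity, labels) for each vulnerability at or
    above the threshold. Unrecognised severities count as meeting it, so an
    unexpected label cannot slip through the gate."""
    floor = SEVERITY_RANK[threshold]
    hits = []
    for entry in results:
        for vuln in entry.get("vulnerabilities", []):
            severity = str(vuln.get("severity", "unknown")).lower()
            if SEVERITY_RANK.get(severity, floor) >= floor:
                hits.append((entry.get("component"), entry.get("version"),
                             severity, labels(vuln.get("identifiers", {}))))
    return hits

if __name__ == "__main__":
    # In real use, pass the list returned by unretiredjs.scan_endpoint(url).
    hits = findings_at_or_above(SAMPLE, "medium")
    for component, version, severity, ids in hits:
        print(f"{component} {version} [{severity}] {'; '.join(ids)}")
    sys.exit(1 if hits else 0)
```

Run as a script, it exits non-zero when any finding meets the threshold, which fails the pipeline step.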
Features
- Scan remote JavaScript files for known vulnerabilities
- Detect vulnerable versions of popular JavaScript libraries
- Comprehensive vulnerability database
- Easy to integrate into Python projects
Requirements
- Python 3.6 or higher
- requests>=2.25.0
Vulnerability Data Updates
The vulnerability data used by UnretiredJS is stored in retirejs/vulnerabilities.py. This data is sourced from the official RetireJS repository (https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/jsrepository.json).
Updates are handled automatically by a GitHub Action defined in .github/workflows/update_retirejs_data.yml. This action runs on a monthly schedule (at 00:00 UTC on the 1st day of every month) to fetch the latest vulnerability information. It also allows for manual triggering via the GitHub Actions UI.
If you need to run the update script manually, follow these steps:
- Navigate to the root directory of this repository.
- Ensure you have Python 3 installed.
- Install the necessary dependencies:
  ```
  pip install requests
  ```
- Run the update script:
  ```
  python retirejs/update_vulnerabilities.py
  ```
- If the script makes any changes to retirejs/vulnerabilities.py, these changes should be committed to the repository.
License
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
Author
Anand Kumar - GitHub
Download files
File details
Details for the file unretiredjs-1.4.3.tar.gz.
File metadata
- Download URL: unretiredjs-1.4.3.tar.gz
- Upload date:
- Size: 50.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | f2a1647749f3ecb9e23c464ebb17f3857fd7f9e38bfe2ec56fdca2cbb39588e3 |
| MD5 | af0de388c02b21b2711466e547d4cf0b |
| BLAKE2b-256 | 8215f06aac47d06465fbd16685cb0b5852dea42321b5ef06d108b55cacc1d08d |
File details
Details for the file unretiredjs-1.4.3-py3-none-any.whl.
File metadata
- Download URL: unretiredjs-1.4.3-py3-none-any.whl
- Upload date:
- Size: 51.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 99db9da78aae709d2ba37ac0a0b106ab079e55090a5c095e4d6ea815ae94eded |
| MD5 | 7c5e1c936365277b9686209b0d5f15e0 |
| BLAKE2b-256 | 429c4562bdc52a8ce57f84b0a286aed3809bcbc9be1b9a8eeb2ee7188ba47506 |