scan – Giant Geek Blog

RetireJS for Eclipse extension

Several years ago I wrote an Eclipse plugin to help me identify vulnerable javascript libraries using RetireJS. On a whim, I finally got around to submitting it to the Eclipse marketplace last week and it was approved.

This addresses a common OWASP Top-Ten item – A9:2017-Using Components with Known Vulnerabilities.

For Non-Developers… in English, while software developers are creating websites they often use open-source libraries such as jQuery (or literally thousands of other libraries) to simplify their development. Eventually, almost all software is identified as being vulnerable to various attacks. This tool makes it easier to scan and report on libraries that might be used in an application so that they can be updated or replaced.

REFERENCES:

Java Dependency Vulnerability scanning with Maven victims-enforcer

One of the OWASP guidelines for secure applications is to not use components with known vulnerabilities. Unfortunately it can be a very difficult and time consuming task to keep up with these manually, automation can save you countless hours!

See https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities.

NOTE: victims-enforcer can be used in conjunction with the OWASP dependency scanner. I have only found it to be problematic in ‘tycho’ builds.

<plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-enforcer-plugin</artifactId> <version>1.4.1</version> <dependencies> <dependency> <groupId>com.redhat.victims</groupId> <artifactId>enforce-victims-rule</artifactId> <version>1.3.4</version> <type>jar</type> </dependency> </dependencies> <executions> <execution> <id>enforce-victims-rule</id> <goals> <goal>enforce</goal> </goals> <configuration> <rules> <rule implementation="com.redhat.victims.VictimsRule"> <!-- Check the project's dependencies against the database using name and version. The default mode for this is 'warning'.


 Valid options are: 
 disabled: Rule is still run but only INFO level messages and no errors.

warning : Rule will spit out a warning message but doesn't result in a failure.

fatal : Rule will spit out an error message and fail the build.

-->

<metadata>warning</metadata>
 <!--

Check the project's dependencies against the database using

the SHA-512 checksum of the artifact. The default is fatal. 
 Valid options are: 
 disabled: Rule is still run but only INFO level messages and no errors.

warning : Rule will spit out a warning message but doesn't result in a failure.

fatal : Rule will spit out an error message and fail the build.

-->

<fingerprint>fatal</fingerprint>
 <!--

Disables the synchronization mechanism. By default the rule will

attempt to update the database for each build. 
 Valid options are: 
 auto : Automatically update the database entries on each build.

daily : Update the database entries once per day.

weekly: Update the database entries once per week.

offline : Disable the synchronization mechanism.

-->

<updates>daily</updates><!-- was: auto -->

</rule> </rules> </configuration> </execution> </executions> </plugin>
Vulnerability database is sourced from: https://victi.ms with backing from RedHat.

REFERENCES:

OWASP Dependency Vulnerability Scanning of Java JARs with Maven

See https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities.

NOTE: OWASP dependency scanner can be used in conjunction with the victims-enforcer.

Add to your projects pom.xml:
<plugin> <groupId>org.owasp</groupId> <artifactId>dependency-check-maven</artifactId> <version>1.3.4</version> <executions> <execution> <goals> <goal>check</goal> </goals> </execution> </executions> </plugin>

Each time you build, the plug-in will verify the assets against the list of known vulnerable libraries and report them in your output.

Vulnerability database is populated from: https://nvd.nist.gov.

NOTES:

The example above is a very simple implementation, see the documentation for additional functions.
The first use of the plug-in can take a long time as the vulnerability library must be installed locally before initial use.
Similar functionality is available for Ant builds, if desired.

REFERENCES:

RetireJS javascript libary vulnerability scanning with Maven

It’s important to note that even though your site is using a vulnerable library, that does not necessarily mean your site is vulnerable. It depends on whether and how your site exercises
the vulnerable code. That said, it’s better to be safe than sorry.

I identified this method of using the asset after reading the instructions for the Burp/Gulp scanner from h3xstream after the following section caught my eye:
https://github.com/h3xstream/burp-retire-js#maven-plugin-, it contained a small reference to Maven and even showed output but no configuration for use. A couple of attempts later I came up with the following:

Add to pom.xml:
<build> <plugins> <plugin> <groupId>com.h3xstream.retirejs</groupId> <artifactId>retirejs-maven-plugin</artifactId> <version>2.1.0</version> <executions> <execution> <id>scanProjectJavascript</id> <phase>install</phase> <goals> <goal>scan</goal> </goals> </execution> </executions> </plugin> </plugins> </build>

After adding this to your pom.xml, the console output for each build will contain information regarding each vulnerable JavaScript library.

One small problem exists in the current version, use behind corporate firewalls can often be blocked, resulting in an error in the console and use of an older version of the vulnerability library to be used in scans.

Error example:
[ERROR] Exception while loading the repository (Most likely unable to access the internet) java.net.UnknownHostException: raw.githubusercontent.com

See the following for updates:
https://github.com/h3xstream/burp-retire-js/issues/8

See https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities.

REFERENCES:

S	M	T	W	T	F	S
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30