Fixes for PR 492

chrome/extension/js/generated/retire-chrome.js

@@ -1873,12 +1873,27 @@ module.exports={
           "info": [
             "http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/",
             "http://research.insecurelabs.org/jquery/test/",
-            "https://bugs.jquery.com/ticket/11974",
             "https://github.com/advisories/GHSA-rmxg-73gg-4p98",
             "https://github.com/jquery/jquery/issues/2432",
             "https://nvd.nist.gov/vuln/detail/CVE-2015-9251"
           ]
         },
+        {
+          "atOrAbove": "1.8.0",
+          "below": "2.2.0",
+          "cwe": [
+            "CWE-79"
+          ],
+          "severity": "medium",
+          "identifiers": {
+            "summary": "parseHTML() executes scripts in event handlers",
+            "issue": "11974"
+          },
+          "info": [
+            "http://research.insecurelabs.org/jquery/test/",
+            "https://bugs.jquery.com/ticket/11974"
+          ]
+        },
         {
           "below": "2.999.999",
           "cwe": [
@@ -1912,12 +1927,27 @@ module.exports={
           "info": [
             "http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/",
             "http://research.insecurelabs.org/jquery/test/",
-            "https://bugs.jquery.com/ticket/11974",
             "https://github.com/advisories/GHSA-rmxg-73gg-4p98",
             "https://github.com/jquery/jquery/issues/2432",
             "https://nvd.nist.gov/vuln/detail/CVE-2015-9251"
           ]
         },
+        {
+          "atOrAbove": "2.2.2",
+          "below": "3.0.0",
+          "cwe": [
+            "CWE-79"
+          ],
+          "severity": "medium",
+          "identifiers": {
+            "summary": "parseHTML() executes scripts in event handlers",
+            "issue": "11974"
+          },
+          "info": [
+            "http://research.insecurelabs.org/jquery/test/",
+            "https://bugs.jquery.com/ticket/11974"
+          ]
+        },
         {
           "atOrAbove": "3.0.0-rc.1",
           "below": "3.0.0",
@@ -5226,6 +5256,25 @@ module.exports={
             "https://www.herodevs.com/vulnerability-directory/cve-2024-8372"
           ]
         },
+        {
+          "atOrAbove": "1.7.0",
+          "below": "1.8.8",
+          "severity": "medium",
+          "cwe": [
+            "CWE-1333",
+            "CWE-770"
+          ],
+          "identifiers": {
+            "summary": "angular vulnerable to regular expression denial of service (ReDoS)",
+            "CVE": [
+              "CVE-2022-25844"
+            ],
+            "githubID": "GHSA-m2h2-264f-f486"
+          },
+          "info": [
+            "https://github.com/advisories/GHSA-m2h2-264f-f486"
+          ]
+        },
         {
           "atOrAbove": "0",
           "below": "1.9.8",
@@ -5283,25 +5332,6 @@ module.exports={
           "info": [
             "https://docs.angularjs.org/misc/version-support-status"
           ]
-        },
-        {
-          "atOrAbove": "1.7.0",
-          "below": "999",
-          "severity": "medium",
-          "cwe": [
-            "CWE-1333",
-            "CWE-770"
-          ],
-          "identifiers": {
-            "summary": "angular vulnerable to regular expression denial of service (ReDoS)",
-            "CVE": [
-              "CVE-2022-25844"
-            ],
-            "githubID": "GHSA-m2h2-264f-f486"
-          },
-          "info": [
-            "https://github.com/advisories/GHSA-m2h2-264f-f486"
-          ]
         }
       ],
       "extractors": {
@@ -10390,7 +10420,7 @@ module.exports={
           ]
         },
         {
-          "atOrAbove": "0",
+          "atOrAbove": "0.7.30",
           "below": "0.7.33",
           "cwe": [
             "CWE-1333",

node/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## [5.4.0]
+
+### Improvements
+
+- Add possibility to exclude specific versions for a vulnerability (example: jquery-1.12.4-aem which has some extra patches).
+
 ## [5.3.0]
 
 ### Improvement

node/lib/retire.js

@@ -4,7 +4,7 @@
  */
 
 var exports = exports || {};
-exports.version = '5.3.0';
+exports.version = '5.4.0';
 
 function isDefined(o) {
   return typeof o !== 'undefined';
@@ -103,6 +103,9 @@ function check(results, repo) {
         if (isDefined(vulns[i].atOrAbove) && !isAtOrAbove(result.version, vulns[i].atOrAbove)) {
           continue;
         }
+        if (isDefined(vulns[i].excludes) && vulns[i].excludes.includes(result.version)) {
+          continue;
+        }
         var vulnerability = { info: vulns[i].info, below: vulns[i].below, atOrAbove: vulns[i].atOrAbove };
         if (vulns[i].severity) {
           vulnerability.severity = vulns[i].severity;

node/package.json

@@ -2,7 +2,7 @@
   "author": "Erlend Oftedal <erlend@oftedal.no>",
   "name": "retire",
   "description": "Retire is a tool for detecting use of vulnerable libraries",
-  "version": "5.3.0",
+  "version": "5.4.0",
   "license": "Apache-2.0",
   "repository": {
     "type": "git",

node/spec/tests/versions.spec.ts

@@ -67,4 +67,16 @@ describe('versions', function () {
     assert.isNotVulnerable(result);
     done();
   });
+  it('should_not_be_vulnerable_when_version_in_excludes_list', function (done) {
+    repo.jquery.vulnerabilities = [{ atOrAbove: '1.0.0', below: '3.0.0', excludes: ['1.12.4-aem'] }];
+    const result = retire.scanUri('https://ajax.googleapis.com/ajax/libs/jquery/1.12.4-aem/jquery.min.js', repo);
+    assert.isNotVulnerable(result);
+    done();
+  });
+  it('should_be_vulnerable_when_similar_version_not_in_excludes_list', function (done) {
+    repo.jquery.vulnerabilities = [{ atOrAbove: '1.0.0', below: '3.0.0', excludes: ['1.12.4-aem'] }];
+    const result = retire.scanUri('https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js', repo);
+    assert.isVulnerable(result);
+    done();
+  });
 });

node/src/cli.ts

@@ -72,7 +72,7 @@ const jsrepolocation: string[] = (prg.jsrepo ?? "'central'")
   .split(',')
   .map((x: string) =>
     x === "'central'"
-      ? 'https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/jsrepository-v4.json'
+      ? 'https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/jsrepository-v5.json'
       : x,
   );
 

node/src/repo.ts

@@ -21,6 +21,7 @@ export function validateRepository(
     .object({
       below: versionValidator,
       atOrAbove: versionValidator.optional(),
+      excludes: z.array(versionValidator).optional(),
       severity: z.enum(keys),
       cwe: z.array(z.string().regex(/^CWE-[0-9]+$/)).min(1),
       identifiers: z

node/src/types.ts

@@ -23,6 +23,7 @@ export type Repository = Record<
 export type Vulnerability = {
   below: string;
   atOrAbove?: string;
+  excludes?: string[];
   severity: SeverityLevel;
   cwe: string[];
   identifiers: {

repository/convertFormat.js

@@ -18,7 +18,8 @@ function convertToOldFormat(
   input,
   includeQueries = false,
   includeBackdoored = false,
-  includeLicenses = false
+  includeLicenses = false,
+  includeExcludes = false,
 ) {
   const result = {};
   Object.entries(input).forEach(([key, value]) => {
@@ -28,12 +29,16 @@ function convertToOldFormat(
       const { ranges, summary, identifiers, info, ...rest } = v;
 
       ranges.forEach((r) => {
-        vulns.push({
+        const vuln = {
           ...r,
           ...rest,
           identifiers: { summary, ...identifiers },
           info,
-        });
+        };
+        if (!includeExcludes && r.excludes) {
+          vuln.excludes = undefined;
+        }
+        vulns.push(vuln);
       });
     });
     vulns.sort((a, b) => {

repository/convertToVersioned

@@ -14,3 +14,6 @@ fs.writeFileSync("jsrepository-v3.json", JSON.stringify(resultV3, null, 2));
 
 const resultV4 = convert(data, true, false, true);
 fs.writeFileSync("jsrepository-v4.json", JSON.stringify(resultV4, null, 2));
+
+const resultV5 = convert(data, true, false, true, true);
+fs.writeFileSync("jsrepository-v5.json", JSON.stringify(resultV5, null, 2));

repository/jsrepository-master.json

@@ -98,7 +98,8 @@
           },
           {
             "atOrAbove": "1.12.3",
-            "below": "3.0.0-beta1"
+            "below": "3.0.0-beta1",
+            "excludes": ["1.12.4-aem"]
           }
         ],
         "summary": "3rd party CORS request may execute",
@@ -214,7 +215,8 @@
       {
         "ranges": [
           {
-            "below": "2.999.999"
+            "below": "2.999.999",
+            "excludes": ["1.12.4-aem"]
           }
         ],
         "summary": "jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates",