Bump retire version to 2.0.2
What does this MR do?
After spending a couple of hours rewriting this, it turns out I can just specify --outputformat jsonsimple to get back the old behavior.
There is 1 breaking change, however, that I think is worth further discussing: the dependency paths appear to have updated to point at transitive dependencies instead of direct ones. I'm not sure what our desired behavior is here, so I'm phoning a friend!
--- test/fixtures/gl-dependency-scanning-report.json 2019-03-14 16:28:10.000000000 -0700
+++ test/expect/gl-dependency-scanning-report.json 2019-03-14 09:37:01.000000000 -0700
@@ -4,14 +4,14 @@
{
"category": "dependency_scanning",
"message": "Vulnerability in ansi2html",
- "cve": "sast-test-npm/node_modules/ansi2html/package.json:ansi2html:npm:51",
+ "cve": "sast-test-npm/package.json:ansi2html:npm:51",
"severity": "High",
"scanner": {
"id": "retire.js",
"name": "Retire.js"
},
"location": {
- "file": "sast-test-npm/node_modules/ansi2html/package.json",
+ "file": "sast-test-npm/package.json",
"dependency": {
"package": {
"name": "ansi2html"
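Review bot: the path is embedded in the "cve" field as well as in "location.file", so the move from sast-test-npm/node_modules/ansi2html/package.json to sast-test-npm/package.json changes the finding's identifier, not only its reported location; anything that tracks findings across scans by that value will see the old finding disappear and a new one appear. Worth deciding in the changelog entry which path is intended and whether the nested path (the package that actually contains the vulnerable code) should be preserved somewhere in the entry. Also note the `---`/`+++` headers compare test/fixtures/gl-dependency-scanning-report.json against test/expect/gl-dependency-scanning-report.json, two different files rather than before and after of one file, so this hunk shows the fixture diverging from the expected output rather than a change to a single file.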
Or a more real example, where there is a vulnerability within dagre-d3-renderer due to a direct dependency on jquery:
{
"category": "dependency_scanning",
"name": "3rd party CORS request may execute",
"message": "3rd party CORS request may execute in jquery",
"cve": "node_modules/dagre-d3-renderer/dist/demo/jquery-1.9.1.min.js:jquery:cve:CVE-2015-9251",
"severity": "Medium",
"scanner": {
"id": "retire.js",
"name": "Retire.js"
},
"location": {
"file": "node_modules/dagre-d3-renderer/dist/demo/jquery-1.9.1.min.js",
"dependency": {
"package": {
"name": "jquery"
},
"version": "1.9.1.min"
}
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2015-9251",
"value": "CVE-2015-9251",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251"
}
],
"links": [
{
"url": "https://github.com/jquery/jquery/issues/2432"
},
{
"url": "http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/"
},
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-9251"
},
{
"url": "http://research.insecurelabs.org/jquery/test/"
}
]
}
And due to the magic of retire.js there is no true CHANGELOG, but I've sanity tested this against gitlab-ee and it appears to work as expected.
Retire.js changes between 1.6.2 and 2.0.2: https://github.com/RetireJS/retire.js/compare/095061d367e947d57ebbac77019447735500e438...76c99bc16b7748d9876eda26e164f790eef8cab8
What are the relevant issue numbers?
https://gitlab.com/gitlab-org/gitlab-ee/issues/8899
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer
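As an added example (not part of this MR or the project's code), a small check that compares two versions of a report on a path-independent key, so the path change discussed in the description shows up as a relocated finding rather than as one finding disappearing and a new one appearing. The sample entries are constructed from the ansi2html hunk above; the "<file>:<package>:<source>:<advisory>" layout of the cve field is inferred from the two entries shown and is an assumption.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample entries modelled on the fixture/expect hunk in the MR
# description; the real reports carry more fields than shown here.
FIXTURE_ENTRIES: List[dict] = json.loads("""[{
  "category": "dependency_scanning", "message": "Vulnerability in ansi2html",
  "cve": "sast-test-npm/node_modules/ansi2html/package.json:ansi2html:npm:51",
  "severity": "High",
  "location": {"file": "sast-test-npm/node_modules/ansi2html/package.json",
               "dependency": {"package": {"name": "ansi2html"}}}}]""")
EXPECT_ENTRIES: List[dict] = json.loads("""[{
  "category": "dependency_scanning", "message": "Vulnerability in ansi2html",
  "cve": "sast-test-npm/package.json:ansi2html:npm:51",
  "severity": "High",
  "location": {"file": "sast-test-npm/package.json",
               "dependency": {"package": {"name": "ansi2html"}}}}]""")


def split_retire_id(cve: str) -> Tuple[str, str, str, str]:
    """Split an id of the assumed form '<file>:<package>:<source>:<advisory>'.
    rsplit keeps any ':' inside the file path with the path."""
    path, package, source, advisory = cve.rsplit(":", 3)
    return path, package, source, advisory


def is_transitive(path: str) -> bool:
    """A path under node_modules/ points at an installed (possibly transitive) package."""
    return "node_modules/" in path


def finding_key(entry: dict) -> Tuple[str, str, str]:
    """Path-independent identity: (package, source, advisory)."""
    _, package, source, advisory = split_retire_id(entry["cve"])
    return package, source, advisory


def diff_reports(old: List[dict], new: List[dict]) -> Dict[str, list]:
    """Classify findings as added, removed, or relocated between two reports."""
    old_by_key = {finding_key(e): e for e in old}
    new_by_key = {finding_key(e): e for e in new}
    result: Dict[str, list] = {"added": [], "removed": [], "path_changed": []}
    for key, new_entry in new_by_key.items():
        old_entry = old_by_key.get(key)
        if old_entry is None:
            result["added"].append(key)
        elif old_entry["cve"] != new_entry["cve"] or \
                old_entry["location"]["file"] != new_entry["location"]["file"]:
            old_file, new_file = old_entry["location"]["file"], new_entry["location"]["file"]
            result["path_changed"].append({"key": key, "old_file": old_file, "new_file": new_file,
                                           "old_is_transitive": is_transitive(old_file),
                                           "new_is_transitive": is_transitive(new_file)})
    result["removed"] = [key for key in old_by_key if key not in new_by_key]
    return result
```

Run `diff_reports(FIXTURE_ENTRIES, EXPECT_ENTRIES)` to see the ansi2html finding reported once as relocated, with the old path flagged as transitive and the new one as the top-level manifest.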