
Bump retire version to 2.0.2

Lucas Charles requested to merge bump-2.0.2-jsonsimple into master

What does this MR do?

After spending a couple of hours rewriting this, it turns out I can just specify --outputformat jsonsimple to get back the old behavior 😀

There is one breaking change, however, that I think is worth discussing further: the dependency paths appear to have been updated to point at transitive dependencies instead of direct ones. I'm not sure what our desired behavior is here, so I'm phoning a friend!

--- test/fixtures/gl-dependency-scanning-report.json	2019-03-14 16:28:10.000000000 -0700
+++ test/expect/gl-dependency-scanning-report.json	2019-03-14 09:37:01.000000000 -0700
@@ -4,14 +4,14 @@
     {
       "category": "dependency_scanning",
       "message": "Vulnerability in ansi2html",
-      "cve": "sast-test-npm/node_modules/ansi2html/package.json:ansi2html:npm:51",
+      "cve": "sast-test-npm/package.json:ansi2html:npm:51",
       "severity": "High",
       "scanner": {
         "id": "retire.js",
         "name": "Retire.js"
       },
       "location": {
-        "file": "sast-test-npm/node_modules/ansi2html/package.json",
+        "file": "sast-test-npm/package.json",
         "dependency": {
           "package": {
             "name": "ansi2html"
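
Review bot: the `cve` value on the `+` line embeds the location file, so moving `location.file` from `sast-test-npm/node_modules/ansi2html/package.json` to `sast-test-npm/package.json` also rewrites the finding's identifier, not only its location; before accepting this expectation change, confirm whether anything that compares reports across runs keys on `cve`, because an identifier-only change makes every existing ansi2html finding look resolved and re-introduced at once. The new `location.file` also drops the information that ansi2html sits under `node_modules` rather than being declared in the root `package.json`, which is the direct-versus-transitive question raised in the description; the expected fixture should record whichever convention is decided on rather than just whatever the new output happens to emit.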

Or a more realistic example, where there is a vulnerability within dagre-d3-renderer due to a direct dependency on jquery:

    {
      "category": "dependency_scanning",
      "name": "3rd party CORS request may execute",
      "message": "3rd party CORS request may execute in jquery",
      "cve": "node_modules/dagre-d3-renderer/dist/demo/jquery-1.9.1.min.js:jquery:cve:CVE-2015-9251",
      "severity": "Medium",
      "scanner": {
        "id": "retire.js",
        "name": "Retire.js"
      },
      "location": {
        "file": "node_modules/dagre-d3-renderer/dist/demo/jquery-1.9.1.min.js",
        "dependency": {
          "package": {
            "name": "jquery"
          },
          "version": "1.9.1.min"
        }
      },
      "identifiers": [
        {
          "type": "cve",
          "name": "CVE-2015-9251",
          "value": "CVE-2015-9251",
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251"
        }
      ],
      "links": [
        {
          "url": "https://github.com/jquery/jquery/issues/2432"
        },
        {
          "url": "http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-9251"
        },
        {
          "url": "http://research.insecurelabs.org/jquery/test/"
        }
      ]
    }

And, due to the magic of retire.js, there is no true CHANGELOG, but I've sanity-tested this against gitlab-ee and it appears to work as expected.

Retire.js changes between 1.6.2 and 2.0.2: https://github.com/RetireJS/retire.js/compare/095061d367e947d57ebbac77019447735500e438...76c99bc16b7748d9876eda26e164f790eef8cab8

What are the relevant issue numbers?

https://gitlab.com/gitlab-org/gitlab-ee/issues/8899

Does this MR meet the acceptance criteria?

Edited by Fabien Catteau
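
As an added illustration of why the path change discussed above is a breaking change (this is example code, not part of this MR or of the retire.js analyzer): the report's `cve` field has the shape `<file>:<package>:<type>:<id>`, so a change to `location.file` also changes the key that a path-keyed comparison of two reports would use. The script below builds two small reports from the ansi2html and jquery entries shown in the description (constructed samples; the surrounding `vulnerabilities` array is an assumption about the report wrapper), compares them once keyed on the raw `cve` string and once with the file path stripped, and lists findings that only moved.

```python
"""Added example, not code from this MR or from the retire.js analyzer.

Shows how a change in a finding's location path ripples into the report's
`cve` field (`<file>:<package>:<type>:<id>`) and therefore into any matching
of findings between two reports that is keyed on that field.
"""
import json

# Constructed sample reports, reduced to the fields visible in the MR
# description.  The `vulnerabilities` wrapper is an assumption about the
# surrounding report structure; the entries are the ansi2html finding before
# the bump and the (unchanged) jquery finding.
OLD_REPORT = json.loads("""
{"vulnerabilities": [
  {"category": "dependency_scanning",
   "message": "Vulnerability in ansi2html",
   "cve": "sast-test-npm/node_modules/ansi2html/package.json:ansi2html:npm:51",
   "severity": "High",
   "location": {"file": "sast-test-npm/node_modules/ansi2html/package.json",
                "dependency": {"package": {"name": "ansi2html"}}}},
  {"category": "dependency_scanning",
   "message": "3rd party CORS request may execute in jquery",
   "cve": "node_modules/dagre-d3-renderer/dist/demo/jquery-1.9.1.min.js:jquery:cve:CVE-2015-9251",
   "severity": "Medium",
   "location": {"file": "node_modules/dagre-d3-renderer/dist/demo/jquery-1.9.1.min.js",
                "dependency": {"package": {"name": "jquery"}, "version": "1.9.1.min"}}}
]}
""")

# The report after the bump: same findings, but the ansi2html location (and
# with it the `cve` key) now points at the root package.json, as in the MR diff.
NEW_REPORT = json.loads(json.dumps(OLD_REPORT))  # deep copy via JSON round-trip
NEW_REPORT["vulnerabilities"][0]["cve"] = "sast-test-npm/package.json:ansi2html:npm:51"
NEW_REPORT["vulnerabilities"][0]["location"]["file"] = "sast-test-npm/package.json"


def path_keyed(finding):
    """Identity exactly as the report gives it: the `cve` string, path included."""
    return finding["cve"]


def path_insensitive(finding):
    """Identity with the file path dropped.  `cve` is <file>:<package>:<type>:<id>,
    so split off the last three colon-separated fields (the paths here contain
    no colons themselves)."""
    _file, package, id_type, id_value = finding["cve"].rsplit(":", 3)
    return (package, id_type, id_value)


def compare(old_report, new_report, key):
    """Classify findings as resolved / new / matched under the given identity."""
    old_keys = {key(v) for v in old_report["vulnerabilities"]}
    new_keys = {key(v) for v in new_report["vulnerabilities"]}
    return {
        "resolved": sorted(old_keys - new_keys),
        "new": sorted(new_keys - old_keys),
        "matched": sorted(old_keys & new_keys),
    }


def moved(old_report, new_report):
    """Findings that match path-insensitively but whose location file changed:
    exactly the cases a path-keyed comparison mis-reports as resolved + new."""
    old_by_key = {path_insensitive(v): v for v in old_report["vulnerabilities"]}
    result = []
    for finding in new_report["vulnerabilities"]:
        key = path_insensitive(finding)
        if key in old_by_key and old_by_key[key]["location"]["file"] != finding["location"]["file"]:
            result.append((key, old_by_key[key]["location"]["file"], finding["location"]["file"]))
    return result


if __name__ == "__main__":
    print("keyed on raw cve:  ", compare(OLD_REPORT, NEW_REPORT, path_keyed))
    print("keyed without path:", compare(OLD_REPORT, NEW_REPORT, path_insensitive))
    print("moved only:        ", moved(OLD_REPORT, NEW_REPORT))
```

Keyed on the raw `cve` string, the ansi2html finding shows up as one resolved and one new vulnerability even though nothing about the package or the advisory changed; with the path stripped it matches, and `moved` reports the old and new file. Whichever location convention is chosen for the fixture, the comparison side needs a key that does not depend on it.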
