@dsblack0 dsblack0 commented Oct 24, 2025

Static Analysis Tool: retire.js

retire.js helps detect known vulnerabilities in JavaScript libraries to limit the use of vulnerable components in web or Node.js apps. This tool can be used to run static scans on an app to search for JavaScript libraries and Node.js modules that contain known vulnerabilities. The tool's results provide details on the vulnerabilities found.

Usage

Get scan results in a readable JSON format:
npm run security-scan

Output

See retirejs-output.txt for a sample output from a scan on the app.

For each file found to have known vulnerabilities, the vulnerabilities are given with:

  • severity
  • currently installed library version vs. latest safe version
  • CVE, CWEs, and vulnerability summary
  • references and sources

Evidence of Installation


Full sample output saved in retirejs-output.txt.

  • Added retire as a devDependency in package.json.
  • Added a script in package.json to run retire.js with the output formatted in easily readable JSON.

Customization & Integration

Customization can be applied for:

  • Specifying the file path to scan certain directories
  • Specifying the output format as JSON, text, or cyclonedx (generates a Software Bill of Materials)
  • Filtering vulnerabilities by severity

The node_modules folder was excluded from the scan in .retireignore:

  • It contains many files for dependencies, which can include duplicates if dependencies have common dependencies of their own.
  • Retire.js is mainly focused on scanning files deployed to the web app, like client-side libraries, rather than server-side dependencies.
  • It is more effective to use tools like npm audit to check for vulnerabilities in these server-side dependencies.

Integration into the development process is possible via GitHub Actions.

Possible Errors:

  • There may be false positives if retire.js reports vulnerabilities in functions from a library even though those functions aren't used in the app.
  • There may be false negatives as retire.js scans based on vulnerabilities that it knows, but if its database is outdated, it could miss some vulnerabilities.
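An added example, not code from this PR or from retire.js itself, of what a CI gate over the scan output described above could look like: it reads a retire.js JSON report, flattens every finding into the fields the PR lists (severity, installed version, CVEs, summary, references), derives the lowest version that clears all advisories on a component, and exits non-zero when any finding meets a severity threshold (the "filter by severity" customization and the GitHub Actions integration taken together). The report structure assumed here (a top-level data array of file entries, each with results carrying a component, version and vulnerabilities that have severity, below, identifiers and info) follows retire.js's JSON output; the sample report, file paths and version string are constructed for the example, while the two CVEs are real jQuery advisories fixed in 3.5.0. A missing or unrecognised severity is treated as blocking so that a malformed entry fails closed.

```javascript
// Added example (not from the PR or from retire.js): gate a CI job on a retire.js JSON report.
// Assumption: report shape is { data: [{ file, results: [{ component, version,
// vulnerabilities: [{ severity, atOrAbove, below, identifiers: { summary, CVE }, info }] }] }] }.
const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };

// Constructed sample: one vendored jQuery bundle checked in twice. The CVEs are real
// jQuery advisories (fixed in 3.5.0); the paths and the detected version are made up.
const jqueryResult = {
  component: "jquery",
  version: "1.12.4",
  detection: "filecontent",
  vulnerabilities: [
    {
      severity: "medium", atOrAbove: "1.2.0", below: "3.5.0",
      identifiers: { summary: "XSS via jQuery.htmlPrefilter", CVE: ["CVE-2020-11022"] },
      info: ["https://nvd.nist.gov/vuln/detail/CVE-2020-11022"],
    },
    {
      severity: "medium", atOrAbove: "1.0.3", below: "3.5.0",
      identifiers: { summary: "XSS via <option> elements passed to jQuery DOM methods", CVE: ["CVE-2020-11023"] },
      info: ["https://nvd.nist.gov/vuln/detail/CVE-2020-11023"],
    },
  ],
};
const SAMPLE_REPORT = {
  version: "5.2.0",
  data: [
    { file: "public/js/jquery-1.12.4.min.js", results: [jqueryResult] },
    { file: "static/legacy/jquery.min.js", results: [jqueryResult] }, // duplicate copy
  ],
  messages: [],
  errors: [],
};

// Numeric dotted-version compare; enough for the x.y.z strings retire emits.
function compareVersions(a, b) {
  const pa = String(a).split(".").map(Number);
  const pb = String(b).split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Lowest version clearing every advisory on a component: the highest "below" among them.
function minimumSafeVersion(result) {
  return (result.vulnerabilities || [])
    .map((v) => v.below)
    .filter(Boolean)
    .reduce((best, v) => (best === null || compareVersions(v, best) > 0 ? v : best), null);
}

// Rank a severity string; missing or unknown values rank above "critical" (fail closed).
function severityRank(severity) {
  return SEVERITY_RANK[String(severity || "").toLowerCase()] ?? 5;
}

// One row per (file, component, advisory), carrying the fields the PR lists per finding.
function flattenFindings(report) {
  const rows = [];
  for (const entry of report.data || []) {
    for (const result of entry.results || []) {
      const fixedIn = minimumSafeVersion(result);
      for (const vuln of result.vulnerabilities || []) {
        const ids = vuln.identifiers || {};
        rows.push({
          file: entry.file, component: result.component, version: result.version,
          severity: String(vuln.severity || "unknown").toLowerCase(),
          cves: ids.CVE || [], summary: ids.summary || "", fixedIn, references: vuln.info || [],
        });
      }
    }
  }
  return rows;
}

// Verdict for a threshold: duplicates are listed but components and CVEs are counted once.
function gate(report, threshold = "high") {
  const rows = flattenFindings(report);
  const counts = {};
  for (const r of rows) counts[r.severity] = (counts[r.severity] || 0) + 1;
  const blocking = rows.filter((r) => severityRank(r.severity) >= severityRank(threshold));
  return {
    totalFindings: rows.length, counts,
    uniqueComponents: [...new Set(rows.map((r) => `${r.component}@${r.version}`))],
    uniqueCves: [...new Set(rows.flatMap((r) => r.cves))],
    blocking, exitCode: blocking.length > 0 ? 1 : 0,
  };
}

function formatFindings(rows) {
  return rows.map((r) => `[${r.severity}] ${r.file}: ${r.component}@${r.version} -> upgrade to >= ${r.fixedIn} (${r.cves.join(", ") || "no CVE"}) ${r.summary}`);
}

// Usage: node retire-gate.js [report.json] [threshold]; without a file the sample report is used.
if (typeof require !== "undefined" && require.main === module) {
  const report = process.argv[2] ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8")) : SAMPLE_REPORT;
  const verdict = gate(report, process.argv[3] || "high");
  console.log(formatFindings(flattenFindings(report)).join("\n"));
  console.log(`findings=${verdict.totalFindings} blocking=${verdict.blocking.length} exit=${verdict.exitCode}`);
  process.exit(verdict.exitCode);
}
```

Pointing the script at the JSON file written by the scan (the file name and the `retire-gate.js` name are assumptions) and using its exit code is what a GitHub Actions step would rely on to fail the job; the threshold argument plays the role of the severity filter, so the same report can block on "medium" in CI while a local run at "high" stays green.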

coveralls commented Oct 24, 2025

Pull Request Test Coverage Report for Build 18891955159

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 78.211%

Totals Coverage Status
Change from base Build 18765016705: 0.0%
Covered Lines: 25046
Relevant Lines: 30113

💛 - Coveralls

@nihansofia0127 nihansofia0127 left a comment

Nice work! Adding a security scan job to CI plus a retire-based npm script and dependency will help us catch vulnerabilities earlier. I am approving this PR and think it’s ready to merge!

@dsblack0 dsblack0 merged commit f1a669a into main Oct 30, 2025
2 checks passed
4 participants