Vulnerability Detection for Node.js Apps Using Retire

Eliminating from your application all code, including node modules, with known vulnerabilities is an essential part of secure coding. Retire is a Node.js package that looks for reported vulnerabilities in your node modules and/or JavaScript code. It's dirt simple to use, so there's no excuse for not using it.

Just install retire using npm. If you use Grunt, install grunt-retire as well.

The Gruntfile config entry (inside grunt.initConfig) looks like this:

    retire: {
        js: ['app/**/*.js'],        /** Which js-files to scan. **/
        node: ['node_modules'],     /** Which node directories to scan (containing package.json). **/
        options: {
            verbose: true,
            packageOnly: false,
            jsRepository: 'https://raw.github.com/bekk/retire.js/master/repository/jsrepository.json',
            nodeRepository: 'https://raw.github.com/bekk/retire.js/master/repository/npmrepository.json'
        }
    },

You may have to change the js and node paths to match your project layout.

To enable the task, add this to your Gruntfile:

    grunt.registerTask('retireCheck', ['retire']);

Note that grunt.registerTask('retire', ['retire']); will NOT work, because it replaces the plugin's own retire task with an alias that points back to itself.

Now run grunt retireCheck. Make this part of your build process to reduce the potential for vulnerable code to ruin your day!
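To make the matching concrete, here is an added example (my own code, not retire's) of the check retire performs: each installed package version is compared against the version ranges listed in a vulnerability repository. The repository object mirrors the per-package "vulnerabilities" layout of retire's npmrepository.json as I understand it; both it and the installed-module list are constructed samples.

```javascript
// Constructed repository excerpt in the shape of retire's npmrepository.json
// (per-package "vulnerabilities" bounded by "atOrAbove"/"below"). Sample data only.
const sampleRepository = {
  "demo-lib": { vulnerabilities: [
    { atOrAbove: "1.0.0", below: "1.2.4", severity: "high",
      identifiers: { summary: "constructed sample finding A" } },
    { below: "0.9.0", severity: "medium",
      identifiers: { summary: "constructed sample finding B" } }
  ] }
};
// Compare dotted numeric versions ("1.2.10" > "1.2.9"); pre-release tags are not handled.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}
// A version is affected when it lies in the half-open range [atOrAbove, below).
function isAffected(version, vuln) {
  if (vuln.atOrAbove && compareVersions(version, vuln.atOrAbove) < 0) return false;
  return compareVersions(version, vuln.below) < 0;
}

// Walk installed modules (name/version as read from each package.json) and
// report every repository entry whose range contains the installed version.
function scanModules(installed, repository) {
  const findings = [];
  for (const { name, version } of installed) {
    const entry = repository[name];
    if (!entry) continue;
    for (const vuln of entry.vulnerabilities) {
      if (isAffected(version, vuln)) {
        findings.push({ name, version, severity: vuln.severity,
                        summary: vuln.identifiers.summary });
      }
    }
  }
  return findings;
}

// Constructed stand-in for what a walk over node_modules would yield.
const installedSample = [
  { name: "demo-lib", version: "1.2.3" },   // inside [1.0.0, 1.2.4): flagged
  { name: "demo-lib", version: "1.2.4" },   // at the "below" bound: clean
  { name: "other-lib", version: "2.0.0" }   // not in the repository: clean
];
console.log(scanModules(installedSample, sampleRepository)); // → one finding for 1.2.3
```

The same half-open range logic is why a package one patch level below a fix still gets flagged while the fixed version does not.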


About jeffmershon

Director of Program Management at SiriusXM.
This entry was posted in Software.
