DependencyCheck: RetireJS analyzer broken

RetireJS analyzer has been broken by this commit: https://github.com/RetireJS/retire.js/commit/60ffbeb1523c503da886b2a47b39551697ed06c8

I’m not sure whether this really belongs here or not, but this kind of stuff is going to break a lot of builds; IDK if sourcing the master version of RetireJS is safe.

Running 7.1.1:

[WARNING] An unexpected error occurred during analysis of '/tmp/dctempd5b4f323-e9be-4053-bb71-08529bfea0d5/check6218485102994472862tmp/271/org/jacoco/report/internal/html/resources/prettify.js' (RetireJS Analyzer): Unclosed character class near index 79
u.version="([0-9][0-9.a-z_\\\\-]+)";u.settings=[];u.models=\{\};u.models.oSearch

                                                                               ^
[ERROR] 
java.util.regex.PatternSyntaxException: Unclosed character class near index 79
u.version="([0-9][0-9.a-z_\\\\-]+)";u.settings=[];u.models=\{\};u.models.oSearch

    at java.util.regex.Pattern.error (Pattern.java:1969)
    at java.util.regex.Pattern.clazz (Pattern.java:2562)
    at java.util.regex.Pattern.sequence (Pattern.java:2077)
    at java.util.regex.Pattern.expr (Pattern.java:2010)
    at java.util.regex.Pattern.compile (Pattern.java:1702)
    at java.util.regex.Pattern.<init> (Pattern.java:1352)
    at java.util.regex.Pattern.compile (Pattern.java:1028)
    at com.h3xstream.retirejs.repo.VulnerabilitiesRepository.findByFileContent (VulnerabilitiesRepository.java:117)
    at com.h3xstream.retirejs.repo.ScannerFacade.scanScript (ScannerFacade.java:125)
    at org.owasp.dependencycheck.analyzer.RetireJsAnalyzer.analyzeDependency (RetireJsAnalyzer.java:286)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:624)
    at java.lang.Thread.run (Thread.java:750)
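The pattern in the error text contains `u.settings=[]`. JavaScript accepts `[]` as an empty character class, but java.util.regex reads a `]` directly after `[` as a literal and then never finds the closing bracket, which is exactly the "Unclosed character class" above. Python's `re` module shares that reading, so the following added check (not code from this issue, DependencyCheck or retire.js) uses it as a stand-in to pre-validate every extractor regex in a pinned jsrepository.json before a build points `retireJsUrl` at it. The `§§version§§` expansion is copied from the error output above and assumed to be what the Java port substitutes; the sample repository content is constructed.

```python
import json
import re

# Version placeholder used in retire.js extractor regexes and the expansion
# seen in the issue's error output (assumed to match the Java port's substitution).
VERSION_PLACEHOLDER = "§§version§§"
VERSION_REGEX = r"[0-9][0-9.a-z_\\\\-]+"


def check_extractor_regexes(repo_json_text):
    """Return (library, extractor_kind, pattern, error) for every extractor
    regex that Python's re rejects. Like java.util.regex, re treats a ']'
    immediately after '[' as a literal, so the JavaScript-valid empty class
    '[]' leaves the character class unclosed."""
    repo = json.loads(repo_json_text)
    problems = []
    for lib, entry in repo.items():
        if not isinstance(entry, dict):
            continue
        extractors = entry.get("extractors", {})
        for kind in ("filecontent", "filename", "uri"):
            for pattern in extractors.get(kind, []):
                expanded = pattern.replace(VERSION_PLACEHOLDER, VERSION_REGEX)
                try:
                    re.compile(expanded)
                except re.error as exc:
                    problems.append((lib, kind, pattern, str(exc)))
    return problems


# Constructed sample with the same shape as jsrepository.json: the first
# extractor uses the JavaScript-only empty class '[]', the second escapes it.
SAMPLE_REPO = json.dumps({
    "example-lib-bad": {
        "extractors": {
            "filecontent": [r'u.version="(§§version§§)";u.settings=[];u.models=\{\};'],
        }
    },
    "example-lib-good": {
        "extractors": {
            "filecontent": [r'u.version="(§§version§§)";u.settings=\[\];u.models=\{\};'],
            "filename": [r"example-(§§version§§)(\.min)?\.js"],
        }
    },
})

if __name__ == "__main__":
    for lib, kind, pattern, err in check_extractor_regexes(SAMPLE_REPO):
        print(f"{lib}/{kind}: {pattern!r} -> {err}")
```

Run it against the file you intend to pin (for example the 33b4076 revision referenced in this thread) to confirm it compiles cleanly before freezing `retireJsUrl` on it.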

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 34
  • Comments: 21 (5 by maintainers)

Most upvoted comments

Looks like RetireJS has changed the expression at https://github.com/RetireJS/retire.js/commit/7007575f637b840016edf8a9512d608f00795b1b as of a few minutes ago, so this is working again with the default retireJsUrl now (although you may have to purge the cache as noted above).

Hello, this worked for me

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>7.1.1</version>
    <configuration>
        <retireJsUrl>
            https://raw.githubusercontent.com/RetireJS/retire.js/33b4076ce87f3898b81af4fc1770a7b65aa54bcb/repository/jsrepository.json
        </retireJsUrl>
    </configuration>
    <executions>
        <execution>
            <goals>
                <goal>check</goal>
            </goals>
        </execution>
    </executions>
</plugin>

The workaround so far is to add:

<retireJsUrl>https://raw.githubusercontent.com/Retirejs/retire.js/3.0.6/repository/jsrepository.json</retireJsUrl>

Alternate workaround is <retireJsUrl>https://raw.githubusercontent.com/RetireJS/retire.js/33b4076ce87f3898b81af4fc1770a7b65aa54bcb/repository/jsrepository.json</retireJsUrl>, which is the commit immediately before the problematic one. Going back to 3.0.6 is quite a way back in history.

Equivalent fix for the Gradle plugin (with Groovy) is:

dependencyCheck {
  analyzers {
    retirejs {
      // Repository version locked due to https://github.com/jeremylong/DependencyCheck/issues/4695
      retireJsUrl = 'https://raw.githubusercontent.com/RetireJS/retire.js/33b4076ce87f3898b81af4fc1770a7b65aa54bcb/repository/jsrepository.json'
    }
  }
}

I don’t have to provide jsrepository.json. Is this issue fixed now?

@workwithprashant Yes. 3 replies above yours.

Hi, I have tried adding --retireJsUrl https://raw.githubusercontent.com/Retirejs/retire.js/3.0.6/repository/jsrepository.json in my command line, but it is still not working. Any suggestions?

Deleting ~/.gradle/dependency-check-data/7.0/jsrepository.json worked for me.

Removing ~/.m2/repository/org/owasp/dependency-check-data/7.0/jsrepository.json was suggested as well.

For CLI users, if you’re still having issues after adding this flag

--retireJsUrl https://raw.githubusercontent.com/RetireJS/retire.js/33b4076ce87f3898b81af4fc1770a7b65aa54bcb/repository/jsrepository.json

try running --purge first to delete the local copy.

(updated to avoid copy-pastes, based on @chadlwilson’s comment)

The workaround so far is to add:

<retireJsUrl>https://raw.githubusercontent.com/RetireJS/retire.js/33b4076ce87f3898b81af4fc1770a7b65aa54bcb/repository/jsrepository.json</retireJsUrl>

configuration to the plugin, and remove ~/.m2/repository/org/owasp/dependency-check-data/7.0/jsrepository.json. Forcing an update won’t help (see https://github.com/jeremylong/DependencyCheck/issues/4696).

These steps worked for me:

mvn dependency:purge-local-repository
rm -rf ~/.m2/repository/org/owasp/dependency-check-data/7.0/jsrepository.json

Run the job again!

This broke ALL of our builds 😦, since we all embed Redoc UI for rendering Swagger OpenAPI. Every Java / Gradle build now fails across the entire company… hope there is a permanent fix soon 😕

I suspect there may not be unless the retirejs folks roll back the commit. And I suspect they probably won’t be so keen to do that, as the issue seems to be with assumptions made in the parsing library that OWASP Dependency Check uses rather than an issue with the feed itself.

However, if you have put OWASP dependency check on the critical path for every build - rather than something that happens on schedule (say, daily) for each codebase - I’d hope you are in a position to easily lock the RetireJS feed as suggested, since ability to change easily is really the only way to mitigate a live external dependency like this, whether it’s RetireJS or NVD or OSSINDEX.

@chadlwilson any idea how to implement this in the Kotlin DSL? I don’t see any config for RetireJSAnalyzer in 7.1.1

configure<DependencyCheckPlugin> {
 // no retireJsUrl var in here
}

My bad, it was an import issue. I was able to configure this:

configure<org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension> {
    format = org.owasp.dependencycheck.reporting.ReportGenerator.Format.HTML
    outputDirectory = "${project.buildDir}/reports"
    failBuildOnCVSS = 7f
    // Repository version locked due to https://github.com/jeremylong/DependencyCheck/issues/4695
    analyzers.retirejs.retireJsUrl = "https://raw.githubusercontent.com/RetireJS/retire.js/33b4076ce87f3898b81af4fc1770a7b65aa54bcb/repository/jsrepository.json"
}