RetireJS is an engine that analyzes a project’s third-party JavaScript dependencies and identifies security vulnerabilities. It has a thriving community, and its database of vulnerable libraries is updated frequently.

Salesforce Code Analyzer uses RetireJS to scan for vulnerable third-party libraries that are bundled into a project.

Files representing vulnerable dependencies are detected in three ways:

  • By their name
  • By examining their content
  • By examining the contents of ZIP files

For example, this command scans MyProject for vulnerable third-party libraries.

If MyProject contains MyProject/lorem/ipsum/jquery-3.1.0.min.js, Code Analyzer identifies it as a vulnerable library and reports a violation.

If you rename the file to SomeGenericFile.js or jquery.resource, or hide it inside a ZIP file, Code Analyzer still identifies the vulnerable library and reports it as a violation, because detection does not depend on the file name alone.
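To make the three detection strategies concrete, the following is an added Python example written for this page; it is not Code Analyzer's or RetireJS's own code (RetireJS is a JavaScript project with its own, much larger vulnerability repository). It assumes a constructed one-entry vulnerability table (jQuery below 3.5.0 is reported), constructed file contents, and a single jQuery banner pattern; the names identify_by_name, identify_by_content, scan_file, scan_project and sample_files are hypothetical helpers introduced here.

```python
import io
import posixpath
import re
import zipfile

# Constructed stand-in for RetireJS's vulnerability repository. The real data
# (jsrepository.json) carries many libraries, version ranges and references.
# Assumption for this example: any jQuery release below 3.5.0 is reported.
VULN_DB = {
    "jquery": [("3.5.0", "jquery below 3.5.0 (constructed sample advisory)")],
}

# Detection 1: the file name carries the library name and version.
FILENAME_PATTERNS = {
    "jquery": re.compile(r"^jquery-(\d+\.\d+(?:\.\d+)?)(?:\.min)?\.js$", re.I),
}

# Detection 2: the file content carries the library's version banner, e.g.
# "/*! jQuery v3.1.0 | ..." (minified) or " * jQuery JavaScript Library v3.1.0".
CONTENT_PATTERNS = {
    "jquery": re.compile(r"jQuery (?:JavaScript Library )?v(\d+\.\d+(?:\.\d+)?)"),
}


def parse_version(text):
    """'3.1.0' -> (3, 1, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def identify_by_name(path):
    """Return (library, version) if the base name matches a known pattern."""
    base = posixpath.basename(path)
    for lib, pattern in FILENAME_PATTERNS.items():
        match = pattern.search(base)
        if match:
            return lib, match.group(1)
    return None


def identify_by_content(data):
    """Return (library, version) if the leading bytes carry a version banner."""
    # Banners sit at the top; decode leniently so binary input never raises.
    head = data[:4096].decode("utf-8", errors="replace")
    for lib, pattern in CONTENT_PATTERNS.items():
        match = pattern.search(head)
        if match:
            return lib, match.group(1)
    return None


def advisories_for(lib, version):
    return [summary for below, summary in VULN_DB.get(lib, [])
            if parse_version(version) < parse_version(below)]


def scan_file(path, data):
    """Findings for one file. Detection 3: a ZIP is opened and every member is
    scanned with the same rules, so hiding a library in an archive is no evasion."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        findings = []
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.infolist():
                if not member.is_dir():
                    findings.extend(scan_file(f"{path}!{member.filename}",
                                              archive.read(member)))
        return findings
    # Content first: a file name is trivial to change, the banner usually is not.
    ident, method = identify_by_content(data), "content"
    if ident is None:
        ident, method = identify_by_name(path), "name"
    if ident is None:
        return []
    lib, version = ident
    return [{"path": path, "library": lib, "version": version,
             "detected_by": method, "advisory": advisory}
            for advisory in advisories_for(lib, version)]


def scan_project(files):
    """files: {path: bytes}. Returns every finding, in path order."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_file(path, files[path]))
    return findings


def make_zip(entries):
    """Build an in-memory ZIP from {member_name: bytes} (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, data in entries.items():
            archive.writestr(name, data)
    return buf.getvalue()


# Constructed file contents: only the banner line matters for detection.
JQUERY_310_BANNER = b"/*! jQuery v3.1.0 | (c) jQuery Foundation | jquery.org/license */\n!function(a,b){}(this);\n"
JQUERY_360_BANNER = b"/*! jQuery v3.6.0 | (c) OpenJS Foundation and other contributors | jquery.org/license */\n"


def sample_files():
    """Constructed project tree covering the cases described in the text."""
    return {
        "MyProject/lorem/ipsum/jquery-3.1.0.min.js": JQUERY_310_BANNER,
        "MyProject/static/SomeGenericFile.js": JQUERY_310_BANNER,   # renamed
        "MyProject/static/jquery.resource": JQUERY_310_BANNER,      # renamed, odd extension
        "MyProject/vendor/jquery-3.1.0.js": b"// banner stripped; only the name remains\n",
        "MyProject/vendor/bundle.zip": make_zip({"lib/SomeGenericFile.js": JQUERY_310_BANNER}),
        "MyProject/vendor/jquery-3.6.0.min.js": JQUERY_360_BANNER,  # identified, not vulnerable
        "MyProject/app.js": b"console.log('hello');\n",
    }


if __name__ == "__main__":
    for finding in scan_project(sample_files()):
        print(f"{finding['path']}: {finding['library']} {finding['version']} "
              f"(by {finding['detected_by']}) - {finding['advisory']}")
```

Running the block reports five violations: the three renamed or oddly named copies and the archived copy are caught by their banner, the copy whose banner was stripped is caught by its file name, and jquery-3.6.0.min.js is identified but not reported because it is outside the constructed vulnerable range. Real RetireJS carries many more filename and content patterns per library, which is why stripping a single banner line is not a reliable way to hide a dependency either.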

By default, Code Analyzer returns a shortened form of RetireJS's violation message, which states only that the library in question is out of date. To see the details RetireJS records for each vulnerability it found in that library, use the --verbose-violations flag.

With --verbose-violations, a violation message looks like this.
