Description
Hi @kazet,
After reviewing the repository, documentation (especially the features list at https://artemis-scanner.readthedocs.io/en/latest/features.html), and existing modules, I noticed that Artemis provides excellent coverage for server-side vulnerabilities, configuration issues, CMS checks, exposed resources (e.g., .git via vcs, directory indexing), brute-forcing, Nuclei templates, port scanning, DNS/mail misconfigs, and more. However, there appears to be no dedicated support for scanning client-side JavaScript libraries for known vulnerabilities.
Many modern websites load third-party or outdated JavaScript libraries (e.g., old versions of jQuery, Lodash, Bootstrap, Moment.js) that have public CVEs, often leading to exploitable issues like XSS, prototype pollution, or DoS. These are a common real-world finding (part of OWASP A06:2021 – Vulnerable and Outdated Components) but aren't systematically checked in the current module set (e.g., scripts_unregistered_domains checks domain registration for script sources, but not version/vuln status).
Proposal
Add a new module (e.g., js_vuln_detector.py) that integrates Retire.js, a mature, open-source scanner specifically designed to detect vulnerable JavaScript libraries in web pages or Node environments.
Key benefits this would bring to Artemis:
- Detects known CVEs in front-end libraries loaded via `<script>` tags (local files, CDNs, etc.).
- Complements existing modules without overlap (Nuclei might catch some via custom templates, but Retire.js is purpose-built for this with a comprehensive, up-to-date vulnerability database).
- Enables more complete vulnerability reporting, e.g.: "Vulnerable JavaScript library detected: jQuery 1.12.4 (CVE-2019-11358 – potential XSS) loaded from /static/jquery.min.js. Recommendation: Update to a patched version."
- Fits perfectly with Artemis's modular, tool-integration philosophy (similar to how `nuclei.py` calls Nuclei via subprocess, or `humble` integrates header analysis).
High-Level Implementation Ideas
Following the pattern of existing modules (subclass ModuleBase, implement run()):
- Trigger on HTTP/URL tasks (or after `webapp_identifier` / crawling modules).
- Fetch the target page and extract JavaScript resources (using existing HTTP utils or a simple crawler to collect `<script src="...">` URLs and inline scripts if needed).
- Run Retire.js:
  - Preferred: Use the Python port (`retirejs` on PyPI – `pip install retirejs`) for native integration: `retirejs.scan_endpoint(url)` or scan downloaded files.
  - Alternative: Use the original Node.js CLI via subprocess (install in Docker, similar to other external tools).
- Parse the output (JSON format) → map findings to Artemis `ReportingMessage` with appropriate severity/risk level.
- Add dependency handling in `requirements.txt` / Docker setup (Retire.js is Apache-2.0 licensed, compatible with BSD-3-Clause).
- Tests: Follow the `example.py` template; add unit tests for sample pages with known vulnerable libs.
This seems like a valuable, self-contained addition that could significantly improve the scanner's coverage for client-side risks without major architectural changes.
I'd be happy to work on a prototype PR if this direction looks good. Any thoughts, preferences (e.g., Python port vs. CLI), or adjustments to scope/priority?
Looking forward to your feedback.
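As an added illustration of the two data-handling steps the proposal sketches (collecting `<script src>` URLs from a fetched page, then flattening a Retire.js-style JSON report into finding text), here is standalone example code that is not part of Artemis or Retire.js. The sample page and report are constructed; the report shape is modelled on Retire.js CLI JSON output and is an assumption to verify against the installed version, and no Artemis classes (`ModuleBase`, `ReportingMessage`) are used.

```python
import json
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample inputs: a page fragment and a Retire.js-style JSON report
# (shape modelled on Retire.js CLI output; treat it as an assumption, not a spec).
SAMPLE_HTML = """<html><head>
<script src="/static/jquery.min.js"></script>
<script src="https://cdn.example/lodash.min.js"></script>
<script>console.log("inline")</script>
</head></html>"""
SAMPLE_REPORT = json.dumps({"data": [{"file": "/static/jquery.min.js", "results": [
    {"component": "jquery", "version": "1.12.4", "vulnerabilities": [
        {"severity": "medium", "identifiers": {"CVE": ["CVE-2019-11358"]}}]}]}]})


class ScriptCollector(HTMLParser):
    """Collect the src of every <script> tag, resolved against the page URL."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:  # inline scripts have no src and are skipped here
                self.sources.append(urljoin(self.base_url, src))


def extract_script_urls(page_url, html):
    collector = ScriptCollector(page_url)
    collector.feed(html)
    return collector.sources


def findings_from_retire_report(report_json):
    """Flatten a Retire.js-style report into one finding dict per vulnerability."""
    findings = []
    for entry in json.loads(report_json).get("data", []):
        for result in entry.get("results", []):
            for vuln in result.get("vulnerabilities", []):
                cves = vuln.get("identifiers", {}).get("CVE", [])
                findings.append({
                    "file": entry["file"], "component": result["component"],
                    "version": result["version"], "severity": vuln.get("severity", "unknown"),
                    "cves": cves, "message": (
                        f"Vulnerable JavaScript library detected: {result['component']} "
                        f"{result['version']} ({', '.join(cves) or 'no CVE id'}) loaded from "
                        f"{entry['file']}. Recommendation: update to a patched version."),
                })
    return findings
```

In a real module the URLs returned by `extract_script_urls` would be handed to the scanner, and each finding dict mapped to the project's reporting type with its severity.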