Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Include attribution for known security vulnerabilities #6191

Open
ethcryptodev opened this issue Oct 8, 2018 · 4 comments
Open

Include attribution for known security vulnerabilities #6191

ethcryptodev opened this issue Oct 8, 2018 · 4 comments
Labels
feature P3

Comments

@ethcryptodev
Copy link

Very quick question:

Some script on my site https://www.lockebridge.com is throwing a Medium severity Best Practices penalty for using a vulnerable library version of Bootstrap (3.3.7) when ran through Lighthouse. I need to know how to easily find out what script or asset is at fault that is using this library so I can update the offending plugin or theme code.

As a feature request, it would be nice if Lighthouse provided the name and reference in the results to the offending script that is being called which is using the vulnerable library throwing the penalty as a column and result. I would argue a direct reference to the offending script is of much greater significance to users as a displayed result to help fix the problem than the vulnerability count column if one had to choose between these two.

Any help would be tremendously appreciated!
@patrickhulce patrickhulce changed the title Includes front-end JavaScript libraries with known security vulnerabilities Oct 8, 2018
@patrickhulce
Copy link
Collaborator

Thanks for filing @strayangelfilms!

Just as an FYI, it's highly unlikely that we'll be able to do this anytime soon. Detecting the library usage is done via global scope inspection currently, and we have no clue what specific script touched global scope to make it that way. The developer is the person in the best position to know which of their scripts it could have come from.

AFAICT, bringing this functionality to LH would require a total rewrite of the library detection (which is currently done by a 3P library) to examine source code/track stacks/something fancy it doesn't do currently.
@ethcryptodev
Copy link
Author

@patrickhulce Thank you for exploring this in detail, it is much appreciated.

For many sites or apps where they're literally custom coded by a dev actually compiling scripts and their root libraries, obviously this isn't necessary, but for 50% of the web running on WordPress or a CMS that are now using Lighthouse to score ranking / SEO / performance, any tool that can help figure out what script has called the vulnerable library would be a godsend so individual theme / plugin / component updates can be easily assessed and appropriate remediation applied.
@rockeynebhwani
Copy link

@strayangelfilms / @patrickhulce - Is it not possible to use something like this - https://retirejs.github.io/retire.js/?
@patrickhulce
Copy link
Collaborator

Would you mind elaborating on how that would help @rockeynebhwani? We already have the same functionality to identify the vulnerabilities themselves, this issue is requesting specifically how they got onto the page, which AFAICT is not solved by any of these in a web context.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature P3
3 participants
@rockeynebhwani @patrickhulce @ethcryptodev