vulkro scan --include-retirejs
[Pro] Invoke RetireJS against the Salesforce client-side surface and
merge any vulnerable-library findings into the scan output. Drop-in
replacement for the historical sfdx-scanner RetireJS step.
RetireJS ships a continuously updated catalog of content fingerprints for
vulnerable JavaScript libraries (jQuery, AngularJS, Bootstrap, lodash,
moment, and roughly 200 others). It identifies vendored library bundles by
file content (hashes and version-string patterns), not by manifest.
Salesforce managed packages routinely ship vendored copies of these
libraries inside staticresources/ with no package.json or lockfile, so the
standard Vulkro SCA path (which keys on lockfile entries) cannot see them.
This wrapper closes that gap.
Usage
vulkro scan --include-retirejs .
vulkro scan --include-retirejs --format json .
vulkro scan ci . --include-retirejs --fail-on critical,high
What gets scanned
The wrapper limits RetireJS to the canonical Salesforce client-side roots, each scanned only if it exists on disk:
| Path | What lives here |
|---|---|
| force-app/main/default/staticresources/ | Vendored library bundles (jQuery, Angular, Bootstrap, etc.) shipped inside a managed package. The most common surface where outdated copies hide. |
| force-app/main/default/lwc/ | LWC component JS, including any bundle's own JS files. |
| force-app/main/default/aura/ | Aura controller / helper / renderer JS. |
If none of these exist (the project is not a Salesforce DX layout) the wrapper returns zero findings without invoking RetireJS.
Binary discovery
vulkro scan --include-retirejs looks for a RetireJS binary in this
order:
1. VULKRO_RETIREJS_BIN environment variable: absolute path to a retire binary. Overrides the search below.
2. retire on PATH (the global install path).
3. npx retire as a fallback (requires Node.js + npm).
If none are available the wrapper emits an actionable error:
RetireJS not found. Vulkro looked for: (1) `$VULKRO_RETIREJS_BIN` env
var, (2) `retire` on PATH, (3) `npx` on PATH. Install: `npm install
-g retire`, or set VULKRO_RETIREJS_BIN=/path/to/retire
The error does not abort the rest of the scan: native Vulkro detectors still run and emit findings as usual. Because a scan whose native rules are clean still exits 0 in that case, check the CI log for this warning rather than relying on the exit code to tell you the RetireJS step actually ran.
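The root selection from "What gets scanned" and the three-step binary discovery above, written out as an added illustration (this is not Vulkro's own code). The function names, the injectable `which`/`is_dir`/`is_file` lookups, and running one RetireJS invocation per root with `--path` and `--outputformat json` (RetireJS's own CLI options, as I understand them) are assumptions; the roots and the error text are taken from this page.

```python
"""Root selection and RetireJS binary discovery, as described in the
sections above.  Added illustration, not Vulkro's own code: the function
names, the injectable lookups, and the exact argv built for RetireJS
are assumptions."""
import os
import shutil
from typing import Callable, Optional

# Canonical Salesforce DX client-side roots, from the table above.
SF_CLIENT_ROOTS = (
    "force-app/main/default/staticresources",
    "force-app/main/default/lwc",
    "force-app/main/default/aura",
)

# The actionable error text quoted above, emitted when nothing resolves.
NOT_FOUND = (
    "RetireJS not found. Vulkro looked for: (1) `$VULKRO_RETIREJS_BIN` env "
    "var, (2) `retire` on PATH, (3) `npx` on PATH. Install: `npm install "
    "-g retire`, or set VULKRO_RETIREJS_BIN=/path/to/retire"
)


def select_roots(project_dir: str,
                 is_dir: Callable[[str], bool] = os.path.isdir) -> list[str]:
    """Return only the Salesforce roots that exist under project_dir.
    An empty list means the project is not a DX layout; the caller then
    skips RetireJS entirely and reports zero findings."""
    candidates = [os.path.join(project_dir, r) for r in SF_CLIENT_ROOTS]
    return [p for p in candidates if is_dir(p)]


def find_retire(env: dict,
                which: Callable[[str], Optional[str]] = shutil.which,
                is_file: Callable[[str], bool] = os.path.isfile) -> Optional[list[str]]:
    """Resolve the RetireJS command in the documented order and return
    the argv prefix to run, or None when nothing is available."""
    # (1) Explicit pin. It wins only when the file actually exists, so a
    #     stale variable falls through to the search instead of failing.
    pinned = env.get("VULKRO_RETIREJS_BIN")
    if pinned and is_file(pinned):
        return [pinned]
    # (2) Global install on PATH.
    on_path = which("retire")
    if on_path:
        return [on_path]
    # (3) npx fallback, which needs Node.js + npm on the build host.
    if which("npx"):
        return ["npx", "retire"]
    return None


def plan_scan(project_dir: str, env: dict,
              which: Callable[[str], Optional[str]] = shutil.which,
              is_dir: Callable[[str], bool] = os.path.isdir,
              is_file: Callable[[str], bool] = os.path.isfile
              ) -> tuple[list[list[str]], Optional[str]]:
    """Decide what to run.  Returns (commands, warning):
    - ([], None)      not a DX layout, nothing to do
    - ([], NOT_FOUND) binary missing; caller logs it and lets native rules run
    - (cmds, None)    one RetireJS invocation per existing root
    '--path' and '--outputformat json' are RetireJS's own CLI options as I
    understand them; one invocation per root is an assumption."""
    roots = select_roots(project_dir, is_dir)
    if not roots:
        return [], None
    cmd = find_retire(env, which, is_file)
    if cmd is None:
        return [], NOT_FOUND
    return [cmd + ["--path", r, "--outputformat", "json"] for r in roots], None


if __name__ == "__main__":
    cmds, warning = plan_scan(".", dict(os.environ))
    print(warning or "\n".join(" ".join(c) for c in cmds) or "not a Salesforce DX layout")
```

The lookups are injected so the decision logic can be unit-tested without a real filesystem or PATH; in production the defaults (`os.path.isdir`, `os.path.isfile`, `shutil.which`) apply. Note that a pinned path that does not exist is not an error on its own: it silently falls through to the PATH and npx search, which is why the warning text lists all three locations.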
Environment variables
| Variable | Description |
|---|---|
| VULKRO_RETIREJS_BIN | Absolute path to a retire binary. When set and the file exists, takes precedence over PATH and the npx fallback. Useful for air-gapped builds that ship a vendored copy of RetireJS at a known location. |
Finding shape
Each RetireJS vulnerability becomes one Vulkro SecurityFinding:
| Field | Value |
|---|---|
| owasp_category | SoftwareIntegrityFailures (A08:2021) |
| severity | Mapped from RetireJS severity (critical -> Critical, high -> High, medium -> Medium, low -> Low). |
| confidence | High (content-fingerprint match plus CVE-backed advisory). |
| message | [RETIRE] RETIRE-{component}-{cve-or-ghsa} - {component} {version} has known vulnerability: {summary} |
| remediation | "Upgrade {component} to a version >= {safe}." plus the upstream advisory URLs. |
| evidence | One item with signal: "retirejs-cve" and a detail string listing every identifier RetireJS attached (CVEs, GHSA IDs, RETID, upstream bug numbers). |
Note that A08:2021 is Software and Data Integrity Failures; OWASP itself lists outdated third-party libraries under A06:2021 Vulnerable and Outdated Components. If your reporting needs to separate the two, filter on the [RETIRE] message prefix rather than on owasp_category.
Sample output
[RETIRE] RETIRE-jquery-cve-2020-11023 - jquery 1.4.2 has known vulnerability:
passing HTML containing <option> elements may execute untrusted code.
Remediation: Upgrade jquery to a version >= 3.5.0.
See: https://nvd.nist.gov/vuln/detail/CVE-2020-11023.
File: force-app/main/default/staticresources/lib/jquery-1.4.2.min.js
Confidence: high (RetireJS content-fingerprint match)
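The mapping from RetireJS output to the finding shape above, as an added illustration (not Vulkro's own code). The input layout (data -> file and results -> component, version, vulnerabilities -> severity, below, info, identifiers) is RetireJS's JSON output format as I understand it; SecurityFinding is a stand-in dataclass, and the fallbacks for a vulnerability with no severity, no fixed version, or no CVE/GHSA are my assumptions. The embedded sample is constructed, though both jQuery advisories it cites are real.

```python
"""Turn RetireJS JSON output into findings of the shape described above.
Added illustration, not Vulkro's own code.  The input layout is RetireJS's
JSON output format as I understand it; SecurityFinding is a stand-in
dataclass, and the fallbacks for a missing severity, fixed version or
CVE are assumptions."""
import json
from dataclasses import dataclass, field

# RetireJS severity -> Vulkro severity, from the table above.
SEVERITY = {"critical": "Critical", "high": "High",
            "medium": "Medium", "low": "Low"}
DEFAULT_SEVERITY = "Medium"   # assumption: entries with no/unknown severity


@dataclass
class SecurityFinding:
    owasp_category: str
    severity: str
    confidence: str
    message: str
    remediation: str
    file: str
    evidence: list = field(default_factory=list)


def all_identifiers(ids: dict) -> list[str]:
    """Every identifier RetireJS attached: CVEs, GHSA ID, RETID, bug numbers."""
    out: list[str] = []
    for key in ("CVE", "githubID", "retid", "bug"):
        value = ids.get(key)
        if isinstance(value, list):
            out.extend(str(v) for v in value)
        elif value:
            out.append(str(value))
    return out


def primary_id(ids: dict) -> str:
    """CVE if there is one, else GHSA, else whatever else RetireJS gave (assumption)."""
    cves = ids.get("CVE") or []
    if cves:
        return cves[0]
    if ids.get("githubID"):
        return str(ids["githubID"])
    rest = all_identifiers(ids)
    return rest[0] if rest else "unknown"


def to_findings(retire_json: str) -> list[SecurityFinding]:
    """One SecurityFinding per (file, component, vulnerability)."""
    report = json.loads(retire_json)
    findings: list[SecurityFinding] = []
    for entry in report.get("data", []):
        path = entry.get("file", "")
        for result in entry.get("results", []):
            comp = result.get("component", "unknown")
            ver = result.get("version", "unknown")
            for vuln in result.get("vulnerabilities", []):
                ids = vuln.get("identifiers") or {}
                summary = ids.get("summary") or ids.get("issue") or "see advisory"
                safe = vuln.get("below")          # first fixed version, if RetireJS knows one
                urls = " ".join(vuln.get("info", []))
                remediation = (f"Upgrade {comp} to a version >= {safe}." if safe else
                               f"No fixed version reported for {comp}; remove or replace the bundle.")
                if urls:
                    remediation += f" See: {urls}"
                findings.append(SecurityFinding(
                    owasp_category="SoftwareIntegrityFailures",
                    severity=SEVERITY.get(str(vuln.get("severity", "")).lower(), DEFAULT_SEVERITY),
                    confidence="High",
                    message=(f"[RETIRE] RETIRE-{comp}-{primary_id(ids).lower()} - "
                             f"{comp} {ver} has known vulnerability: {summary}"),
                    remediation=remediation,
                    file=path,
                    evidence=[{"signal": "retirejs-cve",
                               "detail": "identifiers: " + ", ".join(all_identifiers(ids))}],
                ))
    return findings


# Constructed sample in the RetireJS JSON shape; both jQuery advisories are real.
SAMPLE_RETIRE_JSON = json.dumps({"data": [{
    "file": "force-app/main/default/staticresources/lib/jquery-1.4.2.min.js",
    "results": [{"component": "jquery", "version": "1.4.2", "detection": "filecontent",
                 "vulnerabilities": [
                     {"severity": "medium", "below": "3.5.0",
                      "info": ["https://nvd.nist.gov/vuln/detail/CVE-2020-11023"],
                      "identifiers": {"CVE": ["CVE-2020-11023"],
                                      "summary": "passing HTML containing <option> elements may execute untrusted code"}},
                     {"severity": "high", "below": "1.6.3",
                      "info": ["https://nvd.nist.gov/vuln/detail/CVE-2011-4969"],
                      "identifiers": {"CVE": ["CVE-2011-4969"],
                                      "summary": "XSS via location.hash selector"}}]}]}]})


if __name__ == "__main__":
    for finding in to_findings(SAMPLE_RETIRE_JSON):
        print(finding.severity, finding.message)
```

One finding per advisory is what produces "one row per advisory" in the readiness report: a single vendored jquery-1.4.2.min.js yields as many findings as RetireJS has advisories for that version, all pointing at the same file.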
AppExchange Security Review mapping
Every RetireJS-wrapper finding routes to two sections of the
AppExchange Security Review readiness report
(vulkro sf-appexchange-report):
- External Integrations - vendored third-party JS executes inside the customer's org.
- Lightning Component Security - libraries inside lwc/ and aura/ execute in the component runtime.
This means a managed-package ISV who ships jQuery 1.x in a static resource will see the same library under both sections of the readiness report, with one row per advisory in each.
Exit codes
Follows the standard vulkro scan contract:
- 0 - success, no findings (RetireJS clean and native rules clean).
- 1 - findings reported (any source, including the wrapper).
- 2 - argument error or internal failure. A missing retire binary prints an actionable warning but does not by itself cause exit 2: native rules still run.
Notes
- No telemetry. RetireJS reads the vulnerability catalog shipped with the npm package; no network call is required at scan time. The flip side is that the catalog is only as current as the installed package, so pin the retire package in your build image and refresh it on a schedule.
- Offline-first. When you set VULKRO_RETIREJS_BIN to a vendored binary, the entire wrapper runs without contacting any remote registry.
- Pro feature. The wrapper sits behind a single Pro gate. The gate fires at flag-parse time, so a Free user sees the upgrade message immediately rather than after the scan completes.