Rationale
According to OWASP, one of the Top 10 application security risks is using components with known vulnerabilities. This easily overlooked risk is very relevant for Salesforce developers, who may unknowingly include vulnerable JavaScript libraries in their Visualforce, Aura or Lightning components.
What does this rule do?
This rule flags any open source library with a known vulnerability that is used by a Visualforce page or component, an Aura component, or a Lightning Web Component.
How does the rule work?
We use several strategies to determine whether a Salesforce application actively uses a third-party library. These depend on the language and type of component and include:
Libraries embedded via URL (e.g. from CDN networks)
Libraries imported from static resources
Libraries referenced in package.json
We maintain a database of signatures for many open source libraries and their versions, along with their known vulnerabilities. We determine which libraries and versions are in use by looking at:
Filenames (when the original file names of the libraries are preserved)
URLs (when included from a known CDN)
File content (e.g. when libraries are loaded as static resources, but the original filenames are not preserved)
When we identify a known library, we check for any known vulnerabilities related to that version. If a match is found, a violation is flagged.
Clayton supports the libraries and vulnerabilities listed at https://retirejs.github.io/retire.js/
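The three detection paths described above (filename in a CDN URL, content of a static resource, package.json dependency) as an added illustration in Python; this is not Clayton's own code. The signature table, the jQuery banner regex and the constructed inputs are assumptions, not retire.js data.

```python
import json
import re
# Constructed sample signature table (not retire.js data): library -> list of
# vulnerable ranges [at_or_above, below).
SIGNATURES = {"jquery": [("1.0.0", "3.0.0")]}

URL_RE = re.compile(r'src\s*=\s*"([^"]+)"')            # HTML embed via URL / CDN
STATIC_RES_RE = re.compile(r'\$Resource\.(\w+)')        # Visualforce static resource
FILENAME_RE = re.compile(r'^([a-z]\w*?)-(\d+\.\d+\.\d+)(?:\.min)?\.js$', re.I)
# Assumed content signatures, used when the original filename is not preserved.
CONTENT_SIGNATURES = {"jquery": re.compile(r'jQuery v(\d+\.\d+\.\d+)')}

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def libraries_in_markup(markup, static_resources=None):
    """Return (name, version) pairs; static_resources maps a $Resource name to
    its file content. version is None when the library could not be identified."""
    found = []
    for src in URL_RE.findall(markup):                  # strategy 1: filename in URL
        m = FILENAME_RE.match(src.rsplit("/", 1)[-1])
        if m:
            found.append((m.group(1).lower(), m.group(2)))
    for res in STATIC_RES_RE.findall(markup):           # strategy 2: static resource
        content = (static_resources or {}).get(res, "")
        hits = [(lib, rx.search(content)) for lib, rx in CONTENT_SIGNATURES.items()]
        hits = [(lib, m.group(1)) for lib, m in hits if m]
        found.append(hits[0] if hits else (res.lower(), None))
    return found

def libraries_in_package_json(text):
    """Strategy 3: package.json. The lowest version a ^/~ spec allows is used
    (a simplification of full semver range resolution)."""
    deps = json.loads(text).get("dependencies", {})
    return [(n.lower(), s.lstrip("^~")) for n, s in deps.items()]

def violations(libraries):
    """Return the pairs whose version falls inside a known-vulnerable range."""
    out = []
    for name, version in libraries:
        ranges = SIGNATURES.get(name, []) if version else []
        if any(parse_version(lo) <= parse_version(version) < parse_version(hi) for lo, hi in ranges):
            out.append((name, version))
    return out
# Constructed inputs mirroring the page's snippets.
CDN_PAGE = '<apex:page><script src="https://code.jquery.com/jquery-2.2.2.min.js"></script></apex:page>'
RESOURCE_PAGE = '<apex:page><apex:includeScript value="{!$Resource.jquery}" /></apex:page>'
RESOURCES = {"jquery": "/*! jQuery v2.1.4 | constructed banner */"}
PACKAGE_JSON = '{"name": "salesforce-app", "dependencies": {"jquery": "^2.1.1"}}'
```

Run `violations(libraries_in_markup(CDN_PAGE))` to see the CDN page flagged; a static resource whose content matches no signature is reported with version None and is not flagged, which is where a real scanner needs broader content signatures.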
Examples
Below are snippets that illustrate circumstances in which the rule detects a vulnerable library.
<apex:page id="SecondPageId" standardcontroller="Contact">
<script
src="https://code.jquery.com/jquery-2.2.2.min.js"
integrity="sha256-FgpCb/KJQlLNfOu91ta32o/NMZxltwRo8QtmkMRdAu8="
crossorigin="anonymous"></script>
</apex:page>
A Visualforce page with an HTML embed of a vulnerable library, loaded via a CDN
<apex:page id="HVEMCaseConversationPageId" standardcontroller="Contact">
<apex:includeScript value="{!$Resource.jquery}" />
</apex:page>
A Visualforce page that includes a vulnerable library loaded as a Static Resource
{
"name": "salesforce-app",
"private": true,
"version": "1.0.0",
"description": "Salesforce App",
"scripts": {
..
},
"devDependencies": {
..
},
"lint-staged": {
..
},
"dependencies": {
"jquery": "^2.1.1"
}
}
A vulnerable dependency referenced in package.json