From 32d0da5a4e570fdda6086c2b8c28e7c382feb089 Mon Sep 17 00:00:00 2001 From: Moritz Heidkamp Date: Tue, 7 Oct 2025 13:36:57 +0200 Subject: [PATCH 1/9] Scan all classpath entries This allows using e.g. the [Node Audit Analyzer](https://dependency-check.github.io/DependencyCheck/analyzers/node-audit-analyzer.html) (when enabled via the `nvd.analyzer.node-audit-enabled` config option) by passing `package-lock.json` as part of `classpath`. Note that the filtering in `-main` still takes care of removing directories and non-existing files. The comment there is updated to reflect the new behavior. --- src/nvd/task/check.clj | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/src/nvd/task/check.clj b/src/nvd/task/check.clj index 384f8c2..1a3987e 100644 --- a/src/nvd/task/check.clj +++ b/src/nvd/task/check.clj @@ -37,17 +37,13 @@ (delay {:nvd-clojure (get-version "nvd-clojure" "nvd-clojure") :dependency-check (.getImplementationVersion (.getPackage Engine))})) -(defn jar? [^String filename] - (.endsWith filename ".jar")) - (defn absolute-path ^String [file] (s/replace-first file #"^~" (System/getProperty "user.home"))) (defn- scan-and-analyze [project] (let [^Engine engine (:engine project)] (doseq [p (:classpath project)] - (when (jar? p) - (.scan engine (absolute-path p)))) + (.scan engine ^String p)) (try (.analyzeDependencies engine) (catch ExceptionCollection e 
@@ -105,10 +101,9 @@ Older usages are deprecated." {}))) (let [classpath (s/split classpath-string classpath-separator-re) classpath (into [] (remove (fn [^String s] - ;; Only .jar (and perhaps .zip) files are relevant. - ;; source paths such as `src`, while are part of the classpath, - ;; won't be meaningfully analyzed by dependency-check-core. - ;; Keeping only .jars facilitates various usage patterns. + ;; Source paths such as `src`, while part of the classpath, won't + ;; be meaningfully analyzed by dependency-check-core. Thus, skip + ;; directories in general as well as non-existing files. (let [file (io/file s)] (or (.isDirectory file) (not (.exists file)))))) From 60273ad68769d0d3fde8a26b8565cbe7c59d639b Mon Sep 17 00:00:00 2001 From: Moritz Heidkamp Date: Tue, 7 Oct 2025 15:02:33 +0200 Subject: [PATCH 2/9] Extract `parse-classpath` for clarity and improve commentary --- src/nvd/task/check.clj | 34 +++++++++++++++++++++------------- 1 file changed, 21 insertions(+), 13 deletions(-) diff --git a/src/nvd/task/check.clj b/src/nvd/task/check.clj index 1a3987e..c797fd9 100644 --- a/src/nvd/task/check.clj +++ b/src/nvd/task/check.clj 
@@ -37,11 +37,31 @@ (delay {:nvd-clojure (get-version "nvd-clojure" "nvd-clojure") :dependency-check (.getImplementationVersion (.getPackage Engine))})) +(def classpath-separator-re + (re-pattern (str File/pathSeparatorChar))) + (defn absolute-path ^String [file] (s/replace-first file #"^~" (System/getProperty "user.home"))) +(defn parse-classpath + "Accepts a classpath string (i.e. colon-separated paths) and returns a sequence of analyzable + absolute paths. + + In particular, source paths such as `src`, while part of the classpath, won't be meaningfully + analyzed by dependency-check-core. We only care about regular files (e.g. *.jar or + package-lock.json). Thus, skip directories in general as well as non-existing files." + [classpath-string] + (into [] + (comp (remove (fn [^String s] + (let [file (io/file s)] + (or (.isDirectory file) + (not (.exists file)))))) + (map absolute-path)) + (s/split classpath-string classpath-separator-re))) + (defn- scan-and-analyze [project] (let [^Engine engine (:engine project)] + ;; See `parse-classpath` for details on which classpath entries are considered here. (doseq [p (:classpath project)] (.scan engine ^String p)) (try 
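Review bot: The docstring added for `parse-classpath` says the input is "colon-separated paths", but the separator it actually splits on is `classpath-separator-re`, built in the same hunk from `File/pathSeparatorChar`, which is `;` on Windows. Suggest wording it as `"Accepts a classpath string (paths separated by the platform's File/pathSeparator) and returns a vector of analyzable absolute paths."` so the docstring does not contradict the code. The docstring also promises a "sequence" while the body returns a vector via `into []`; either works for callers, but "vector" is the precise term. `scan-and-analyze`'s body continues past the end of the hunk.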
@@ -90,24 +110,12 @@ fail-build? conditional-exit))) -(def classpath-separator-re - (re-pattern (str File/pathSeparatorChar))) - (defn -main [& [config-filename ^String classpath-string]] (when (s/blank? classpath-string) (throw (ex-info "nvd-clojure requires a classpath value to be explicitly passed as a CLI argument. Older usages are deprecated." {}))) - (let [classpath (s/split classpath-string classpath-separator-re) - classpath (into [] - (remove (fn [^String s] - ;; Source paths such as `src`, while part of the classpath, won't - ;; be meaningfully analyzed by dependency-check-core. Thus, skip - ;; directories in general as well as non-existing files. - (let [file (io/file s)] - (or (.isDirectory file) - (not (.exists file)))))) - classpath)] + (let [classpath (parse-classpath classpath-string)] (when-not (System/getProperty "nvd-clojure.internal.skip-self-check") (when-let [bad-entry (->> classpath From 9b84357e14d3b5ea1f358323767ef2b0a6ba1984 Mon Sep 17 00:00:00 2001 From: Moritz Heidkamp Date: Tue, 7 Oct 2025 15:55:32 +0200 Subject: [PATCH 3/9] Reinstate classpath sanity check --- src/nvd/task/check.clj | 19 ++++++------------- 1 file changed, 6 insertions(+), 13 deletions(-) diff --git a/src/nvd/task/check.clj b/src/nvd/task/check.clj index c797fd9..9425895 100644 --- a/src/nvd/task/check.clj +++ b/src/nvd/task/check.clj @@ -117,6 +117,12 @@ Older usages are deprecated." {}))) (let [classpath (parse-classpath classpath-string)] + (when (empty? classpath) + (throw (ex-info "No entries in given classpath qualify for analysis. + +Note that only regular files (non-directories) are considered." + {:classpath classpath-string}))) + (when-not (System/getProperty "nvd-clojure.internal.skip-self-check") (when-let [bad-entry (->> classpath (some (fn [^String entry] 
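Review bot: The new `(when (empty? classpath) ...)` check in `-main` only fires when every entry was filtered out by `parse-classpath`, so a classpath with one mistyped or missing jar path still passes and that artifact simply never reaches the engine, which for a vulnerability scanner is a silent false negative. Consider reporting what was dropped, e.g. right after the `let`: `(doseq [s (s/split classpath-string classpath-separator-re) :when (let [f (io/file s)] (or (.isDirectory f) (not (.exists f))))] (println "Skipping classpath entry (directory or missing):" s))`, or have `parse-classpath` return the skipped entries alongside the kept ones. That would also make the empty-classpath error more actionable, since the thrown `ex-info` currently carries only the raw `classpath-string`. `-main` continues past the end of the hunk.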
@@ -130,19 +136,6 @@ Please refer to the project's README for recommended usages." {:bad-entry bad-entry :classpath classpath-string})))) - ;; perform some sanity checks for ensuring the calculated classpath has the expected format: - (let [f (-> classpath ^String (first) File.)] - (when-not (.exists f) - (throw (ex-info (str "The classpath variable should be a vector of simple strings denoting existing files: " - (pr-str f)) - {})))) - - (let [f (-> classpath ^String (last) File.)] - (when-not (.exists f) - (throw (ex-info (str "The classpath variable should be a vector of simple strings denoting existing files: " - (pr-str f)) - {})))) - ;; specifically handle blank strings (in addition to nil) ;; so that CLI callers can skip the first argument by simply passing an empty string: (let [config-filename (if (s/blank? config-filename) From eaf0f5344111be779752eb269953404b4dfb0c83 Mon Sep 17 00:00:00 2001 From: Moritz Heidkamp Date: Wed, 8 Oct 2025 12:06:28 +0200 Subject: [PATCH 4/9] Expand `~` in classpath entries *before* filtering for existence Otherwise, `~` would be interpreted literally and the existence check would always remove such entries. --- src/nvd/task/check.clj | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/nvd/task/check.clj b/src/nvd/task/check.clj index 9425895..934fc29 100644 --- a/src/nvd/task/check.clj +++ b/src/nvd/task/check.clj @@ -52,11 +52,11 @@ package-lock.json). Thus, skip directories in general as well as non-existing files." [classpath-string] (into [] - (comp (remove (fn [^String s] + (comp (map absolute-path) + (remove (fn [^String s] (let [file (io/file s)] (or (.isDirectory file) - (not (.exists file)))))) - (map absolute-path)) + (not (.exists file))))))) (s/split classpath-string classpath-separator-re))) (defn- scan-and-analyze [project] From 69b40c71b74ea8795ed5a6379eb06caad344fded Mon Sep 17 00:00:00 2001 
From: Moritz Heidkamp Date: Wed, 8 Oct 2025 12:07:47 +0200 Subject: [PATCH 5/9] Only expand `~` in classpath entries when followed by `/` or `$` Otherwise, entries like `~foo` would expand to something like `/home/userfoo`. --- src/nvd/task/check.clj | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/nvd/task/check.clj b/src/nvd/task/check.clj index 934fc29..d781f43 100644 --- a/src/nvd/task/check.clj +++ b/src/nvd/task/check.clj @@ -41,7 +41,7 @@ (re-pattern (str File/pathSeparatorChar))) (defn absolute-path ^String [file] - (s/replace-first file #"^~" (System/getProperty "user.home"))) + (s/replace-first file #"^~(?=$|/)" (System/getProperty "user.home"))) (defn parse-classpath "Accepts a classpath string (i.e. colon-separated paths) and returns a sequence of analyzable From 3941beb6c91e1eb0f563668b44571b34e163569e Mon Sep 17 00:00:00 2001 From: Moritz Heidkamp Date: Wed, 8 Oct 2025 15:07:23 +0200 Subject: [PATCH 6/9] Add integration test for non-default analyzer (node audit) --- .github/integration_test.sh | 19 ++- .github/nvd-node-audit-config.edn | 3 + example/package-lock.json | 225 ++++++++++++++++++++++++++++++ example/package.json | 8 ++ 4 files changed, 254 insertions(+), 1 deletion(-) create mode 100644 .github/nvd-node-audit-config.edn create mode 100644 example/package-lock.json create mode 100644 example/package.json diff --git a/.github/integration_test.sh b/.github/integration_test.sh index e86b3e2..630a4f0 100755 --- a/.github/integration_test.sh +++ b/.github/integration_test.sh 
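Review bot: `absolute-path` now has non-obvious behaviour (only a leading `~` followed by `/` or end of string is expanded; `~user` forms are left alone) but carries no docstring; suggest `"Expands a leading ~ to the user's home directory, but only when it is followed by / or is the whole entry; ~user forms are returned unchanged."` placed after the name. The lookahead hard-codes `/`, so where `File/separator` is `\` an entry such as `~\lib\x.jar` is passed on literally and then dropped by the existence filter in `parse-classpath`; `#"^~(?=$|/|\\)"` would cover that case, if Windows classpaths are a supported input.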
@@ -16,13 +16,14 @@ CONFIG_FILE_USING_DEFAULT_FILENAME="$PROJECT_DIR/nvd-clojure.edn" DOGFOODING_CONFIG_FILE="$PROJECT_DIR/.github/nvd-dogfooding-config.edn" TOOLS_CONFIG_FILE="$PROJECT_DIR/.github/nvd-tool-config.edn" DATAFEED_CONFIG_FILE="$PROJECT_DIR/.github/nvd-datafeed-config.edn" +NODE_AUDIT_CONFIG_FILE="$PROJECT_DIR/.github/nvd-node-audit-config.edn" JSON_CONFIG_FILE="$PROJECT_DIR/.github/nvd-config.json" JSON_DOGFOODING_CONFIG_FILE="$PROJECT_DIR/.github/nvd-dogfooding-config.json" JSON_TOOLS_CONFIG_FILE="$PROJECT_DIR/.github/nvd-tool-config.json" A_CUSTOM_CHANGE=":a-custom-change" -SUCCESS_REGEX="[1-9][0-9] vulnerabilities detected\. Severity: " +SUCCESS_REGEX="[1-9][0-9]* vulnerabilities detected\. Severity: " if ! lein with-profile -user,-dev,+ci install; then exit 1 @@ -123,6 +124,22 @@ if ! grep --silent "$SUCCESS_REGEX" test-output; then exit 1 fi +# 1.5 - Exercise `main` program (non-default analyzer) + +step_name=">>> [Step 1.5 lein & non-default analyzer]" + +echo "$step_name starting..." + +if lein with-profile -user,-dev,+ci run -m nvd.task.check "$NODE_AUDIT_CONFIG_FILE" example/package-lock.json > test-output; then + echo "$step_name Should have failed with non-zero code!" + exit 1 +fi + +if ! grep --silent "$SUCCESS_REGEX" test-output; then + echo "$step_name Should have found vulnerabilities!" + exit 1 +fi + # cd to the root dir, so that one runs `defproject nvd-clojure` which is the most clean and realistic way to run `main`: cd "$PROJECT_DIR" || exit 1 diff --git a/.github/nvd-node-audit-config.edn b/.github/nvd-node-audit-config.edn new file mode 100644 index 0000000..a4a2309 --- /dev/null +++ b/.github/nvd-node-audit-config.edn @@ -0,0 +1,3 @@ +{:suppression-file ".github/example_nvd_suppressions.xml" + :analyzer {:ossindex-warn-only-on-remote-errors true + :node-audit-enabled true}} diff --git a/example/package-lock.json b/example/package-lock.json new file mode 100644 index 0000000..06865f7 --- /dev/null +++ b/example/package-lock.json 
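Review bot: Step 1.5 has no comment about its external dependency: with `:node-audit-enabled true` in `nvd-node-audit-config.edn` (added in this commit), the node-audit analyzer, as far as I understand the linked analyzer docs, submits the dependency list from `example/package-lock.json` to a remote audit service, so this step needs outbound network access and a remote failure surfaces only as "Should have found vulnerabilities!". A one-line comment above the step would save the next person debugging a CI outage, e.g. `# Step 1.5 needs network access: the node-audit analyzer queries a remote audit service for example/package-lock.json`. The config also sets `:ossindex-warn-only-on-remote-errors true` but nothing equivalent for node audit, so the two remote analyzers behave differently on transient errors; if that is intended, the same comment is the place to say so.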
@@ -0,0 +1,225 @@ +{ + "name": "example-with-known-vulnerabilities", + "version": "1.4.17", + "lockfileVersion": 3, + "requires": true, + "packages": { + "": { + "name": "example-with-known-vulnerabilities", + "version": "1.4.17", + "dependencies": { + "tar-fs": "2.1.3" + } + }, + "node_modules/base64-js": { + "version": "1.5.1", + "resolved": "https://registry.npmjs.org/base64-js/-/base64-js-1.5.1.tgz", + "integrity": "sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ], + "license": "MIT" + }, + "node_modules/bl": { + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/bl/-/bl-4.1.0.tgz", + "integrity": "sha512-1W07cM9gS6DcLperZfFSj+bWLtaPGSOHWhPiGzXmvVJbRLdG82sH/Kn8EtW1VqWVA54AKf2h5k5BbnIbwF3h6w==", + "license": "MIT", + "dependencies": { + "buffer": "^5.5.0", + "inherits": "^2.0.4", + "readable-stream": "^3.4.0" + } + }, + "node_modules/buffer": { + "version": "5.7.1", + "resolved": "https://registry.npmjs.org/buffer/-/buffer-5.7.1.tgz", + "integrity": "sha512-EHcyIPBQ4BSGlvjB16k5KgAJ27CIsHY/2JBmCRReo48y9rQ3MaUzWX3KVlBa4U7MyX02HdVj0K7C3WaB3ju7FQ==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ], + "license": "MIT", + "dependencies": { + "base64-js": "^1.3.1", + "ieee754": "^1.1.13" + } + }, + "node_modules/chownr": { + "version": "1.1.4", + "resolved": "https://registry.npmjs.org/chownr/-/chownr-1.1.4.tgz", + "integrity": "sha512-jJ0bqzaylmJtVnNgzTeSOs8DPavpbYgEr/b0YL8/2GO3xJEhInFmhKMUnEJQjZumK7KXGFhUy89PrsJWlakBVg==", + "license": "ISC" + }, + "node_modules/end-of-stream": { + "version": 
"1.4.5", + "resolved": "https://registry.npmjs.org/end-of-stream/-/end-of-stream-1.4.5.tgz", + "integrity": "sha512-ooEGc6HP26xXq/N+GCGOT0JKCLDGrq2bQUZrQ7gyrJiZANJ/8YDTxTpQBXGMn+WbIQXNVpyWymm7KYVICQnyOg==", + "license": "MIT", + "dependencies": { + "once": "^1.4.0" + } + }, + "node_modules/fs-constants": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/fs-constants/-/fs-constants-1.0.0.tgz", + "integrity": "sha512-y6OAwoSIf7FyjMIv94u+b5rdheZEjzR63GTyZJm5qh4Bi+2YgwLCcI/fPFZkL5PSixOt6ZNKm+w+Hfp/Bciwow==", + "license": "MIT" + }, + "node_modules/ieee754": { + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/ieee754/-/ieee754-1.2.1.tgz", + "integrity": "sha512-dcyqhDvX1C46lXZcVqCpK+FtMRQVdIMN6/Df5js2zouUsqG7I6sFxitIC+7KYK29KdXOLHdu9zL4sFnoVQnqaA==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ], + "license": "BSD-3-Clause" + }, + "node_modules/inherits": { + "version": "2.0.4", + "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", + "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==", + "license": "ISC" + }, + "node_modules/mkdirp-classic": { + "version": "0.5.3", + "resolved": "https://registry.npmjs.org/mkdirp-classic/-/mkdirp-classic-0.5.3.tgz", + "integrity": "sha512-gKLcREMhtuZRwRAfqP3RFW+TK4JqApVBtOIftVgjuABpAtpxhPGaDcfvbhNvD0B8iD1oUr/txX35NjcaY6Ns/A==", + "license": "MIT" + }, + "node_modules/once": { + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", + "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", + "license": "ISC", + "dependencies": { + "wrappy": "1" + } + }, + "node_modules/pump": { + "version": "3.0.3", + "resolved": 
"https://registry.npmjs.org/pump/-/pump-3.0.3.tgz", + "integrity": "sha512-todwxLMY7/heScKmntwQG8CXVkWUOdYxIvY2s0VWAAMh/nd8SoYiRaKjlr7+iCs984f2P8zvrfWcDDYVb73NfA==", + "license": "MIT", + "dependencies": { + "end-of-stream": "^1.1.0", + "once": "^1.3.1" + } + }, + "node_modules/readable-stream": { + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.6.2.tgz", + "integrity": "sha512-9u/sniCrY3D5WdsERHzHE4G2YCXqoG5FTHUiCC4SIbr6XcLZBY05ya9EKjYek9O5xOAwjGq+1JdGBAS7Q9ScoA==", + "license": "MIT", + "dependencies": { + "inherits": "^2.0.3", + "string_decoder": "^1.1.1", + "util-deprecate": "^1.0.1" + }, + "engines": { + "node": ">= 6" + } + }, + "node_modules/safe-buffer": { + "version": "5.2.1", + "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz", + "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ], + "license": "MIT" + }, + "node_modules/string_decoder": { + "version": "1.3.0", + "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.3.0.tgz", + "integrity": "sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==", + "license": "MIT", + "dependencies": { + "safe-buffer": "~5.2.0" + } + }, + "node_modules/tar-fs": { + "version": "2.1.3", + "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.3.tgz", + "integrity": "sha512-090nwYJDmlhwFwEW3QQl+vaNnxsO2yVsd45eTKRBzSzu+hlb1w2K9inVq5b0ngXuLVqQ4ApvsUHHnu/zQNkWAg==", + "license": "MIT", + "dependencies": { + "chownr": "^1.1.1", + "mkdirp-classic": "^0.5.2", + "pump": "^3.0.0", + "tar-stream": "^2.1.4" + } + }, + "node_modules/tar-stream": { + "version": "2.2.0", + "resolved": 
"https://registry.npmjs.org/tar-stream/-/tar-stream-2.2.0.tgz", + "integrity": "sha512-ujeqbceABgwMZxEJnk2HDY2DlnUZ+9oEcb1KzTVfYHio0UE6dG71n60d8D2I4qNvleWrrXpmjpt7vZeF1LnMZQ==", + "license": "MIT", + "dependencies": { + "bl": "^4.0.3", + "end-of-stream": "^1.4.1", + "fs-constants": "^1.0.0", + "inherits": "^2.0.3", + "readable-stream": "^3.1.1" + }, + "engines": { + "node": ">=6" + } + }, + "node_modules/util-deprecate": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz", + "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==", + "license": "MIT" + }, + "node_modules/wrappy": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", + "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==", + "license": "ISC" + } + } +} diff --git a/example/package.json b/example/package.json new file mode 100644 index 0000000..53c3e5f --- /dev/null +++ b/example/package.json @@ -0,0 +1,8 @@ +{ + "name": "example-with-known-vulnerabilities", + "version": "1.4.17", + "private": true, + "dependencies": { + "tar-fs": "2.1.3" + } +} From a58615ce9c992937f222306bc316c796db5ff52b Mon Sep 17 00:00:00 2001 From: Moritz Heidkamp Date: Thu, 9 Oct 2025 16:38:52 +0200 Subject: [PATCH 7/9] Regex-quote path separator for prudence In practice, only ":" and ";" are used but quoting is prudent to not give readers pause. --- src/nvd/task/check.clj | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/nvd/task/check.clj b/src/nvd/task/check.clj index d781f43..ea81fda 100644 --- a/src/nvd/task/check.clj +++ b/src/nvd/task/check.clj @@ -30,6 +30,7 @@ [trptcolin.versioneer.core :refer [get-version]]) (:import (java.io File) + (java.util.regex Pattern) (org.owasp.dependencycheck Engine) (org.owasp.dependencycheck.exception ExceptionCollection))) 
@@ -38,7 +39,7 @@ :dependency-check (.getImplementationVersion (.getPackage Engine))})) (def classpath-separator-re - (re-pattern (str File/pathSeparatorChar))) + (re-pattern (Pattern/quote File/pathSeparator))) (defn absolute-path ^String [file] (s/replace-first file #"^~(?=$|/)" (System/getProperty "user.home"))) From af8decdcae648002dcc1e318d2e4fac36c1b8e88 Mon Sep 17 00:00:00 2001 From: rm-hull Date: Tue, 20 Jan 2026 07:50:01 +0000 Subject: [PATCH 8/9] Update stale dependencies --- deps.edn | 10 +++++----- project.clj | 10 +++++----- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/deps.edn b/deps.edn index c7f7c7d..5b991d6 100644 --- a/deps.edn +++ b/deps.edn @@ -2,14 +2,14 @@ :deps { ;; dependency-check-core transitively brings in two versions of ;; this dependency, so we explicitly depend on the latest - com.google.errorprone/error_prone_annotations {:mvn/version "2.42.0"} + com.google.errorprone/error_prone_annotations {:mvn/version "2.46.0"} clansi/clansi {:mvn/version "1.0.0"} - org.clojure/clojure {:mvn/version "1.12.3"} - org.clojure/data.json {:mvn/version "2.5.1"} - org.clojure/java.classpath {:mvn/version "1.1.0"} + org.clojure/clojure {:mvn/version "1.12.4"} + org.clojure/data.json {:mvn/version "2.5.2"} + org.clojure/java.classpath {:mvn/version "1.1.1"} org.slf4j/slf4j-simple {:mvn/version "2.0.17"} - org.owasp/dependency-check-core {:mvn/version "12.1.6"} + org.owasp/dependency-check-core {:mvn/version "12.2.0"} rm-hull/table {:mvn/version "0.7.1"} diff --git a/project.clj b/project.clj index d900313..741569c 100644 --- a/project.clj +++ b/project.clj 
@@ -7,13 +7,13 @@ ;; dependency-check-core transitively brings in two versions of ;; these dependencies, so we explicitly depend on the latest - [com.google.errorprone/error_prone_annotations "2.42.0"] + [com.google.errorprone/error_prone_annotations "2.46.0"] [commons-logging/commons-logging "1.3.5"] [org.clojure/clojure "1.12.3"] - [org.clojure/data.json "2.5.1"] + [org.clojure/data.json "2.5.2"] [org.slf4j/slf4j-simple "2.0.17"] - [org.owasp/dependency-check-core "12.1.6" :exclusions [commons-logging]] + [org.owasp/dependency-check-core "12.2.0" :exclusions [commons-logging]] [rm-hull/table "0.7.1"] @@ -36,10 +36,10 @@ [lein-codox "0.10.7"]] :eastwood {:add-linters [:boxed-math :performance]} - :dependencies [[clj-kondo "2025.09.22"] + :dependencies [[clj-kondo "2026.01.19"] [commons-collections "20040616"]]} :ci {:pedantic? :abort} - :clj-kondo {:dependencies [[clj-kondo "2025.09.22"]]} + :clj-kondo {:dependencies [[clj-kondo "2026.01.19"]]} :skip-self-check {:jvm-opts ["-Dnvd-clojure.internal.skip-self-check=true"]}} :deploy-repositories [["clojars" {:url "https://clojars.org/repo" :username :env/clojars_username From f27b5b37482fe53e22615a3bc2ced5c44854fcea Mon Sep 17 00:00:00 2001 From: Toby Crawley Date: Tue, 20 Jan 2026 13:59:19 -0500 Subject: [PATCH 9/9] Prep for 5.3.0 release --- CHANGELOG.md | 5 +++++ Makefile | 2 +- README.md | 12 ++++++------ project.clj | 2 +- resources/nvd_clojure/default_config_content.edn | 2 +- 5 files changed, 14 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e239e5b..8bd4975 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,8 @@ +# Changes from 5.2.0 to 5.3.0 + +* Update `dependency-check-core` from 12.1.6 to [12.2.0](https://github.com/dependency-check/DependencyCheck/blob/main/CHANGELOG.md#version-1220-2026-01-09). +* [Support for scanning all artifacts on the classpath, not just jars](https://github.com/rm-hull/nvd-clojure/pull/195). This allows the [Node Audit Analyzer](https://dependency-check.github.io/DependencyCheck/analyzers/node-audit-analyzer.html) to be used to analyze `package-lock.json` files. + # Changes from 5.1.0 to 5.2.0 * Update `dependency-check-core` from 12.1.3 to [12.1.6](https://github.com/dependency-check/DependencyCheck/blob/main/CHANGELOG.md#version-1216-2025-09-24). diff --git a/Makefile b/Makefile index a468da8..34b669a 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ # Example usage: # copy a one-off Clojars token to your clipboard -# GIT_TAG=v5.2.0 CLOJARS_USERNAME=$USER CLOJARS_PASSWORD=$(pbpaste) make deploy +# GIT_TAG=v5.3.0 CLOJARS_USERNAME=$USER CLOJARS_PASSWORD=$(pbpaste) make deploy deploy: check-env lein clean diff --git a/README.md b/README.md index c13b732..37e4829 100644 --- a/README.md +++ b/README.md @@ -18,18 +18,18 @@ will be checked for known security vulnerabilities. `nvd-clojure` passes them to ### Installation and basic usage -> _Please see also:_ [Avoiding classpath interference](https://github.com/rm-hull/nvd-clojure/blob/v5.2.0/FAQ.md#what-is-classpath-interference) +> _Please see also:_ [Avoiding classpath interference](https://github.com/rm-hull/nvd-clojure/blob/v5.3.0/FAQ.md#what-is-classpath-interference) #### Leiningen
-Please create a separate project consisting of `[nvd-clojure/nvd-clojure "5.2.0"]`. Said project can be located inside the targeted repo's Git repository. +Please create a separate project consisting of `[nvd-clojure/nvd-clojure "5.3.0"]`. Said project can be located inside the targeted repo's Git repository. ```clj (defproject nvd-helper "local" :description "nvd-clojure helper project" - :dependencies [[nvd-clojure "5.2.0"] + :dependencies [[nvd-clojure "5.3.0"] [org.clojure/clojure "1.12.3"]] :jvm-opts ["-Dclojure.main.report=stderr"]) ``` @@ -54,7 +54,7 @@ If you are using a multi-modules solution (e.g. `lein-monolith`), you should ens
-Please create a separate project consisting exclusively of `nvd-clojure/nvd-clojure {:mvn/version "5.2.0"}`. Said project can be located inside the targeted repo's Git repository. +Please create a separate project consisting exclusively of `nvd-clojure/nvd-clojure {:mvn/version "5.3.0"}`. Said project can be located inside the targeted repo's Git repository. Please do not add nvd-clojure as a dependency in the deps.edn of the project to be analysed. @@ -155,7 +155,7 @@ dependency relationships are: dependencies, and suggest upgraded versions, and can optionally be configured to update the project file. -(Note that that is only one of the multiple ways of remediating a given vulnerability, please see [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v5.2.0/FAQ.md#how-to-remediate-a-cve-is-it-a-good-idea-to-automate-remediation)) +(Note that that is only one of the multiple ways of remediating a given vulnerability, please see [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v5.3.0/FAQ.md#how-to-remediate-a-cve-is-it-a-good-idea-to-automate-remediation)) ## Configuration @@ -214,7 +214,7 @@ You can also set logging properties directly through Java system properties (the clojure -J-Dclojure.main.report=stderr -J-Dorg.slf4j.simpleLogger.log.org.apache.commons=error -Tnvd nvd.task/check # ... ``` -## [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v5.2.0/FAQ.md) +## [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v5.3.0/FAQ.md) ## Attribution diff --git a/project.clj b/project.clj index 741569c..45461e2 100644 --- a/project.clj +++ b/project.clj @@ -1,4 +1,4 @@ -(defproject nvd-clojure "5.2.0" +(defproject nvd-clojure "5.3.0" :description "National Vulnerability Database dependency checker" :url "https://github.com/rm-hull/nvd-clojure" :license {:name "The MIT License (MIT)" diff --git a/resources/nvd_clojure/default_config_content.edn b/resources/nvd_clojure/default_config_content.edn index f472c98..1000e28 100644 
--- a/resources/nvd_clojure/default_config_content.edn +++ b/resources/nvd_clojure/default_config_content.edn @@ -6,7 +6,7 @@ ;; Feel free to tweak it, version-control it and remove any comment. -;; Configuration reference: https://github.com/rm-hull/nvd-clojure/tree/v5.2.0#configuration-options +;; Configuration reference: https://github.com/rm-hull/nvd-clojure/tree/v5.3.0#configuration-options {;; You can use the `:suppression-file` in order to silence false positives. ;; This file will be automatically created, with whatever filename is specified here, if it didn't exist already.