Prep for 5.3.0 release

.github/integration_test.sh

@@ -16,13 +16,14 @@ CONFIG_FILE_USING_DEFAULT_FILENAME="$PROJECT_DIR/nvd-clojure.edn"
 DOGFOODING_CONFIG_FILE="$PROJECT_DIR/.github/nvd-dogfooding-config.edn"
 TOOLS_CONFIG_FILE="$PROJECT_DIR/.github/nvd-tool-config.edn"
 DATAFEED_CONFIG_FILE="$PROJECT_DIR/.github/nvd-datafeed-config.edn"
+NODE_AUDIT_CONFIG_FILE="$PROJECT_DIR/.github/nvd-node-audit-config.edn"
 
 JSON_CONFIG_FILE="$PROJECT_DIR/.github/nvd-config.json"
 JSON_DOGFOODING_CONFIG_FILE="$PROJECT_DIR/.github/nvd-dogfooding-config.json"
 JSON_TOOLS_CONFIG_FILE="$PROJECT_DIR/.github/nvd-tool-config.json"
 
 A_CUSTOM_CHANGE=":a-custom-change"
-SUCCESS_REGEX="[1-9][0-9] vulnerabilities detected\. Severity: "
+SUCCESS_REGEX="[1-9][0-9]* vulnerabilities detected\. Severity: "
 
 if ! lein with-profile -user,-dev,+ci install; then
   exit 1
@@ -123,6 +124,22 @@ if ! grep --silent "$SUCCESS_REGEX" test-output; then
   exit 1
 fi
 
+# 1.5 - Exercise `main` program (non-default analyzer)
+
+step_name=">>> [Step 1.5 lein & non-default analyzer]"
+
+echo "$step_name starting..."
+
+if lein with-profile -user,-dev,+ci run -m nvd.task.check "$NODE_AUDIT_CONFIG_FILE" example/package-lock.json > test-output; then
+  echo "$step_name Should have failed with non-zero code!"
+  exit 1
+fi
+
+if ! grep --silent "$SUCCESS_REGEX" test-output; then
+  echo "$step_name Should have found vulnerabilities!"
+  exit 1
+fi
+
 # cd to the root dir, so that one runs `defproject nvd-clojure` which is the most clean and realistic way to run `main`:
 cd "$PROJECT_DIR" || exit 1
 

.github/nvd-node-audit-config.edn

@@ -0,0 +1,3 @@
+{:suppression-file ".github/example_nvd_suppressions.xml"
+ :analyzer {:ossindex-warn-only-on-remote-errors true
+            :node-audit-enabled true}}

CHANGELOG.md

@@ -1,3 +1,8 @@
+# Changes from 5.2.0 to 5.3.0
+
+* Update `dependency-check-core` from 12.1.6 to [12.2.0](https://github.com/dependency-check/DependencyCheck/blob/main/CHANGELOG.md#version-1220-2026-01-09).
+* [Support for scanning all artifacts on the classpath, not just jars](https://github.com/rm-hull/nvd-clojure/pull/195). This allows the [Node Audit Analyzer](https://dependency-check.github.io/DependencyCheck/analyzers/node-audit-analyzer.html) to be used to analyze `package-lock.json` files.
+
 # Changes from 5.1.0 to 5.2.0
 
 * Update `dependency-check-core` from 12.1.3 to [12.1.6](https://github.com/dependency-check/DependencyCheck/blob/main/CHANGELOG.md#version-1216-2025-09-24).

Makefile

@@ -2,7 +2,7 @@
 
 # Example usage:
 # copy a one-off Clojars token to your clipboard
-# GIT_TAG=v5.2.0 CLOJARS_USERNAME=$USER CLOJARS_PASSWORD=$(pbpaste) make deploy
+# GIT_TAG=v5.3.0 CLOJARS_USERNAME=$USER CLOJARS_PASSWORD=$(pbpaste) make deploy
 
 deploy: check-env
 	lein clean

README.md

@@ -18,18 +18,18 @@ will be checked for known security vulnerabilities. `nvd-clojure` passes them to
 
 ### Installation and basic usage
 
-> _Please see also:_ [Avoiding classpath interference](https://github.com/rm-hull/nvd-clojure/blob/v5.2.0/FAQ.md#what-is-classpath-interference)
+> _Please see also:_ [Avoiding classpath interference](https://github.com/rm-hull/nvd-clojure/blob/v5.3.0/FAQ.md#what-is-classpath-interference)
 
 #### Leiningen
 
 <details>
 
-Please create a separate project consisting of `[nvd-clojure/nvd-clojure "5.2.0"]`. Said project can be located inside the targeted repo's Git repository.
+Please create a separate project consisting of `[nvd-clojure/nvd-clojure "5.3.0"]`. Said project can be located inside the targeted repo's Git repository.
 
 ```clj
 (defproject nvd-helper "local"
   :description "nvd-clojure helper project"
-  :dependencies [[nvd-clojure "5.2.0"]
+  :dependencies [[nvd-clojure "5.3.0"]
                  [org.clojure/clojure "1.12.3"]]
   :jvm-opts ["-Dclojure.main.report=stderr"])
 ```
@@ -54,7 +54,7 @@ If you are using a multi-modules solution (e.g. `lein-monolith`), you should ens
 
 <details>
 
-Please create a separate project consisting exclusively of `nvd-clojure/nvd-clojure {:mvn/version "5.2.0"}`. Said project can be located inside the targeted repo's Git repository.
+Please create a separate project consisting exclusively of `nvd-clojure/nvd-clojure {:mvn/version "5.3.0"}`. Said project can be located inside the targeted repo's Git repository.
 
 Please do not add nvd-clojure as a dependency in the deps.edn of the project to be analysed.
 
@@ -155,7 +155,7 @@ dependency relationships are:
 dependencies, and suggest upgraded versions, and can optionally be configured
 to update the project file.
 
-(Note that that is only one of the multiple ways of remediating a given vulnerability, please see [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v5.2.0/FAQ.md#how-to-remediate-a-cve-is-it-a-good-idea-to-automate-remediation))
+(Note that that is only one of the multiple ways of remediating a given vulnerability, please see [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v5.3.0/FAQ.md#how-to-remediate-a-cve-is-it-a-good-idea-to-automate-remediation))
 
 ## Configuration
 
@@ -214,7 +214,7 @@ You can also set logging properties directly through Java system properties (the
 clojure -J-Dclojure.main.report=stderr -J-Dorg.slf4j.simpleLogger.log.org.apache.commons=error -Tnvd nvd.task/check # ...
 ```
 
-## [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v5.2.0/FAQ.md)
+## [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v5.3.0/FAQ.md)
 
 ## Attribution
 

deps.edn

@@ -2,14 +2,14 @@
  :deps {
         ;; dependency-check-core transitively brings in two versions of
         ;; this dependency, so we explicitly depend on the latest
-        com.google.errorprone/error_prone_annotations {:mvn/version "2.42.0"}
+        com.google.errorprone/error_prone_annotations {:mvn/version "2.46.0"}
         clansi/clansi {:mvn/version "1.0.0"}
 
-        org.clojure/clojure {:mvn/version "1.12.3"}
-        org.clojure/data.json {:mvn/version "2.5.1"}
-        org.clojure/java.classpath {:mvn/version "1.1.0"}
+        org.clojure/clojure {:mvn/version "1.12.4"}
+        org.clojure/data.json {:mvn/version "2.5.2"}
+        org.clojure/java.classpath {:mvn/version "1.1.1"}
         org.slf4j/slf4j-simple {:mvn/version "2.0.17"}
-        org.owasp/dependency-check-core {:mvn/version "12.1.6"}
+        org.owasp/dependency-check-core {:mvn/version "12.2.0"}
 
         rm-hull/table {:mvn/version "0.7.1"}
 

example/package.json

@@ -0,0 +1,8 @@
+{
+  "name": "example-with-known-vulnerabilities",
+  "version": "1.4.17",
+  "private": true,
+  "dependencies": {
+    "tar-fs": "2.1.3"
+  }
+}