diff --git a/.github/integration_test.sh b/.github/integration_test.sh index a658552..e86b3e2 100755 --- a/.github/integration_test.sh +++ b/.github/integration_test.sh 
@@ -32,197 +32,204 @@ if ! clojure -Ttools install nvd-clojure/nvd-clojure '{:mvn/version "RELEASE"}' exit 1 fi -# 1.- Exercise `main` program (EDN) +# 1.- Exercise check via lein cd "$PROJECT_DIR/example" || exit 1 -example_classpath="$(lein with-profile -user,-dev,-test classpath)" +lein_example_classpath="$(lein with-profile -user,-dev,-test classpath)" # cd to the root dir, so that one runs `defproject nvd-clojure` which is the most clean and realistic way to run `main`: cd "$PROJECT_DIR" || exit 1 -if lein with-profile -user,-dev,+ci run -m nvd.task.check "$CONFIG_FILE" "$example_classpath" > example-lein-output; then - echo "Should have failed with non-zero code!" +# 1.1 - lein w/EDN config +step_name=">>> [Step 1.1 - lein & EDN]" + +echo "$step_name starting..." + +if lein with-profile -user,-dev,+ci run -m nvd.task.check "$CONFIG_FILE" "$lein_example_classpath" > test-output; then + echo "$step_name Should have failed with non-zero code!" exit 1 fi -if ! grep --silent "$SUCCESS_REGEX" example-lein-output; then - echo "Should have found vulnerabilities! (Step 1 - EDN)" +if ! grep --silent "$SUCCESS_REGEX" test-output; then + echo "$step_name Should have found vulnerabilities!" exit 1 fi -if grep --silent "$A_CUSTOM_CHANGE" example-lein-output; then - echo "$CONFIG_FILE and $CONFIG_FILE_USING_DEFAULT_FILENAME should have different contents!" +if grep --silent "$A_CUSTOM_CHANGE" test-output; then + echo "$step_name $CONFIG_FILE and $CONFIG_FILE_USING_DEFAULT_FILENAME should have different contents!" exit 1 fi if grep --silent "$A_CUSTOM_CHANGE" "$CONFIG_FILE"; then - echo "$CONFIG_FILE and $CONFIG_FILE_USING_DEFAULT_FILENAME should have different contents!" + echo "$step_name $CONFIG_FILE and $CONFIG_FILE_USING_DEFAULT_FILENAME should have different contents!" 
exit 1 fi -# 1.- Exercise `main` program (EDN; implicitly using the default filename by specifying the empty string) +# 1.2 - Exercise `main` program (EDN; implicitly using the default filename by specifying the empty string) -cd "$PROJECT_DIR/example" || exit 1 +step_name=">>> [Step 1.2 lein & EDN - default filename]" -example_classpath="$(lein with-profile -user,-dev,-test classpath)" +echo "$step_name starting..." -# cd to the root dir, so that one runs `defproject nvd-clojure` which is the most clean and realistic way to run `main`: -cd "$PROJECT_DIR" || exit 1 - -if lein with-profile -user,-dev,+ci run -m nvd.task.check "" "$example_classpath" > example-lein-output 2>&1; then - echo "Should have failed with non-zero code!" +if lein with-profile -user,-dev,+ci run -m nvd.task.check "" "$lein_example_classpath" > test-output 2>&1; then + echo "$step_name Should have failed with non-zero code!" exit 1 fi -if ! grep --silent "$SUCCESS_REGEX" example-lein-output; then - echo "Should have found vulnerabilities! (Step 1 - EDN - default filename)" +if ! grep --silent "$SUCCESS_REGEX" test-output; then + echo "$step_name Should have found vulnerabilities!" exit 1 fi -if ! grep --silent "$A_CUSTOM_CHANGE" example-lein-output; then - echo "Passing an empty string as the config name should result in the config having the default filename being used!" +if ! grep --silent "$A_CUSTOM_CHANGE" test-output; then + echo "$step_name Passing an empty string as the config name should result in the config having the default filename being used!" exit 1 fi if ! grep --silent "$A_CUSTOM_CHANGE" "$CONFIG_FILE_USING_DEFAULT_FILENAME"; then - echo "Passing an empty string as the config name should not result in the config file being overriden!" + echo "$step_name Passing an empty string as the config name should not result in the config file being overriden!" 
exit 1 fi -# 1.- Exercise `main` program (EDN) with a datafeed - -cd "$PROJECT_DIR/example" || exit 1 - -example_classpath="$(lein with-profile -user,-dev,-test classpath)" +# 1.3 - Exercise `main` program (EDN) with a datafeed +step_name=">>> [Step 1.3 lein & EDN - w/datafeed]" -# cd to the root dir, so that one runs `defproject nvd-clojure` which is the most clean and realistic way to run `main`: -cd "$PROJECT_DIR" || exit 1 +echo "$step_name starting..." -if lein with-profile -user,-dev,+ci run -m nvd.task.check "$DATAFEED_CONFIG_FILE" "$example_classpath" > example-lein-output; then - echo "Should have failed with non-zero code!" +if lein with-profile -user,-dev,+ci run -m nvd.task.check "$DATAFEED_CONFIG_FILE" "$lein_example_classpath" > test-output; then + echo "$step_name Should have failed with non-zero code!" exit 1 fi -if ! grep --silent "$SUCCESS_REGEX" example-lein-output; then - echo "Should have found vulnerabilities! (Step 1 - EDN)" +if ! grep --silent "$SUCCESS_REGEX" test-output; then + echo "$step_name Should have found vulnerabilities!" exit 1 fi -# 1.- Exercise `main` program (JSON) +# 1.4 - Exercise `main` program (JSON) -cd "$PROJECT_DIR/example" || exit 1 +step_name=">>> [Step 1.4 lein & JSON]" -example_classpath="$(lein with-profile -user,-dev,-test classpath)" +echo "$step_name starting..." -# cd to the root dir, so that one runs `defproject nvd-clojure` which is the most clean and realistic way to run `main`: -cd "$PROJECT_DIR" || exit 1 - -if lein with-profile -user,-dev,+ci run -m nvd.task.check "$JSON_CONFIG_FILE" "$example_classpath" > example-lein-output; then - echo "Should have failed with non-zero code!" +if lein with-profile -user,-dev,+ci run -m nvd.task.check "$JSON_CONFIG_FILE" "$lein_example_classpath" > test-output; then + echo "$step_name Should have failed with non-zero code!" exit 1 fi -if ! grep --silent "$SUCCESS_REGEX" example-lein-output; then - echo "Should have found vulnerabilities! (Step 1 - JSON)" +if ! 
grep --silent "$SUCCESS_REGEX" test-output; then + echo "$step_name Should have found vulnerabilities!" exit 1 fi -# 2.- Exercise `tools.deps` integration (EDN) +# cd to the root dir, so that one runs `defproject nvd-clojure` which is the most clean and realistic way to run `main`: +cd "$PROJECT_DIR" || exit 1 + +# 2.- Exercise `tools.deps` integration cd "$PROJECT_DIR/example" || exit 1 -example_classpath="$(clojure -Spath)" +clojure_example_classpath="$(clojure -Spath)" # cd to the root dir, so that one runs `defproject nvd-clojure` which is the most clean and realistic way to run `main`: cd "$PROJECT_DIR" || exit 1 -if clojure -J-Dclojure.main.report=stderr -M -m nvd.task.check "$CONFIG_FILE" "$example_classpath" > example-lein-output; then - echo "Should have failed with non-zero code!" +# 2.1 Exercise `tools.deps` integration (EDN) +step_name=">>> [Step 2.1 deps & EDN]" + +echo "$step_name starting..." + +if clojure -J-Dclojure.main.report=stderr -M -m nvd.task.check "$CONFIG_FILE" "$clojure_example_classpath" > test-output; then + echo "$step_name Should have failed with non-zero code!" exit 1 fi -if ! grep --silent "$SUCCESS_REGEX" example-lein-output; then - echo "Should have found vulnerabilities! (Step 2 - EDN)" +if ! grep --silent "$SUCCESS_REGEX" test-output; then + echo "$step_name Should have found vulnerabilities!" exit 1 fi -# 2.- Exercise `tools.deps` integration (JSON) +# 2.2 - Exercise `tools.deps` integration (JSON) +step_name=">>> [Step 2.2 deps & JSON]" -cd "$PROJECT_DIR/example" || exit 1 +echo "$step_name starting..." -example_classpath="$(clojure -Spath)" - -# cd to the root dir, so that one runs `defproject nvd-clojure` which is the most clean and realistic way to run `main`: -cd "$PROJECT_DIR" || exit 1 - -if clojure -J-Dclojure.main.report=stderr -M -m nvd.task.check "$JSON_CONFIG_FILE" "$example_classpath" > example-lein-output; then - echo "Should have failed with non-zero code!" 
+if clojure -J-Dclojure.main.report=stderr -M -m nvd.task.check "$JSON_CONFIG_FILE" "$clojure_example_classpath" > test-output; then + echo "$step_name Should have failed with non-zero code!" exit 1 fi -if ! grep --silent "$SUCCESS_REGEX" example-lein-output; then - echo "Should have found vulnerabilities! (Step 2 - JSON)" +if ! grep --silent "$SUCCESS_REGEX" test-output; then + echo "$step_name Should have found vulnerabilities!" exit 1 fi -# 3.- Exercise Clojure CLI Tools integration (EDN) +# 3. - Exercise Clojure CLI Tools integration cd "$PROJECT_DIR/example" || exit 1 -example_classpath="$(clojure -Spath)" +clojure_example_classpath="$(clojure -Spath)" # cd to $HOME, to demonstrate that the Tool does not depend on a deps.edn file: cd || exit 1 -if clojure -J-Dclojure.main.report=stderr -Tnvd nvd.task/check :classpath \""$example_classpath\"" :config-filename \""$TOOLS_CONFIG_FILE\"" > example-lein-output; then - echo "Should have failed with non-zero code!" +# 3.1 - Exercise Clojure CLI Tools integration (EDN) +step_name=">>> [Step 3.1 clojure tool & EDN]" + +echo "$step_name starting..." + +if clojure -J-Dclojure.main.report=stderr -Tnvd nvd.task/check :classpath \""$clojure_example_classpath\"" :config-filename \""$TOOLS_CONFIG_FILE\"" > test-output; then + echo "$step_name Should have failed with non-zero code!" exit 1 fi -if ! grep --silent "$SUCCESS_REGEX" example-lein-output; then - echo "Should have found vulnerabilities! (Step 3 - EDN)" +if ! grep --silent "$SUCCESS_REGEX" test-output; then + echo "$step_name Should have found vulnerabilities!" exit 1 fi -# 3.- Exercise Clojure CLI Tools integration (JSON) +# 3.2 - Exercise Clojure CLI Tools integration (JSON) -cd "$PROJECT_DIR/example" || exit 1 - -example_classpath="$(clojure -Spath)" +step_name=">>> [Step 3.2 clojure tool & JSON]" -# cd to $HOME, to demonstrate that the Tool does not depend on a deps.edn file: -cd || exit 1 +echo "$step_name starting..." 
-if clojure -J-Dclojure.main.report=stderr -Tnvd nvd.task/check :classpath \""$example_classpath\"" :config-filename \""$JSON_TOOLS_CONFIG_FILE\"" > example-lein-output; then - echo "Should have failed with non-zero code!" +if clojure -J-Dclojure.main.report=stderr -Tnvd nvd.task/check :classpath \""$clojure_example_classpath\"" :config-filename \""$JSON_TOOLS_CONFIG_FILE\"" > test-output; then + echo "$step_name Should have failed with non-zero code!" exit 1 fi -if ! grep --silent "$SUCCESS_REGEX" example-lein-output; then - echo "Should have found vulnerabilities! (Step 3 - JSON)" +if ! grep --silent "$SUCCESS_REGEX" test-output; then + echo "$step_name Should have found vulnerabilities!" exit 1 fi -# 4.- Dogfood the `nvd-clojure` project (EDN) +# 4.- Dogfood the `nvd-clojure` project cd "$PROJECT_DIR" || exit 1 own_classpath="$(lein with-profile -user,-dev,-test classpath)" +# 4.1 - Dogfood the `nvd-clojure` project (EDN) +# +step_name=">>> [Step 4.1 lein dogfooding & EDN]" + +echo "$step_name starting..." + if ! lein with-profile -user,-dev,+ci,+skip-self-check run -m nvd.task.check "$DOGFOODING_CONFIG_FILE" "$own_classpath"; then - echo "nvd-clojure did not pass dogfooding! (EDN)" + echo "$step_name nvd-clojure did not pass dogfooding! (EDN)" exit 1 fi -# 4.- Dogfood the `nvd-clojure` project (JSON) +# 4.2. - Dogfood the `nvd-clojure` project (JSON) -cd "$PROJECT_DIR" || exit 1 +step_name=">>> [Step 4.2 lein dogfooding & JSON]" -own_classpath="$(lein with-profile -user,-dev,-test classpath)" +echo "$step_name starting..." if ! lein with-profile -user,-dev,+ci,+skip-self-check run -m nvd.task.check "$JSON_DOGFOODING_CONFIG_FILE" "$own_classpath"; then - echo "nvd-clojure did not pass dogfooding! (JSON)" + echo "$step_name nvd-clojure did not pass dogfooding! (JSON)" exit 1 fi diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 66fce6b..a952d57 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
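Review bot: Only step 1.2 captures stderr (`> test-output 2>&1`); steps 1.1, 1.3, 1.4, 2.x and 3.x redirect stdout alone, so if a run writes its vulnerability summary or its real failure reason to stderr, the `grep --silent "$SUCCESS_REGEX" test-output` check sees an empty file and the script exits with the misleading "Should have found vulnerabilities!". Either add `2>&1` to every `> test-output` redirection or add a comment stating why 1.2 is the one exception. Separately, the two lines added after step 1.4 (`# cd to the root dir ...` and `cd "$PROJECT_DIR" || exit 1`) are immediately undone by the `cd "$PROJECT_DIR/example"` that opens section 2, so they read as a leftover of the deleted per-step cd blocks and can be dropped. The step labels also differ in form (`[Step 1.1 - lein & EDN]` vs `[Step 1.2 lein & EDN - default filename]`); one pattern would make CI logs easier to grep.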
@@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - java-version: ["11", "17", "21", "24"] + java-version: ["11", "17", "21", "25"] steps: - uses: actions/setup-java@v1 with: @@ -46,7 +46,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - java-version: ["11", "17", "21", "24"] + java-version: ["11", "17", "21", "25"] steps: - uses: actions/setup-java@v1 with: diff --git a/.gitignore b/.gitignore index cb9a291..46a87ae 100644 --- a/.gitignore +++ b/.gitignore @@ -12,8 +12,8 @@ .portal/vs-code.edn /checkouts/ /classes/ -/example-lein-output -/example/example-lein-output +/test-output +/example/test-output /example/target/ /lib/ /plugin/target/ diff --git a/CHANGELOG.md b/CHANGELOG.md index a1a0730..e239e5b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,8 @@ +# Changes from 5.1.0 to 5.2.0 + +* Update `dependency-check-core` from 12.1.3 to [12.1.6](https://github.com/dependency-check/DependencyCheck/blob/main/CHANGELOG.md#version-1216-2025-09-24). +* Support [setting user & password for OSS Index analyzer](https://github.com/rm-hull/nvd-clojure/tree/v5.2.0#configuration-options), as OSS Index [now requires authentication](https://ossindex.sonatype.org/doc/auth-required) + # Changes from 5.0.0 to 5.1.0 * Update `dependency-check-core` from 12.1.0 to [12.1.3](https://github.com/dependency-check/DependencyCheck/blob/main/CHANGELOG.md#version-1213-2025-06-10). diff --git a/Makefile b/Makefile index c67e0dc..a468da8 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ # Example usage: # copy a one-off Clojars token to your clipboard -# GIT_TAG=v5.1.0 CLOJARS_USERNAME=$USER CLOJARS_PASSWORD=$(pbpaste) make deploy +# GIT_TAG=v5.2.0 CLOJARS_USERNAME=$USER CLOJARS_PASSWORD=$(pbpaste) make deploy deploy: check-env lein clean diff --git a/README.md b/README.md index a4c9d1a..c13b732 100644 --- a/README.md +++ b/README.md 
@@ -18,19 +18,19 @@ will be checked for known security vulnerabilities. `nvd-clojure` passes them to ### Installation and basic usage -> _Please see also:_ [Avoiding classpath interference](https://github.com/rm-hull/nvd-clojure/blob/v5.1.0/FAQ.md#what-is-classpath-interference) +> _Please see also:_ [Avoiding classpath interference](https://github.com/rm-hull/nvd-clojure/blob/v5.2.0/FAQ.md#what-is-classpath-interference) #### Leiningen
-Please create a separate project consisting of `[nvd-clojure/nvd-clojure "5.1.0"]`. Said project can be located inside the targeted repo's Git repository. +Please create a separate project consisting of `[nvd-clojure/nvd-clojure "5.2.0"]`. Said project can be located inside the targeted repo's Git repository. ```clj (defproject nvd-helper "local" :description "nvd-clojure helper project" - :dependencies [[nvd-clojure "5.1.0"] - [org.clojure/clojure "1.12.0"]] + :dependencies [[nvd-clojure "5.2.0"] + [org.clojure/clojure "1.12.3"]] :jvm-opts ["-Dclojure.main.report=stderr"]) ``` @@ -54,7 +54,7 @@ If you are using a multi-modules solution (e.g. `lein-monolith`), you should ens
-Please create a separate project consisting exclusively of `nvd-clojure/nvd-clojure {:mvn/version "5.1.0"}`. Said project can be located inside the targeted repo's Git repository. +Please create a separate project consisting exclusively of `nvd-clojure/nvd-clojure {:mvn/version "5.2.0"}`. Said project can be located inside the targeted repo's Git repository. Please do not add nvd-clojure as a dependency in the deps.edn of the project to be analysed. @@ -155,7 +155,7 @@ dependency relationships are: dependencies, and suggest upgraded versions, and can optionally be configured to update the project file. -(Note that that is only one of the multiple ways of remediating a given vulnerability, please see [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v5.1.0/FAQ.md#how-to-remediate-a-cve-is-it-a-good-idea-to-automate-remediation)) +(Note that that is only one of the multiple ways of remediating a given vulnerability, please see [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v5.2.0/FAQ.md#how-to-remediate-a-cve-is-it-a-good-idea-to-automate-remediation)) ## Configuration @@ -199,6 +199,8 @@ There are some specific settings below which are worthy of a few comments: * `:output-dir` default value `target/nvd/`: the directory to save reports into * `:throw-if-check-unsuccessful` - makes the program exit by throwing an exception instead of by invoking `System/exit`. - This can ease certain usages. +* `:ossindex-user` & `:ossindex-password` (within the `:analyzer` map): These are **MANDATORY** if you want to use the OSS Index analyzer. Without + them set, the OSS Index analyzer will be disabled (see https://ossindex.sonatype.org/doc/auth-required) Note that you can alternatively set the `ANALYZER_OSSINDEX_USER` and `ANALYZER_OSSINDEX_PASSWORD` environment variables. ## Logging 
@@ -212,7 +214,7 @@ You can also set logging properties directly through Java system properties (the clojure -J-Dclojure.main.report=stderr -J-Dorg.slf4j.simpleLogger.log.org.apache.commons=error -Tnvd nvd.task/check # ... ``` -## [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v5.1.0/FAQ.md) +## [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v5.2.0/FAQ.md) ## Attribution diff --git a/deps.edn b/deps.edn index 0e9f472..c7f7c7d 100644 --- a/deps.edn +++ b/deps.edn @@ -1,14 +1,18 @@ {:paths ["src"] - :deps {org.clojure/clojure {:mvn/version "1.12.1"} - org.clojure/java.classpath {:mvn/version "1.1.0"} + :deps { ;; dependency-check-core transitively brings in two versions of ;; this dependency, so we explicitly depend on the latest - com.google.errorprone/error_prone_annotations {:mvn/version "2.38.0"} + com.google.errorprone/error_prone_annotations {:mvn/version "2.42.0"} clansi/clansi {:mvn/version "1.0.0"} + + org.clojure/clojure {:mvn/version "1.12.3"} org.clojure/data.json {:mvn/version "2.5.1"} + org.clojure/java.classpath {:mvn/version "1.1.0"} org.slf4j/slf4j-simple {:mvn/version "2.0.17"} - org.owasp/dependency-check-core {:mvn/version "12.1.3"} + org.owasp/dependency-check-core {:mvn/version "12.1.6"} + rm-hull/table {:mvn/version "0.7.1"} + trptcolin/versioneer {:mvn/version "0.2.0"}} :mvn/repos {"central" {:url "https://repo1.maven.org/maven2/"} "clojars" {:url "https://repo.clojars.org/"}} diff --git a/project.clj b/project.clj index ab4a285..d900313 100644 --- a/project.clj +++ b/project.clj 
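Review bot: deps.edn and project.clj now declare different dependency trees: the project.clj hunk pins `[commons-logging/commons-logging "1.3.5"]` and excludes `commons-logging` from `dependency-check-core`, but this hunk adds neither, so tools.deps and `-Tnvd` users resolve whichever commons-logging version dependency-check-core 12.1.6 brings transitively. The dogfooding steps in integration_test.sh scan only the Leiningen-resolved classpath, so a divergence in the deps.edn tree would go unnoticed by CI. Mirroring the pin here, `commons-logging/commons-logging {:mvn/version "1.3.5"}` next to `org.owasp/dependency-check-core {:mvn/version "12.1.6" :exclusions [commons-logging/commons-logging]}`, keeps both builds on the same resolved set. The `:managed-dependencies` gson pin (2.13.2) in project.clj likewise appears to have no counterpart in the deps.edn shown here.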
@@ -1,19 +1,24 @@ -(defproject nvd-clojure "5.1.0" +(defproject nvd-clojure "5.2.0" :description "National Vulnerability Database dependency checker" :url "https://github.com/rm-hull/nvd-clojure" :license {:name "The MIT License (MIT)" :url "https://opensource.org/licenses/MIT"} - :dependencies [[org.clojure/clojure "1.12.1"] - [clansi "1.0.0"] + :dependencies [[clansi "1.0.0"] + ;; dependency-check-core transitively brings in two versions of - ;; this dependency, so we explicitly depend on the latest - [com.google.errorprone/error_prone_annotations "2.38.0"] + ;; these dependencies, so we explicitly depend on the latest + [com.google.errorprone/error_prone_annotations "2.42.0"] + [commons-logging/commons-logging "1.3.5"] + + [org.clojure/clojure "1.12.3"] [org.clojure/data.json "2.5.1"] [org.slf4j/slf4j-simple "2.0.17"] - [org.owasp/dependency-check-core "12.1.3"] + [org.owasp/dependency-check-core "12.1.6" :exclusions [commons-logging]] + [rm-hull/table "0.7.1"] + [trptcolin/versioneer "0.2.0"]] - :managed-dependencies [[com.google.code.gson/gson "2.13.1"]] + :managed-dependencies [[com.google.code.gson/gson "2.13.2"]] :scm {:url "git@github.com:rm-hull/nvd-clojure.git"} :source-paths ["src"] :jar-exclusions [#"(?:^|/).git"] 
@@ -23,17 +28,18 @@ :min-lein-version "2.8.1" :target-path "target/%s" :jvm-opts ["-Dclojure.main.report=stderr"] - :profiles {:dev {:plugins [[lein-cljfmt "0.7.0"] - [lein-codox "0.10.7"] - [lein-cloverage "1.2.3"] + :profiles {:dev {:plugins [[jonase/eastwood "1.4.0"] + [lein-ancient "0.7.0"] - [jonase/eastwood "1.4.0"]] + [lein-cljfmt "0.7.0"] + [lein-cloverage "1.2.3"] + [lein-codox "0.10.7"]] :eastwood {:add-linters [:boxed-math :performance]} - :dependencies [[clj-kondo "2025.06.05"] + :dependencies [[clj-kondo "2025.09.22"] [commons-collections "20040616"]]} :ci {:pedantic? :abort} - :clj-kondo {:dependencies [[clj-kondo "2025.06.05"]]} + :clj-kondo {:dependencies [[clj-kondo "2025.09.22"]]} :skip-self-check {:jvm-opts ["-Dnvd-clojure.internal.skip-self-check=true"]}} :deploy-repositories [["clojars" {:url "https://clojars.org/repo" :username :env/clojars_username diff --git a/resources/nvd_clojure/default_config_content.edn b/resources/nvd_clojure/default_config_content.edn index 76c2900..f472c98 100644 --- a/resources/nvd_clojure/default_config_content.edn +++ b/resources/nvd_clojure/default_config_content.edn @@ -6,7 +6,7 @@ ;; Feel free to tweak it, version-control it and remove any comment. -;; Configuration reference: https://github.com/rm-hull/nvd-clojure/tree/v5.1.0#configuration-options +;; Configuration reference: https://github.com/rm-hull/nvd-clojure/tree/v5.2.0#configuration-options {;; You can use the `:suppression-file` in order to silence false positives. ;; This file will be automatically created, with whatever filename is specified here, if it didn't exist already. 
@@ -16,8 +16,18 @@ ;; according to an API key that you can obtain in https://nvd.nist.gov/developers/request-an-api-key :nvd-api {:key nil} - #_:analyzer ;; Analyzer options, which are mostly advanced/internal - #_{:ossindex-warn-only-on-remote-errors + :analyzer ;; Analyzer options, which are mostly advanced/internal + { + ;; Sonatype requires authentication, see + ;; https://ossindex.sonatype.org/doc/auth-required. If not provided, The OSS + ;; Index analyzer will be disabled. You can also provide these via the + ;; ANALYZER_OSSINDEX_USER and ANALYZER_OSSINDEX_PASSWORD environment + ;; variables. Note that without the OSS Index analyzer, you may get false + ;; negatives. + :ossindex-user nil + :ossindex-password nil + + #_#_:ossindex-warn-only-on-remote-errors ;; Occasionally necessary for not making HTTP 500 errors from OSS Index (one of the multiple analyzers internally used) ;; a reason for execution to fail. ;; Please only enable this carefully since it can mean false negatives. diff --git a/src/nvd/config.clj b/src/nvd/config.clj index f22939f..1533a14 100644 --- a/src/nvd/config.clj +++ b/src/nvd/config.clj 
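Review bot: The template now ships `:ossindex-user nil` and `:ossindex-password nil` as present keys, while the fallback added to src/nvd/config.clj later in this diff only consults `ANALYZER_OSSINDEX_USER`/`ANALYZER_OSSINDEX_PASSWORD` when the key is absent (`(= ::not-found (get-in nvd-settings [:analyzer :ossindex-user] ::not-found))`). Unless nil-valued entries are pruned before that check (not visible here), anyone who keeps the generated file as-is and sets the environment variables, as the new comment suggests, still ends up with the OSS Index analyzer disabled. Either discard the two keys in the template the way `:ossindex-warn-only-on-remote-errors` is discarded (`#_#_:ossindex-user nil` and `#_#_:ossindex-password nil`), or make the fallback fire on nil as well, e.g. `(when (nil? (get-in nvd-settings [:analyzer :ossindex-user]))`. Since the file header invites users to version-control this file, the comment could also steer the password specifically to the environment variable rather than the file.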
@@ -33,28 +33,30 @@ (org.owasp.dependencycheck.utils Downloader Settings Settings$KEYS))) (def ^:private string-mappings - {Settings$KEYS/ANALYZER_NEXUS_URL [:analyzer :nexus-url] - Settings$KEYS/SUPPRESSION_FILE [:suppression-file] - Settings$KEYS/ADDITIONAL_ZIP_EXTENSIONS [:zip-extensions] - Settings$KEYS/PROXY_SERVER [:proxy :server] - Settings$KEYS/PROXY_PORT [:proxy :port] - Settings$KEYS/PROXY_USERNAME [:proxy :user] - Settings$KEYS/PROXY_PASSWORD [:proxy :password] - Settings$KEYS/CONNECTION_TIMEOUT [:database :connection-timeout] - Settings$KEYS/DATA_DIRECTORY [:data-directory] - Settings$KEYS/DB_DRIVER_NAME [:database :driver-name] - Settings$KEYS/DB_DRIVER_PATH [:database :driver-path] - Settings$KEYS/DB_CONNECTION_STRING [:database :connection-string] - Settings$KEYS/DB_USER [:database :user] - Settings$KEYS/DB_PASSWORD [:database :password] - Settings$KEYS/NVD_API_KEY [:nvd-api :key] - Settings$KEYS/NVD_API_ENDPOINT [:nvd-api :endpoint] - Settings$KEYS/NVD_API_DELAY [:nvd-api :delay] - Settings$KEYS/NVD_API_MAX_RETRY_COUNT [:nvd-api :max-retry-count] - Settings$KEYS/NVD_API_VALID_FOR_HOURS [:nvd-api :valid-for-hours] - Settings$KEYS/NVD_API_DATAFEED_URL [:nvd-api :datafeed :url] - Settings$KEYS/NVD_API_DATAFEED_USER [:nvd-api :datafeed :user] - Settings$KEYS/NVD_API_DATAFEED_PASSWORD [:nvd-api :datafeed :password]}) + {Settings$KEYS/ANALYZER_NEXUS_URL [:analyzer :nexus-url] + Settings$KEYS/SUPPRESSION_FILE [:suppression-file] + Settings$KEYS/ADDITIONAL_ZIP_EXTENSIONS [:zip-extensions] + Settings$KEYS/PROXY_SERVER [:proxy :server] + Settings$KEYS/PROXY_PORT [:proxy :port] + Settings$KEYS/PROXY_USERNAME [:proxy :user] + Settings$KEYS/PROXY_PASSWORD [:proxy :password] + Settings$KEYS/CONNECTION_TIMEOUT [:database :connection-timeout] + Settings$KEYS/DATA_DIRECTORY [:data-directory] + Settings$KEYS/DB_DRIVER_NAME [:database :driver-name] + Settings$KEYS/DB_DRIVER_PATH [:database :driver-path] + Settings$KEYS/DB_CONNECTION_STRING [:database 
:connection-string] + Settings$KEYS/DB_USER [:database :user] + Settings$KEYS/DB_PASSWORD [:database :password] + Settings$KEYS/NVD_API_KEY [:nvd-api :key] + Settings$KEYS/NVD_API_ENDPOINT [:nvd-api :endpoint] + Settings$KEYS/NVD_API_DELAY [:nvd-api :delay] + Settings$KEYS/NVD_API_MAX_RETRY_COUNT [:nvd-api :max-retry-count] + Settings$KEYS/NVD_API_VALID_FOR_HOURS [:nvd-api :valid-for-hours] + Settings$KEYS/NVD_API_DATAFEED_URL [:nvd-api :datafeed :url] + Settings$KEYS/NVD_API_DATAFEED_USER [:nvd-api :datafeed :user] + Settings$KEYS/NVD_API_DATAFEED_PASSWORD [:nvd-api :datafeed :password] + Settings$KEYS/ANALYZER_OSSINDEX_USER [:analyzer :ossindex-user] + Settings$KEYS/ANALYZER_OSSINDEX_PASSWORD [:analyzer :ossindex-password]}) (def ^:private boolean-mappings {Settings$KEYS/ANALYZER_ARCHIVE_ENABLED [:analyzer :archive-enabled] @@ -209,6 +211,14 @@ You can pass an empty string for an .edn file to be automatically created." (.setString settings Settings$KEYS/NVD_API_KEY api-key))) + (when (= ::not-found (get-in nvd-settings [:analyzer :ossindex-user] ::not-found)) + (when-some [ossindex-user (System/getenv "ANALYZER_OSSINDEX_USER")] + (.setString settings Settings$KEYS/ANALYZER_OSSINDEX_USER ossindex-user))) + + (when (= ::not-found (get-in nvd-settings [:analyzer :ossindex-password] ::not-found)) + (when-some [ossindex-password (System/getenv "ANALYZER_OSSINDEX_PASSWORD")] + (.setString settings Settings$KEYS/ANALYZER_OSSINDEX_PASSWORD ossindex-password))) + (.configure (Downloader/getInstance) settings) (-> project
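Review bot: The hunk re-aligns all 22 existing entries of `string-mappings` to make room for the two new `ANALYZER_OSSINDEX_*` keys, so nearly every line shows as changed although only the last two lines are new. Keeping the previous alignment, or doing the realignment in a separate formatting commit, would leave `git blame` pointing at the commit that actually introduced each mapping. If the realignment is intentional, a one-line mention in the commit message would help the next reader.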