Repository Details

National Vulnerability Database dependency checker for Clojure projects

nvd-clojure

Formerly known as lein-nvd


National Vulnerability Database dependency checker tool.

For a given project, all the .jar files from its classpath will be checked for known security vulnerabilities. nvd-clojure passes them to a library called DependencyCheck which does the vulnerability analysis. Quoting the README from that library:

DependencyCheck is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.

Installation and basic usage

Please see also: Avoiding classpath interference

Leiningen

Create a separate helper project whose only dependency is [nvd-clojure/nvd-clojure "3.2.0"]. That project can live inside the target repository (for example in a subdirectory), but it needs its own project.clj:

(defproject nvd-helper "local"
  :description "nvd-clojure helper project"
  :dependencies [[nvd-clojure "3.2.0"]
                 [org.clojure/clojure "1.11.1"]]
  :jvm-opts ["-Dclojure.main.report=stderr"])

Please do not add nvd-clojure as a dependency or plugin in the project.clj of the project to be analysed.

Then you can run, within this helper project:

lein with-profile -user run -m nvd.task.check "nvd-clojure.edn" "$(cd <YOUR_PROJECT>; lein with-profile -user,-dev classpath)"

The first argument denotes a .edn file with extra options (example, doc). You can pass an empty string "" to mean "please use the default filename" (which is nvd-clojure.edn). If the file does not exist, it is created automatically with some useful contents and comments.

The classpath Leiningen command should reflect a production-like classpath as closely as possible: it should not include dev/test tooling, plugins, etc.

If you are using a multi-modules solution (e.g. lein-monolith), you should ensure that each module is included in this classpath; else they will not be analysed.

Clojure CLI

Create a separate helper project whose only dependency is nvd-clojure/nvd-clojure {:mvn/version "3.2.0"}. That project can live inside the target repository (for example in a subdirectory), but it needs its own deps.edn.

Please do not add nvd-clojure as a dependency in the deps.edn of the project to be analysed.

You can accomplish something similar with user-level aliases, or with the :replace-deps option, at your own risk.

Then you can run, within this helper project:

clojure -J-Dclojure.main.report=stderr -M -m nvd.task.check "nvd-clojure.edn" "$(cd <YOUR_PROJECT>; clojure -Spath -A:any:aliases)"

The first argument denotes a .edn file with extra options (example, doc). You can pass an empty string "" to mean "please use the default filename" (which is nvd-clojure.edn). If the file does not exist, it is created automatically with some useful contents and comments.

The -Spath command should reflect a production-like classpath as closely as possible: it should not include dev/test tooling, etc.

If you are using a multi-modules solution (e.g. Polylith), you should ensure that each module is included in this classpath; else they will not be analysed.

Clojure CLI Tool

If you have CLI version 1.10.3.933 or later, you can also install nvd-clojure as a "tool":

clojure -Ttools install nvd-clojure/nvd-clojure '{:mvn/version "RELEASE"}' :as nvd

Then you can run:

clojure -J-Dclojure.main.report=stderr -Tnvd nvd.task/check :classpath \""$(clojure -Spath -A:any:aliases)\"" :config-filename \""nvd-config.edn\""

The :config-filename argument denotes an .edn file with extra options (example, doc). If the file does not exist, it is created automatically with some useful contents and comments.

The -Spath command should reflect a production-like classpath as closely as possible: it should not include dev/test tooling, etc.

If you are using a multi-modules solution (e.g. Polylith), you should ensure that each module is included in this classpath; else they will not be analysed.
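All three invocation styles above share the same caveat: whatever `lein classpath` or `clojure -Spath` prints is exactly what gets scanned, so dev/test tooling on it produces noise and a module missing from it is silently not analysed. The following script is an added example (not part of nvd-clojure) that inspects such a classpath string before the scan runs. The dev-tooling patterns and the "module name appears as a path segment" heuristic are assumptions for illustration; adjust them to your repository layout.

```python
"""Pre-flight check on the classpath handed to nvd-clojure.

Added example, not nvd-clojure code. Reads the classpath string that
"lein classpath" / "clojure -Spath" would print, flags entries that a
production-like classpath should not carry, and reports which expected
modules of a multi-module repo are absent. The patterns below are
assumptions; tune them to your project.
"""
import os
import re
import sys
from dataclasses import dataclass, field

# Heuristic markers for artifacts that have no business on a production
# classpath: REPL/editor tooling, test runners, and dev/test source trees.
DEV_TOOLING_PATTERNS = [
    r"/nrepl/", r"/cider/", r"/refactor-nrepl/", r"/clj-kondo/",
    r"/kaocha/", r"/criterium/", r"/test\.check/",
    r"(^|/)test(/|$)", r"(^|/)dev(/|$)", r"(^|/)dev-resources(/|$)",
]
_DEV_RE = re.compile("|".join(DEV_TOOLING_PATTERNS))


@dataclass
class ClasspathReport:
    jars: list = field(default_factory=list)             # .jar entries (these get scanned)
    dirs: list = field(default_factory=list)             # source/resource directories
    dev_tooling: list = field(default_factory=list)      # entries matching DEV_TOOLING_PATTERNS
    missing_modules: list = field(default_factory=list)  # expected modules not on the classpath

    def ok(self):
        return not self.dev_tooling and not self.missing_modules


def inspect_classpath(classpath, expected_modules=(), sep=os.pathsep):
    """Split a classpath string and classify its entries.

    expected_modules: directory names (e.g. Polylith components or
    lein-monolith subprojects) that must appear as a path segment in at
    least one entry; otherwise that module's jars were not included.
    """
    report = ClasspathReport()
    entries = [e for e in classpath.split(sep) if e]
    for entry in entries:
        norm = entry.replace("\\", "/")
        (report.jars if norm.endswith(".jar") else report.dirs).append(entry)
        if _DEV_RE.search(norm):
            report.dev_tooling.append(entry)
    for module in expected_modules:
        if not any(f"/{module}/" in e.replace("\\", "/") for e in entries):
            report.missing_modules.append(module)
    return report


if __name__ == "__main__":
    # Usage: clojure -Spath | python classpath_check.py user auth
    report = inspect_classpath(sys.stdin.read().strip(), expected_modules=sys.argv[1:])
    print(f"{len(report.jars)} jars, {len(report.dirs)} directories")
    for entry in report.dev_tooling:
        print("dev/test tooling on classpath:", entry)
    for module in report.missing_modules:
        print("module not on classpath (will not be analysed):", module)
    sys.exit(0 if report.ok() else 1)
```

Run it on the same command substitution you pass to nvd-clojure and gate the scan on its exit status; a non-zero result means the classpath is either noisier or narrower than the deployment artifact, and the scan results would not reflect production.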

Usage overview

Run the program as indicated in the previous section. The first time it runs it downloads (and caches) the vulnerability data from https://nvd.nist.gov, so the initial run can be quite slow, of the order of ten minutes or more; give it time. Subsequent runs only check for and apply updates to the local database.

On completion, a summary table is output to the console, and a suite of reports is written to the project's ./target/nvd/ directory. If vulnerabilities are detected, the check process exits with a non-zero status, so any CI job running it fails. (This behaviour can be overridden by setting a :fail-threshold in the project configuration.)

Example

There is an example project which has dependencies with known vulnerabilities (CVE-2016-3720, CVE-2015-5262, CVE-2014-3577).

This can be demonstrated by running the following:

clojure -J-Dclojure.main.report=stderr -Tnvd nvd.task/check :classpath \""$(cd example; lein with-profile -user classpath)\""

This will download the NVD database, and then cross-check the classpath dependencies against known vulnerabilities. The following summary report will be displayed on the console:

(screenshot: summary report)

Note that because vulnerabilities were detected, the process was aborted with exit code -1 (which a POSIX shell reports as status 255), hence the subprocess failed message.

More detailed reports (both HTML & XML) are written into the ./example/target/nvd/ directory as follows:

(screenshot: detail report)

Upgrading dependencies

You may use the built-in dependency tree reporters to find out what the dependency relationships are:

$ lein deps :tree # for Leiningen
$ clojure -Stree # for deps.edn

...make sure to use aliases/profiles in such a way that reflects the production classpath.

antq will traverse your project dependencies, and suggest upgraded versions, and can optionally be configured to update the project file.

(Note that upgrading is only one of several ways of remediating a given vulnerability; please see the FAQ.)

Configuration

The default settings for nvd-clojure are usually sufficient for most projects, but can be customized with an .edn config file (example). The filename denoting that file is the first argument to be passed to nvd-clojure when invoking it as a main (-m) program.

When invoking it via Clojure Tools, it must be passed as a :config-filename option, e.g.

clojure -Tnvd nvd.task/check :classpath \""$(clojure -Spath)\"" :config-filename \""nvd-config.edn\""

Note the escaped double quotes around the filename, to ensure that Clojure reads the command line argument as a string, not a symbol.

Configuration options

There are many DependencyCheck settings (for example to connect via a proxy, or to specify an alternative to the H2 database). The exact settings can be seen in the config.clj source file and cross-referenced against the DependencyCheck wiki.

There are some specific settings below which are worthy of a few comments:

  • :fail-threshold default value 0; checks the highest CVSS score across all dependencies, and fails if this threshold is breached.
    • As CVSS score ranges from 0..10, the default value will cause a build to fail even for the lowest rated vulnerability.
    • Set to 11 if you never want the build to fail.
  • :data-directory default value is the data dir of DependencyCheck, e.g. ~/.m2/repository/org/owasp/dependency-check-utils/3.2.1/data/
    • It shouldn't normally be necessary to change this
  • :suppression-file default unset
    • Allows for CVEs to be permanently or temporarily suppressed.
    • See DependencyCheck documentation for the XML file format.
    • If a nvd-clojure.edn file was automatically generated for you, then this file will also be automatically generated (and enabled) for you.
  • :verbose-summary default false
    • When set to true, the summary table includes a severity determination for all dependencies.
    • When set to false, the summary table includes only packages that have a low or high severity determination.
  • :output-dir default value target/nvd/: the directory to save reports into
  • :throw-if-check-unsuccessful - makes the program exit by throwing an exception instead of by invoking System/exit.
    • This can ease certain usages.
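The two settings that most often need tuning are :fail-threshold and :suppression-file, and their interaction is easy to get wrong: a suppression with an expired until date reappears, and a threshold of 0 fails on anything. The script below is an added example, not code from nvd-clojure or DependencyCheck, that replays both rules over the XML report written to target/nvd/ so you can see what a given threshold and suppression file would do before changing the config. Assumptions: the report element names follow the shape of DependencyCheck's XML output (analysis/dependencies/dependency/vulnerabilities/vulnerability with name, severity, cvssV3/baseScore or cvssV2/score; compare with your own report), "breached" is read as score >= threshold (consistent with 0 failing on everything and 11 never failing), and suppression matching is reduced to <cve> entries with an optional until date, whereas real DependencyCheck also matches by sha1, packageUrl, gav and cpe. The sample report and suppression file are constructed for this example; the CVE ids are the ones the README's example project triggers, but the jar names and scores are illustrative, not NVD values.

```python
"""Replay :fail-threshold and :suppression-file over a DependencyCheck XML report.

Added example, not nvd-clojure or DependencyCheck code. Element names and
the simplified suppression semantics are assumptions; see the lead-in.
"""
import datetime as dt
import xml.etree.ElementTree as ET

# Constructed sample report in the shape of DependencyCheck's XML output.
# Jar names and scores are illustrative only.
SAMPLE_REPORT = """<analysis>
  <dependencies>
    <dependency>
      <fileName>jackson-dataformat-xml.jar</fileName>
      <vulnerabilities>
        <vulnerability>
          <name>CVE-2016-3720</name>
          <severity>HIGH</severity>
          <cvssV2><score>7.5</score></cvssV2>
        </vulnerability>
      </vulnerabilities>
    </dependency>
    <dependency>
      <fileName>httpclient.jar</fileName>
      <vulnerabilities>
        <vulnerability>
          <name>CVE-2015-5262</name>
          <severity>MEDIUM</severity>
          <cvssV3><baseScore>5.0</baseScore></cvssV3>
        </vulnerability>
        <vulnerability>
          <name>CVE-2014-3577</name>
          <severity>MEDIUM</severity>
          <cvssV2><score>5.8</score></cvssV2>
        </vulnerability>
      </vulnerabilities>
    </dependency>
  </dependencies>
</analysis>"""

# Constructed suppression file: one live suppression, one that has expired.
SAMPLE_SUPPRESSIONS = """<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress until="2099-01-01Z">
    <notes>Not reachable: no untrusted XML is parsed. Re-review before the date.</notes>
    <cve>CVE-2016-3720</cve>
  </suppress>
  <suppress until="2020-01-01Z">
    <notes>Temporary suppression that has expired; the CVE must be reported again.</notes>
    <cve>CVE-2015-5262</cve>
  </suppress>
</suppressions>"""


def _local(tag):
    """Strip an XML namespace so the code works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return None


def _score(vuln):
    """Prefer the CVSS v3 base score, fall back to v2; None if neither is present."""
    for block, field_name in (("cvssV3", "baseScore"), ("cvssV2", "score")):
        for child in vuln:
            if _local(child.tag) == block:
                text = _child_text(child, field_name)
                if text is not None:
                    return float(text)
    return None


def _as_date(today):
    if today is None:
        return dt.date.today()
    return dt.date.fromisoformat(today) if isinstance(today, str) else today


def parse_suppressions(xml_text, today=None):
    """Return the set of CVE ids whose suppression is still in force on `today`."""
    today = _as_date(today)
    active = set()
    for sup in ET.fromstring(xml_text).iter():
        if _local(sup.tag) != "suppress":
            continue
        until = sup.get("until")
        if until and dt.date.fromisoformat(until.rstrip("Z")) < today:
            continue  # expired: the CVE is reported again
        for child in sup:
            if _local(child.tag) == "cve" and child.text:
                active.add(child.text.strip())
    return active


def findings(report_xml):
    """Yield (file_name, cve_id, score) for every vulnerability in the report."""
    for dep in ET.fromstring(report_xml).iter():
        if _local(dep.tag) != "dependency":
            continue
        file_name = _child_text(dep, "fileName")
        for vuln in dep.iter():
            if _local(vuln.tag) == "vulnerability":
                yield (file_name, _child_text(vuln, "name"), _score(vuln))


def evaluate(report_xml, suppression_xml="", fail_threshold=0, today=None):
    """Apply suppressions, then fail if the highest remaining score reaches the threshold."""
    suppressed = parse_suppressions(suppression_xml, today) if suppression_xml else set()
    remaining = [f for f in findings(report_xml) if f[1] not in suppressed]
    highest = max((s for _, _, s in remaining if s is not None), default=None)
    return {
        "remaining": remaining,
        "highest": highest,
        "failed": highest is not None and highest >= fail_threshold,
    }


if __name__ == "__main__":
    result = evaluate(SAMPLE_REPORT, SAMPLE_SUPPRESSIONS, fail_threshold=7, today="2024-01-01")
    for file_name, cve, score in result["remaining"]:
        print(f"{file_name}: {cve} (CVSS {score})")
    print("highest:", result["highest"], "failed:", result["failed"])
```

Point the script at the real dependency-check XML under target/nvd/ and your suppression file to preview the effect of a threshold change; keep the notes element filled in and the until date short, since the expired entry above shows how a "temporary" suppression comes back on its own.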

Logging

You can override the default logging behaviour by providing a simplelogger.properties file on the nvd-clojure classpath. Note that this is not the classpath of your project. See resources/simplelogger.properties for the default config.

You can also set logging properties directly through Java system properties (the -D flags), for example:

clojure -J-Dclojure.main.report=stderr -J-Dorg.slf4j.simpleLogger.log.org.apache.commons=error -Tnvd nvd.task/check # ...

FAQ

Attribution

nvd-clojure uses Jeremy Long's DependencyCheck library to do the heavy lifting.

References

License

The MIT License (MIT)

Copyright (c) 2016-23 Richard Hull

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
