diff --git a/.github/ISSUE_TEMPLATE/bug.yml b/.github/ISSUE_TEMPLATE/bug.yml
index e35f99b..877bdd6 100644
--- a/.github/ISSUE_TEMPLATE/bug.yml
+++ b/.github/ISSUE_TEMPLATE/bug.yml
@@ -48,8 +48,8 @@ body:
label: Installation compliance
description:
options:
- - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v3.6.0#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v3.6.0#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v3.6.0#clojure-cli-tool)).
+ - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v4.0.0#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v4.0.0#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v4.0.0#clojure-cli-tool)).
required: true
- - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v3.6.0#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck).
+ - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v4.0.0#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck).
required: false
diff --git a/.github/ISSUE_TEMPLATE/issue.yml b/.github/ISSUE_TEMPLATE/issue.yml
index b5d4977..db7388e 100644
--- a/.github/ISSUE_TEMPLATE/issue.yml
+++ b/.github/ISSUE_TEMPLATE/issue.yml
@@ -32,8 +32,8 @@ body:
label: Installation compliance
description:
options:
- - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v3.6.0#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v3.6.0#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v3.6.0#clojure-cli-tool)).
+ - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v4.0.0#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v4.0.0#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v4.0.0#clojure-cli-tool)).
required: true
- - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v3.6.0#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck).
+ - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v4.0.0#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck).
required: false
diff --git a/.github/dogfooding_suppressions.xml b/.github/dogfooding_suppressions.xml
index e4b902f..7d201b5 100644
--- a/.github/dogfooding_suppressions.xml
+++ b/.github/dogfooding_suppressions.xml
@@ -37,6 +37,14 @@
.*\bbcprov-jdk18on-1\.71\.jar
CVE-2023-33201
+
+ .*\bbcprov-jdk18on-1\.71\.jar
+ CVE-2023-33202
+
+
+ .*\bbcpg-jdk18on-1\.71\.jar
+ CVE-2023-33202
+
^pkg:maven/org\.codehaus\.plexus/plexus-.*$
cpe:/a:codehaus-plexus_project:codehaus-plexus
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 410113e..2cbe7c1 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -11,6 +11,8 @@ on:
jobs:
test_suite:
name: Linting and tests
+ env:
+ NVD_API_TOKEN: ${{ secrets.NVD_API_TOKEN }}
runs-on: ubuntu-latest
strategy:
matrix:
@@ -39,6 +41,8 @@ jobs:
continue-on-error: true
integration:
name: Integration test suite
+ env:
+ NVD_API_TOKEN: ${{ secrets.NVD_API_TOKEN }}
runs-on: ubuntu-latest
strategy:
matrix:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3281aba..eef4a72 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,10 @@
+## Changes from 4.0.0 to 4.0.0
+
+* Update `dependency-check-core` to the 9.x series ([9.0.8](https://github.com/jeremylong/DependencyCheck/blob/v9.0.8/CHANGELOG.md))
+ * This **requires** nvd-clojure users to request a NVD API key and configure it correctly.
+ * You can [obtain an API key](https://nvd.nist.gov/developers/request-an-api-key) in a few minutes - it's an automated process.
+ * Then, you can configure it in nvd-clojure by setting it in the `:nvd-api :key` path, or as a `NVD_API_TOKEN` environment variable.
+
## Changes from 3.5.0 to 3.6.0
* Update `dependency-check-core`.
diff --git a/Makefile b/Makefile
index 0096d04..b877fcd 100644
--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,7 @@
# Example usage:
# copy a one-off Clojars token to your clipboard
-# GIT_TAG=v3.6.0 CLOJARS_USERNAME=$USER CLOJARS_PASSWORD=$(pbpaste) make deploy
+# GIT_TAG=v4.0.0 CLOJARS_USERNAME=$USER CLOJARS_PASSWORD=$(pbpaste) make deploy
deploy: check-env
lein clean
diff --git a/README.md b/README.md
index 5fc9681..0415fbf 100644
--- a/README.md
+++ b/README.md
@@ -18,18 +18,18 @@ will be checked for known security vulnerabilities. `nvd-clojure` passes them to
### Installation and basic usage
-> _Please see also:_ [Avoiding classpath interference](https://github.com/rm-hull/nvd-clojure/blob/v3.6.0/FAQ.md#what-is-classpath-interference)
+> _Please see also:_ [Avoiding classpath interference](https://github.com/rm-hull/nvd-clojure/blob/v4.0.0/FAQ.md#what-is-classpath-interference)
#### Leiningen
-Please create a separate project consisting of `[nvd-clojure/nvd-clojure "3.6.0"]`. Said project can be located inside the targeted repo's Git repository.
+Please create a separate project consisting of `[nvd-clojure/nvd-clojure "4.0.0"]`. Said project can be located inside the targeted repo's Git repository.
```clj
(defproject nvd-helper "local"
:description "nvd-clojure helper project"
- :dependencies [[nvd-clojure "3.6.0"]
+ :dependencies [[nvd-clojure "4.0.0"]
[org.clojure/clojure "1.11.1"]]
:jvm-opts ["-Dclojure.main.report=stderr"])
```
@@ -54,7 +54,7 @@ If you are using a multi-modules solution (e.g. `lein-monolith`), you should ens
-Please create a separate project consisting exclusively of `nvd-clojure/nvd-clojure {:mvn/version "3.6.0"}`. Said project can be located inside the targeted repo's Git repository.
+Please create a separate project consisting exclusively of `nvd-clojure/nvd-clojure {:mvn/version "4.0.0"}`. Said project can be located inside the targeted repo's Git repository.
Please do not add nvd-clojure as a dependency in the deps.edn of the project to be analysed.
@@ -155,7 +155,7 @@ dependency relationships are:
dependencies, and suggest upgraded versions, and can optionally be configured
to update the project file.
-(Note that that is only one of the multiple ways of remediating a given vulnerability, please see [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v3.6.0/FAQ.md#how-to-remediate-a-cve-is-it-a-good-idea-to-automate-remediation))
+(Note that that is only one of the multiple ways of remediating a given vulnerability, please see [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v4.0.0/FAQ.md#how-to-remediate-a-cve-is-it-a-good-idea-to-automate-remediation))
## Configuration
@@ -180,6 +180,9 @@ wiki.
There are some specific settings below which are worthy of a few comments:
+* `:nvd-api` - map of:
+ * :key - **MANDATORY** (unless you set an `NVD_API_TOKEN` environment variable) - must contain an API key that you can obtain in https://nvd.nist.gov/developers/request-an-api-key
+ * other keys: `:endpoint`, `:delay`, `:max-retry-count`, `:valid-for-hours`, `:datafeed` - advanced, please refer to the source code.
* `:fail-threshold` default value `0`; checks the highest CVSS score across all dependencies, and fails if this threshold is breached.
- As CVSS score ranges from `0..10`, the default value will cause a build to fail even for the lowest rated
vulnerability.
@@ -209,7 +212,7 @@ You can also set logging properties directly through Java system properties (the
clojure -J-Dclojure.main.report=stderr -J-Dorg.slf4j.simpleLogger.log.org.apache.commons=error -Tnvd nvd.task/check # ...
```
-## [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v3.6.0/FAQ.md)
+## [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v4.0.0/FAQ.md)
## Attribution
diff --git a/deps.edn b/deps.edn
index c486d52..545315a 100644
--- a/deps.edn
+++ b/deps.edn
@@ -2,9 +2,9 @@
:deps {org.clojure/clojure {:mvn/version "1.11.1"}
org.clojure/java.classpath {:mvn/version "1.0.0"}
clansi/clansi {:mvn/version "1.0.0"}
- org.clojure/data.json {:mvn/version "2.4.0"}
- org.slf4j/slf4j-simple {:mvn/version "2.0.9"}
- org.owasp/dependency-check-core {:mvn/version "8.4.3"}
+ org.clojure/data.json {:mvn/version "2.5.0"}
+ org.slf4j/slf4j-simple {:mvn/version "2.0.10"}
+ org.owasp/dependency-check-core {:mvn/version "9.0.8"}
rm-hull/table {:mvn/version "0.7.1"}
trptcolin/versioneer {:mvn/version "0.2.0"}}
:mvn/repos {"central" {:url "https://repo1.maven.org/maven2/"}
diff --git a/project.clj b/project.clj
index 91c2b34..d520b1f 100644
--- a/project.clj
+++ b/project.clj
@@ -1,30 +1,30 @@
-(defproject nvd-clojure "3.6.0"
+(defproject nvd-clojure "4.0.0"
:description "National Vulnerability Database dependency checker"
:url "https://github.com/rm-hull/nvd-clojure"
:license {:name "The MIT License (MIT)"
:url "https://opensource.org/licenses/MIT"}
:dependencies [[org.clojure/clojure "1.11.1"]
[clansi "1.0.0"]
- [org.clojure/data.json "2.4.0"]
- [org.slf4j/slf4j-simple "2.0.9"]
- [org.owasp/dependency-check-core "8.4.3"]
+ [org.clojure/data.json "2.5.0"]
+ [org.slf4j/slf4j-simple "2.0.10"]
+ [org.owasp/dependency-check-core "9.0.8"]
[rm-hull/table "0.7.1"]
[trptcolin/versioneer "0.2.0"]
;; Explicitly depend on a certain Jackson, consistently.
;; (See also: https://github.com/jeremylong/DependencyCheck/issues/3441)
- [com.fasterxml.jackson.core/jackson-databind "2.16.0"]
- [com.fasterxml.jackson.core/jackson-annotations "2.16.0"]
- [com.fasterxml.jackson.core/jackson-core "2.16.0"]
- [com.fasterxml.jackson.module/jackson-module-afterburner "2.16.0"]
- [org.apache.maven.resolver/maven-resolver-transport-http "1.9.16" #_"Fixes a CVE"]
+ [com.fasterxml.jackson.core/jackson-databind "2.16.1"]
+ [com.fasterxml.jackson.core/jackson-annotations "2.16.1"]
+ [com.fasterxml.jackson.core/jackson-core "2.16.1"]
+ [com.fasterxml.jackson.module/jackson-module-afterburner "2.16.1"]
+ [org.apache.maven.resolver/maven-resolver-transport-http "1.9.18" #_"Fixes a CVE"]
[org.yaml/snakeyaml "2.2" #_"Fixes a CVE"]
- [org.apache.maven/maven-core "3.9.5" #_"Fixes a CVE"]
- [org.eclipse.jetty/jetty-client "12.0.3" #_"Fixes a CVE" :exclusions [org.slf4j/slf4j-api]]
- [org.apache.maven.resolver/maven-resolver-spi "1.9.16" #_"Satisfies :pedantic?"]
- [org.apache.maven.resolver/maven-resolver-api "1.9.16" #_"Satisfies :pedantic?"]
- [org.apache.maven.resolver/maven-resolver-util "1.9.16" #_"Satisfies :pedantic?"]
- [org.apache.maven.resolver/maven-resolver-impl "1.9.16" #_"Satisfies :pedantic?"]
- [org.apache.maven/maven-resolver-provider "3.9.5" #_"Satisfies :pedantic?"]
+ [org.apache.maven/maven-core "3.9.6" #_"Fixes a CVE"]
+ [org.eclipse.jetty/jetty-client "12.0.5" #_"Fixes a CVE" :exclusions [org.slf4j/slf4j-api]]
+ [org.apache.maven.resolver/maven-resolver-spi "1.9.18" #_"Satisfies :pedantic?"]
+ [org.apache.maven.resolver/maven-resolver-api "1.9.18" #_"Satisfies :pedantic?"]
+ [org.apache.maven.resolver/maven-resolver-util "1.9.18" #_"Satisfies :pedantic?"]
+ [org.apache.maven.resolver/maven-resolver-impl "1.9.18" #_"Satisfies :pedantic?"]
+ [org.apache.maven/maven-resolver-provider "3.9.6" #_"Satisfies :pedantic?"]
[org.codehaus.plexus/plexus-utils "4.0.0" #_"Satisfies :pedantic?"]]
:managed-dependencies [[com.google.code.gson/gson "2.10.1"]]
:scm {:url "git@github.com:rm-hull/nvd-clojure.git"}
@@ -43,10 +43,10 @@
[jonase/eastwood "1.4.0"]]
:eastwood {:add-linters [:boxed-math
:performance]}
- :dependencies [[clj-kondo "2023.10.20"]
+ :dependencies [[clj-kondo "2023.12.15"]
[commons-collections "20040616"]]}
:ci {:pedantic? :abort}
- :clj-kondo {:dependencies [[clj-kondo "2023.10.20"]]}
+ :clj-kondo {:dependencies [[clj-kondo "2023.12.15"]]}
:skip-self-check {:jvm-opts ["-Dnvd-clojure.internal.skip-self-check=true"]}}
:deploy-repositories [["clojars" {:url "https://clojars.org/repo"
:username :env/clojars_username
diff --git a/resources/nvd_clojure/default_config_content.edn b/resources/nvd_clojure/default_config_content.edn
index 0887e2b..11c252c 100644
--- a/resources/nvd_clojure/default_config_content.edn
+++ b/resources/nvd_clojure/default_config_content.edn
@@ -6,12 +6,16 @@
;; Feel free to tweak it, version-control it and remove any comment.
-;; Configuration reference: https://github.com/rm-hull/nvd-clojure/tree/v3.6.0#configuration-options
+;; Configuration reference: https://github.com/rm-hull/nvd-clojure/tree/v4.0.0#configuration-options
{;; You can use the `:suppression-file` in order to silence false positives.
;; This file will be automatically created, with whatever filename is specified here, if it didn't exist already.
:suppression-file "nvd_suppressions.xml"
+ ;; MANDATORY - please set this (or a `NVD_API_TOKEN` environment variable, deleting this entry)
+ ;; according to an API key that you can obtain in https://nvd.nist.gov/developers/request-an-api-key
+ :nvd-api {:key nil}
+
#_:analyzer ;; Analyzer options, which are mostly advanced/internal
#_{:ossindex-warn-only-on-remote-errors
;; Occasionally necessary for not making HTTP 500 errors from OSS Index (one of the multiple analyzers internally used)
diff --git a/src/nvd/config.clj b/src/nvd/config.clj
index cd57454..9e5d680 100644
--- a/src/nvd/config.clj
+++ b/src/nvd/config.clj
@@ -46,10 +46,15 @@
Settings$KEYS/DB_DRIVER_PATH [:database :driver-path]
Settings$KEYS/DB_CONNECTION_STRING [:database :connection-string]
Settings$KEYS/DB_USER [:database :user]
- Settings$KEYS/DB_PASSWORD [:database :password]})
-
-(def ^:private integer-mappings
- {Settings$KEYS/CVE_CHECK_VALID_FOR_HOURS [:cve :valid-for-hours]})
+ Settings$KEYS/DB_PASSWORD [:database :password]
+ Settings$KEYS/NVD_API_KEY [:nvd-api :key]
+ Settings$KEYS/NVD_API_ENDPOINT [:nvd-api :endpoint]
+ Settings$KEYS/NVD_API_DELAY [:nvd-api :delay]
+ Settings$KEYS/NVD_API_MAX_RETRY_COUNT [:nvd-api :max-retry-count]
+ Settings$KEYS/NVD_API_VALID_FOR_HOURS [:nvd-api :valid-for-hours]
+ Settings$KEYS/NVD_API_DATAFEED_URL [:nvd-api :datafeed :url]
+ Settings$KEYS/NVD_API_DATAFEED_USER [:nvd-api :datafeed :user]
+ Settings$KEYS/NVD_API_DATAFEED_PASSWORD [:nvd-api :datafeed :password]})
(def ^:private boolean-mappings
{Settings$KEYS/ANALYZER_ARCHIVE_ENABLED [:analyzer :archive-enabled]
@@ -100,7 +105,9 @@
{:exit-after-check true
:delete-config? true
:verbose-summary false
- :nvd {:analyzer {:assembly-enabled false
+ :nvd {:nvd-api {:delay 5000 ;; Value based on https://github.com/jeremylong/DependencyCheck/commit/be5c4a4f39d
+ :max-retry-count 10}
+ :analyzer {:assembly-enabled false
:archive-enabled true
:autoconf-enabled false
:bundle-audit-enabled false
@@ -187,15 +194,21 @@ You can pass an empty string for an .edn file to be automatically created."
(maybe-create-suppression-file! nvd-settings)
- (doseq [[prop path] integer-mappings]
- (.setIntIfNotNull settings prop (get-in nvd-settings path)))
-
(doseq [[prop path] boolean-mappings]
(.setBooleanIfNotNull settings prop (get-in nvd-settings path)))
(doseq [[prop path] string-mappings]
(.setStringIfNotEmpty settings prop (str (get-in nvd-settings path))))
+ (when (= ::not-found (get-in nvd-settings [:nvd-api :key] ::not-found))
+ (let [api-key (System/getenv "NVD_API_TOKEN")]
+
+ (when (or (not api-key)
+ (string/blank? api-key))
+ (throw (ex-info "No NVD API key supplied as config settings or env var." {})))
+
+ (.setString settings Settings$KEYS/NVD_API_KEY api-key)))
+
(-> project
(assoc-in [:nvd :data-directory] (.getDataDirectory settings))
(assoc :engine (Engine. settings)
diff --git a/src/nvd/report.clj b/src/nvd/report.clj
index 77614a6..854e6c9 100644
--- a/src/nvd/report.clj
+++ b/src/nvd/report.clj
@@ -22,16 +22,17 @@
(ns nvd.report
(:require
- [clojure.string :as s]
- [clojure.java.io :as io]
[clansi :refer [style]]
+ [clojure.java.io :as io]
+ [clojure.string :as s]
+ [nvd.log :as log]
[table.core :refer [table]])
(:import
- [java.util Arrays]
- [org.owasp.dependencycheck Engine]
- [org.owasp.dependencycheck.dependency Dependency Vulnerability]
- [org.owasp.dependencycheck.exception ExceptionCollection]
- [org.owasp.dependencycheck.reporting ReportGenerator]))
+ (java.util Arrays)
+ (org.owasp.dependencycheck Engine)
+ (org.owasp.dependencycheck.dependency Dependency Vulnerability)
+ (org.owasp.dependencycheck.exception ExceptionCollection)
+ (org.owasp.dependencycheck.reporting ReportGenerator)))
(def default-output-dir "target/nvd")
@@ -53,9 +54,17 @@
(let [cvss2 (.getCvssV2 vulnerability)
cvss3 (.getCvssV3 vulnerability)]
(cond
- cvss2 (.getScore cvss2)
- cvss3 (.getBaseScore cvss3)
- :else 1)))
+ cvss2 (max (double (or (.getExploitabilityScore cvss2)
+ 0))
+ (double (or (.getImpactScore cvss2)
+ 0)))
+ cvss3 (max (double (or (.getExploitabilityScore cvss3)
+ 0))
+ (double (or (.getImpactScore cvss3)
+ 0)))
+ :else (do
+ (.warn log/logger (str "No CVSS found for: " (pr-str vulnerability)))
+ 1))))
(defn- severity [^long cvssScore]
(cond