add -w / --clj-watson-properties option (#40)

this allows for a properties file that **merges** additional properties into the defaults, making it easier to customize watson's behavior

Co-authored-by: Matheus Bernardes <12648924+mthbernardes@users.noreply.github.com>

README.md

@@ -84,8 +84,8 @@ In order to get the auto remediate suggestion it's necessary to provide a `--sug
 # Installation
 It's possible to install clj-watson as a clojure tool and invoke it.
 ```bash
-$ clojure -Ttools install-latest :lib io.github.clj-holmes/clj-watson :as clj-watson
-$ clojure -Tclj-watson scan '{:output "stdout" :dependency-check-properties nil :fail-on-result true :deps-edn-path "deps.edn" :suggest-fix true :aliases ["*"] :database-strategy "dependency-check"}'
+$ clojure -Ttools install io.github.clj-holmes/clj-watson '{:git/tag "v4.1.2" :git/sha "eb15492"}' :as clj-watson
+$ clojure -Tclj-watson scan '{:output "stdout" :fail-on-result true :deps-edn-path "deps.edn" :suggest-fix true :aliases ["*"] :database-strategy "dependency-check"}'
 ```
 It can also be called directly.
 ```bash
@@ -113,12 +113,28 @@ OPTIONS:
    -o, --output edn|json|stdout|stdout-simple|sarif                report      Output type.
    -a, --aliases S                                                             Specify a alias that will have the dependencies analysed alongside with the project deps.It's possible to provide multiple aliases. If a * is provided all the aliases are going to be analysed.
    -d, --dependency-check-properties S                                         [ONLY APPLIED IF USING DEPENDENCY-CHECK STRATEGY] Path of a dependency-check properties file. If not provided uses resources/dependency-check.properties.
+   -w, --clj-watson-properties S                                               [ONLY APPLIED IF USING DEPENDENCY-CHECK STRATEGY] Path of an additional, optional properties file.
    -t, --database-strategy dependency-check|github-advisory  dependency-check  Vulnerability database strategy.
    -s, --[no-]suggest-fix                                                      Suggest a new deps.edn file fixing all vulnerabilities found.
    -f, --[no-]fail-on-result                                                   Enable or disable fail if results were found (useful for CI/CD).
    -?, --help
 ```
 
+By default, when using the DEPENDENCY-CHECK strategy, clj-watson will load
+its own `dependency-check.properties` file, and then look for a
+`clj-watson.properties` file on the classpath and load that if found, for
+additional properties to apply to the dependency-check scan.
+
+If you provide `-d` (or `--dependency-check-properties`) then clj-watson will
+load that file instead of its own `dependency-check.properties` file so it
+needs to be a complete properties file, not just the properties you want to
+override.
+
+If you provide `-w` (or `--clj-watson-properties`) then clj-watson will load
+that file and apply those properties to the dependency-check scan. This is
+in addition to the properties loaded from the `dependency-check.properties`
+or the `-d` file. This can be useful to override just a few properties.
+
 # Execution
 The minimum necessary to execute clj-watson is to provide the path to a `deps.edn` file, but it's recommended that you all provide the `-s` option so `clj-watson` will try to provide a remediation suggestion to the vulnerabilities.
 

src/clj_watson/cli.clj

@@ -25,6 +25,10 @@
                               :type    :string
                               :default nil
                               :as      "[ONLY APPLIED IF USING DEPENDENCY-CHECK STRATEGY] Path of a dependency-check properties file. If not provided uses resources/dependency-check.properties."}
+                             {:option  "clj-watson-properties" :short "w"
+                              :type    :string
+                              :default nil
+                              :as      "[ONLY APPLIED IF USING DEPENDENCY-CHECK STRATEGY] Path of an additional, optional properties file."}
                              {:option "database-strategy" :short "t"
                               :type    #{"dependency-check" "github-advisory"}
                               :default "dependency-check"

src/clj_watson/controller/dependency_check/scanner.clj

@@ -14,24 +14,27 @@
     (.doUpdates engine)
     (println "Download/Update completed.")))
 
-(defn ^:private create-settings [^String properties-file-path]
+(defn ^:private create-settings [^String properties-file-path ^String additional-properties-file-path]
   (let [settings (Settings.)]
     (if properties-file-path
       (->> properties-file-path File. (.mergeProperties settings))
       (->> "dependency-check.properties" io/resource slurp .getBytes ByteArrayInputStream. (.mergeProperties settings)))
+    (when additional-properties-file-path
+      (->> additional-properties-file-path File. (.mergeProperties settings))
+      (some->> "clj-watson.properties" io/resource slurp .getBytes ByteArrayInputStream. (.mergeProperties settings)))
     settings))
 
-(defn ^:private build-engine [dependency-check-properties]
-  (let [settings (create-settings dependency-check-properties)
+(defn ^:private build-engine [dependency-check-properties clj-watson-properties]
+  (let [settings (create-settings dependency-check-properties clj-watson-properties)
         engine (Engine. settings)]
     (update-download-database engine)
     engine))
 
 (defn ^:private clojure-file? [dependency-path]
   (string/ends-with? dependency-path ".jar"))
 
-(defn ^:private scan-jars [dependencies dependency-check-properties]
-  (let [engine (build-engine dependency-check-properties)]
+(defn ^:private scan-jars [dependencies dependency-check-properties clj-watson-properties]
+  (let [engine (build-engine dependency-check-properties clj-watson-properties)]
     (->> dependencies
          (map :paths)
          (apply concat)
@@ -41,7 +44,7 @@
     (.analyzeDependencies engine)
     engine))
 
-(defn start! [dependencies dependency-check-properties]
-  (let [engine (scan-jars dependencies dependency-check-properties)
+(defn start! [dependencies dependency-check-properties clj-watson-properties]
+  (let [engine (scan-jars dependencies dependency-check-properties clj-watson-properties)
         scanned-dependencies (->> engine .getDependencies Arrays/asList)]
     scanned-dependencies))

src/clj_watson/entrypoint.clj

@@ -22,10 +22,13 @@
       (controller.remediate/scan vulnerable-dependencies deps)
       vulnerable-dependencies)))
 
-(defmethod scan* :dependency-check [{:keys [deps-edn-path suggest-fix aliases dependency-check-properties]}]
+(defmethod scan* :dependency-check [{:keys [deps-edn-path suggest-fix aliases
+                                            dependency-check-properties clj-watson-properties]}]
   (let [{:keys [deps dependencies]} (controller.deps/parse deps-edn-path aliases)
         repositories (select-keys deps [:mvn/repos])
-        scanned-dependencies (controller.dc.scanner/start! dependencies dependency-check-properties)
+        scanned-dependencies (controller.dc.scanner/start! dependencies
+                                                           dependency-check-properties
+                                                           clj-watson-properties)
         vulnerable-dependencies (controller.dc.vulnerability/extract scanned-dependencies dependencies repositories)]
     (if suggest-fix
       (controller.remediate/scan vulnerable-dependencies deps)