2.10.0

rm-hull · Oct 25, 2022 · 1a734b4 · 1a734b4
1 parent 4bdc690
commit 1a734b4
Show file tree

Hide file tree

Showing 8 changed files with 27 additions and 13 deletions.
diff --git a/.github/ISSUE_TEMPLATE/bug.yml b/.github/ISSUE_TEMPLATE/bug.yml
@@ -48,8 +48,8 @@ body:
       label: Installation compliance
       description: 
       options:
-        - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v2.9.0#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v2.9.0#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v2.9.0#clojure-cli-tool)).
+        - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v2.10.0#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v2.10.0#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v2.10.0#clojure-cli-tool)).
           required: true
-        - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v2.9.0#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck).
+        - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v2.10.0#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck).
           required: false
 
diff --git a/.github/ISSUE_TEMPLATE/issue.yml b/.github/ISSUE_TEMPLATE/issue.yml
@@ -32,8 +32,8 @@ body:
       label: Installation compliance
       description: 
       options:
-        - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v2.9.0#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v2.9.0#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v2.9.0#clojure-cli-tool)).
+        - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v2.10.0#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v2.10.0#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v2.10.0#clojure-cli-tool)).
           required: true
-        - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v2.9.0#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck).
+        - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v2.10.0#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck).
           required: false
 
diff --git a/.github/dogfooding_suppressions.xml b/.github/dogfooding_suppressions.xml
@@ -9,4 +9,8 @@
     <filePath regex="true">.*\bh2-2\.1\.210\.jar</filePath>
     <cve>CVE-2018-14335</cve>
   </suppress>
+  <suppress>
+    <filePath regex="true">.*\bsnakeyaml-1\.33\.jar</filePath>
+    <cve>CVE-2022-38752</cve>
+  </suppress>
 </suppressions>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## Changes from 2.9.0 to 2.10.0
+
+* Update `dependency-check-core`.
+
 ## Changes from 2.8.0 to 2.9.0
 
 * Update `dependency-check-core`.

diff --git a/Makefile b/Makefile
@@ -2,7 +2,7 @@
 
 # Example usage:
 # copy a one-off Clojars token to your clipboard
-# GIT_TAG=v2.9.0 CLOJARS_USERNAME=$USER CLOJARS_PASSWORD=$(pbpaste) make deploy
+# GIT_TAG=v2.10.0 CLOJARS_USERNAME=$USER CLOJARS_PASSWORD=$(pbpaste) make deploy
 
 deploy: check-env
 	lein clean

diff --git a/README.md b/README.md
@@ -26,12 +26,12 @@ dependencies and passes them to a library called [Dependency-Check](https://gith
 
 <details>
 
-Please create a separate project consisting of `[nvd-clojure/nvd-clojure "2.9.0"]`. Said project can be located inside the targeted repo's Git repository.
+Please create a separate project consisting of `[nvd-clojure/nvd-clojure "2.10.0"]`. Said project can be located inside the targeted repo's Git repository.
 
 ```
 (defproject nvd-helper "local"
   :description "nvd-clojure helper project"
-  :dependencies [[nvd-clojure "2.9.0"]
+  :dependencies [[nvd-clojure "2.10.0"]
                  [org.clojure/clojure "1.11.1"]]
   :jvm-opts ["-Dclojure.main.report=stderr"])
 ```
@@ -56,7 +56,7 @@ If you are using a multi-modules solution (e.g. `lein-monolith`), you should ens
 
 <details>
 
-Please create a separate project consisting exclusively of `nvd-clojure/nvd-clojure {:mvn/version "2.9.0"}`. Said project can be located inside the targeted repo's Git repository.
+Please create a separate project consisting exclusively of `nvd-clojure/nvd-clojure {:mvn/version "2.10.0"}`. Said project can be located inside the targeted repo's Git repository.
 
 Please do not add nvd-clojure as a dependency in the deps.edn of the project to be analysed.
 

diff --git a/project.clj b/project.clj
@@ -1,4 +1,4 @@
-(defproject nvd-clojure "2.9.0"
+(defproject nvd-clojure "2.10.0"
   :description "National Vulnerability Database dependency checker"
   :url "https://github.com/rm-hull/nvd-clojure"
   :license {:name "The MIT License (MIT)"
@@ -17,6 +17,7 @@
                  [com.fasterxml.jackson.core/jackson-core "2.13.4"]
                  [com.fasterxml.jackson.module/jackson-module-afterburner "2.13.4"]
                  [org.apache.maven.resolver/maven-resolver-transport-http "1.8.2" #_"Fixes a CVE"]
+                 [org.yaml/snakeyaml "1.33" #_"Fixes a CVE"]
                  [org.apache.maven/maven-core "3.8.6" #_"Fixes a CVE"]
                  [org.eclipse.jetty/jetty-client "12.0.0.alpha2" #_"Fixes a CVE" :exclusions [org.slf4j/slf4j-api]]
                  [org.apache.maven.resolver/maven-resolver-spi "1.8.2" #_"Satisfies :pedantic?"]

diff --git a/test/nvd/config_test.clj b/test/nvd/config_test.clj
@@ -22,16 +22,21 @@
 
 (ns nvd.config-test
   (:require
-   [clojure.edn :as edn]
    [clojure.java.io :as io]
    [clojure.string :as string]
    [clojure.test :refer [deftest is]]
    [nvd.config :refer [app-name with-config]]))
 
 (def dependency-check-version
-  (let [v (-> "project.clj" io/file slurp edn/read-string (nth 2))]
-    (assert (double? v))
-    (str v)))
+  (let [dependencies (-> "project.clj" io/file slurp read-string (nth 10))
+        _ (assert (vector? dependencies))
+        _ (assert (vector? (first dependencies)))
+        found (->> dependencies
+                   (some (fn [[d v]]
+                           (when (= d 'org.owasp/dependency-check-core)
+                             v))))]
+    (assert (string? found))
+    found))
 
 (deftest check-app-name
   (is (= "stdin" (app-name {:nome "hello-world" :version "0.0.1"})))