Merge 178a479 into 6d82bce

rm-hull · Aug 21, 2022 · b0c7846 · b0c7846
2 parents 6d82bce + 178a479
commit b0c7846
Show file tree

Hide file tree

Showing 9 changed files with 61 additions and 31 deletions.
diff --git a/.github/bug.yml → .github/ISSUE_TEMPLATE/bug.yml b/.github/bug.yml → .github/ISSUE_TEMPLATE/bug.yml
@@ -48,8 +48,8 @@ body:
       label: Installation compliance
       description: 
       options:
-        - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v2.7.0#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v2.7.0#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v2.7.0#clojure-cli-tool)).
+        - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v2.8.0#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v2.8.0#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v2.8.0#clojure-cli-tool)).
           required: true
-        - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v2.7.0#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck).
+        - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v2.8.0#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck).
           required: false
 
diff --git a/.github/issue.yml → .github/ISSUE_TEMPLATE/issue.yml b/.github/issue.yml → .github/ISSUE_TEMPLATE/issue.yml
@@ -32,8 +32,8 @@ body:
       label: Installation compliance
       description: 
       options:
-        - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v2.7.0#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v2.7.0#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v2.7.0#clojure-cli-tool)).
+        - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v2.8.0#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v2.8.0#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v2.8.0#clojure-cli-tool)).
           required: true
-        - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v2.7.0#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck).
+        - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v2.8.0#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck).
           required: false
 
diff --git a/.github/integration_test.sh b/.github/integration_test.sh
@@ -64,7 +64,7 @@ example_classpath="$(clojure -Spath)"
 # cd to $HOME, to demonstrate that the Tool does not depend on a deps.edn file:
 cd || exit 1
 
-if clojure -J-Dclojure.main.report=stderr -Tnvd nvd.task/check :classpath '"'"$example_classpath"'"' > example-lein-output; then
+if clojure -J-Dclojure.main.report=stderr -Tnvd nvd.task/check :classpath \""$example_classpath\"" > example-lein-output; then
   echo "Should have failed with non-zero code!"
   exit 1
 fi

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## Changes from 2.7.0 to 2.8.0
+
+* Update `dependency-check-core`.
+
 ## Changes from 2.6.0 to 2.7.0
 
 * Update `dependency-check-core`.

diff --git a/Makefile b/Makefile
@@ -2,7 +2,7 @@
 
 # Example usage:
 # copy a one-off Clojars token to your clipboard
-# GIT_TAG=v2.7.0 CLOJARS_USERNAME=$USER CLOJARS_PASSWORD=$(pbpaste) make deploy
+# GIT_TAG=v2.8.0 CLOJARS_USERNAME=$USER CLOJARS_PASSWORD=$(pbpaste) make deploy
 
 deploy: check-env
 	lein clean

diff --git a/README.md b/README.md
@@ -26,12 +26,12 @@ dependencies and passes them to a library called [Dependency-Check](https://gith
 
 <details>
 
-Please create a separate project consisting of `[nvd-clojure/nvd-clojure "2.7.0"]`. Said project can be located inside the targeted repo's Git repository.
+Please create a separate project consisting of `[nvd-clojure/nvd-clojure "2.8.0"]`. Said project can be located inside the targeted repo's Git repository.
 
 ```
 (defproject nvd-helper "local"
   :description "nvd-clojure helper project"
-  :dependencies [[nvd-clojure "2.7.0"]
+  :dependencies [[nvd-clojure "2.8.0"]
                  [org.clojure/clojure "1.11.1"]]
   :jvm-opts ["-Dclojure.main.report=stderr"])
 ```
@@ -56,7 +56,7 @@ If you are using a multi-modules solution (e.g. `lein-monolith`), you should ens
 
 <details>
 
-Please create a separate project consisting exclusively of `nvd-clojure/nvd-clojure {:mvn/version "2.7.0"}`. Said project can be located inside the targeted repo's Git repository.
+Please create a separate project consisting exclusively of `nvd-clojure/nvd-clojure {:mvn/version "2.8.0"}`. Said project can be located inside the targeted repo's Git repository.
 
 Please do not add nvd-clojure as a dependency in the deps.edn of the project to be analysed.
 
@@ -89,10 +89,14 @@ clojure -Ttools install nvd-clojure/nvd-clojure '{:mvn/version "RELEASE"}' :as n
 Then you can run:
 
 ```bash
-clojure -J-Dclojure.main.report=stderr -Tnvd nvd.task/check :classpath '"'"$(clojure -Spath -A:any:aliases)"'"'
+clojure -J-Dclojure.main.report=stderr -Tnvd nvd.task/check :classpath \""$(clojure -Spath -A:any:aliases)\""
 ```
 
-You can optionally pass a `:config-filename`, denoting a .json file with extra options ([example](https://github.com/rm-hull/nvd-clojure/blob/master/.github/nvd-config.json)).
+You can optionally pass a `:config-filename`, denoting a .json file with extra options ([example](https://github.com/rm-hull/nvd-clojure/blob/master/.github/nvd-config.json), [doc](#configuration)).
+
+```bash
+clojure -J-Dclojure.main.report=stderr -Tnvd nvd.task/check :classpath \""$(clojure -Spath -A:any:aliases)\"" :config-filename \""nvd-config.json\""
+```
 
 The `-Spath` command should reflect a production-like classpath as closely as possible: it should not include dev/test tooling, etc.
 
@@ -123,7 +127,7 @@ which has dependencies with known vulnerabilities
 This can be demonstrated by running the following:
 
 ```bash
-clojure -J-Dclojure.main.report=stderr -Tnvd nvd.task/check :classpath '"'"$(cd example; lein with-profile -user classpath)"'"'
+clojure -J-Dclojure.main.report=stderr -Tnvd nvd.task/check :classpath \""$(cd example; lein with-profile -user classpath)\""
 ```
 
 This will download the NVD database, and then cross-check the classpath
@@ -155,12 +159,22 @@ dependency relationships are:
 dependencies, and suggest upgraded versions, and can optionally be configured
 to update the project file.
 
-## Configuration options
+## Configuration
 
 The default settings for `nvd-clojure` are usually sufficient for most projects, but
-can be customized with  a .json config file ([example](https://github.com/rm-hull/nvd-clojure/blob/master/.github/nvd-config.json)).
-
+can be customized with a .json config file ([example](https://github.com/rm-hull/nvd-clojure/blob/master/.github/nvd-config.json)).
 The filename denoting that file is the first argument to be passed to nvd-clojure when invoking it as a `main` (`-m`) program.
+
+When invoking it via Clojure Tools, it must be passed as a `:config-filename` option, e.g.
+
+```bash
+clojure -Tnvd nvd.task/check :classpath \""$(clojure -Spath)\"" :config-filename \""nvd-config.json\""
+```
+
+Note the escaped double quotes around the filename, to ensure that Clojure reads the command line argument as a string, not a symbol.
+
+## Configuration options
+
 The keys must reside inside a `"nvd": {...}` entry, not at the top-level. A top-level `"delete-config?": false` entry is expected for the time being ([example](https://github.com/rm-hull/nvd-clojure/blob/59dd3f33cf87b1527fdc06f78eb97d9fad990ff0/.github/nvd-config.json)), for backwards compatibility reasons.
 
 There are many dependency-check settings (for example to connect via a proxy, or
@@ -187,6 +201,18 @@ There are some specific settings below which are worthy of a few comments:
 * `"throw-if-check-unsuccessful"` - makes the program exit by throwing an exception instead of by invoking `System/exit`.
   - This can ease certain usages.
 
+## Logging
+
+You can override the default logging behaviour by providing a `simplelogger.properties` file on the nvd-clojure classpath. 
+Note that this is not the classpath of your project. See `resources/simplelogger.properties` for the default
+config.
+
+You can also set logging properties directly through Java system properties (the `-D` flags), for example:
+
+```
+clojure -J-Dclojure.main.report=stderr -J-Dorg.slf4j.simpleLogger.log.org.apache.commons=error -Tnvd nvd.task/check # ...
+```
+
 ## Avoiding classpath interference
 
 nvd-clojure has some Java dependencies, which in turn can have CVEs themselves.

diff --git a/deps.edn b/deps.edn
@@ -3,8 +3,8 @@
         org.clojure/java.classpath {:mvn/version "1.0.0"}
         clansi/clansi {:mvn/version "1.0.0"}
         org.clojure/data.json {:mvn/version "2.4.0"}
-        org.slf4j/slf4j-simple {:mvn/version "2.0.0-alpha1"}
-        org.owasp/dependency-check-core {:mvn/version "7.1.1"}
+        org.slf4j/slf4j-simple {:mvn/version "2.0.0"}
+        org.owasp/dependency-check-core {:mvn/version "7.1.2"}
         rm-hull/table {:mvn/version "0.7.1"}
         trptcolin/versioneer {:mvn/version "0.2.0"}}
  :mvn/repos {"central" {:url "https://repo1.maven.org/maven2/"}

diff --git a/project.clj b/project.clj
@@ -1,13 +1,13 @@
-(defproject nvd-clojure "2.7.0"
+(defproject nvd-clojure "2.8.0"
   :description "National Vulnerability Database dependency checker"
   :url "https://github.com/rm-hull/nvd-clojure"
   :license {:name "The MIT License (MIT)"
             :url "https://opensource.org/licenses/MIT"}
   :dependencies [[org.clojure/clojure "1.11.0"]
                  [clansi "1.0.0"]
                  [org.clojure/data.json "2.4.0"]
-                 [org.slf4j/slf4j-simple "2.0.0-alpha1"]
-                 [org.owasp/dependency-check-core "7.1.1"]
+                 [org.slf4j/slf4j-simple "2.0.0"]
+                 [org.owasp/dependency-check-core "7.1.2"]
                  [rm-hull/table "0.7.1"]
                  [trptcolin/versioneer "0.2.0"]
                  ;; Explicitly depend on a certain Jackson, consistently.
@@ -16,16 +16,16 @@
                  [com.fasterxml.jackson.core/jackson-annotations "2.13.3"]
                  [com.fasterxml.jackson.core/jackson-core "2.13.3"]
                  [com.fasterxml.jackson.module/jackson-module-afterburner "2.13.3"]
-                 [org.apache.maven.resolver/maven-resolver-transport-http "1.8.1" #_"Fixes a CVE"]
+                 [org.apache.maven.resolver/maven-resolver-transport-http "1.8.2" #_"Fixes a CVE"]
                  [org.apache.maven/maven-core "3.8.6" #_"Fixes a CVE"]
-                 [org.eclipse.jetty/jetty-client "11.0.9" #_"Fixes a CVE" :exclusions [org.slf4j/slf4j-api]]
-                 [org.apache.maven.resolver/maven-resolver-spi "1.8.1" #_"Satisfies :pedantic?"]
-                 [org.apache.maven.resolver/maven-resolver-api "1.8.1" #_"Satisfies :pedantic?"]
-                 [org.apache.maven.resolver/maven-resolver-util "1.8.1" #_"Satisfies :pedantic?"]
-                 [org.apache.maven.resolver/maven-resolver-impl "1.8.1" #_"Satisfies :pedantic?"]
+                 [org.eclipse.jetty/jetty-client "11.0.11" #_"Fixes a CVE" :exclusions [org.slf4j/slf4j-api]]
+                 [org.apache.maven.resolver/maven-resolver-spi "1.8.2" #_"Satisfies :pedantic?"]
+                 [org.apache.maven.resolver/maven-resolver-api "1.8.2" #_"Satisfies :pedantic?"]
+                 [org.apache.maven.resolver/maven-resolver-util "1.8.2" #_"Satisfies :pedantic?"]
+                 [org.apache.maven.resolver/maven-resolver-impl "1.8.2" #_"Satisfies :pedantic?"]
                  [org.apache.maven/maven-resolver-provider "3.8.6" #_"Satisfies :pedantic?"]
                  [org.codehaus.plexus/plexus-utils "3.4.2" #_"Satisfies :pedantic?"]]
-  :managed-dependencies [[com.google.code.gson/gson "2.8.9"]]
+  :managed-dependencies [[com.google.code.gson/gson "2.9.1"]]
   :scm {:url "git@github.com:rm-hull/nvd-clojure.git"}
   :source-paths ["src"]
   :jar-exclusions [#"(?:^|/).git"]
@@ -39,13 +39,13 @@
                              [lein-codox "0.10.7"]
                              [lein-cloverage "1.2.3"]
                              [lein-ancient "0.7.0"]
-                             [jonase/eastwood "1.2.3"]]
+                             [jonase/eastwood "1.2.4"]]
                    :eastwood {:add-linters [:boxed-math
                                             :performance]}
-                   :dependencies [[clj-kondo "2022.05.31"]
+                   :dependencies [[clj-kondo "2022.08.03"]
                                   [commons-collections "20040616"]]}
              :ci {:pedantic? :abort}
-             :clj-kondo {:dependencies [[clj-kondo "2022.05.31"]]}
+             :clj-kondo {:dependencies [[clj-kondo "2022.08.03"]]}
              :skip-self-check {:jvm-opts ["-Dnvd-clojure.internal.skip-self-check=true"
                                           "-Dclojure.main.report=stderr"]}}
   :deploy-repositories [["clojars" {:url "https://clojars.org/repo"

diff --git a/test/nvd/config_test.clj b/test/nvd/config_test.clj
@@ -27,7 +27,7 @@
    [clojure.test :refer [deftest is]]
    [nvd.config :refer [app-name with-config]]))
 
-(def dependency-check-version "7.1.1")
+(def dependency-check-version "7.1.2")
 
 (deftest check-app-name
   (is (= "stdin" (app-name {:nome "hello-world" :version "0.0.1"})))