From 31a01fb98666e1d7307b6b6976e76f6f3ec2e066 Mon Sep 17 00:00:00 2001
From: vemv
Date: Sun, 7 Jan 2024 21:54:42 +0100
Subject: [PATCH 1/5] Fix a typo in the CHANGELOG
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index eef4a72..9cf0297 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,4 @@
-## Changes from 4.0.0 to 4.0.0
+## Changes from 3.6.0 to 4.0.0
 * Update `dependency-check-core` to the 9.x series ([9.0.8](https://github.com/jeremylong/DependencyCheck/blob/v9.0.8/CHANGELOG.md))
 * This **requires** nvd-clojure users to request a NVD API key and configure it correctly.
From 92271ac34f6ff8c81f3bada529e5c031dbc4ab32 Mon Sep 17 00:00:00 2001
From: vemv
Date: Tue, 20 Feb 2024 07:38:58 +0000
Subject: [PATCH 2/5] Upgrade dependencies
---
 deps.edn | 6 +++---
 project.clj | 10 +++++-----
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/deps.edn b/deps.edn
index 545315a..6459956 100644
--- a/deps.edn
+++ b/deps.edn
@@ -1,10 +1,10 @@
 {:paths ["src"]
 :deps {org.clojure/clojure {:mvn/version "1.11.1"}
- org.clojure/java.classpath {:mvn/version "1.0.0"}
+ org.clojure/java.classpath {:mvn/version "1.1.0"}
 clansi/clansi {:mvn/version "1.0.0"}
 org.clojure/data.json {:mvn/version "2.5.0"}
- org.slf4j/slf4j-simple {:mvn/version "2.0.10"}
- org.owasp/dependency-check-core {:mvn/version "9.0.8"}
+ org.slf4j/slf4j-simple {:mvn/version "2.0.12"}
+ org.owasp/dependency-check-core {:mvn/version "9.0.9"}
 rm-hull/table {:mvn/version "0.7.1"}
 trptcolin/versioneer {:mvn/version "0.2.0"}}
 :mvn/repos {"central" {:url "https://repo1.maven.org/maven2/"}
diff --git a/project.clj b/project.clj
index d520b1f..dbe39e3 100644
--- a/project.clj
+++ b/project.clj
@@ -6,8 +6,8 @@
 :dependencies [[org.clojure/clojure "1.11.1"]
 [clansi "1.0.0"]
 [org.clojure/data.json "2.5.0"]
- [org.slf4j/slf4j-simple "2.0.10"]
- [org.owasp/dependency-check-core "9.0.8"]
+ [org.slf4j/slf4j-simple "2.0.12"]
+ [org.owasp/dependency-check-core "9.0.9"]
 [rm-hull/table "0.7.1"]
 [trptcolin/versioneer "0.2.0"]
 ;; Explicitly depend on a certain Jackson, consistently.
@@ -19,7 +19,7 @@
 [org.apache.maven.resolver/maven-resolver-transport-http "1.9.18" #_"Fixes a CVE"]
 [org.yaml/snakeyaml "2.2" #_"Fixes a CVE"]
 [org.apache.maven/maven-core "3.9.6" #_"Fixes a CVE"]
- [org.eclipse.jetty/jetty-client "12.0.5" #_"Fixes a CVE" :exclusions [org.slf4j/slf4j-api]]
+ [org.eclipse.jetty/jetty-client "12.0.6" #_"Fixes a CVE" :exclusions [org.slf4j/slf4j-api]]
 [org.apache.maven.resolver/maven-resolver-spi "1.9.18" #_"Satisfies :pedantic?"]
 [org.apache.maven.resolver/maven-resolver-api "1.9.18" #_"Satisfies :pedantic?"]
 [org.apache.maven.resolver/maven-resolver-util "1.9.18" #_"Satisfies :pedantic?"]
@@ -43,10 +43,10 @@
 [jonase/eastwood "1.4.0"]]
 :eastwood {:add-linters [:boxed-math :performance]}
- :dependencies [[clj-kondo "2023.12.15"]
+ :dependencies [[clj-kondo "2024.02.12"]
 [commons-collections "20040616"]]}
 :ci {:pedantic? :abort}
- :clj-kondo {:dependencies [[clj-kondo "2023.12.15"]]}
+ :clj-kondo {:dependencies [[clj-kondo "2024.02.12"]]}
 :skip-self-check {:jvm-opts ["-Dnvd-clojure.internal.skip-self-check=true"]}}
 :deploy-repositories [["clojars" {:url "https://clojars.org/repo"
 :username :env/clojars_username
From 2f94402b62ab33e046f0fe11e81148f92276fc5c Mon Sep 17 00:00:00 2001
From: vemv
Date: Tue, 20 Feb 2024 14:17:26 +0100
Subject: [PATCH 3/5] Use `DeLaGuardo/setup-clojure@12.1`
---
 .github/workflows/ci.yaml | 4 ++--
 .github/workflows/dependencies.yaml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 2cbe7c1..bb45cf5 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -27,7 +27,7 @@ jobs:
 ref: ${{ github.ref }}
 - run: .github/lint.sh
 - name: Install leiningen
- uses: DeLaGuardo/setup-clojure@master
+ uses: DeLaGuardo/setup-clojure@12.1
 with:
 lein: 2.9.4
 - run: lein cljfmt check
@@ -56,7 +56,7 @@ jobs:
 with:
 ref: ${{ github.ref }}
 - name: Install leiningen
- uses: DeLaGuardo/setup-clojure@master
+ uses: DeLaGuardo/setup-clojure@12.1
 with:
 cli: '1.10.3.1029'
 lein: '2.9.4'
diff --git a/.github/workflows/dependencies.yaml b/.github/workflows/dependencies.yaml
index d5f23fe..03aea66 100644
--- a/.github/workflows/dependencies.yaml
+++ b/.github/workflows/dependencies.yaml
@@ -15,7 +15,7 @@ jobs:
 with:
 java-version: '11'
 - name: Install Clojure CLI
- uses: DeLaGuardo/setup-clojure@master
+ uses: DeLaGuardo/setup-clojure@12.1
 with:
 cli: '1.10.3.933'
 lein: 2.9.5
From 29f3b7797fade2f4fbffe8390d77b787f597c84a Mon Sep 17 00:00:00 2001
From: vemv
Date: Tue, 20 Feb 2024 14:45:08 +0100
Subject: [PATCH 4/5] dbg
---
 .github/lint.sh | 1 +
 .github/workflows/ci.yaml | 12 ++++++------
 .github/workflows/dependencies.yaml | 6 +++---
 3 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/.github/lint.sh b/.github/lint.sh
index bd8b9a9..73731f5 100755
--- a/.github/lint.sh
+++ b/.github/lint.sh
@@ -7,4 +7,5 @@ classpath="$(lein with-profile -user,+test classpath)"
 # populate a clj-kondo cache per https://github.com/clj-kondo/clj-kondo/tree/4f1252748b128da6ea23033f14b2bec8662dc5fd#project-setup : lein with-profile -user,+test,+clj-kondo run -m clj-kondo.main --lint "$classpath" --dependencies --parallel --copy-configs
 lein with-profile -user,+test,+clj-kondo run -m clj-kondo.main --lint src test
+lein version
 lein eastwood
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index bb45cf5..83fda3d 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
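Review bot: The added `lein version` in lint.sh carries no explanation of why a lint script prints tool versions, and under a commit titled `dbg` it reads as debugging output that was left behind. If it is meant to stay as a CI diagnostic, precede it with a comment such as `# record the Leiningen/JVM versions in the CI log for troubleshooting`, or move it into the workflow step that installs Leiningen where it is self-explanatory; otherwise revert it before merge. The script header and any `set -e`/`-x` options are outside this hunk, so whether a failure of this line would abort the remaining lint steps cannot be judged from here.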
@@ -25,11 +25,11 @@ jobs:
 uses: actions/checkout@master
 with:
 ref: ${{ github.ref }}
- - run: .github/lint.sh
 - name: Install leiningen
- uses: DeLaGuardo/setup-clojure@12.1
+ uses: DeLaGuardo/setup-clojure@12.5
 with:
- lein: 2.9.4
+ lein: 2.9.1
+ - run: .github/lint.sh
 - run: lein cljfmt check
 - run: lein with-profile +dev cloverage --lcov
 - name: Coveralls
@@ -56,9 +56,9 @@ jobs:
 with:
 ref: ${{ github.ref }}
 - name: Install leiningen
- uses: DeLaGuardo/setup-clojure@12.1
+ uses: DeLaGuardo/setup-clojure@12.5
 with:
- cli: '1.10.3.1029'
- lein: '2.9.4'
+ cli: 1.10.3.1029
+ lein: 2.9.1
 - run: shellcheck .github/*.sh
 - run: .github/integration_test.sh
diff --git a/.github/workflows/dependencies.yaml b/.github/workflows/dependencies.yaml
index 03aea66..f623ae2 100644
--- a/.github/workflows/dependencies.yaml
+++ b/.github/workflows/dependencies.yaml
@@ -15,10 +15,10 @@ jobs:
 with:
 java-version: '11'
 - name: Install Clojure CLI
- uses: DeLaGuardo/setup-clojure@12.1
+ uses: DeLaGuardo/setup-clojure@12.5
 with:
- cli: '1.10.3.933'
- lein: 2.9.5
+ cli: 1.10.3.933
+ lein: 2.9.1
 - name: check for outdated dependencies
 id: deps
 run: |
From 4b1c86db6e975ebb7fa5819e523173ed50667064 Mon Sep 17 00:00:00 2001
From: vemv
Date: Wed, 21 Feb 2024 14:13:29 +0100
Subject: [PATCH 5/5] dogfooding
---
 .github/dogfooding_suppressions.xml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/.github/dogfooding_suppressions.xml b/.github/dogfooding_suppressions.xml
index 7d201b5..0bacd43 100644
--- a/.github/dogfooding_suppressions.xml
+++ b/.github/dogfooding_suppressions.xml
@@ -49,4 +49,21 @@ ^pkg:maven/org\.codehaus\.plexus/plexus-.*$ cpe:/a:codehaus-plexus_project:codehaus-plexus + + .*\bclojure-complete-0\.2\.5\.jar + CVE-2017-20189 + + .*\bcore\.specs\.alpha-0\.2\.62\.jar + CVE-2017-20189 + + .*\bspec\.alpha-0\.3\.218\.jar + CVE-2017-20189 + + .*\bcommons-compress-1\.25\.0\.jar + CVE-2024-25710 + CVE-2024-26308 +
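Review bot: `uses: actions/checkout@master` on the first context line of this hunk is still a floating branch reference, and the new `DeLaGuardo/setup-clojure@12.5` lines pin to a tag, which the action's maintainer (or anyone who compromises the repository) can move; for a project whose job is dependency vulnerability scanning, pin each third-party action to a full commit SHA with the version as a trailing comment, e.g. `uses: DeLaGuardo/setup-clojure@<full-commit-sha> # v12.5`, and enable a bot to bump the SHA. The Leiningen downgrade `2.9.4` → `2.9.1` here (and `2.9.5` → `2.9.1` in dependencies.yaml below) is not explained by a commit titled `dbg`; if it is intentional, `lein: 2.9.1 # pinned: <reason>` will stop the next dependency refresh from undoing it, and if it is debugging state it should be reverted before merge. Dropping the quotes around `cli:`/`lein:` values is harmless for these three-component versions, but a future two-component value such as `2.10` would be parsed by YAML as the float `2.1`, so keeping them quoted is the safer convention. The checkout step's `- uses` line opens before this hunk.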
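Review bot: The new suppression for `.*\bcommons-compress-1\.25\.0\.jar` silences CVE-2024-25710 and CVE-2024-26308 by file path, which hides the finding from nvd-clojure's own self-scan rather than resolving it; if these are genuine advisories against that commons-compress version (unlike the plexus entry above, which suppresses a CPE mis-match), the approach project.clj already takes for other transitive dependencies — an explicit pinned entry annotated `#_"Fixes CVE-2024-25710, CVE-2024-26308"` — would remove the vulnerable jar instead, and the suppression could be dropped when dependency-check-core ships the newer version. If suppression is deliberate, each new `<suppress>` should carry a `<notes>` element stating why it is a false positive or an accepted risk, and an `until="YYYY-MM-DD"` attribute so the entry expires and is revisited; the three CVE-2017-20189 entries in particular match three different jars pinned to exact versions and presumably share one reason, which belongs in a single note. The element tags of the added lines are not visible in this hunk as rendered, so the structure above is inferred from the surrounding entries.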