Merge 2987426 into ef64495

rm-hull · Feb 22, 2023 · b93a6c4 · b93a6c4
2 parents ef64495 + 2987426
commit b93a6c4
Show file tree

Hide file tree

Showing 8 changed files with 26 additions and 18 deletions.
diff --git a/.github/ISSUE_TEMPLATE/bug.yml b/.github/ISSUE_TEMPLATE/bug.yml
@@ -48,8 +48,8 @@ body:
       label: Installation compliance
       description: 
       options:
-        - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v3.0.0#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v3.0.0#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v3.0.0#clojure-cli-tool)).
+        - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v3.0.1#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v3.0.1#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v3.0.1#clojure-cli-tool)).
           required: true
-        - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v3.0.0#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck).
+        - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v3.0.1#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck).
           required: false
 
diff --git a/.github/ISSUE_TEMPLATE/issue.yml b/.github/ISSUE_TEMPLATE/issue.yml
@@ -32,8 +32,8 @@ body:
       label: Installation compliance
       description: 
       options:
-        - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v3.0.0#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v3.0.0#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v3.0.0#clojure-cli-tool)).
+        - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v3.0.1#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v3.0.1#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v3.0.1#clojure-cli-tool)).
           required: true
-        - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v3.0.0#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck).
+        - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v3.0.1#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck).
           required: false
 
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,8 +1,13 @@
+## Changes from 3.0.0 to 3.0.1
+
+* Parse classpaths in a cross-platform manner.
+  * Closes [#158](https://github.com/rm-hull/nvd-clojure/issues/158)
+
 ## Changes from 2.13.0 to 3.0.0
 
 * Introduce .edn configuration format.
   * .json files will remain working as-is indefinitely.
-  * If you wish to migrate to the .edn format, doing so is easy - please see [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v3.0.0/FAQ.md).
+  * If you wish to migrate to the .edn format, doing so is easy - please see [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v3.0.1/FAQ.md).
   * If you specify the blank string as the config file to be used, a useful, sample .edn file will be generated.
 * Automatically create a .xml suppression file when a `:suppression-file` is specified and no such file exists
   * In practice, this means that on the first run, if you specify the blank string as the config file to be used, two files will be created for you:

diff --git a/FAQ.md b/FAQ.md
@@ -70,14 +70,14 @@ CVEs can be remediated in a variety of ways:
 * Replacing a dependency for another one
   * e.g. change the choice of JSON parser
 * Upgrading a managed dependency
-* Declaring transitive dependency, setting it to a newer version
+* Declaring a transitive dependency, setting it to a newer version
 * Upgrading a transitive dependency
 * Removing a direct dependency
 * Adding `:exclusions` such that a transitive dependency will be removed
 * Adding an entry to `nvd-suppressions.xml`
   * Fine-grained (exact)
   * Coarse-grained (wildcard)
-  * Temporal (with an expiration date)
+  * Temporary (with an expiration date)
 
 Devising a sensible remediation for a specific scenario will depend on your project and its needs. Completing one of the choices outlined above might need application-level code changes.
 

diff --git a/README.md b/README.md
@@ -24,12 +24,12 @@ will be checked for known security vulnerabilities. `nvd-clojure` passes them to
 
 <details>
 
-Please create a separate project consisting of `[nvd-clojure/nvd-clojure "3.0.0"]`. Said project can be located inside the targeted repo's Git repository.
+Please create a separate project consisting of `[nvd-clojure/nvd-clojure "3.0.1"]`. Said project can be located inside the targeted repo's Git repository.
 
 ```clj
 (defproject nvd-helper "local"
   :description "nvd-clojure helper project"
-  :dependencies [[nvd-clojure "3.0.0"]
+  :dependencies [[nvd-clojure "3.0.1"]
                  [org.clojure/clojure "1.11.1"]]
   :jvm-opts ["-Dclojure.main.report=stderr"])
 ```
@@ -42,7 +42,7 @@ Then you can run, within this helper project:
 lein with-profile -user run -m nvd.task.check "nvd-clojure.edn" "$(cd <YOUR_PROJECT>; lein with-profile -user,-dev classpath)"
 ```
 
-The first argument denotes a .edn file with extra options ([example](https://github.com/rm-hull/nvd-clojure/blob/master/.github/nvd-config.edn), [doc](#configuration)). You can pass an empty string `""` to mean "please use the default filename" (which is `nvd-clojure.edn`). If this file didn't exist, it will be automatically created for you, with some useful contents and comments.
+The first argument denotes a .edn file with extra options ([example](https://github.com/rm-hull/nvd-clojure/blob/master/.github/nvd-config.edn), [doc](#configuration-options)). You can pass an empty string `""` to mean "please use the default filename" (which is `nvd-clojure.edn`). If this file didn't exist, it will be automatically created for you, with some useful contents and comments.
 
 The `classpath` Leiningen command should reflect a production-like classpath as closely as possible: it should not include dev/test tooling, plugins, etc.
 
@@ -54,7 +54,7 @@ If you are using a multi-modules solution (e.g. `lein-monolith`), you should ens
 
 <details>
 
-Please create a separate project consisting exclusively of `nvd-clojure/nvd-clojure {:mvn/version "3.0.0"}`. Said project can be located inside the targeted repo's Git repository.
+Please create a separate project consisting exclusively of `nvd-clojure/nvd-clojure {:mvn/version "3.0.1"}`. Said project can be located inside the targeted repo's Git repository.
 
 Please do not add nvd-clojure as a dependency in the deps.edn of the project to be analysed.
 
@@ -66,7 +66,7 @@ Then you can run, within this helper project:
 clojure -J-Dclojure.main.report=stderr -M -m nvd.task.check "nvd-clojure.edn" "$(cd <YOUR_PROJECT>; clojure -Spath -A:any:aliases)"
 ```
 
-The first argument denotes a .edn file with extra options ([example](https://github.com/rm-hull/nvd-clojure/blob/master/.github/nvd-config.edn), [doc](#configuration)). You can pass an empty string `""` to mean "please use the default filename" (which is `nvd-clojure.edn`). If this file didn't exist, it will be automatically created for you, with some useful contents and comments.
+The first argument denotes a .edn file with extra options ([example](https://github.com/rm-hull/nvd-clojure/blob/master/.github/nvd-config.edn), [doc](#configuration-options)). You can pass an empty string `""` to mean "please use the default filename" (which is `nvd-clojure.edn`). If this file didn't exist, it will be automatically created for you, with some useful contents and comments.
 
 The `-Spath` command should reflect a production-like classpath as closely as possible: it should not include dev/test tooling, etc.
 
@@ -90,7 +90,7 @@ Then you can run:
 clojure -J-Dclojure.main.report=stderr -Tnvd nvd.task/check :classpath \""$(clojure -Spath -A:any:aliases)\"" :config-filename \""nvd-config.edn\""
 ```
 
-The `:config-filename` argument denotes an .edn file with extra options ([example](https://github.com/rm-hull/nvd-clojure/blob/master/.github/nvd-config.edn), [doc](#configuration)).
+The `:config-filename` argument denotes an .edn file with extra options ([example](https://github.com/rm-hull/nvd-clojure/blob/master/.github/nvd-config.edn), [doc](#configuration-options)).
 If this file didn't exist, it will be automatically created for you, with some useful contents and comments.
 
 The `-Spath` command should reflect a production-like classpath as closely as possible: it should not include dev/test tooling, etc.
@@ -155,7 +155,7 @@ dependency relationships are:
 dependencies, and suggest upgraded versions, and can optionally be configured
 to update the project file.
 
-(Note that that is only one of the multiple ways of remediating a given vulnerability, please see [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v3.0.0/FAQ.md))
+(Note that that is only one of the multiple ways of remediating a given vulnerability, please see [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v3.0.1/FAQ.md))
 
 ## Configuration
 
@@ -209,7 +209,7 @@ You can also set logging properties directly through Java system properties (the
 clojure -J-Dclojure.main.report=stderr -J-Dorg.slf4j.simpleLogger.log.org.apache.commons=error -Tnvd nvd.task/check # ...
 ```
 
-## [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v3.0.0/FAQ.md)
+## [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v3.0.1/FAQ.md)
 
 ## Avoiding classpath interference
 

diff --git a/project.clj b/project.clj
@@ -1,4 +1,4 @@
-(defproject nvd-clojure "3.0.0"
+(defproject nvd-clojure "3.0.1"
   :description "National Vulnerability Database dependency checker"
   :url "https://github.com/rm-hull/nvd-clojure"
   :license {:name "The MIT License (MIT)"

diff --git a/resources/nvd_clojure/default_config_content.edn b/resources/nvd_clojure/default_config_content.edn
@@ -6,7 +6,7 @@
 
 ;; Feel free to tweak it, version-control it and remove any comment.
 
-;; Configuration reference: https://github.com/rm-hull/nvd-clojure/tree/v3.0.0#configuration-options
+;; Configuration reference: https://github.com/rm-hull/nvd-clojure/tree/v3.0.1#configuration-options
 
 {;; You can use the `:suppression-file` in order to silence false positives.
  ;; This file will be automatically created, with whatever filename is specified here, if it didn't exist already.

diff --git a/src/nvd/task/check.clj b/src/nvd/task/check.clj
@@ -94,12 +94,15 @@
         fail-build?
         conditional-exit)))
 
+(def classpath-separator-re
+  (re-pattern (str File/pathSeparatorChar)))
+
 (defn -main [& [config-filename ^String classpath-string]]
   (when (s/blank? classpath-string)
     (throw (ex-info "nvd-clojure requires a classpath value to be explicitly passed as a CLI argument.
 Older usages are deprecated." {})))
 
-  (let [classpath (s/split classpath-string #":")
+  (let [classpath (s/split classpath-string classpath-separator-re)
         classpath (into []
                         (remove (fn [^String s]
                                   ;; Only .jar (and perhaps .zip) files are relevant.