Explicitly only analyze dependencies/artifacts that are relevant to J…

…VM projects

Fixes #123

.github/integration_test.sh

@@ -3,6 +3,7 @@ set -Euxo pipefail
 
 cd "${BASH_SOURCE%/*}/.." || exit 1
 
+export LEIN_JVM_OPTS="-Dclojure.main.report=stderr"
 PROJECT_DIR="$PWD"
 CONFIG_FILE="$PROJECT_DIR/.github/nvd-config.json"
 DOGFOODING_CONFIG_FILE="$PROJECT_DIR/.github/nvd-dogfooding-config.json"

CHANGELOG.md

@@ -1,3 +1,10 @@
+## Changes from 2.3.0 to 2.4.0
+
+* [#123](https://github.com/rm-hull/nvd-clojure/issues/123): Explicitly only analyze dependencies/artifacts that are relevant to JVM projects.
+  * i.e. the internal analyzers that are specialized in other ecosystems e.g. .NET, Ruby, Node.js, etc will not be run at all, improving performance and accuracy.
+  * The nvd-clojure implementation never allowed non-jar files to be analyzed, so in practice no behavior has possibly been changed.  
+  * ([Read more](https://github.com/rm-hull/nvd-clojure/tree/v2.4.0#configuration-options))
+
 ## Changes from 2.2.0 to 2.3.0
 
 * Update `dependency-check-core`.

LICENSE.md

@@ -1,6 +1,6 @@
 # The MIT License (MIT)
 
-Copyright (c) 2016-19 Richard Hull
+Copyright (c) 2016-22 Richard Hull
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -2,11 +2,8 @@
 
 > _Formerly known as_ `lein-nvd`
 
-[![Build Status](https://github.com/rm-hull/nvd-clojure/workflows/Continuous%20Integration/badge.svg)](https://github.com/rm-hull/nvd-clojure/actions?query=workflow%3A%22Continuous+Integration%22)
-[![Dependencies Status](https://byob.yarr.is/dotemacs/actions-play/dependencies)](https://github.com/rm-hull/nvd-clojure/actions?query=workflow%3A%22dependencies%22)
 [![Downloads](https://versions.deps.co/rm-hull/nvd-clojure/downloads.svg)](https://versions.deps.co/rm-hull/nvd-clojure)
 [![Clojars Project](https://img.shields.io/clojars/v/nvd-clojure.svg)](https://clojars.org/nvd-clojure)
-[![Maintenance](https://img.shields.io/maintenance/yes/2021.svg?maxAge=2592000)]()
 
 [National Vulnerability Database](https://nvd.nist.gov/) dependency checker
 library.

example/project.clj

@@ -1,7 +1,9 @@
 (defproject example-with-known-vulnerabilities "1.4.17"
   :description "Example project with dependencies that have known vulnerabilities"
   :license {:name "The MIT License (MIT)"
-            :url "http://opensource.org/licenses/MIT"}
+            :url "https://opensource.org/licenses/MIT"}
+  :jvm-opts ["-Dclojure.main.report=stderr"
+             "-XX:-OmitStackTraceInFastThrow"]
   :dependencies [[org.clojure/clojure "1.10.3"]
                  ;; No known vulnerabilities, but have dependencies
                  [org.clojure/data.json "0.2.6"]

plugin/src/leiningen/nvd.clj

@@ -1,6 +1,6 @@
 ;; The MIT License (MIT)
 ;;
-;; Copyright (c) 2016 Richard Hull
+;; Copyright (c) 2016- Richard Hull
 ;;
 ;; Permission is hereby granted, free of charge, to any person obtaining a copy
 ;; of this software and associated documentation files (the "Software"), to deal

resources/simplelogger.properties

@@ -1,4 +1,4 @@
-# See: http://www.slf4j.org/api/org/slf4j/impl/SimpleLogger.html
+# See: https://www.slf4j.org/api/org/slf4j/impl/SimpleLogger.html
 org.slf4j.simpleLogger.showLogName = false
 org.slf4j.simpleLogger.showShortLogName = true
 org.slf4j.simpleLogger.showThreadName = false

src/nvd/config.clj

@@ -1,6 +1,6 @@
 ;; The MIT License (MIT)
 ;;
-;; Copyright (c) 2016 Richard Hull
+;; Copyright (c) 2016- Richard Hull
 ;;
 ;; Permission is hereby granted, free of charge, to any person obtaining a copy
 ;; of this software and associated documentation files (the "Software"), to deal
@@ -29,42 +29,60 @@
    [org.owasp.dependencycheck.utils Settings Settings$KEYS]))
 
 (def ^:private string-mappings
-  {Settings$KEYS/ANALYZER_NEXUS_URL [:analyzer :nexus-url]
-   Settings$KEYS/SUPPRESSION_FILE [:suppression-file]
+  {Settings$KEYS/ANALYZER_NEXUS_URL        [:analyzer :nexus-url]
+   Settings$KEYS/SUPPRESSION_FILE          [:suppression-file]
    Settings$KEYS/ADDITIONAL_ZIP_EXTENSIONS [:zip-extensions]
-   Settings$KEYS/PROXY_SERVER [:proxy :server]
-   Settings$KEYS/PROXY_PORT [:proxy :port]
-   Settings$KEYS/PROXY_USERNAME [:proxy :user]
-   Settings$KEYS/PROXY_PASSWORD [:proxy :password]
-   Settings$KEYS/CONNECTION_TIMEOUT [:database :connection-timeout]
-   Settings$KEYS/DATA_DIRECTORY [:data-directory]
-   Settings$KEYS/DB_DRIVER_NAME [:database :driver-name]
-   Settings$KEYS/DB_DRIVER_PATH [:database :driver-path]
-   Settings$KEYS/DB_CONNECTION_STRING [:database :connection-string]
-   Settings$KEYS/DB_USER [:database :user]
-   Settings$KEYS/DB_PASSWORD [:database :password]})
+   Settings$KEYS/PROXY_SERVER              [:proxy :server]
+   Settings$KEYS/PROXY_PORT                [:proxy :port]
+   Settings$KEYS/PROXY_USERNAME            [:proxy :user]
+   Settings$KEYS/PROXY_PASSWORD            [:proxy :password]
+   Settings$KEYS/CONNECTION_TIMEOUT        [:database :connection-timeout]
+   Settings$KEYS/DATA_DIRECTORY            [:data-directory]
+   Settings$KEYS/DB_DRIVER_NAME            [:database :driver-name]
+   Settings$KEYS/DB_DRIVER_PATH            [:database :driver-path]
+   Settings$KEYS/DB_CONNECTION_STRING      [:database :connection-string]
+   Settings$KEYS/DB_USER                   [:database :user]
+   Settings$KEYS/DB_PASSWORD               [:database :password]})
 
 (def ^:private integer-mappings
   {Settings$KEYS/CVE_CHECK_VALID_FOR_HOURS [:cve :valid-for-hours]})
 
 (def ^:private boolean-mappings
-  {Settings$KEYS/AUTO_UPDATE [:auto-update]
-   ;; Settings$KEYS/ANALYZER_EXPERIMENTAL_ENABLED [:analyzer :experimental-enabled]
-   Settings$KEYS/ANALYZER_JAR_ENABLED [:analyzer :jar-enabled]
-   Settings$KEYS/ANALYZER_PYTHON_DISTRIBUTION_ENABLED [:analyzer :python-distribution-enabled]
-   Settings$KEYS/ANALYZER_PYTHON_PACKAGE_ENABLED [:analyzer :python-package-enabled]
-   Settings$KEYS/ANALYZER_RUBY_GEMSPEC_ENABLED [:analyzer :ruby-gemspec-enabled]
-   Settings$KEYS/ANALYZER_OPENSSL_ENABLED [:analyzer :openssl-enabled]
-   Settings$KEYS/ANALYZER_CMAKE_ENABLED [:analyzer :cmake-enabled]
-   Settings$KEYS/ANALYZER_AUTOCONF_ENABLED [:analyzer :autoconf-enabled]
-   Settings$KEYS/ANALYZER_COMPOSER_LOCK_ENABLED [:analyzer :composer-lock-enabled]
-   Settings$KEYS/ANALYZER_NODE_PACKAGE_ENABLED [:analyzer :node-package-enabled]
-   Settings$KEYS/ANALYZER_NUSPEC_ENABLED [:analyzer :nuspec-enabled]
-   Settings$KEYS/ANALYZER_CENTRAL_ENABLED [:analyzer :central-enabled]
-   Settings$KEYS/ANALYZER_NEXUS_ENABLED [:analyzer :nexus-enabled]
-   Settings$KEYS/ANALYZER_ARCHIVE_ENABLED [:analyzer :archive-enabled]
-   Settings$KEYS/ANALYZER_ASSEMBLY_ENABLED [:analyzer :assembly-enabled]
-   Settings$KEYS/ANALYZER_NEXUS_USES_PROXY [:analyzer :nexus-uses-proxy]})
+  {Settings$KEYS/ANALYZER_ARCHIVE_ENABLED                [:analyzer :archive-enabled]
+   Settings$KEYS/ANALYZER_ARTIFACTORY_ENABLED            [:analyzer :artifactory-enabled]
+   Settings$KEYS/ANALYZER_ASSEMBLY_ENABLED               [:analyzer :assembly-enabled]
+   Settings$KEYS/ANALYZER_AUTOCONF_ENABLED               [:analyzer :autoconf-enabled]
+   Settings$KEYS/ANALYZER_BUNDLE_AUDIT_ENABLED           [:analyzer :bundle-audit-enabled]
+   Settings$KEYS/ANALYZER_CENTRAL_ENABLED                [:analyzer :central-enabled]
+   Settings$KEYS/ANALYZER_CMAKE_ENABLED                  [:analyzer :cmake-enabled]
+   Settings$KEYS/ANALYZER_COCOAPODS_ENABLED              [:analyzer :cocoapods-enabled]
+   Settings$KEYS/ANALYZER_COMPOSER_LOCK_ENABLED          [:analyzer :composer-lock-enabled]
+   Settings$KEYS/ANALYZER_CPANFILE_ENABLED               [:analyzer :cpanfile-enabled]
+   Settings$KEYS/ANALYZER_EXPERIMENTAL_ENABLED           [:analyzer :experimental-enabled]
+   Settings$KEYS/ANALYZER_GOLANG_DEP_ENABLED             [:analyzer :golang-dep-enabled]
+   Settings$KEYS/ANALYZER_GOLANG_MOD_ENABLED             [:analyzer :golang-mod-enabled]
+   Settings$KEYS/ANALYZER_JAR_ENABLED                    [:analyzer :jar-enabled]
+   Settings$KEYS/ANALYZER_MIX_AUDIT_ENABLED              [:analyzer :mix-audit-enabled]
+   Settings$KEYS/ANALYZER_MSBUILD_PROJECT_ENABLED        [:analyzer :msbuild-project-enabled]
+   Settings$KEYS/ANALYZER_NEXUS_ENABLED                  [:analyzer :nexus-enabled]
+   Settings$KEYS/ANALYZER_NEXUS_USES_PROXY               [:analyzer :nexus-uses-proxy]
+   Settings$KEYS/ANALYZER_NODE_AUDIT_ENABLED             [:analyzer :node-audit-enabled]
+   Settings$KEYS/ANALYZER_NODE_PACKAGE_ENABLED           [:analyzer :node-package-enabled]
+   Settings$KEYS/ANALYZER_NPM_CPE_ENABLED                [:analyzer :npm-cpe-enabled]
+   Settings$KEYS/ANALYZER_NUGETCONF_ENABLED              [:analyzer :nugetconf-enabled]
+   Settings$KEYS/ANALYZER_NUSPEC_ENABLED                 [:analyzer :nuspec-enabled]
+   Settings$KEYS/ANALYZER_OPENSSL_ENABLED                [:analyzer :openssl-enabled]
+   Settings$KEYS/ANALYZER_PIPFILE_ENABLED                [:analyzer :pipfile-enabled]
+   Settings$KEYS/ANALYZER_PIP_ENABLED                    [:analyzer :pip-enabled]
+   Settings$KEYS/ANALYZER_PNPM_AUDIT_ENABLED             [:analyzer :pnpm-package-enabled]
+   Settings$KEYS/ANALYZER_PYTHON_DISTRIBUTION_ENABLED    [:analyzer :python-distribution-enabled]
+   Settings$KEYS/ANALYZER_PYTHON_PACKAGE_ENABLED         [:analyzer :python-package-enabled]
+   Settings$KEYS/ANALYZER_RETIREJS_ENABLED               [:analyzer :retirejs-enabled]
+   Settings$KEYS/ANALYZER_RUBY_GEMSPEC_ENABLED           [:analyzer :ruby-gemspec-enabled]
+   Settings$KEYS/ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED  [:analyzer :swift-package-manager-enabled]
+   Settings$KEYS/ANALYZER_SWIFT_PACKAGE_RESOLVED_ENABLED [:analyzer :swift-package-resolved-enabled]
+   Settings$KEYS/ANALYZER_YARN_AUDIT_ENABLED             [:analyzer :yarn-audit-enabled]
+   Settings$KEYS/AUTO_UPDATE                             [:auto-update]})
 
 (defn app-name [project]
   (let [name (get project :name "stdin")
@@ -76,11 +94,42 @@
 (defn- read-opts [config-file]
   (json/read-str (slurp config-file) :key-fn keyword))
 
-(def default-settings
+(defn- default-settings
   {:exit-after-check true
-   :delete-config? true
-   :verbose-summary false
-   :nvd {:analyzer {:assembly-enabled false}}})
+   :delete-config?   true
+   :verbose-summary  false
+   :nvd              {:analyzer {:assembly-enabled               false
+                                 :archive-enabled                true
+                                 :autoconf-enabled               false
+                                 :bundle-audit-enabled           false
+                                 :central-enabled                true
+                                 :cmake-enabled                  false
+                                 :cocoapods-enabled              false
+                                 :composer-lock-enabled          false
+                                 :cpanfile-enabled               false
+                                 :experimental-enabled           false
+                                 :golang-dep-enabled             false
+                                 :golang-mod-enabled             false
+                                 :jar-enabled                    true
+                                 :mix-audit-enabled              false
+                                 :msbuild-project-enabled        false
+                                 :nexus-enabled                  true
+                                 :node-audit-enabled             false
+                                 :node-package-enabled           false
+                                 :npm-cpe-enabled                false
+                                 :nugetconf-enabled              false
+                                 :nuspec-enabled                 false
+                                 :openssl-enabled                false
+                                 :pip-enabled                    false
+                                 :pipfile-enabled                false
+                                 :pnpm-package-enabled           false
+                                 :python-distribution-enabled    false
+                                 :python-package-enabled         false
+                                 :retirejs-enabled               false
+                                 :ruby-gemspec-enabled           false
+                                 :swift-package-manager-enabled  false
+                                 :swift-package-resolved-enabled false
+                                 :yarn-audit-enabled             false}}})
 
 (defn- deep-merge [a b]
   (merge-with (fn [x y]
@@ -90,7 +139,8 @@
               a b))
 
 (defn populate-settings! [config-file]
-  (let [project (deep-merge default-settings (read-opts config-file))
+  (let [config (read-opts config-file)
+        project (deep-merge default-settings config)
         nvd-settings (:nvd project)
         settings (Settings.)]
     (doseq [[prop path] integer-mappings]
@@ -99,14 +149,12 @@
       (.setBooleanIfNotNull settings prop (get-in nvd-settings path)))
     (doseq [[prop path] string-mappings]
       (.setStringIfNotEmpty settings prop (str (get-in nvd-settings path))))
-    (->
-     project
-     (assoc-in [:nvd :data-directory] (.getDataDirectory settings))
-     (assoc
-      :engine (Engine. settings)
-      :title (str (app-name project) " " (:version project))
-      :start-time (System/currentTimeMillis)
-      :config-file config-file))))
+    (-> project
+        (assoc-in [:nvd :data-directory] (.getDataDirectory settings))
+        (assoc :engine      (Engine. settings)
+               :title       (str (app-name project) " " (:version project))
+               :start-time  (System/currentTimeMillis)
+               :config-file config-file))))
 
 (defn cleanup [project]
   (let [engine ^Engine (:engine project)

src/nvd/log.clj

@@ -0,0 +1,10 @@
+(ns nvd.log
+  "Uses the same logging pattern `dependency-check-core` does,
+  keeping the dependency tree simple."
+  (:import
+   (org.slf4j LoggerFactory)
+   (org.slf4j.simple SimpleLogger)))
+
+(defrecord nvd-clojure [])
+
+(def ^SimpleLogger logger (LoggerFactory/getLogger nvd-clojure))

src/nvd/report.clj

@@ -1,6 +1,6 @@
 ;; The MIT License (MIT)
 ;;
-;; Copyright (c) 2016 Richard Hull
+;; Copyright (c) 2016- Richard Hull
 ;;
 ;; Permission is hereby granted, free of charge, to any person obtaining a copy
 ;; of this software and associated documentation files (the "Software"), to deal

src/nvd/task/check.clj

@@ -1,6 +1,6 @@
 ;; The MIT License (MIT)
 ;;
-;; Copyright (c) 2016 Richard Hull
+;; Copyright (c) 2016- Richard Hull
 ;;
 ;; Permission is hereby granted, free of charge, to any person obtaining a copy
 ;; of this software and associated documentation files (the "Software"), to deal

test/nvd/config_test.clj

@@ -1,6 +1,6 @@
 ;; The MIT License (MIT)
 ;;
-;; Copyright (c) 2016 Richard Hull
+;; Copyright (c) 2016- Richard Hull
 ;;
 ;; Permission is hereby granted, free of charge, to any person obtaining a copy
 ;; of this software and associated documentation files (the "Software"), to deal