rm-hull · tobias · Jun 25, 2025 · Mar 21, 2025 · Jun 25, 2025 · Jun 25, 2025
diff --git a/.github/ISSUE_TEMPLATE/bug.yml b/.github/ISSUE_TEMPLATE/bug.yml
@@ -48,8 +48,8 @@ body:
       label: Installation compliance
       description: 
       options:
-        - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v5.0.0#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v5.0.0#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v5.0.0#clojure-cli-tool)).
+        - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v5.1.0#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v5.1.0#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v5.1.0#clojure-cli-tool)).
           required: true
-        - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v5.0.0#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck).
+        - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v5.1.0#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck).
           required: false
 
diff --git a/.github/ISSUE_TEMPLATE/issue.yml b/.github/ISSUE_TEMPLATE/issue.yml
@@ -32,8 +32,8 @@ body:
       label: Installation compliance
       description: 
       options:
-        - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v5.0.0#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v5.0.0#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v5.0.0#clojure-cli-tool)).
+        - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v5.1.0#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v5.1.0#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v5.1.0#clojure-cli-tool)).
           required: true
-        - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v5.0.0#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck).
+        - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v5.1.0#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck).
           required: false
 
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,8 @@
+# Changes from 5.0.0 to 5.1.0
+
+* Update `dependency-check-core` from 12.1.0 to [12.1.3](https://github.com/dependency-check/DependencyCheck/blob/main/CHANGELOG.md#version-1213-2025-06-10).
+* Support [reporting on vulnerabilities with a score of 0](https://github.com/rm-hull/nvd-clojure/pull/187)
+
 ## Changes from 4.0.0 to 5.0.0 
 
 * Update `dependency-check-core` to the 12.x series ([12.1.0](https://github.com/dependency-check/DependencyCheck/blob/main/CHANGELOG.md#version-1210-2025-02-16))

diff --git a/Makefile b/Makefile
@@ -2,7 +2,7 @@
 
 # Example usage:
 # copy a one-off Clojars token to your clipboard
-# GIT_TAG=v5.0.0 CLOJARS_USERNAME=$USER CLOJARS_PASSWORD=$(pbpaste) make deploy
+# GIT_TAG=v5.1.0 CLOJARS_USERNAME=$USER CLOJARS_PASSWORD=$(pbpaste) make deploy
 
 deploy: check-env
 	lein clean

diff --git a/README.md b/README.md
@@ -18,18 +18,18 @@ will be checked for known security vulnerabilities. `nvd-clojure` passes them to
 
 ### Installation and basic usage
 
-> _Please see also:_ [Avoiding classpath interference](https://github.com/rm-hull/nvd-clojure/blob/v5.0.0/FAQ.md#what-is-classpath-interference)
+> _Please see also:_ [Avoiding classpath interference](https://github.com/rm-hull/nvd-clojure/blob/v5.1.0/FAQ.md#what-is-classpath-interference)
 
 #### Leiningen
 
 <details>
 
-Please create a separate project consisting of `[nvd-clojure/nvd-clojure "5.0.0"]`. Said project can be located inside the targeted repo's Git repository.
+Please create a separate project consisting of `[nvd-clojure/nvd-clojure "5.1.0"]`. Said project can be located inside the targeted repo's Git repository.
 
 ```clj
 (defproject nvd-helper "local"
   :description "nvd-clojure helper project"
-  :dependencies [[nvd-clojure "5.0.0"]
+  :dependencies [[nvd-clojure "5.1.0"]
                  [org.clojure/clojure "1.12.0"]]
   :jvm-opts ["-Dclojure.main.report=stderr"])
 ```
@@ -54,7 +54,7 @@ If you are using a multi-modules solution (e.g. `lein-monolith`), you should ens
 
 <details>
 
-Please create a separate project consisting exclusively of `nvd-clojure/nvd-clojure {:mvn/version "5.0.0"}`. Said project can be located inside the targeted repo's Git repository.
+Please create a separate project consisting exclusively of `nvd-clojure/nvd-clojure {:mvn/version "5.1.0"}`. Said project can be located inside the targeted repo's Git repository.
 
 Please do not add nvd-clojure as a dependency in the deps.edn of the project to be analysed.
 
@@ -155,7 +155,7 @@ dependency relationships are:
 dependencies, and suggest upgraded versions, and can optionally be configured
 to update the project file.
 
-(Note that that is only one of the multiple ways of remediating a given vulnerability, please see [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v5.0.0/FAQ.md#how-to-remediate-a-cve-is-it-a-good-idea-to-automate-remediation))
+(Note that that is only one of the multiple ways of remediating a given vulnerability, please see [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v5.1.0/FAQ.md#how-to-remediate-a-cve-is-it-a-good-idea-to-automate-remediation))
 
 ## Configuration
 
@@ -183,10 +183,10 @@ There are some specific settings below which are worthy of a few comments:
 * `:nvd-api` - map of:
   * :key - **MANDATORY** (unless you set an `NVD_API_TOKEN` environment variable) - must contain an API key that you can obtain in https://nvd.nist.gov/developers/request-an-api-key
   * other keys: `:endpoint`, `:delay`, `:max-retry-count`, `:valid-for-hours`, `:datafeed` - advanced, please refer to the source code.
-* `:fail-threshold` default value `0`; checks the highest CVSS score across all dependencies, and fails if this threshold is breached.
-  - As CVSS score ranges from `0..10`, the default value will cause a build to fail even for the lowest rated
-  vulnerability.
+* `:fail-threshold` default value `0`; checks the highest CVSS score across all dependencies, and fails if this threshold is breached (i.e. the highest score is greater than the threshold).
+  - As CVSS score ranges from `0..10`, the default value will cause a build to fail if at least one vulnerability with a score > 0 is detected.
   - Set to `11` if you never want the build to fail.
+  - Set to `-1` if you also want the build to fail when any vulnerabilities of score 0 or higher were detected (useful to be alerted of vulnerabilities which haven't yet been assigned a CVSS score, so have a score of 0).
 * `:data-directory` default value is the data dir of `DependencyCheck`, e.g. `~/.m2/repository/org/owasp/dependency-check-utils/3.2.1/data/`
   - It shouldn't normally be necessary to change this
 * `:suppression-file` default unset
@@ -212,7 +212,7 @@ You can also set logging properties directly through Java system properties (the
 clojure -J-Dclojure.main.report=stderr -J-Dorg.slf4j.simpleLogger.log.org.apache.commons=error -Tnvd nvd.task/check # ...
 ```
 
-## [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v5.0.0/FAQ.md)
+## [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v5.1.0/FAQ.md)
 
 ## Attribution
 

diff --git a/project.clj b/project.clj
@@ -1,4 +1,4 @@
-(defproject nvd-clojure "5.0.0"
+(defproject nvd-clojure "5.1.0"
   :description "National Vulnerability Database dependency checker"
   :url "https://github.com/rm-hull/nvd-clojure"
   :license {:name "The MIT License (MIT)"

diff --git a/resources/nvd_clojure/default_config_content.edn b/resources/nvd_clojure/default_config_content.edn
@@ -6,7 +6,7 @@
 
 ;; Feel free to tweak it, version-control it and remove any comment.
 
-;; Configuration reference: https://github.com/rm-hull/nvd-clojure/tree/v5.0.0#configuration-options
+;; Configuration reference: https://github.com/rm-hull/nvd-clojure/tree/v5.1.0#configuration-options
 
 {;; You can use the `:suppression-file` in order to silence false positives.
  ;; This file will be automatically created, with whatever filename is specified here, if it didn't exist already.

diff --git a/src/nvd/report.clj b/src/nvd/report.clj
@@ -123,9 +123,11 @@
 
 (defn fail-build? [project]
   (let [^Engine engine (:engine project)
-        highest-score (long (apply max 0 (scores engine)))
+        all-scores (scores engine)
+        highest-score (long (apply max 0 all-scores))
         fail-threshold (long (get-in project [:nvd :fail-threshold] 0))]
     (->
      project
      (assoc-in [:nvd :highest-score] highest-score)
-     (assoc :failed? (> highest-score fail-threshold)))))
+     (assoc :failed? (and (seq all-scores)
+                          (> highest-score fail-threshold))))))