
clj-watson's Introduction

clj-holmes

A CLI SAST (Static Application Security Testing) tool built to find vulnerable Clojure code using rules written in a simple pattern language. Although finding vulnerabilities is its main purpose, clj-holmes can also be used to find any kind of code pattern.

Installation

Download the release for your OS (macOS or Linux), copy it to a directory in your $PATH and make the binary executable.

Linux example

curl -L https://github.com/clj-holmes/clj-holmes/releases/latest/download/clj-holmes-ubuntu-latest -o /tmp/clj-holmes
sudo install -m 755 /tmp/clj-holmes /usr/local/bin/clj-holmes
rm /tmp/clj-holmes

Rules

All public rules can be found here. It is also possible to maintain your own set of rules.

clj-holmes currently supports the following rule sources:

GitHub

The GitHub wagon supports public and private repositories. To fetch rules from a private repository, the GITHUB_TOKEN environment variable needs to be set.

To fetch a rule set, clj-holmes expects a GitHub repository URL in the following form:

git://username/project-name#branch-name

Fetching Rules

NAME:
 clj-holmes fetch-rules - Fetch rules from an external server

USAGE:
 clj-holmes fetch-rules [command options] [arguments...]

OPTIONS:
   -r, --repository S        git://clj-holmes/clj-holmes-rules#main  Repository to download rules
   -o, --output-directory S  /tmp/clj-holmes-rules/                  Directory to save rules
   -?, --help

In order to execute a scan it is necessary to fetch the rules first. This can be achieved with the following command.

clj-holmes fetch-rules

It's also possible to use another rule set by adding the -r or --repository parameter followed by the GitHub repository URL.

clj-holmes fetch-rules -r git://clj-holmes/clj-holmes-private-rules#main

Scanning a Project
NAME:
 clj-holmes scan - Performs a scan for a path

USAGE:
 clj-holmes scan [command options] [arguments...]

OPTIONS:
   -p, --scan-path S*                                                Path to scan
   -d, --rules-directory S              /tmp/clj-holmes-rules/       Directory to read rules
   -o, --output-file S                  clj_holmes_scan_results.txt  Output file
   -t, --output-type json|sarif|stdout  stdout                       Output type
   -T, --rule-tags S                                                 Only use rules with specified tags to perform the scan
   -S, --rule-severity S                                             Only use rules with specified severity to perform the scan
   -P, --rule-precision S                                            Only use rules with specified precision to perform the scan
   -i, --ignored-paths S                                             Regex for paths and files that shouldn't be scanned
   -f, --[no-]fail-on-result                                         Enable or disable fail if results were found (useful for CI/CD)
   -v, --[no-]verbose                                                Enable or disable scan process feedback.
   -?, --help

After fetching the rules, it is possible to execute a scan by providing the -p or --scan-path parameter followed by the path of the Clojure project to be scanned.

clj-holmes scan -p /tmp/clojure-project

Who uses it

Build

Steps necessary to build clj-holmes.

Dependencies

Install native image

gu install native-image

Download project dependencies

lein deps

Clean target directory

lein clean

Generate clj-holmes uberjar

lein uberjar

Generate clj-holmes native binary

lein native -H:Name=clj-holmes


clj-watson's Issues

Project- and version-based false positives when shadow-cljs is a dependency

At the bottom, a trimmed output generated by using the -Tclj-watson command from the README is attached.

By CVE ID:

  • CVE-2017-12424 - a completely unrelated product
  • CVE-2020-8910 - only relevant for version v20200224 and below, but the used version is 0.0-20211011-0726fdeb which is newer

Dependency Information
-----------------------------------------------------
NAME: thheller/shadow-cljsjs
VERSION: 0.0.22

DEPENDENCY FOUND IN:

[thheller/shadow-cljs]


FIX SUGGESTION: No secure version available
Vulnerabilities
-----------------------------------------------------

SEVERITY: CRITICAL
IDENTIFIERS: CVE-2017-12424 
CVSS: 9.8
PATCHED VERSION: Information not available.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Dependency Information
-----------------------------------------------------
NAME: org.clojure/google-closure-library
VERSION: 0.0-20211011-0726fdeb

DEPENDENCY FOUND IN:

[thheller/shadow-cljs]


FIX SUGGESTION: No secure version available
Vulnerabilities
-----------------------------------------------------

SEVERITY: MEDIUM
IDENTIFIERS: CVE-2020-8910 
CVSS: 6.5
PATCHED VERSION: Information not available.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Dependency Information
-----------------------------------------------------
NAME: thheller/shadow-cljs
VERSION: 2.17.5

DEPENDENCY FOUND IN:

Direct dependency.

FIX SUGGESTION: No secure version available
Vulnerabilities
-----------------------------------------------------

SEVERITY: CRITICAL
IDENTIFIERS: CVE-2017-12424 
CVSS: 9.8
PATCHED VERSION: Information not available.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Dependency Information
-----------------------------------------------------
NAME: thheller/shadow-util
VERSION: 0.7.0

DEPENDENCY FOUND IN:

[thheller/shadow-cljs]


FIX SUGGESTION: No secure version available
Vulnerabilities
-----------------------------------------------------

SEVERITY: CRITICAL
IDENTIFIERS: CVE-2017-12424 
CVSS: 9.8
PATCHED VERSION: Information not available.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Dependency Information
-----------------------------------------------------
NAME: thheller/shadow-client
VERSION: 1.3.3

DEPENDENCY FOUND IN:

[thheller/shadow-cljs]


FIX SUGGESTION: No secure version available
Vulnerabilities
-----------------------------------------------------

SEVERITY: CRITICAL
IDENTIFIERS: CVE-2017-12424 
CVSS: 9.8
PATCHED VERSION: Information not available.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Dependency Information
-----------------------------------------------------
NAME: thheller/shadow-undertow
VERSION: 0.2.0

DEPENDENCY FOUND IN:

[thheller/shadow-cljs]


FIX SUGGESTION: No secure version available
Vulnerabilities
-----------------------------------------------------

SEVERITY: CRITICAL
IDENTIFIERS: CVE-2017-12424 
CVSS: 9.8
PATCHED VERSION: Information not available.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Clean up command-line tool invocation

Per the README:

clojure -Tclj-watson scan :deps-edn-path '"deps.edn"' :output '"stdout"'
#or:
clojure -Tclj-watson scan '{:deps-edn-path "deps.edn" :output "stdout"}'

(this is somewhat verbose now but it will be improved over the next few releases)

Bug in 5.0.0: clj-watson.properties file not found on classpath

Line 22 of clj-watson.controller.dependency-check.scanner should be if, not when.

Without -w option, the optional clj-watson.properties file is not found on the classpath.

With -w option, the file is read but ignored and then looked for on the classpath.

CVE identifiers are missing in 3.0.2 output

Since you released a new version, I just tried to update from 3.0.1-ALPHA to 3.0.2 and all the CVE identifiers disappeared from the output:

SEVERITY: MEDIUM
IDENTIFIERS:  
CVSS: 5.5
PATCHED VERSION: 66.1

This feels like a bug we've talked about on Slack some time back, that I thought had gotten fixed?

Also, a request: to make it easier to diff the output, can you sort by CVE identifier within each artifact so the output order is repeatable? I can create a separate issue for that if you'd like.

Persistent 503 errors?

For the last two or three days, I've been unable to run Watson:

Downloading/Updating database.
** ERROR: **
Exception: #error {
 :cause NVD Returned Status Code: 503
 :via
 [{:type org.owasp.dependencycheck.data.update.exception.UpdateException
   :message Error updating the NVD Data
   :at [org.owasp.dependencycheck.data.update.NvdApiDataSource processApi NvdApiDataSource.java 336]}
  {:type io.github.jeremylong.openvulnerability.client.nvd.NvdApiException
   :message NVD Returned Status Code: 503
   :at [io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient next NvdCveClient.java 327]}]
 :trace
 [[io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient next NvdCveClient.java 327]

I don't know whether this is genuinely due to some underlying service being down or whether it's a configuration issue (using a deprecated endpoint that has now been removed).

Can't run clj-watson as a -M alias

Hello,
First of all, thank you for the work you are doing with clj-watson! :)

I am receiving the following error when I run clj-watson as a -M alias:

Execution error - invalid arguments to cli-matic.utils-v2/cfg-v2 at (test.cljc:30). nil - failed: some? at: [:cfg :v1 :commands :opts :default] spec: :cli-matic.specs/default nil - failed: string? at: [:cfg :v1 :app :version] spec: :cli-matic.specs/existing-string

Running the command below fires the same error:
clojure -M:clj-watson scan -\?

There seems to be an issue with parsing of command line arguments and I wanted to ask if you are able to reproduce it?

Thank you!

Native SARIF output support

Hi,

We are working with the Github team on the SARIF ecosystem, looking to add native SARIF output functionality to the clj-watson tool, so that customers can easily create a workflow to scan for vulnerabilities in their repo using clj-watson and generate code scanning alerts in the Github security tab for each vulnerability found.

To achieve this goal, the 3 steps below are needed:

  1. Native SARIF output support in clj-watson tool.
  2. Add steps in clj-watson-action to upload the SARIF file to Github.
  3. Create clj-watson Github starter workflow.

We are glad to help/contribute to these tasks. I see the SARIF report functionality in clj-holmes; according to the rule definition and sample output I can find the fields that map to a SARIF report. But I don't find a document about clj-watson's output, and from the sample output I can't figure out which properties should be used for a SARIF report. Can you please provide information about the tool's output?

Below are the required properties of a SARIF report according to a Github article at https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning. Can you please take a look and let me know what properties/values in the clj-watson report can map to them?

SARIF property | clj-watson property | Description
rule.Id | | A unique identifier for the rule. The id is referenced from other parts of the SARIF file and may be used by code scanning to display URLs on GitHub.
rule.shortDescription.text | | A concise description of the rule. Code scanning displays the short description on GitHub next to the associated results.
rule.fullDescription.text | | A description of the rule. Code scanning displays the full description on GitHub next to the associated results.
rule.help.text | | Documentation for the rule in text format. Code scanning displays this help documentation next to the associated results.
result.ruleId | | The unique identifier of the rule (rule.Id).
result.level | | The severity of the result. This level overrides the default severity defined by the rule. Code scanning uses the level to filter results by severity on GitHub.
result.message.text | | A message that describes the result. Code scanning displays the message text as the title of the result.
result.location.physicalLocation.artifactLocation.uri | | A URI indicating the location of an artifact, usually a file either in the repository or generated during a build.
result.location.physicalLocation.region.startLine | | The line number of the first character in the region.
result.location.physicalLocation.region.startColumn | | The column number of the first character in the region.
result.location.physicalLocation.region.endLine | | The line number of the last character in the region.
result.location.physicalLocation.region.endColumn | | The column number of the character following the end of the region.

Thanks!

cc @eddynaka @michaelcfanning

Score and severity missing from output

I recently upgraded Watson from v4.1.2 to v5.1.1. After upgrading, I no longer see scores or severities for the vulnerabilities in the output.

Output as of 5.1.1, using clojure -M:clj-watson -p deps.edn:

Dependency Information
-----------------------------------------------------
NAME: org.bouncycastle/bcprov-jdk15on
VERSION: 1.70

DEPENDENCY FOUND IN:

[buddy/buddy-sign]
	[buddy/buddy-core]
		[org.bouncycastle/bcpkix-jdk15on]

[buddy/buddy-sign]
	[buddy/buddy-core]
		[org.bouncycastle/bcpkix-jdk15on]
			[org.bouncycastle/bcutil-jdk15on]

[buddy/buddy-sign]
	[buddy/buddy-core]


FIX SUGGESTION:
Vulnerabilities
-----------------------------------------------------

SEVERITY: Information not available.
IDENTIFIERS: CVE-2023-33202
CVSS: Information not available.
PATCHED VERSION: Information not available.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

It looks like since DependencyCheck moved to the NVD API, getBaseScore and getBaseSeverity have changed. You can see that in this PR.

I've created a fork that fixes this, which I can propose as a PR: chrisetheridge@af84533

Output with my fix in place:

Dependency Information
-----------------------------------------------------
NAME: org.bouncycastle/bcprov-jdk15on
VERSION: 1.70

DEPENDENCY FOUND IN:

[buddy/buddy-sign]
	[buddy/buddy-core]
		[org.bouncycastle/bcpkix-jdk15on]

[buddy/buddy-sign]
	[buddy/buddy-core]
		[org.bouncycastle/bcpkix-jdk15on]
			[org.bouncycastle/bcutil-jdk15on]

[buddy/buddy-sign]
	[buddy/buddy-core]


FIX SUGGESTION:
Vulnerabilities
-----------------------------------------------------

SEVERITY: MEDIUM
IDENTIFIERS: CVE-2023-33202
CVSS: 5.5
PATCHED VERSION: Information not available.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Please let me know if I can add anything else :)

Error scanning after latest update

After updating to the latest version, I'm getting an error running a clj-watson scan. This is in the context of https://github.com/clojure/tools.deps:

$ clj -M:cve
...usual stuff...
INFO: Finished configuration in 52 ms.
Downloading/Updating database.
** ERROR: **
Exception: #error {
 :cause Function "MERGE_KNOWNEXPLOITED" not found; SQL statement:
CALL merge_knownexploited(?,?,?,?,?,?,?,?,?) [90022-214]
 :via
 [{:type org.owasp.dependencycheck.data.update.exception.UpdateException
   :message org.owasp.dependencycheck.data.nvdcve.DatabaseException: org.h2.jdbc.JdbcSQLSyntaxErrorException: Function "MERGE_KNOWNEXPLOITED" not found; SQL statement:
CALL merge_knownexploited(?,?,?,?,?,?,?,?,?) [90022-214]
   :at [org.owasp.dependencycheck.data.update.KnownExploitedDataSource update KnownExploitedDataSource.java 93]}
  {:type org.owasp.dependencycheck.data.nvdcve.DatabaseException
   :message org.h2.jdbc.JdbcSQLSyntaxErrorException: Function "MERGE_KNOWNEXPLOITED" not found; SQL statement:
CALL merge_knownexploited(?,?,?,?,?,?,?,?,?) [90022-214]
   :at [org.owasp.dependencycheck.data.nvdcve.CveDB getPreparedStatement CveDB.java 410]}
  {:type org.h2.jdbc.JdbcSQLSyntaxErrorException
   :message Function "MERGE_KNOWNEXPLOITED" not found; SQL statement:
CALL merge_knownexploited(?,?,?,?,?,?,?,?,?) [90022-214]
   :at [org.h2.message.DbException getJdbcSQLException DbException.java 632]}]
 :trace
 [[org.h2.message.DbException getJdbcSQLException DbException.java 632]
  [org.h2.message.DbException getJdbcSQLException DbException.java 477]
  [org.h2.message.DbException get DbException.java 223]
  [org.h2.message.DbException get DbException.java 199]
  [org.h2.command.Parser getFunctionAliasWithinPath Parser.java 2519]
  [org.h2.command.Parser readTableFunction Parser.java 2012]
  [org.h2.command.Parser parseCall Parser.java 6996]
  [org.h2.command.Parser parsePrepared Parser.java 765]
  [org.h2.command.Parser parse Parser.java 689]
  [org.h2.command.Parser parse Parser.java 661]
  [org.h2.command.Parser prepareCommand Parser.java 569]
  [org.h2.engine.SessionLocal prepareLocal SessionLocal.java 631]
  [org.h2.engine.SessionLocal prepareCommand SessionLocal.java 554]
  [org.h2.jdbc.JdbcConnection prepareCommand JdbcConnection.java 1116]
  [org.h2.jdbc.JdbcPreparedStatement <init> JdbcPreparedStatement.java 92]
  [org.h2.jdbc.JdbcConnection prepareStatement JdbcConnection.java 288]
  [org.apache.commons.dbcp2.DelegatingConnection prepareStatement DelegatingConnection.java 713]
  [org.apache.commons.dbcp2.DelegatingConnection prepareStatement DelegatingConnection.java 713]
  [org.owasp.dependencycheck.data.nvdcve.CveDB getPreparedStatement CveDB.java 402]
  [org.owasp.dependencycheck.data.nvdcve.CveDB updateKnownExploitedVulnerabilities CveDB.java 1128]
  [org.owasp.dependencycheck.data.update.KnownExploitedDataSource update KnownExploitedDataSource.java 85]
  [org.owasp.dependencycheck.Engine doUpdates Engine.java 906]
  [org.owasp.dependencycheck.Engine doUpdates Engine.java 878]
  [jdk.internal.reflect.NativeMethodAccessorImpl invoke0 NativeMethodAccessorImpl.java -2]
  [jdk.internal.reflect.NativeMethodAccessorImpl invoke NativeMethodAccessorImpl.java 62]
  [jdk.internal.reflect.DelegatingMethodAccessorImpl invoke DelegatingMethodAccessorImpl.java 43]
  [java.lang.reflect.Method invoke Method.java 566]
  [clojure.lang.Reflector invokeMatchingMethod Reflector.java 167]
  [clojure.lang.Reflector invokeNoArgInstanceMember Reflector.java 438]
  [clj_watson.controller.dependency_check.scanner$update_download_database invokeStatic scanner.clj 14]
  [clj_watson.controller.dependency_check.scanner$update_download_database invoke scanner.clj 11]
  [clj_watson.controller.dependency_check.scanner$build_engine invokeStatic scanner.clj 30]
  [clj_watson.controller.dependency_check.scanner$build_engine invoke scanner.clj 27]
  [clj_watson.controller.dependency_check.scanner$scan_jars invokeStatic scanner.clj 37]
  [clj_watson.controller.dependency_check.scanner$scan_jars invoke scanner.clj 36]
  [clj_watson.controller.dependency_check.scanner$start_BANG_ invokeStatic scanner.clj 48]
  [clj_watson.controller.dependency_check.scanner$start_BANG_ invoke scanner.clj 47]
  [clj_watson.entrypoint$eval11227$fn__11229 invoke entrypoint.clj 29]
  [clojure.lang.MultiFn invoke MultiFn.java 229]
  [clj_watson.entrypoint$scan invokeStatic entrypoint.clj 41]
  [clj_watson.entrypoint$scan invoke entrypoint.clj 40]
  [cli_matic.core$invoke_subcmd invokeStatic core.cljc 546]
  [cli_matic.core$invoke_subcmd invoke core.cljc 525]
  [cli_matic.core$run_cmd_STAR_ invokeStatic core.cljc 589]
  [cli_matic.core$run_cmd_STAR_ invoke core.cljc 560]
  [cli_matic.core$run_cmd invokeStatic core.cljc 601]
  [cli_matic.core$run_cmd invoke core.cljc 591]
  [clj_watson.cli$_main invokeStatic cli.clj 47]
  [clj_watson.cli$_main doInvoke cli.clj 46]
  [clojure.lang.RestFn applyTo RestFn.java 137]
  [clojure.lang.Var applyTo Var.java 705]
  [clojure.core$apply invokeStatic core.clj 667]
  [clojure.main$main_opt invokeStatic main.clj 514]
  [clojure.main$main_opt invoke main.clj 510]
  [clojure.main$main invokeStatic main.clj 664]
  [clojure.main$main doInvoke main.clj 616]
  [clojure.lang.RestFn applyTo RestFn.java 137]
  [clojure.lang.Var applyTo Var.java 705]
  [clojure.main main main.java 40]]}



Dec 28, 2023 1:41:53 PM org.apache.commons.jcs3.engine.control.CompositeCacheManager
INFO: Shutdown hook activated. Shutdown was not called. Shutting down JCS.

Add logging/printing to show additional properties

It's hard to know for sure whether additional properties have been picked up when running the tool.

Add some sort of logging or printing to list any additional properties loaded (obscuring the API key!).

Breaks on datahike dep

When I run it on an empty project with the following deps.edn it breaks.

{
 :deps {io.replikativ/datahike                  {:mvn/version "0.4.1480"}}
 :aliases {:clj-watson {:extra-deps {io.github.clj-holmes/clj-watson {:git/tag "v2.1.0" :git/sha "468f6fe"}}
                        :main-opts ["-m" "clj-watson.cli" "scan"]}}
}
clojure -M:clj-watson scan scan -p deps.edn -s                                                                                                           ok  13:10:56 
Downloading/Updating database.
Download/Update completed.
** ERROR: **
Exception: #error {
 :cause Cannot invoke "java.lang.CharSequence.length()" because "this.text" is null
 :via
 [{:type java.lang.NullPointerException
   :message Cannot invoke "java.lang.CharSequence.length()" because "this.text" is null
   :at [java.util.regex.Matcher getTextLength Matcher.java 1769]}]
 :trace
 [[java.util.regex.Matcher getTextLength Matcher.java 1769]
  [java.util.regex.Matcher reset Matcher.java 415]
  [java.util.regex.Matcher <init> Matcher.java 252]
  [java.util.regex.Pattern matcher Pattern.java 1134]
  [clojure.core$re_matcher invokeStatic core.clj 4845]
  [clojure.core$re_matcher invoke core.clj 4838]
  [version_clj.split$split_once invokeStatic split.cljc 32]
  [version_clj.split$split_once invoke split.cljc 21]
  [version_clj.split$split_known_qualifier invokeStatic split.cljc 128]
  [version_clj.split$split_known_qualifier invoke split.cljc 125]
  [version_clj.split$split_version_and_qualifier invokeStatic split.cljc 139]
  [version_clj.split$split_version_and_qualifier invoke split.cljc 135]
  [version_clj.split$version__GT_seq invokeStatic split.cljc 154]
  [version_clj.split$version__GT_seq doInvoke split.cljc 151]
  [clojure.lang.RestFn invoke RestFn.java 410]
  [version_clj.compare$version_compare invokeStatic compare.cljc 95]
  [version_clj.compare$version_compare doInvoke compare.cljc 90]
  [clojure.lang.RestFn invoke RestFn.java 442]
  [version_clj.core$version_compare invokeStatic core.cljc 31]
  [version_clj.core$version_compare doInvoke core.cljc 25]
  [clojure.lang.RestFn invoke RestFn.java 442]
  [version_clj.core$older_QMARK_ invokeStatic core.cljc 38]
  [version_clj.core$older_QMARK_ doInvoke core.cljc 35]
  [clojure.lang.RestFn invoke RestFn.java 442]
  [version_clj.core$newer_or_equal_QMARK_ invokeStatic core.cljc 55]
  [version_clj.core$newer_or_equal_QMARK_ doInvoke core.cljc 51]
  [clojure.lang.RestFn invoke RestFn.java 425]
  [clj_watson.diplomat.remediate$parent_dependency_contains_child_version_QMARK_ invokeStatic remediate.clj 26]
  [clj_watson.diplomat.remediate$parent_dependency_contains_child_version_QMARK_ invoke remediate.clj 17]
  [clj_watson.diplomat.remediate$find_bump_version_using_latest invokeStatic remediate.clj 40]
  [clj_watson.diplomat.remediate$find_bump_version_using_latest invoke remediate.clj 28]
  [clj_watson.diplomat.remediate$vulnerabilities_fix_suggestions$fn__12531 invoke remediate.clj 50]
  [clojure.core$map$fn__5884 invoke core.clj 2757]
  [clojure.lang.LazySeq sval LazySeq.java 42]
  [clojure.lang.LazySeq seq LazySeq.java 51]
  [clojure.lang.LazySeq first LazySeq.java 73]
  [clojure.lang.RT first RT.java 692]
  [clojure.core$first__5401 invokeStatic core.clj 55]
  [clojure.core$first__5401 invoke core.clj 55]
  [cljstache.core$render_section invokeStatic core.cljc 459]
  [cljstache.core$render_section invoke core.cljc 441]
  [cljstache.core$render_template invokeStatic core.cljc 479]
  [cljstache.core$render_template invoke core.cljc 468]
  [cljstache.core$render invokeStatic core.cljc 499]
  [cljstache.core$render invoke core.cljc 491]
  [cljstache.core$render invokeStatic core.cljc 496]
  [cljstache.core$render invoke core.cljc 491]
  [clj_watson.logic.stdout$generate invokeStatic stdout.clj 28]
  [clj_watson.logic.stdout$generate invoke stdout.clj 27]
  [clj_watson.controller.output$eval12163$fn__12164 invoke output.clj 12]
  [clojure.lang.MultiFn invoke MultiFn.java 234]
  [clj_watson.controller.output$generate invokeStatic output.clj 21]
  [clj_watson.controller.output$generate invoke output.clj 20]
  [clj_watson.entrypoint$_main invokeStatic entrypoint.clj 17]
  [clj_watson.entrypoint$_main invoke entrypoint.clj 15]
  [cli_matic.core$invoke_subcmd invokeStatic core.cljc 546]
  [cli_matic.core$invoke_subcmd invoke core.cljc 525]
  [cli_matic.core$run_cmd_STAR_ invokeStatic core.cljc 589]
  [cli_matic.core$run_cmd_STAR_ invoke core.cljc 560]
  [cli_matic.core$run_cmd invokeStatic core.cljc 601]
  [cli_matic.core$run_cmd invoke core.cljc 591]
  [clj_watson.cli$_main invokeStatic cli.clj 40]
  [clj_watson.cli$_main doInvoke cli.clj 39]
  [clojure.lang.RestFn applyTo RestFn.java 137]
  [clojure.lang.Var applyTo Var.java 705]
  [clojure.core$apply invokeStatic core.clj 667]
  [clojure.main$main_opt invokeStatic main.clj 514]
  [clojure.main$main_opt invoke main.clj 510]
  [clojure.main$main invokeStatic main.clj 664]
  [clojure.main$main doInvoke main.clj 616]
  [clojure.lang.RestFn applyTo RestFn.java 137]
  [clojure.lang.Var applyTo Var.java 705]
  [clojure.main main main.java 40]]}

core.async false positive

See jeremylong/DependencyCheck#4384 (comment) for background.

I thought clj-watson wrapped that library and therefore false positive fixes there would automatically apply to clj-watson, but I see core.async flagged as a FP with the latest clj-watson so I'm wondering what the actual wrapping is and why FP fixes wouldn't apply?

I can (and have) easily applied a suppression locally for my clj-watson config but feel like I shouldn't need to?

Sorted report

Sort dependencies by name and vulnerabilities by cve year and identification.
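An added example, not code from clj-watson or from any of the issue authors, that parses the stdout report format shown in the excerpts above (the record layout and the @@@ separator are assumed from those excerpts), produces the listing sorted by dependency name and then by CVE year and number that this issue asks for, and flags the empty-identifier and missing-score records reported in the earlier issues:

```python
import re

# Constructed sample in the plain-text format clj-watson prints to stdout
# (two records copied from the issue reports above); not a real scan result.
SAMPLE_REPORT = """\
Dependency Information
-----------------------------------------------------
NAME: thheller/shadow-cljs
VERSION: 2.17.5

DEPENDENCY FOUND IN:

Direct dependency.

FIX SUGGESTION: No secure version available
Vulnerabilities
-----------------------------------------------------

SEVERITY: CRITICAL
IDENTIFIERS: CVE-2017-12424 
CVSS: 9.8
PATCHED VERSION: Information not available.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Dependency Information
-----------------------------------------------------
NAME: org.bouncycastle/bcprov-jdk15on
VERSION: 1.70

FIX SUGGESTION:
Vulnerabilities
-----------------------------------------------------

SEVERITY: Information not available.
IDENTIFIERS: CVE-2023-33202
CVSS: Information not available.
PATCHED VERSION: Information not available.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
"""

UNAVAILABLE = "Information not available."
RECORD_SEP = re.compile(r"^@@@+[ \t]*$", re.MULTILINE)
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d+)$")


def _field(block, key):
    """Value of a 'KEY: value' line in block; '' if absent or left empty."""
    m = re.search(r"^%s:[ \t]*(.*)$" % re.escape(key), block, re.MULTILINE)
    return m.group(1).strip() if m else ""


def parse_report(text):
    """Split the report on the @@@ separators and parse each dependency record."""
    deps = []
    for record in RECORD_SEP.split(text):
        if "Dependency Information" not in record:
            continue
        head, _, tail = record.partition("\nVulnerabilities\n")
        dep = {"name": _field(head, "NAME"), "version": _field(head, "VERSION"),
               "fix_suggestion": _field(head, "FIX SUGGESTION"), "vulnerabilities": []}
        # Each vulnerability block begins with its SEVERITY line.
        for vblock in re.split(r"(?m)^(?=SEVERITY:)", tail):
            if vblock.startswith("SEVERITY:"):
                dep["vulnerabilities"].append({
                    "severity": _field(vblock, "SEVERITY"),
                    "identifiers": _field(vblock, "IDENTIFIERS").split(),
                    "cvss": _field(vblock, "CVSS"),
                    "patched_version": _field(vblock, "PATCHED VERSION")})
        deps.append(dep)
    return deps


def cve_sort_key(identifier):
    """Order CVE ids by year, then sequence number; anything else sorts last."""
    m = CVE_RE.match(identifier)
    return (0, int(m.group(1)), int(m.group(2)), "") if m else (1, 0, 0, identifier)


def sorted_report(deps):
    """One line per finding, ordered by dependency then CVE, so runs can be diffed."""
    lines = []
    for dep in sorted(deps, key=lambda d: (d["name"], d["version"])):
        findings = [(ident, v) for v in dep["vulnerabilities"]
                    for ident in (v["identifiers"] or ["<no identifier>"])]
        for ident, v in sorted(findings, key=lambda f: cve_sort_key(f[0])):
            lines.append(f"{dep['name']} {dep['version']}: {ident} "
                         f"severity={v['severity']} cvss={v['cvss']}")
    return lines


def find_anomalies(deps):
    """Flag the degraded records the upgrade bugs above produce: no ids, or no score."""
    problems = []
    for dep in deps:
        where = f"{dep['name']} {dep['version']}"
        for v in dep["vulnerabilities"]:
            if not v["identifiers"]:
                problems.append(f"{where}: vulnerability without identifiers")
            elif v["severity"] == UNAVAILABLE or v["cvss"] == UNAVAILABLE:
                problems.append(f"{where}: {' '.join(v['identifiers'])} has no severity/score")
    return problems
```

Running parse_report on a saved clj_holmes_scan_results-style stdout capture and diffing sorted_report output between two runs gives a stable change list; find_anomalies is a cheap CI gate against the silent degradation described in the issues above.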

Unable to update watson database, version exceeds column limit

Downloading/Updating database.
2023-01-09 12:23:13,935 ERROR [o.o.d.Engine] - org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error updating 'CVE-2020-36569'
org.owasp.dependencycheck.data.update.exception.UpdateException: org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error updating 'CVE-2020-36569'
	at org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles(ProcessTask.java:157)
	at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:114)
	at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:41)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error updating 'CVE-2020-36569'
	at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerability(CveDB.java:823)
	at org.owasp.dependencycheck.data.update.nvd.NvdCveParser.parse(NvdCveParser.java:114)
	at org.owasp.dependencycheck.data.update.nvd.ProcessTask.importJSON(ProcessTask.java:141)
	at org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles(ProcessTask.java:154)
	... 6 common frames omitted
Caused by: org.h2.jdbc.JdbcBatchUpdateException: Value too long for column "VERSIONENDEXCLUDING CHARACTER VARYING(60)": "'0.0.0-20160722212129-ac0cc4484ad4_before_v0.0.0-20200131131040-063a3fb69896' (75)"; SQL statement:
INSERT INTO software (cveid, cpeEntryId, versionEndExcluding, versionEndIncluding, versionStartExcluding, versionStartIncluding, vulnerable) VALUES (?, ?, ?, ?, ?, ?, ?) [22001-214]
	at org.h2.jdbc.JdbcPreparedStatement.executeBatch(JdbcPreparedStatement.java:1269)
	at org.apache.commons.dbcp2.DelegatingStatement.executeBatch(DelegatingStatement.java:241)
	at org.apache.commons.dbcp2.DelegatingStatement.executeBatch(DelegatingStatement.java:241)
	at org.owasp.dependencycheck.data.nvdcve.CveDB.executeBatch(CveDB.java:1248)
	at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerabilityInsertSoftware(CveDB.java:1098)
	at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerability(CveDB.java:816)
	... 9 common frames omitted
** ERROR: **
Exception: #error {
 :cause Value too long for column "VERSIONENDEXCLUDING CHARACTER VARYING(60)": "'0.0.0-20160722212129-ac0cc4484ad4_before_v0.0.0-20200131131040-063a3fb69896' (75)"; SQL statement:
INSERT INTO software (cveid, cpeEntryId, versionEndExcluding, versionEndIncluding, versionStartExcluding, versionStartIncluding, vulnerable) VALUES (?, ?, ?, ?, ?, ?, ?) [22001-214]
 :via
 [{:type org.owasp.dependencycheck.data.update.exception.UpdateException
   :message org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error updating 'CVE-2020-36569'
   :at [org.owasp.dependencycheck.data.update.nvd.ProcessTask processFiles ProcessTask.java 157]}
  {:type org.owasp.dependencycheck.data.nvdcve.DatabaseException
   :message Error updating 'CVE-2020-36569'
   :at [org.owasp.dependencycheck.data.nvdcve.CveDB updateVulnerability CveDB.java 823]}
  {:type org.h2.jdbc.JdbcBatchUpdateException
   :message Value too long for column "VERSIONENDEXCLUDING CHARACTER VARYING(60)": "'0.0.0-20160722212129-ac0cc4484ad4_before_v0.0.0-20200131131040-063a3fb69896' (75)"; SQL statement:
INSERT INTO software (cveid, cpeEntryId, versionEndExcluding, versionEndIncluding, versionStartExcluding, versionStartIncluding, vulnerable) VALUES (?, ?, ?, ?, ?, ?, ?) [22001-214]
   :at [org.h2.jdbc.JdbcPreparedStatement executeBatch JdbcPreparedStatement.java 1269]}]
 :trace
 [[org.h2.jdbc.JdbcPreparedStatement executeBatch JdbcPreparedStatement.java 1269]
  [org.apache.commons.dbcp2.DelegatingStatement executeBatch DelegatingStatement.java 241]
  [org.apache.commons.dbcp2.DelegatingStatement executeBatch DelegatingStatement.java 241]
  [org.owasp.dependencycheck.data.nvdcve.CveDB executeBatch CveDB.java 1248]
  [org.owasp.dependencycheck.data.nvdcve.CveDB updateVulnerabilityInsertSoftware CveDB.java 1098]
  [org.owasp.dependencycheck.data.nvdcve.CveDB updateVulnerability CveDB.java 816]
  [org.owasp.dependencycheck.data.update.nvd.NvdCveParser parse NvdCveParser.java 114]
  [org.owasp.dependencycheck.data.update.nvd.ProcessTask importJSON ProcessTask.java 141]
  [org.owasp.dependencycheck.data.update.nvd.ProcessTask processFiles ProcessTask.java 154]
  [org.owasp.dependencycheck.data.update.nvd.ProcessTask call ProcessTask.java 114]
  [org.owasp.dependencycheck.data.update.nvd.ProcessTask call ProcessTask.java 41]
  [java.util.concurrent.FutureTask run FutureTask.java 264]
  [java.util.concurrent.ThreadPoolExecutor runWorker ThreadPoolExecutor.java 1136]
  [java.util.concurrent.ThreadPoolExecutor$Worker run ThreadPoolExecutor.java 635]
  [java.lang.Thread run Thread.java 833]]}

Update DependencyCheck to latest version

clojure -M:outdated =>

Checking for old versions in: deps.edn
  org.clojure/tools.deps {:mvn/version "0.18.1374"} -> {:mvn/version "0.18.1398"}
  org.owasp/dependency-check-core {:mvn/version "9.0.6"} -> {:mvn/version "9.0.8"}
  org.slf4j/slf4j-nop {:mvn/version "2.0.9"} -> {:mvn/version "2.0.11"}

Document how to suppress false positives

Property:

suppression.file=false-positives.xml

and then that file on the classpath:

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
</suppressions>

and link to the relevant parts of the DC docs.

Bug in 4.1.1?

I updated to 4.1.1 and tried to scan our repo and got this error:

...
Downloading: cli-matic/cli-matic/0.5.4/cli-matic-0.5.4.jar from clojars
Execution error (FileNotFoundException) at clj-watson.adapter.config/eval220$loading (config.clj:1).
Could not locate clj_time/format__init.class, clj_time/format.clj or clj_time/format.cljc on classpath. Please check that namespaces with dashes use underscores in the Clojure file name.

I reverted to 4.1.0 and the scan works fine.

Provide an additive properties file

Currently, Watson looks for dependency-check.properties on the classpath unless a different properties file is provided. So it's all or nothing -- you can't provide your own properties file that overrides just one or two properties. Given that the default properties file isn't easily "guessable" (you have to download it from GitHub -- and that makes it hard to keep in sync as changes are made), it would make sense for Watson to support an optional clj-watson.properties file on the classpath (or perhaps via a command-line option?) that could be read in and add to / override what is found in the default properties file.
