Deprecate Leiningen plugin

Part of #113

.github/integration_test.sh

@@ -16,48 +16,8 @@ if ! clojure -Ttools install nvd-clojure/nvd-clojure '{:mvn/version "RELEASE"}'
   exit 1
 fi
 
-cd "$PROJECT_DIR/plugin" || exit 1
-
-if ! lein with-profile -user,-dev,+ci install; then
-  exit 1
-fi
-
 cd "$PROJECT_DIR/example" || exit 1
 
-# 1.- Exercise Lein plugin
-
-if lein with-profile -user nvd check > example-lein-output; then
-  echo "Should have failed with non-zero code!"
-  exit 1
-fi
-
-if ! grep --silent "$SUCCESS_REGEX" example-lein-output; then
-  echo "Should have found vulnerabilities!"
-  exit 1
-fi
-
-# 2.- Exercise Lein plugin, with :throw-if-check-unsuccessful? option
-
-if lein with-profile -user,+nvd-throw-on-exit nvd check > example-lein-output 2>&1; then
-  echo "Should have failed with non-zero code!"
-  exit 1
-fi
-
-if ! grep --silent "$SUCCESS_REGEX" example-lein-output; then
-  echo "Should have found vulnerabilities!"
-  exit 1
-fi
-
-if ! grep --silent "Error encountered performing task 'nvd'" example-lein-output; then
-  echo "Should have thrown an exception!"
-  exit 1
-fi
-
-if ! grep --silent "clojure.lang.ExceptionInfo: nvd-clojure failed / found vulnerabilities" example-lein-output; then
-  echo "Should have thrown an exception with a specific message!"
-  exit 1
-fi
-
 # 3.- Exercise `main` program
 
 example_classpath="$(lein with-profile -user,-dev,-test classpath)"
@@ -124,17 +84,4 @@ if ! lein with-profile -user,-dev,+ci run -m nvd.task.check "$DOGFOODING_CONFIG_
   exit 1
 fi
 
-# 7.- Dogfood the `lein-nvd` project
-
-cd "$PROJECT_DIR/plugin" || exit 1
-
-plugin_classpath="$(lein with-profile -user,-dev,-test classpath)"
-
-cd "$PROJECT_DIR" || exit 1
-
-if ! lein with-profile -user,-dev,+ci run -m nvd.task.check "$DOGFOODING_CONFIG_FILE" "$plugin_classpath"; then
-  echo "lein-nvd did not pass dogfooding!"
-  exit 1
-fi
-
 exit 0

README.md

@@ -9,8 +9,8 @@
 [![Clojars Project](https://img.shields.io/clojars/v/nvd-clojure.svg)](https://clojars.org/nvd-clojure)
 [![Maintenance](https://img.shields.io/maintenance/yes/2021.svg?maxAge=2592000)]()
 
-[National Vulnerability Database](https://nvd.nist.gov/) dependency-checker
-library (and plugin for Leiningen).
+[National Vulnerability Database](https://nvd.nist.gov/) dependency checker
+library.
 
 When run in your project, all the JARs on the classpath
 will be checked for known security vulnerabilities. `nvd-clojure` extracts project
@@ -49,16 +49,9 @@ the project local `deps.edn`, to look something like this:
                 :main-opts ["-m" "nvd.task.check"]}}
 ```
 
-#### Leiningen
-
-To install globally, add `[lein-nvd "1.9.0"]` into the `:plugins` vector of
-your `:user` profile in _~/.lein/profiles.clj_, or on a per-project basis, add
-to the profiles section of your _project.clj_.
-
 ## Usage
 
-Run `lein nvd check` or `clj -M:nvd` (if you've chosen the alias `:nvd`, like
-above) in your project. The first time the plugin runs,it will download (and
+Run the program. The first time it runs, it will download (and
 cache) various databases from https://nvd.nist.gov. Subsequent runs will
 periodically check and update the local database, but the initial run could
 therefore be quite slow - of the order of ten minutes or more, so give it time.
@@ -186,7 +179,7 @@ nvd-clojure has some Java dependencies, which in turn can have CVEs themselves,
 
 For this reason, you might want to invoke `nvd.task.check`'s main function by passing a classpath string as an argument.
 
-Said classpath string should try reflecting a _production's classpath_ as accurately as possible: it should not include dev/test tooling, plugins (like nvd-clojure or any other), etc.
+Said classpath string should try reflecting a _production's classpath_ as accurately as possible: it should not include dev/test tooling, plugins, etc.
 
 #### Lein example
 
@@ -204,20 +197,6 @@ clojure -m nvd.task.check "" "$(clojure -Spath)"
 
 For extra isolation, it is recommended that you invoke `nvd.task.check` from _outside_ your project - e.g. from an empty project, a git clone of this very repo, or from $HOME (assuming you have nvd-clojure as a dependency in your [user-wide Lein profile](https://github.com/technomancy/leiningen/blob/2586957f9d099ff11d50d312a6daf397c2a06fb1/doc/PROFILES.md)).
 
-## Building locally
-
-Build and install the core module, then do the same for the plugin:
-
-    $ lein test
-    $ lein install
-    $ cd plugin
-    $ lein test
-    $ lein install
-    $ cd ../example
-    $ lein nvd check
-
-A sample report is available for testing in the _example_ sub-directory.
-
 ## Attribution
 
 `nvd-clojure` uses **Jeremy Long**'s [Dependency-Check](https://github.com/jeremylong/DependencyCheck)

example/project.clj

@@ -20,11 +20,4 @@
     [org.slf4j/slf4j-api "1.7.25"]
   ]
   :source-paths ["src"]
-  :min-lein-version "2.6.1"
-  :profiles {
-    :nvd-throw-on-exit {:nvd {:throw-if-check-unsuccessful? true}}
-    :dev {
-      :dependencies [
-        [lein-nvd "RELEASE"]]
-      :plugins [
-        [lein-nvd "RELEASE"]]}})
+  :min-lein-version "2.6.1")

plugin/project.clj

@@ -3,22 +3,7 @@
   :url "https://github.com/rm-hull/nvd-clojure"
   :license {:name "The MIT License (MIT)"
             :url "http://opensource.org/licenses/MIT"}
-  :dependencies [[clj-commons/pomegranate "1.2.1" :exclusions [org.clojure/clojure
-                                                               org.apache.maven/maven-resolver-provider
-                                                               org.apache.maven.resolver/maven-resolver-api
-                                                               org.apache.maven.resolver/maven-resolver-spi
-                                                               org.apache.maven.resolver/maven-resolver-util
-                                                               commons-codec
-                                                               org.apache.maven.resolver/maven-resolver-impl
-                                                               org.apache.maven.resolver/maven-resolver-transport-file
-                                                               org.apache.maven.resolver/maven-resolver-transport-http
-                                                               org.apache.maven.resolver/maven-resolver-connector-basic
-                                                               org.apache.httpcomponents/httpclient
-                                                               org.apache.httpcomponents/httpcore
-                                                               org.slf4j/slf4j-api
-                                                               org.codehaus.plexus/plexus-utils]]
-                 [org.slf4j/jcl-over-slf4j "1.7.30"]
-                 [nvd-clojure "1.9.0"]]
+  :dependencies []
   :scm {:url "[email protected]:rm-hull/nvd-clojure.git"}
   :source-paths ["src"]
   :jar-exclusions [#"(?:^|/).git"]

plugin/src/leiningen/nvd.clj

@@ -22,54 +22,14 @@
 
 (ns leiningen.nvd
   (:require
-   [clojure.string :as s]
-   [clojure.data.json :as json]
-   [leiningen.core.main :as main]
-   [leiningen.nvd.deps :refer [get-classpath]]
-   [nvd.task.update-database]
-   [nvd.task.purge-database]
-   [nvd.task.check])
-  (:import
-   [java.io File]))
+   [leiningen.core.main :as main]))
 
-(def ^File temp-file (File/createTempFile ".nvd-clojure_" ".json"))
+(defn nvd
+  "nvd-clojure's Lein plugin is now deprecated.
 
-(defn nvd "
-  Scans project dependencies, attempting to detect publicly disclosed
-  vulnerabilities contained within dependent JAR files. It does this by
-  determining if there is a Common Platform Enumeration (CPE) identifier
-  for a given dependency. On completion, a summary table is displayed on
-  the console (showing the status for each dependency), and detailed report
-  linking to the associated CVE entries.
+  Please use a newer API as described in the nvd-clojure's README."
+  [& _]
+  (main/warn "nvd-clojure's Lein plugin is now deprecated.
 
-  This task should be invoked with one of three commands:
-
-      check  - will optionally download the latest database update files,
-               and then run the analyze and report stages. Typically, if
-               the database has been updated recently, then the update
-               stage will be skipped.
-
-      purge  - will remove the local database files. Subsequently running
-               the 'check' command will force downloading the files again,
-               which could take a long time.
-
-      update - will attempt to download the latest database updates, and
-               incorporate them into the local store. Usually not necessary,
-               as this is incorporated into the 'check' command.
-
-  Any text after the command are treated as arguments and are passed directly
-  directly to the command for further processing.
-  "
-  [project command & args]
-  (let [path (.getAbsolutePath temp-file)
-        opts    (merge
-                 (select-keys project [:name :group :version :nvd])
-                 {:classpath (get-classpath project) :cmd-args args})]
-
-    (spit path (json/write-str opts))
-
-    (case command
-      "check"  (nvd.task.check/-main path)
-      "purge"  (nvd.task.purge-database/-main path)
-      "update" (nvd.task.update-database/-main path)
-      (main/abort "No such command:" command))))
+  Please use a newer API as described in the nvd-clojure's README.")
+  (main/exit 1))

src/nvd/config.clj

@@ -49,7 +49,7 @@
 
 (def ^:private boolean-mappings
   {Settings$KEYS/AUTO_UPDATE [:auto-update]
-;  Settings$KEYS/ANALYZER_EXPERIMENTAL_ENABLED [:analyzer :experimental-enabled]
+                                        ;  Settings$KEYS/ANALYZER_EXPERIMENTAL_ENABLED [:analyzer :experimental-enabled]
    Settings$KEYS/ANALYZER_JAR_ENABLED [:analyzer :jar-enabled]
    Settings$KEYS/ANALYZER_PYTHON_DISTRIBUTION_ENABLED [:analyzer :python-distribution-enabled]
    Settings$KEYS/ANALYZER_PYTHON_PACKAGE_ENABLED [:analyzer :python-package-enabled]
@@ -91,14 +91,14 @@
 
 (defn populate-settings! [config-file]
   (let [project (deep-merge default-settings (read-opts config-file))
-        plugin-settings (:nvd project)
+        nvd-settings (:nvd project)
         settings (Settings.)]
     (doseq [[prop path] integer-mappings]
-      (.setIntIfNotNull settings prop (get-in plugin-settings path)))
+      (.setIntIfNotNull settings prop (get-in nvd-settings path)))
     (doseq [[prop path] boolean-mappings]
-      (.setBooleanIfNotNull settings prop (get-in plugin-settings path)))
+      (.setBooleanIfNotNull settings prop (get-in nvd-settings path)))
     (doseq [[prop path] string-mappings]
-      (.setStringIfNotEmpty settings prop (str (get-in plugin-settings path))))
+      (.setStringIfNotEmpty settings prop (str (get-in nvd-settings path))))
     (->
      project
      (assoc-in [:nvd :data-directory] (.getDataDirectory settings))