From 421853fb47fc3656004aea825772d6dbdbac33be Mon Sep 17 00:00:00 2001
From: vemv
Date: Thu, 23 Dec 2021 12:30:28 +0100
Subject: [PATCH] Deprecate Leiningen plugin

Part of https://github.com/rm-hull/nvd-clojure/issues/113

---
 .github/integration_test.sh | 53 -----------------------------
 README.md | 29 +++-------------
 example/project.clj | 9 +----
 plugin/project.clj | 17 +--------
 plugin/src/leiningen/nvd.clj | 56 +++++-------------------------
 plugin/src/leiningen/nvd/deps.clj | 33 ------------------
 src/nvd/config.clj | 10 +++---
 7 files changed, 19 insertions(+), 188 deletions(-)
 delete mode 100644 plugin/src/leiningen/nvd/deps.clj

diff --git a/.github/integration_test.sh b/.github/integration_test.sh
index c7e1b5c..7548abe 100755
--- a/.github/integration_test.sh
+++ b/.github/integration_test.sh
@@ -16,48 +16,8 @@ if ! clojure -Ttools install nvd-clojure/nvd-clojure '{:mvn/version "RELEASE"}'
 exit 1
 fi
 
-cd "$PROJECT_DIR/plugin" || exit 1
-
-if ! lein with-profile -user,-dev,+ci install; then
- exit 1
-fi
-
 cd "$PROJECT_DIR/example" || exit 1
 
-# 1.- Exercise Lein plugin
-
-if lein with-profile -user nvd check > example-lein-output; then
- echo "Should have failed with non-zero code!"
- exit 1
-fi
-
-if ! grep --silent "$SUCCESS_REGEX" example-lein-output; then
- echo "Should have found vulnerabilities!"
- exit 1
-fi
-
-# 2.- Exercise Lein plugin, with :throw-if-check-unsuccessful? option
-
-if lein with-profile -user,+nvd-throw-on-exit nvd check > example-lein-output 2>&1; then
- echo "Should have failed with non-zero code!"
- exit 1
-fi
-
-if ! grep --silent "$SUCCESS_REGEX" example-lein-output; then
- echo "Should have found vulnerabilities!"
- exit 1
-fi
-
-if ! grep --silent "Error encountered performing task 'nvd'" example-lein-output; then
- echo "Should have thrown an exception!"
- exit 1
-fi
-
-if ! grep --silent "clojure.lang.ExceptionInfo: nvd-clojure failed / found vulnerabilities" example-lein-output; then
- echo "Should have thrown an exception with a specific message!"
- exit 1
-fi
-
 # 3.- Exercise `main` program
 
 example_classpath="$(lein with-profile -user,-dev,-test classpath)"
@@ -124,17 +84,4 @@ if ! lein with-profile -user,-dev,+ci run -m nvd.task.check "$DOGFOODING_CONFIG_
 exit 1
 fi
 
-# 7.- Dogfood the `lein-nvd` project
-
-cd "$PROJECT_DIR/plugin" || exit 1
-
-plugin_classpath="$(lein with-profile -user,-dev,-test classpath)"
-
-cd "$PROJECT_DIR" || exit 1
-
-if ! lein with-profile -user,-dev,+ci run -m nvd.task.check "$DOGFOODING_CONFIG_FILE" "$plugin_classpath"; then
- echo "lein-nvd did not pass dogfooding!"
- exit 1
-fi
-
 exit 0
diff --git a/README.md b/README.md
index c13c54d..34fe694 100644
--- a/README.md
+++ b/README.md
@@ -9,8 +9,8 @@ [![Clojars Project](https://img.shields.io/clojars/v/nvd-clojure.svg)](https://clojars.org/nvd-clojure) [![Maintenance](https://img.shields.io/maintenance/yes/2021.svg?maxAge=2592000)]() -[National Vulnerability Database](https://nvd.nist.gov/) dependency-checker -library (and plugin for Leiningen). +[National Vulnerability Database](https://nvd.nist.gov/) dependency checker +library. When run in your project, all the JARs on the classpath will be checked for known security vulnerabilities. `nvd-clojure` extracts project @@ -49,16 +49,9 @@ the project local `deps.edn`, to look something like this: :main-opts ["-m" "nvd.task.check"]}} ``` -#### Leiningen - -To install globally, add `[lein-nvd "1.9.0"]` into the `:plugins` vector of -your `:user` profile in _~/.lein/profiles.clj_, or on a per-project basis, add -to the profiles section of your _project.clj_. - ## Usage -Run `lein nvd check` or `clj -M:nvd` (if you've chosen the alias `:nvd`, like -above) in your project. The first time the plugin runs,it will download (and +Run the program. The first time it runs, it will download (and cache) various databases from https://nvd.nist.gov. Subsequent runs will periodically check and update the local database, but the initial run could therefore be quite slow - of the order of ten minutes or more, so give it time. @@ -186,7 +179,7 @@ nvd-clojure has some Java dependencies, which in turn can have CVEs themselves, For this reason, you might want to invoke `nvd.task.check`'s main function by passing a classpath string as an argument. -Said classpath string should try reflecting a _production's classpath_ as accurately as possible: it should not include dev/test tooling, plugins (like nvd-clojure or any other), etc. +Said classpath string should try reflecting a _production's classpath_ as accurately as possible: it should not include dev/test tooling, plugins, etc. #### Lein example 
@@ -204,20 +197,6 @@ clojure -m nvd.task.check "" "$(clojure -Spath)" For extra isolation, it is recommended that you invoke `nvd.task.check` from _outside_ your project - e.g. from an empty project, a git clone of this very repo, or from $HOME (assuming you have nvd-clojure as a dependency in your [user-wide Lein profile](https://github.com/technomancy/leiningen/blob/2586957f9d099ff11d50d312a6daf397c2a06fb1/doc/PROFILES.md)). -## Building locally - -Build and install the core module, then do the same for the plugin: - - $ lein test - $ lein install - $ cd plugin - $ lein test - $ lein install - $ cd ../example - $ lein nvd check - -A sample report is available for testing in the _example_ sub-directory. - ## Attribution `nvd-clojure` uses **Jeremy Long**'s [Dependency-Check](https://github.com/jeremylong/DependencyCheck) diff --git a/example/project.clj b/example/project.clj index 0b68739..0f94cf8 100644 --- a/example/project.clj +++ b/example/project.clj @@ -20,11 +20,4 @@ [org.slf4j/slf4j-api "1.7.25"] ] :source-paths ["src"] - :min-lein-version "2.6.1" - :profiles { - :nvd-throw-on-exit {:nvd {:throw-if-check-unsuccessful? true}} - :dev { - :dependencies [ - [lein-nvd "RELEASE"]] - :plugins [ - [lein-nvd "RELEASE"]]}}) + :min-lein-version "2.6.1") diff --git a/plugin/project.clj b/plugin/project.clj index acc5435..7849788 100644 --- a/plugin/project.clj +++ b/plugin/project.clj 
@@ -3,22 +3,7 @@
 :url "https://github.com/rm-hull/nvd-clojure"
 :license {:name "The MIT License (MIT)"
 :url "http://opensource.org/licenses/MIT"}
- :dependencies [[clj-commons/pomegranate "1.2.1" :exclusions [org.clojure/clojure
- org.apache.maven/maven-resolver-provider
- org.apache.maven.resolver/maven-resolver-api
- org.apache.maven.resolver/maven-resolver-spi
- org.apache.maven.resolver/maven-resolver-util
- commons-codec
- org.apache.maven.resolver/maven-resolver-impl
- org.apache.maven.resolver/maven-resolver-transport-file
- org.apache.maven.resolver/maven-resolver-transport-http
- org.apache.maven.resolver/maven-resolver-connector-basic
- org.apache.httpcomponents/httpclient
- org.apache.httpcomponents/httpcore
- org.slf4j/slf4j-api
- org.codehaus.plexus/plexus-utils]]
- [org.slf4j/jcl-over-slf4j "1.7.30"]
- [nvd-clojure "1.9.0"]]
+ :dependencies []
 :scm {:url "git@github.com:rm-hull/nvd-clojure.git"}
 :source-paths ["src"]
 :jar-exclusions [#"(?:^|/).git"]
diff --git a/plugin/src/leiningen/nvd.clj b/plugin/src/leiningen/nvd.clj
index f0caec7..f34e154 100644
--- a/plugin/src/leiningen/nvd.clj
+++ b/plugin/src/leiningen/nvd.clj
@@ -22,54 +22,14 @@
 
 (ns leiningen.nvd
 (:require
- [clojure.string :as s]
- [clojure.data.json :as json]
- [leiningen.core.main :as main]
- [leiningen.nvd.deps :refer [get-classpath]]
- [nvd.task.update-database]
- [nvd.task.purge-database]
- [nvd.task.check])
- (:import
- [java.io File]))
+ [leiningen.core.main :as main]))
 
-(def ^File temp-file (File/createTempFile ".nvd-clojure_" ".json"))
+(defn nvd
+ "nvd-clojure's Lein plugin is now deprecated.
 
-(defn nvd "
- Scans project dependencies, attempting to detect publicly disclosed
- vulnerabilities contained within dependent JAR files. It does this by
- determining if there is a Common Platform Enumeration (CPE) identifier
- for a given dependency. On completion, a summary table is displayed on
- the console (showing the status for each dependency), and detailed report
- linking to the associated CVE entries.
+ Please use a newer API as described in the nvd-clojure's README."
+ [& _]
+ (main/warn "nvd-clojure's Lein plugin is now deprecated.
 
- This task should be invoked with one of three commands:
-
- check - will optionally download the latest database update files,
- and then run the analyze and report stages. Typically, if
- the database has been updated recently, then the update
- stage will be skipped.
-
- purge - will remove the local database files. Subsequently running
- the 'check' command will force downloading the files again,
- which could take a long time.
-
- update - will attempt to download the latest database updates, and
- incorporate them into the local store. Usually not necessary,
- as this is incorporated into the 'check' command.
-
- Any text after the command are treated as arguments and are passed directly
- directly to the command for further processing.
- "
- [project command & args]
- (let [path (.getAbsolutePath temp-file)
- opts (merge
- (select-keys project [:name :group :version :nvd])
- {:classpath (get-classpath project) :cmd-args args})]
-
- (spit path (json/write-str opts))
-
- (case command
- "check" (nvd.task.check/-main path)
- "purge" (nvd.task.purge-database/-main path)
- "update" (nvd.task.update-database/-main path)
- (main/abort "No such command:" command))))
+ Please use a newer API as described in the nvd-clojure's README.")
+ (main/exit 1))
diff --git a/plugin/src/leiningen/nvd/deps.clj b/plugin/src/leiningen/nvd/deps.clj
deleted file mode 100644
index 2e406e0..0000000
--- a/plugin/src/leiningen/nvd/deps.clj
+++ /dev/null
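Review bot: The `main/warn` message in the new `nvd` stub should state that no vulnerability check was performed, because a pipeline that still runs `lein nvd check` now exits 1 with text that reads as a migration hint, and someone reading the CI log may take the failure for a scanner error rather than a skipped scan. Exiting non-zero is the right choice — a stub that returned 0 would let builds pass with nothing scanned — so the message should make that fail-closed intent explicit, e.g. `(main/warn "nvd-clojure's Lein plugin is deprecated and no longer runs any check; this task exits with status 1.` followed by the existing README pointer. The same sentences are repeated verbatim in the docstring and in the warn call; binding them once in a `def` above `nvd` keeps the two from drifting apart. The `nvd` function is contained entirely within this hunk.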
@@ -1,33 +0,0 @@
-;; The MIT License (MIT)
-;;
-;; Copyright (c) 2016 Richard Hull
-;;
-;; Permission is hereby granted, free of charge, to any person obtaining a copy
-;; of this software and associated documentation files (the "Software"), to deal
-;; in the Software without restriction, including without limitation the rights
-;; to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-;; copies of the Software, and to permit persons to whom the Software is
-;; furnished to do so, subject to the following conditions:
-;;
-;; The above copyright notice and this permission notice shall be included in all
-;; copies or substantial portions of the Software.
-;;
-;; THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-;; IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-;; FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-;; AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-;; LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-;; OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-;; SOFTWARE.
-
-(ns leiningen.nvd.deps
- (:import
- [java.io File])
- (:require
- [leiningen.core.project :refer [unmerge-profiles]]
- [leiningen.core.classpath :refer [resolve-managed-dependencies]]))
-
-(defn get-classpath [project]
- (->> (unmerge-profiles project [:base :system :user])
- (resolve-managed-dependencies :dependencies :managed-dependencies)
- (map (memfn ^File getAbsolutePath))))
diff --git a/src/nvd/config.clj b/src/nvd/config.clj
index 908f3e3..25c67de 100644
--- a/src/nvd/config.clj
+++ b/src/nvd/config.clj
@@ -49,7 +49,7 @@ (def ^:private boolean-mappings {Settings$KEYS/AUTO_UPDATE [:auto-update] -; Settings$KEYS/ANALYZER_EXPERIMENTAL_ENABLED [:analyzer :experimental-enabled] + ; Settings$KEYS/ANALYZER_EXPERIMENTAL_ENABLED [:analyzer :experimental-enabled] Settings$KEYS/ANALYZER_JAR_ENABLED [:analyzer :jar-enabled] Settings$KEYS/ANALYZER_PYTHON_DISTRIBUTION_ENABLED [:analyzer :python-distribution-enabled] Settings$KEYS/ANALYZER_PYTHON_PACKAGE_ENABLED [:analyzer :python-package-enabled] @@ -91,14 +91,14 @@ (defn populate-settings! [config-file] (let [project (deep-merge default-settings (read-opts config-file)) - plugin-settings (:nvd project) + nvd-settings (:nvd project) settings (Settings.)] (doseq [[prop path] integer-mappings] - (.setIntIfNotNull settings prop (get-in plugin-settings path))) + (.setIntIfNotNull settings prop (get-in nvd-settings path))) (doseq [[prop path] boolean-mappings] - (.setBooleanIfNotNull settings prop (get-in plugin-settings path))) + (.setBooleanIfNotNull settings prop (get-in nvd-settings path))) (doseq [[prop path] string-mappings] - (.setStringIfNotEmpty settings prop (str (get-in plugin-settings path)))) + (.setStringIfNotEmpty settings prop (str (get-in nvd-settings path)))) (-> project (assoc-in [:nvd :data-directory] (.getDataDirectory settings))