clj-holmes / clj-watson

clojure deps SCA
Eclipse Public License 2.0

ci: Consider scanning clj-watson with clj-watson #84

Open lread opened 2 months ago

lread commented 2 months ago

We should check if clj-watson deps have CVEs. And what better way to do that than with clj-watson?

seancorfield commented 2 months ago

These are the CVEs that clj-watson currently reports against itself:

watson.cves.txt

seancorfield commented 2 months ago

I enabled --suggest-fix and most of the reported CVEs have "no secure version available" apparently, so whilst we could add a CI step to get the CVEs into the GHA output, we can't fail the build on them, and can't fix several of them.
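One way to wire up the CI step described above, as an added example (this is not clj-watson's own workflow): a GitHub Actions job that runs clj-watson from the repository's own source against its own deps.edn, with `--suggest-fix` enabled, and reports findings without failing the build. The action names and versions, the `clj-watson.cli` main namespace and the `--deps-edn-path` flag are assumptions.

```yaml
# Added example, not part of the clj-watson repository.
# Runs clj-watson against its own deps.edn on every push and pull request.
name: sca
on: [push, pull_request]
jobs:
  clj-watson:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # assumed action version
      - uses: actions/setup-java@v4        # assumed action version
        with:
          distribution: temurin
          java-version: '21'
      - uses: DeLaGuardo/setup-clojure@13.0  # assumed action version
        with:
          cli: latest
      # Report the CVEs and fix suggestions in the job log, but keep the
      # job green: several of the findings have no secure version to move to.
      - name: Scan deps.edn with clj-watson
        run: clojure -M -m clj-watson.cli scan --deps-edn-path deps.edn --suggest-fix
        continue-on-error: true
```

`continue-on-error: true` is what keeps the scan informational: the findings land in the GHA output where they can be reviewed, while unfixable or suspected false-positive CVEs do not block merges. Once the remaining findings are resolved or confirmed as false positives, dropping that line turns the step into a gate.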

lread commented 2 months ago

I've been running this over and over as my test but have not taken the time to read it!

I'll take a peek.

These seem fixable:

These all share the same: CVE-2022-4244, CVE-2022-4245

Analyzing false-positives is a bit tortuous, but I think the plexuses (plexi?) might be false positives: https://github.com/jeremylong/DependencyCheck/issues/5973, I think the CVEs are talking about plexus-utils.

seancorfield commented 2 months ago

I've removed the milestone because I don't want us to get distracted with addressing these until we have 6.0 and 6.1 out the door.

lread commented 2 months ago

Sure, that's fine, but TLDR: I think we won't have any unfixable vulnerabilities for clj-watson itself.