livingsocial / lein-dependency-check

A leiningen plugin for detecting vulnerable project dependencies
MIT License

Project map options to log or throw vulnerabilities #7

Closed brabster closed 7 years ago

brabster commented 7 years ago

This update allows a user to declare whether to log found vulnerabilities and/or throw an exception at end of processing if any vulnerabilities are found. That makes it much more useful for me as a scheduled build plugin.

I added the config to the project.clj instead of as command line args because the command-line args approach would require some potentially breaking rework of the existing command line arguments.

Project version bumped to 0.2.0-SNAPSHOT as this adds a minor feature. Not sure what your release process is, so this may not be correct?

Fixes #6 Fixes #5

Wasn't sure how to go about unit testing this. Installing this branch locally and testing on a minimal project with a vulnerable dep:

No :dependency-check config in project.clj

[paul@Unknown-60-6c-66-2a-db-9a foo]$ lein dependency-check
"Scanning" 5 "file(s)..."
"Scanning file" "/home/paul/.m2/repository/org/clojure/clojure/1.8.0/clojure-1.8.0.jar"
"Scanning file" "/home/paul/.m2/repository/commons-beanutils/commons-beanutils/1.8.0/commons-beanutils-1.8.0.jar"
"Scanning file" "/home/paul/.m2/repository/commons-logging/commons-logging/1.1.1/commons-logging-1.1.1.jar"
"Scanning file" "/home/paul/.m2/repository/org/clojure/tools.nrepl/0.2.12/tools.nrepl-0.2.12.jar"
"Scanning file" "/home/paul/.m2/repository/clojure-complete/clojure-complete/0.2.4/clojure-complete-0.2.4.jar"
"Done."
"Analyzing dependencies..."
"Done."
"Generating report..."
"Done."
[paul@Unknown-60-6c-66-2a-db-9a foo]$

With :log only in :dependency-check

[paul@Unknown-60-6c-66-2a-db-9a foo]$ lein dependency-check
"Scanning" 5 "file(s)..."
"Scanning file" "/home/paul/.m2/repository/org/clojure/clojure/1.8.0/clojure-1.8.0.jar"
"Scanning file" "/home/paul/.m2/repository/commons-beanutils/commons-beanutils/1.8.0/commons-beanutils-1.8.0.jar"
"Scanning file" "/home/paul/.m2/repository/commons-logging/commons-logging/1.1.1/commons-logging-1.1.1.jar"
"Scanning file" "/home/paul/.m2/repository/org/clojure/tools.nrepl/0.2.12/tools.nrepl-0.2.12.jar"
"Scanning file" "/home/paul/.m2/repository/clojure-complete/clojure-complete/0.2.4/clojure-complete-0.2.4.jar"
"Done."
"Analyzing dependencies..."
"Done."
"Generating report..."
"Done."
"Vulnerable Dependency:" "Dependency{ fileName='commons-beanutils-1.8.0.jar', actualFilePath='/home/paul/.m2/repository/commons-beanutils/commons-beanutils/1.8.0/commons-beanutils-1.8.0.jar', filePath='/home/paul/.m2/repository/commons-beanutils/commons-beanutils/1.8.0/commons-beanutils-1.8.0.jar'}"
[paul@Unknown-60-6c-66-2a-db-9a foo]$ 

With :throw in :dependency-check

[paul@Unknown-60-6c-66-2a-db-9a foo]$ lein dependency-check
"Scanning" 5 "file(s)..."
"Scanning file" "/home/paul/.m2/repository/org/clojure/clojure/1.8.0/clojure-1.8.0.jar"
"Scanning file" "/home/paul/.m2/repository/commons-beanutils/commons-beanutils/1.8.0/commons-beanutils-1.8.0.jar"
"Scanning file" "/home/paul/.m2/repository/commons-logging/commons-logging/1.1.1/commons-logging-1.1.1.jar"
"Scanning file" "/home/paul/.m2/repository/org/clojure/tools.nrepl/0.2.12/tools.nrepl-0.2.12.jar"
"Scanning file" "/home/paul/.m2/repository/clojure-complete/clojure-complete/0.2.4/clojure-complete-0.2.4.jar"
"Done."
"Analyzing dependencies..."
"Done."
"Generating report..."
"Done."
Exception in thread "main" clojure.lang.ExceptionInfo: Vulnerable Dependencies! {:vulnerable (#object[org.owasp.dependencycheck.dependency.Dependency 0x2575f671 "Dependency{ fileName='commons-beanutils-1.8.0.jar', actualFilePath='/home/paul/.m2/repository/commons-beanutils/commons-beanutils/1.8.0/commons-beanutils-1.8.0.jar', filePath='/home/paul/.m2/repository/commons-beanutils/commons-beanutils/1.8.0/commons-beanutils-1.8.0.jar'}"])}, compiling:(/tmp/form-init5298508938903603170.clj:1:73)
    at clojure.lang.Compiler.load(Compiler.java:7391)
    at clojure.lang.Compiler.loadFile(Compiler.java:7317)
    at clojure.main$load_script.invokeStatic(main.clj:275)
    at clojure.main$init_opt.invokeStatic(main.clj:277)
    at clojure.main$init_opt.invoke(main.clj:277)
    at clojure.main$initialize.invokeStatic(main.clj:308)
    at clojure.main$null_opt.invokeStatic(main.clj:342)
    at clojure.main$null_opt.invoke(main.clj:339)
    at clojure.main$main.invokeStatic(main.clj:421)
    at clojure.main$main.doInvoke(main.clj:384)
    at clojure.lang.RestFn.invoke(RestFn.java:421)
    at clojure.lang.Var.invoke(Var.java:383)
    at clojure.lang.AFn.applyToHelper(AFn.java:156)
    at clojure.lang.Var.applyTo(Var.java:700)
    at clojure.main.main(main.java:37)
Caused by: clojure.lang.ExceptionInfo: Vulnerable Dependencies! {:vulnerable (#object[org.owasp.dependencycheck.dependency.Dependency 0x2575f671 "Dependency{ fileName='commons-beanutils-1.8.0.jar', actualFilePath='/home/paul/.m2/repository/commons-beanutils/commons-beanutils/1.8.0/commons-beanutils-1.8.0.jar', filePath='/home/paul/.m2/repository/commons-beanutils/commons-beanutils/1.8.0/commons-beanutils-1.8.0.jar'}"])}
    at clojure.core$ex_info.invokeStatic(core.clj:4617)
    at clojure.core$ex_info.invoke(core.clj:4617)
    at lein_dependency_check.core$throw_exception_on_vulnerability.invokeStatic(core.clj:96)
    at lein_dependency_check.core$throw_exception_on_vulnerability.invoke(core.clj:88)
    at lein_dependency_check.core$main.invokeStatic(core.clj:109)
    at lein_dependency_check.core$main.invoke(core.clj:99)
    at user$eval53.invokeStatic(form-init5298508938903603170.clj:1)
    at user$eval53.invoke(form-init5298508938903603170.clj:1)
    at clojure.lang.Compiler.eval(Compiler.java:6927)
    at clojure.lang.Compiler.eval(Compiler.java:6917)
    at clojure.lang.Compiler.load(Compiler.java:7379)
    ... 14 more
Subprocess failed
[paul@Unknown-60-6c-66-2a-db-9a foo]$

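
The three runs above differ only in the :dependency-check map in project.clj. As an added example (not code from this PR or from the plugin), the first form below is a project.clj for a minimal project like the "foo" one scanned above, and the second is a separate, hypothetical namespace showing the :log / :throw behaviour the transcripts demonstrate, run over constructed stand-ins for the scanned dependencies. The key names :dependency-check, :log and :throw are the ones the PR introduces; that their values are booleans, the plugin coordinates, and the names example.vulncheck, scanned, vulnerable-deps and enforce! are assumptions.

```clojure
;; --- project.clj of a minimal project (constructed for this example) ---
;; The :dependency-check map and its :log / :throw keys come from this PR;
;; boolean values and the plugin coordinates are assumptions, check the
;; project's README for the released form.
(defproject foo "0.1.0-SNAPSHOT"
  :dependencies [[org.clojure/clojure "1.8.0"]
                 [commons-beanutils/commons-beanutils "1.8.0"]]
  :plugins [[lein-dependency-check "0.2.0-SNAPSHOT"]]
  ;; :log   -> print each vulnerable dependency after the report is written
  ;; :throw -> throw ex-info at the end, so `lein dependency-check` exits non-zero
  :dependency-check {:log true
                     :throw true})

;; --- illustrative enforcement logic (hypothetical, not the plugin's code) ---
(ns example.vulncheck)

(def scanned
  ;; Constructed stand-ins for the org.owasp.dependencycheck Dependency objects
  ;; the plugin gets back from the analysis; only the second one has findings.
  [{:file-name "clojure-1.8.0.jar"           :vulnerabilities []}
   {:file-name "commons-beanutils-1.8.0.jar" :vulnerabilities [:finding]}])

(defn vulnerable-deps
  "Dependencies with at least one reported vulnerability."
  [deps]
  (filter (comp seq :vulnerabilities) deps))

(defn enforce!
  "Apply the :dependency-check settings to the scanned dependencies.
   Returns the vulnerable ones; throws only when :throw is set and the
   list is non-empty, so a build with no findings is unaffected."
  [{log? :log throw? :throw} deps]
  (let [vulnerable (vec (vulnerable-deps deps))]
    (when log?
      (doseq [d vulnerable]
        (println "Vulnerable Dependency:" (:file-name d))))
    (when (and throw? (seq vulnerable))
      (throw (ex-info "Vulnerable Dependencies!" {:vulnerable vulnerable})))
    vulnerable))

(comment
  ;; :log only: prints the beanutils jar, returns it, the JVM still exits 0
  (enforce! {:log true} scanned)
  ;; :throw: the ex-info propagates out of the plugin's main, lein prints
  ;; "Subprocess failed" and the build step exits non-zero
  (enforce! {:throw true} scanned)
  ;; neither key: nothing printed or thrown, same as before this PR
  (enforce! {} scanned))
```

The practical caveat is visible in the transcripts: with :log alone the shell prompt returns normally, so a scheduled build would still pass; only :throw makes lein report "Subprocess failed" and hand a non-zero exit status to the scheduler. The ex-info data carries the Dependency objects rather than the individual findings, so keep the generated report for triage of what was actually matched.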
dgknght commented 7 years ago

Thanks for the contribution and the very detailed description!

brabster commented 7 years ago

You're welcome, thanks for accepting. When will the new artifact appear in clojars?

dgknght commented 7 years ago

You should find it there now.

On Fri, Feb 3, 2017, 10:50 AM Paul Brabban notifications@github.com wrote:

You're welcome, thanks for accepting. When will the new artifact appear in clojars?
