miikka / clj-nvd

Scan your deps.edn dependencies for known vulnerabilities
Eclipse Public License 2.0
clojure dependencies vulnerability-scanner

clj-nvd

Check your deps.edn dependencies against the known security vulnerabilities in the National Vulnerability Database (NVD). In other words, it is like lein-nvd, but for deps.edn projects.

clj-nvd uses lein-nvd as a library. To learn how the checking works, see lein-nvd's README.

Installation

clj-nvd has not been released yet, so you'll have to use a git dependency. Pin it to a full commit :sha, as in the examples below, so that the scanner you run is itself a fixed, reviewable revision rather than whatever the branch currently points at.

clojure -Sdeps '{:deps {clj-nvd/clj-nvd {:git/url "https://github.com/miikka/clj-nvd.git" :sha "f2ec98699e057a379baf170cb49cf7ad76874a70"}}}' -m clj-nvd.core check

Alternatively, add clj-nvd as a git dependency to your deps.edn:

{:aliases
 {:clj-nvd {:extra-deps {clj-nvd/clj-nvd {:git/url "https://github.com/miikka/clj-nvd.git"
                                          :sha "f2ec98699e057a379baf170cb49cf7ad76874a70"}}
            :main-opts ["-m" "clj-nvd.core"]}}}
clojure -A:clj-nvd check

Usage

clj-nvd supports the same commands as lein-nvd: check (scan the dependencies), update (refresh the local copy of the NVD data), and purge (delete the local NVD data). By default only the top-level :deps are checked; to also include the :extra-deps of one or more aliases, pass them with -A:

clojure -A:clj-nvd check -A backend:frontend

More detailed reports are created in the directory target/nvd.
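To make the alias semantics concrete, here is an added example (not clj-nvd's own code) that computes which library coordinates a run like `check -A backend:frontend` would put in scope: the top-level :deps plus the :extra-deps of each named alias. It assumes that aliases are merged left to right with later ones winning on conflict, which is how tools.deps combines alias data; the deps.edn it reads is a constructed sample and not from any real project. It deliberately stops at direct coordinates: tools.deps and DependencyCheck also resolve and scan transitive dependencies, which is where most findings usually come from.

```clojure
(ns example.deps-aliases
  "Added example, not clj-nvd's own code: list the direct coordinates
   that a check over a given -A alias list would cover."
  (:require [clojure.edn :as edn]
            [clojure.string :as str]))

;; Constructed sample deps.edn (not a real project).
(def sample-deps-edn
  "{:deps {org.clojure/clojure {:mvn/version \"1.10.1\"}
           ring/ring-core      {:mvn/version \"1.8.0\"}}
    :aliases
    {:backend  {:extra-deps {com.fasterxml.jackson.core/jackson-databind
                             {:mvn/version \"2.9.9\"}}}
     :frontend {:extra-deps {reagent/reagent {:mvn/version \"0.10.0\"}}}
     :clj-nvd  {:extra-deps {clj-nvd/clj-nvd
                             {:git/url \"https://github.com/miikka/clj-nvd.git\"
                              :sha \"f2ec98699e057a379baf170cb49cf7ad76874a70\"}}
                :main-opts [\"-m\" \"clj-nvd.core\"]}}}")

(defn parse-alias-arg
  "Turn the -A argument form \"backend:frontend\" into [:backend :frontend]."
  [s]
  (mapv keyword (str/split s #":")))

(defn deps-for-aliases
  "Return a map of coordinate -> version map covering :deps plus the
   :extra-deps of every alias in `aliases`, in order. Later aliases win on
   conflict (assumption: same merge order tools.deps uses). Unknown aliases
   are an error rather than silently ignored, so a typo cannot shrink the scan."
  [deps-edn aliases]
  (reduce (fn [acc alias]
            (if-let [a (get-in deps-edn [:aliases alias])]
              (merge acc (:extra-deps a))
              (throw (ex-info (str "Unknown alias " alias) {:alias alias}))))
          (:deps deps-edn)
          aliases))

(defn -main
  "Usage: clojure -m example.deps-aliases backend:frontend"
  [& [alias-arg]]
  (let [deps   (edn/read-string sample-deps-edn)
        coords (deps-for-aliases deps (if alias-arg (parse-alias-arg alias-arg) []))]
    (doseq [[lib v] (sort-by (comp str first) coords)]
      ;; Maven coordinates carry :mvn/version, git coordinates carry :sha.
      (println lib (or (:mvn/version v) (:sha v))))))
```

Running it with `backend:frontend` prints clojure, ring-core, jackson-databind and reagent; running it with no argument prints only the two top-level :deps, which is the same difference you see between `clojure -A:clj-nvd check` and the `-A backend:frontend` form above.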

Configuration

The configuration is loaded from the file clj-nvd.edn. See configuration options in lein-nvd's documentation.

Attribution

clj-nvd is just a small wrapper around lein-nvd by Richard Hull, which in turn relies on OWASP DependencyCheck by Jeremy Long. To understand how to use tools.deps.alpha, I looked at the source code of Pack and Depot.

License

Copyright © Metosin Oy and contributors.

Distributed under the Eclipse Public License 2.0.