rm-hull / nvd-clojure

National Vulnerability Database dependency checker for Clojure projects
MIT License

Remove documentation relative to Leiningen config #131

Closed elzibubble closed 2 years ago

elzibubble commented 2 years ago

Suppressions don't work when supplied from project.clj

(defproject nvd-helper "local"
  :description "nvd-clojure helper project"
  ;; dependency vector: each dependency is its own [name version] pair
  :dependencies [[nvd-clojure "2.2.0"]
                 [org.clojure/clojure "1.10.3"]]

  :nvd {:suppression-file "../nvd/nvd-suppressions.xml"})

In this case, the suppressions don't apply. However if I put nvd-config.json into the command line:

{"delete-config?": false,
 "nvd": {"suppression-file":  "../nvd/nvd-suppressions.xml"}}

Then the suppressions do apply. So the suppressions file is good but nvd-clojure isn't getting the config out of project.clj successfully.

I looked at https://github.com/rm-hull/nvd-clojure/blob/master/README.md?plain=1#L154 to write the project.clj, I hope it's correct.

elzibubble commented 2 years ago

On a very peripherally related topic - I don't understand why delete-config? defaults to true? Why is it even an option?

vemv commented 2 years ago

Thanks for raising the topic.

Since the Lein plugin is deprecated, now the :nvd Leiningen config does nothing. In particular, for the following command:

lein with-profile -user run -m nvd.task.check "" "$(cd <YOUR_PROJECT>; lein with-profile -user,-dev classpath)"

The nvd.task.check program has no (good) way of reading :nvd Leiningen config.

Consequently I'll remove said config from the README, it's what I should have done when removing the lein-nvd plugin.
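The comment above explains that nvd.task.check only sees the config file passed on the command line, so an :nvd map left in project.clj is silently ignored. The following lint script is an added example for this thread, not code from nvd-clojure or its maintainers: it flags a leftover :nvd key in project.clj, and checks that the JSON config actually names a suppression file that exists. It assumes the JSON shape shown in the issue (an "nvd" map with "suppression-file") and that the path is resolved relative to the directory the check is run from; both are assumptions, not documented behaviour.

```python
"""Lint nvd-clojure configuration before running nvd.task.check.

Added example for the issue thread; not part of nvd-clojure.
Assumptions (not stated by the project): config is JSON with an "nvd" map
holding "suppression-file", and relative paths resolve against the
working directory of the check.
"""
import json
import re
from pathlib import Path

# Matches a standalone :nvd keyword (not :nvd-something) in project.clj text.
NVD_KEY_RE = re.compile(r"(?<![\w-]):nvd(?![\w-])")

# Constructed sample inputs mirroring the thread (project.clj from the report,
# and the nvd-config.json that the reporter says does work).
SAMPLE_PROJECT_CLJ = """(defproject nvd-helper "local"
  :dependencies [[nvd-clojure "2.2.0"]
                 [org.clojure/clojure "1.10.3"]]
  :nvd {:suppression-file "../nvd/nvd-suppressions.xml"})"""

SAMPLE_CONFIG_JSON = """{"delete-config?": false,
 "nvd": {"suppression-file": "../nvd/nvd-suppressions.xml"}}"""


def find_ignored_nvd_key(project_clj_text):
    """True if project.clj still carries an :nvd map, which nvd.task.check ignores."""
    return bool(NVD_KEY_RE.search(project_clj_text))


def check_config(config_text, file_exists=lambda p: Path(p).is_file()):
    """Return a list of problems found in an nvd-config.json document.

    file_exists is injectable so the check can run without touching disk.
    """
    problems = []
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [f"config is not valid JSON: {exc}"]

    nvd = cfg.get("nvd")
    if not isinstance(nvd, dict):
        return ['config has no "nvd" map, so no suppression file will be loaded']

    suppression = nvd.get("suppression-file")
    if suppression is None:
        problems.append('"nvd" map has no "suppression-file" entry')
    elif not file_exists(suppression):
        problems.append(
            f"suppression-file {suppression!r} not found relative to the working directory"
        )

    # The thread notes delete-config? defaults to true and the working config
    # sets it to false explicitly; flag anything else so the reader decides.
    if cfg.get("delete-config?", True) is not False:
        problems.append('"delete-config?" is not explicitly false (defaults to true)')
    return problems


def lint(project_clj_text, config_text, file_exists=lambda p: Path(p).is_file()):
    """Combine both checks; returns the full list of findings."""
    findings = []
    if find_ignored_nvd_key(project_clj_text):
        findings.append(":nvd key in project.clj is ignored by nvd.task.check; move it to the JSON config")
    findings.extend(check_config(config_text, file_exists))
    return findings


if __name__ == "__main__":
    # Run against the constructed samples; with a real tree, read the files instead.
    for finding in lint(SAMPLE_PROJECT_CLJ, SAMPLE_CONFIG_JSON):
        print("WARN:", finding)
```

Run it from the project directory before invoking `lein ... run -m nvd.task.check <config> <classpath>`; any WARN line means the check would run with different suppressions than you expect.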

vemv commented 2 years ago

> On a very peripherally related topic - I don't understand why delete-config? defaults to true? Why is it even an option?

For backwards compat reasons.

As we move from .json to .edn config files (https://github.com/rm-hull/nvd-clojure/issues/125) I'll use the occasion to get rid of this piece of config.

skat-kurt commented 2 years ago

As I hadn't read through the issues I used quite a bit of time trying to configure with the :nvd key in project.clj, obviously to no avail. I found the PR that improves the documentation but it isn't merged, probably because more documentation changes need to fall in place. Would you consider creating a smaller PR that at least removes wrong information from the readme and that can get merged quicker?

vemv commented 2 years ago

Thanks for the reminder - fixed now!

https://clojars.org/nvd-clojure/versions/2.6.0 has been released as well