Closed DerGuteMoritz closed 2 years ago
Hi!
Thank you for using nvd-clojure.
Apparently you can use this config: "analyzer": {"node-package-enabled": true}.
It might well work. OTOH only .jar files will be analyzed:
I'm willing to remove that check since there's already earlier processing that sanitizes the classpath.
However, bear in mind that nvd-clojure is intended for JVM and Clojure projects. This tool is practically as good as its supported feature set and unit tests are.
Since we don't particularly aim for supporting arbitrary programming languages, you'll be using a second-class feature.
I don't intend to remove access to such features but I'd recommend using more specialized tools. For Node.js, there certainly are Node-centric analyzers which would be better supported.
Perhaps you are well aware of them in which case I'd be grateful for an overview of why nvd-clojure would be better than those (which seems unlikely to me atm).
Cheers - V
Heya, thanks a lot for your quick and well-considered reply :bow: Your points are well taken. Given your input, I think switching to a first-class tool for this purpose makes most sense indeed.
Perhaps you are well aware of them in which case I'd be grateful for an overview of why nvd-clojure would be better than those (which seems unlikely to me atm).
I was unaware of the fact that nvd-clojure doesn't aim to make all functionality of Dependency-Check transparently available, though I guess it can be inferred from "When run in your project, all the JARs on the classpath will be checked" - it just wasn't 100% clear to me at the time :smile: Also, I did run into a case where it flagged a vulnerable React version bundled in one of our dependencies' jars, which led me to assume that this is generally supported.
FWIW, the one reason that would have made using nvd-clojure for both purposes convenient is that it produces junit reports out of the box which are picked up by GitLab and formatted nicely along with an MR. But all things considered, that's just cosmetics.
Closing this issue then - thanks again!
Hi,
we're successfully using nvd-clojure in a cljs project against Clojure dependencies. However, the project also depends on a few NPM libs via package.json. Now I found in the Dependency-Check docs that there is a Node.js analyzer which should work for also checking these dependencies. However, I can't seem to make nvd-clojure apply that analyzer. What I tried so far is tacking package.json, package-lock.json or NODE_PATH (i.e. node_modules) onto the :classpath argument, but no dice. Any hints greatly appreciated :pray:
Oh yeah and thanks for making this package, of course!