rm-hull / nvd-clojure

National Vulnerability Database dependency checker for Clojure projects
MIT License

Using nvd-clojure for JS dependencies, too #133

Closed DerGuteMoritz closed 2 years ago

DerGuteMoritz commented 2 years ago

Hi,

we're successfully using nvd-clojure in a cljs project against Clojure dependencies. However, the project also depends on a few NPM libs via package.json. Now I found in the Dependency-Check docs that there is a Node.js analyzer which should work for also checking these dependencies. However, I can't seem to make nvd-clojure apply that analyzer. What I tried so far is tacking package.json, package-lock.json or NODE_PATH (i.e. node_modules) onto the :classpath argument, but no dice. Any hints greatly appreciated :pray:

Oh yeah and thanks for making this package, of course!

vemv commented 2 years ago

Hi!

Thank you for using nvd-clojure.

Apparently you can use this config: "analyzer": {"node-package-enabled": true}.

It might well work. OTOH only .jar files will be analyzed:

https://github.com/rm-hull/nvd-clojure/blob/c0b4171fed7ba92ebc7ab2147c891a37efa681e0/src/nvd/task/check.clj#L49-L51

I'm willing to remove that check since there's already earlier processing that sanitizes the classpath.

However, bear in mind that nvd-clojure is intended for JVM and Clojure projects. This tool is practically as good as its supported feature set and unit tests are.

Since we don't particularly aim for supporting arbitrary programming languages, you'll be using a second-class feature.

I don't intend to remove access to such features but I'd recommend using more specialized tools. For Node.js, there certainly are Node-centric analyzers which would be better supported.

Perhaps you are well aware of them in which case I'd be grateful for an overview of why nvd-clojure would be better than those (which seems unlikely to me atm).

Cheers - V
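To make the jar-only behaviour concrete, here is a small added illustration (my own sketch, not nvd-clojure's code; the real check lives in the check.clj lines linked above and may differ in detail). It splits a classpath, applies a jar-only filter that silently drops package.json and package-lock.json, and shows the relaxed filter the Node.js analyzer would need. The `jar-or-node-manifest` function and the constructed classpath are assumptions for the example.

```clojure
;; Added example, not part of nvd-clojure: why adding package.json to
;; :classpath has no effect when only .jar entries reach Dependency-Check.
(ns example.classpath-filter
  (:require [clojure.string :as str])
  (:import [java.io File]
           [java.util.regex Pattern]))

(defn split-classpath
  "Split a classpath string on the platform path separator (':' or ';')."
  [cp]
  (->> (str/split cp (re-pattern (Pattern/quote File/pathSeparator)))
       (remove str/blank?)))

(defn jar-only
  "Assumed mirror of the jar-only behaviour discussed in this thread:
  keep only entries whose name ends in .jar."
  [entries]
  (filter #(str/ends-with? % ".jar") entries))

(def node-manifests
  "Files the Dependency-Check Node.js analyzer reads."
  #{"package.json" "package-lock.json"})

(defn jar-or-node-manifest
  "Hypothetical relaxed filter: jars plus Node package manifests. This is
  what would have to replace jar-only for node-package-enabled to matter."
  [entries]
  (filter (fn [entry]
            (or (str/ends-with? entry ".jar")
                (contains? node-manifests (.getName (File. entry)))))
          entries))

(comment
  ;; Constructed classpath resembling what the issue author tried.
  (def cp (str/join File/pathSeparator
                    ["lib/some-dep.jar" "package.json"
                     "package-lock.json" "node_modules"]))
  (jar-only (split-classpath cp))
  (jar-or-node-manifest (split-classpath cp)))
```

With that classpath, `jar-only` returns just the jar, while `jar-or-node-manifest` also keeps the two manifests and still drops the bare node_modules directory.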

DerGuteMoritz commented 2 years ago

Heya, thanks a lot for your quick and well-considered reply :bow: Your points are well taken. Given your input, I think switching to a first-class tool for this purpose makes most sense indeed.

> Perhaps you are well aware of them in which case I'd be grateful for an overview of why nvd-clojure would be better than those (which seems unlikely to me atm).

I was unaware of the fact that nvd-clojure doesn't aim to make all functionality of Dependency-Check transparently available, though I guess it can be inferred from "When run in your project, all the JARs on the classpath will be checked" - it just wasn't 100% clear to me at the time :smile: Also, I did run into a case where it flagged a vulnerable React version bundled in one of our dependencies' jars, which led me to assume that this is generally supported.

FWIW, the one reason that would have made using nvd-clojure for both purposes convenient is that it produces junit reports out of the box which are picked up by GitLab and formatted nicely along with an MR. But all things considered, that's just cosmetics.

Closing this issue then - thanks again!