Fork me on GitHub
#announcements
<
2021-11-16
>
Matheus Bernardes14:11:57

Introducing https://github.com/clj-holmes/clj-holmes a CLI SAST (Static application security testing) tool which was build with the intent to find vulnerable Clojure code via https://github.com/clj-holmes/clj-holmes-rules that use a simple https://github.com/clj-holmes/shape-shifter but it can also be used to find any kind of https://github.com/clj-holmes/clj-holmes-rules/blob/main/correctness/schema-require-typo.yml. By now we're going to focus our efforts to properly document and test all the projects in the clj-holmes ecosystem but please fell free to open discussions and contribute with it.

šŸ‘ 11
šŸš€ 6
1
borkdude16:11:30

@U02M2U71Q79 Interesting project. I see in the readme that you were inspired by grape. I've also used that inspiration to use clojure.spec here: https://github.com/borkdude/grasp.

Matheus Bernardes17:11:07

Yeah, I'm still working in the doc but grasp was also one of my inspirations t-hanks. I just wrote it from "scratch" because I was trying to learn new things during the process.

borkdude17:11:08

Of course! :)

Matheus Bernardes17:11:45

Also the idea was to provide a really simple API for creating rules since the security folks from my team does not know exactly how to write code.

mynomoto19:11:57

It's this like semgrep but clojure specific? https://semgrep.dev/

Matheus Bernardes19:11:23

it is exactly where I'm aiming @U05094X3J

vemv19:11:52

yeah tooling-wise sky is the limit. something like grasp seems a reasonable baseline, not sure if that will survive a macroexpansion like -> (clj-kondo certainly does that) Something like https://github.com/clj-holmes/clj-holmes-rules/blob/295aafe4420b8e9e2ce1f9f9e795233fd8c5f189/security/weak-hash-function-md5.yml#L11 is very accurately implementable with Eastwood (tools.analyzer) tech - it will survive arbitrary macroexpansions, and values known at compile-time (e.g. "MD5" is the value of a var) Either way, šŸ‘ && šŸŽ© s off!

t-hanks 1
borkdude20:11:00

It depends entirely on the use case. Currently grasp doesn't expand any macros. But I can imagine hooking it up with tools analyzer or so wouldn't hard and then it could. Right now it (ab)uses SCI to understand the ns form with respect to resolving symbols, but this could also be handled 1) using the clj-kondo approach, or 2) tools analyzer.

borkdude20:11:51

The use case can also be to grep for the surface form, not the expanded form

borkdude20:11:39

I'm using grasp myself mostly for statistical purposes: how do people use X, to inform choices like: how much time do I want to spend on feature X for clj-kondo or SCI or JIRA-1xxx

Matheus Bernardes11:11:12

In the beginning of the project we tried to use tools.analyzer but we kind of get lost in the AST and we did not had the time to understand it since we're going to use it at the company we work for šŸ˜• so the currently use case is to only grep the surface without macro expansion.

wilkerlucio22:11:12

Release [com.wsscode/pathom3 "2021.11.16-alpha"]! This release includes: ā€¢ Add extension point ::p.error/wrap-attribute-error ā€¢ Fix batch calls with distinct parameters ā€¢ Add pco/final-value helper to mark a value as final https://clojars.org/com.wsscode/pathom3

ā¤ļø 12
šŸŽ‰ 2