2021-11-16
Introducing https://github.com/clj-holmes/clj-holmes, a CLI SAST (Static Application Security Testing) tool which was built with the intent to find vulnerable Clojure code via https://github.com/clj-holmes/clj-holmes-rules that use a simple https://github.com/clj-holmes/shape-shifter, but it can also be used to find any kind of https://github.com/clj-holmes/clj-holmes-rules/blob/main/correctness/schema-require-typo.yml.
By now we're going to focus our efforts on properly documenting and testing all the projects in the clj-holmes ecosystem, but please feel free to open discussions and contribute to it.
@U02M2U71Q79 Interesting project. I see in the readme that you were inspired by grape. I've also used that inspiration to use clojure.spec here: https://github.com/borkdude/grasp.
Yeah, I'm still working on the docs, but grasp was also one of my inspirations. I just wrote it from "scratch" because I was trying to learn new things during the process.
Also the idea was to provide a really simple API for creating rules, since the security folks on my team do not know exactly how to write code.
Is this like semgrep but Clojure specific? https://semgrep.dev/
It is exactly where I'm aiming @U05094X3J
Yeah, tooling-wise the sky is the limit. Something like grasp seems a reasonable baseline, not sure if that will survive a macroexpansion like -> (clj-kondo certainly does that).
Something like https://github.com/clj-holmes/clj-holmes-rules/blob/295aafe4420b8e9e2ce1f9f9e795233fd8c5f189/security/weak-hash-function-md5.yml#L11 is very accurately implementable with Eastwood (tools.analyzer) tech - it will survive arbitrary macroexpansions, and values known at compile-time (e.g. "MD5" is the value of a var).
Either way, hats off!
It depends entirely on the use case. Currently grasp doesn't expand any macros. But I can imagine hooking it up with tools.analyzer or so wouldn't be hard, and then it could. Right now it (ab)uses SCI to understand the ns form with respect to resolving symbols, but this could also be handled 1) using the clj-kondo approach, or 2) tools.analyzer.
I'm using grasp myself mostly for statistical purposes: how do people use X, to inform choices like: how much time do I want to spend on feature X for clj-kondo or SCI or JIRA-1xxx.
In the beginning of the project we tried to use tools.analyzer, but we kind of got lost in the AST and we did not have the time to understand it, since we're going to use it at the company we work for. So the current use case is to only grep the surface without macro expansion.
Sorry for the necro; I'm curious what motivated having this as a separate tool vs integrating with semgrep (or other tools)? Are there some limitations to semgrep that make it unfit for Clojure usage?
I was just in the mood to code it from scratch. But it's on my personal todo to implement it using semgrep.
Ah, thanks. Let me know if I can help out, as I'm using semgrep at work for other stuff and it would be cool to apply it to Clojure too.
Release [com.wsscode/pathom3 "2021.11.16-alpha"]! This release includes:
• Add extension point ::p.error/wrap-attribute-error
• Fix batch calls with distinct parameters
• Add pco/final-value helper to mark a value as final
https://clojars.org/com.wsscode/pathom3