#announcements
2024-01-09
Sardtok15:01:04

For anyone with older projects using Drift, I have released a fork with Java 9+ support: https://github.com/Sardtok/drift All issues that were open in the original Drift project should be fixed. There's a single breaking change in command line argument handling, where args for your init function have to be separated from your Leiningen task args by double dashes. Feedback, especially bug reports, is very welcome. There's also an RC release on Clojars: https://clojars.org/com.sigmund-hansen/drift/versions/2.0.0-rc2

👍 2
borkdude16:01:05

https://github.com/babashka/babashka: Native, fast starting Clojure interpreter for scripting 1.3.187 (2023-01-09)
• Add clojure.reflect/reflect
• Add java.util.ScheduledFuture, java.time.temporal.WeekFields
• Support Runnable to be used without import
• Allow catch to be used as var name
• https://github.com/babashka/babashka/issues/1646: command-line-args are dropped when file exists with same name
• https://github.com/babashka/babashka/issues/1645: Support for clojure.lang.LongRange
• https://github.com/babashka/babashka/issues/1652: allow bb.edn to be empty
• https://github.com/babashka/babashka/issues/1586: warn when config file doesn't exist and --debug is enabled
• https://github.com/babashka/babashka/issues/1410: better error message when exec fn doesn't exist
• Bump babashka.cli to 0.8.55 which contains subcommand improvements
• Bump deps.clj to 1.11.1.1435
• Bump babashka.fs to 0.5.20
• Compatibility with plumbing.core
• Compatibility with shadow.css by improving tools.reader compatibility
• https://github.com/babashka/babashka/issues/1647: Allow capturing env vars at build time (only relevant for building bb)

🎉 19
babashka 8
🧡 1
seancorfield18:01:36

https://github.com/clj-holmes/clj-watson -- Vulnerability Checker (NIST NVD and GitHub Advisory Database) that can provide suggested remediations -- io.github.clj-holmes/clj-watson {:git/tag "v5.0.1" :git/sha "d1ec6e5"}
This is a bug fix for 5.0.0 but since that wasn't announced here either, here's what's in both releases:
• Updated to use DependencyCheck 9.0.6 and the new NIST NVD API (the data feeds API used in earlier versions of clj-watson / DependencyCheck is going away)
• Supports a clj-watson.properties file -- on the classpath or via the new -w command-line option -- which can contain your (free) NVD API key (the README explains how to get one)
I have taken over maintenance of clj-watson and plan to spend quite a bit of time on its documentation and keeping it updated going forward (because we use it at work). Follow-up in #clj-holmes

🎉 11
gratitude 5
nubank 1
Adam Helins13:01:17

I did consider clj-watson very recently but eventually picked nvd-clojure which looked better maintained at the time. It seems clj-watson is more helpful for remediation suggestions. Other than that, what would you say are the advantages over nvd-clojure? Good luck with the maintenance 💪

seancorfield17:01:52

clj-watson also supports the GitHub Advisory Database (although we use NVD at work right now).

seancorfield17:01:18

I seem to recall it was a bit easier to use clj-watson with our Polylith monorepo but I'd have to redo those experience tests again and write it up.

vemv10:01:13

The monorepo / polylith case is interesting. nvd-clojure accepts a classpath, nothing else, no second-guessing (older versions did, which caused enough issues for us to remove it). So, computing a classpath (or series thereof) that is correct+complete is something that application developers should know best how to compute. It also should be pretty trivial to accomplish. I'm not saying that clj-watson computes it incorrectly, but I'd rather have zero place for doubt when we're talking security.

vemv10:01:25

Automated remediation is exclusively offered by clj-watson. It seems certainly a nice feature, but my personal take is that manual remediation generally leads to more conscious decision-making, which again, seems highly relevant in the context of security. https://github.com/rm-hull/nvd-clojure/blob/v4.0.0/FAQ.md#how-to-remediate-a-cve-is-it-a-good-idea-to-automate-remediation Anyway, having choice seems good to me - it means more people are using NVD tooling. nvd-clojure's flavor aims to be simple and minimalistic.

Adam Helins10:01:34

It's true that in my custom monorepo setup, working with the classpath has been convenient. I have "modules" that can be combined in all sorts of ways and to be thorough it is best checking each meaningful combination. Although in that particular setup I still end up with a "master" deps.edn file so it looks like clj-holmes would work just as well.

👍 1