This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
- # announcements (3)
- # babashka (63)
- # beginners (55)
- # calva (14)
- # cider (12)
- # clj-commons (20)
- # clj-kondo (22)
- # clojure (149)
- # clojure-europe (4)
- # clojurescript (25)
- # community-development (3)
- # conjure (9)
- # datomic (5)
- # emacs (2)
- # fulcro (2)
- # hyperfiddle (6)
- # lsp (23)
- # nbb (4)
- # pedestal (2)
- # reagent (26)
- # releases (3)
- # sql (3)
- # xtdb (6)
I just made a https://github.com/clj-commons/clj-yaml/pulls for clj-yaml to set up a nvd scanner. I think that would be useful for the other projects with transitive deps?
Probably makes sense? Might want to ask @U04V70XH6 what he uses, I vaguely remember him liking an alternative? I use the nvd scanner manually on cljdoc. I very much appreciated it. The only things I’m not crazy about are the overly wordy output and that it can generate quite a few false positives.
We were using https://github.com/rm-hull/nvd-clojure for a while but we switched to https://github.com/clj-holmes/clj-watson -- I prefer the output/control it provides and the ability to mark certain CVEs as "acceptable".
nvd-clojure accepts suppressions in this format https://jeremylong.github.io/DependencyCheck/general/suppression.html, which means one has control over what is "acceptable"
other than that I'd happily accept a specific issue with a suggestion! nvd-clojure tries to stand out by being very strict - we prioritize simple over easy when it comes to security. no second-guessing of classpath, or such
(un)fortunately you can skip the whole template machinery :) gh offers a link for that or you can delete the query params from the url
Thought/question: I'm a fan of specifying exact versions for deps, but is the nvd dep version one that should be set to RELEASE? I'm thinking it would be important to always use the latest security scanner.
An altermative would be to also check for outdated deps, but maybe RELEASE is a simpler compromise.
Good q! I would recomend to use fixed versions. That way you are encouraged to read the changelog (which
antq now links to!) and not possibly use a backwards-incompatible version (which I try to avoid as much as poss of course, but sometimes it's the right thing for security)
depends, I'm not much into blindly updating stuff. But maybe it makes sense for something like a clj-commons lib (whereas in an app it's just too much of a can of 🪱s) I do have antq (and clj-kondo) hard-failing Eastwood :)
as mentioned it depends :) antq in particular can be configured in a fine-grained way. also, I don't know the backstory of that snakeyaml upgrade but if it caused any problem, it might have been a good stimulus to revamp the CI / test suite
I typically update deps. I do read the changelogs. And do nvd security scans. And npm audits. And trivy image scans. For a lib I’m extra careful if the dep is included with a release. The only app I work on these days is cljdoc. Cons are these changes introduce some risk and can break things. Pros are that newcomers will have an easier time contributing, and I help the OSS community by ensuring my stuff works with current deps, and by uncovering and reporting issues in updates.