Fork me on GitHub

maintainer here, how can I help you?


We started using it at our company and it's been useful in finding CVEs in our products.

❤️ 1

@U45T93RA6 I´m trying to use it, but I don´t know what is the problem running it

clj -M:nvd
Execution error (ArtifactNotFoundException) at org.eclipse.aether.connector.basic.ArtifactTransportListener/transferFailed (
Could not find artifact in glassfish-repository ()


clj -M:nvd doesn't look like one of the APIs we intend to keep supporting. All the more recent APIs are based in receiving a classpath string that users are responsible for computing. So nvd-clojure doesn't have to be concerned at all with Maven repositories. This is well described in Next release will make the README clearer in this regard, and also deprecate old APIs :)

🙌 1

I use it via the "tools" install. Very convenient since it's globally available and easy to run inside any project!

👍 1

@U45T93RA6 Indeed, I tried using the -M alias the first time I used it, and it resulted in similar errors. Instead we came up with a reliable solution: Add the following to your deps.edn file:

{:replace-deps {nvd-clojure/nvd-clojure {:mvn/version "1.9.0"}}
 :ns-default   nvd.task}
Then perform the following on the CLI (or stick it in a Makefile):
clojure -Xnvd check :classpath '"'"$$(clojure -Spath -A:your:aliases:here)"'"'

👍 1

Yes, that looks reasonable as well!

Drew Verlee05:12:40

The end result is something checks your deps verison numbers against a list of repored bugs right? It's not doing some sort of analysis and sending your code into the could anywhere right?


@U0DJ4T5U1 Right, it checks your dependencies against known vulnerabilities -- so it won't report problems in libraries that it doesn't know anything about (like "most Clojure libraries" -- it's pretty much all about well-known Java libraries).

👍 2

Related I gave an honorary mention to :replace-deps in the updated README. Generally I don't want to invite people to hack much with Lein or deps.edn (especially Lein!) since any mistake can mean that the tool becomes less useful for you, and needs more babysitting for us maintainers in form of issue reports. But as long as you know what you're doing / can ensure it, it SGTM!

👍 1
paola pereira01:05:27

Hello! Using here, but I got an error that appear to be a false positive on core.async (CVE-2021-43138). Trying to supress this specific vulnerability creating my config file. I followed example, but when I run

clojure -Xnvd check :config-filename "$(pwd)/nvd/config.json" :classpath '"'"$(clojure -Spath -A:any:aliases)"'"'
I got:

paola pereira01:05:13

Am I doing something wrong?


Strings need to be quoted for EDN consumption on the command-line, so it would be '"string"' however that won't expand $(..) which is why the :classpath is specified with that strange quote pattern


This should work:

clojure -Xnvd check :config-filename '"'"$(pwd)/nvd/config.json"'"' :classpath '"'"$(clojure -Spath -A:any:aliases)"'"'


(that's a feature of the Clojure CLI -- )

🙌 1
paola pereira01:05:00

nice!! It worked!


Don't hesitate to use the issue tracker for further questions. Cheers 🙂

Muhammad Hamza Chippa19:12:14

can I use ajax (or similar) in .clj file ?

Cora (she/her)20:12:39

you can make http calls, if that's what you mean

Muhammad Hamza Chippa20:12:41

like we call the API in .cljs file using ajax, ajax is not available for .clj file

Cora (she/her)20:12:20

ajax, at its core, is just sending http requests and doing something with the response. more specifically it is making the calls asynchronously and doing something with the response

🙌 1
Cora (she/her)20:12:10

so any http library in clojure will be able to perform requests like that and some even support doing them asynchronously out of the box. if they don't support it natively you could always use a future to make it be async

🙌 1
Cora (she/her)20:12:42

a commonly used library is clj-http and that supports async http requests. another is httpkit which also supports them. hato is a lightweight http client library for jdk11+ which also supports async requests.

👍 1

Is there a channel for mentioning a Clojure job (in Austin)?




Or #jobs (be sure to mention the location) or #remote-jobs (if remote is applicable).

👍 1