#clojurescript
2023-08-21
pavlosmelissinos 16:08:08

Hello! FYI Clojurescript apparently has some vulnerabilities, according to nvd-clojure... More info in 🧵!

pavlosmelissinos 16:08:57

On a project that has a single dependency on Clojurescript {:deps {org.clojure/clojurescript {:mvn/version "1.11.60"}}}, I'm getting this report:

+------------------------------------------------------------------------------------------+------------------------------+
| dependency                                                                               | status                       |
+------------------------------------------------------------------------------------------+------------------------------+
| clojurescript-1.11.60.jar                                                                | CVE-2023-0247                |
| closure-compiler-unshaded-v20220502.jar/META-INF/maven/com.google.code.gson/gson/pom.xml | CVE-2022-25647               |
| closure-compiler-unshaded-v20220502.jar/META-INF/maven/com.google.guava/guava/pom.xml    | CVE-2023-2976, CVE-2020-8908 |
| google-closure-library-0.0-20211011-0726fdeb.jar                                         | CVE-2020-8910                |
| jackson-core-2.8.7.jar                                                                   | CVE-2018-1000873             |
+------------------------------------------------------------------------------------------+------------------------------+
If I use the latest version on github,
{:deps {org.clojure/clojurescript {:git/sha "15539d253059e52dba600616b2a812206b29a171"
                                    :git/url ""}}}
I get this report instead:
+------------------------------------------------------------------------------------------+------------------------------+
| dependency                                                                               | status                       |
+------------------------------------------------------------------------------------------+------------------------------+
| closure-compiler-unshaded-v20220502.jar/META-INF/maven/com.google.code.gson/gson/pom.xml | CVE-2022-25647               |
| closure-compiler-unshaded-v20220502.jar/META-INF/maven/com.google.guava/guava/pom.xml    | CVE-2023-2976, CVE-2020-8908 |
| google-closure-library-0.0-20230227-c7c0a541.jar                                         | CVE-2020-8910                |
| jackson-core-2.8.7.jar                                                                   | CVE-2018-1000873             |
+------------------------------------------------------------------------------------------+------------------------------+
If I modify my deps.edn to something like this:
:deps      {org.clojure/clojurescript {:git/sha "15539d253059e52dba600616b2a812206b29a171"
                                        :git/url ""
                                        :exclusions [com.google.javascript/closure-compiler-unshaded
                                                     com.fasterxml.jackson.core/jackson-core]}
             com.google.javascript/closure-compiler-unshaded {:mvn/version "v20230802"
                                                              :exclusions [com.google.guava/guava]}
             com.fasterxml.jackson.core/jackson-core {:mvn/version "2.15.2"}
             com.google.guava/guava {:mvn/version "32.1.2-jre"}}
I get this report:
+--------------------------------------------------+---------------+
| dependency                                       | status        |
+--------------------------------------------------+---------------+
| closure-compiler-unshaded-v20230802.jar          | CVE-2020-8910 |
| google-closure-library-0.0-20230227-c7c0a541.jar | CVE-2020-8910 |
+--------------------------------------------------+---------------+
which is the closest I've managed to get to zero reported vulnerabilities. I'm going to suppress all of these anyway because they're not important enough but I'd like to request: 1. a version bump of the dependencies that can actually be fixed 2. a new patch release if that's possible... 3. a way to fix closure-compiler and google closure library so I don't have to tell nvd-clojure to shush 😄 So is anything like this already on your radar, or should I open an ask? (I searched on http://ask.clojure.org but didn't find anything, apologies if I missed something) edit: CVE-2020-8910 suspiciously looks like a false positive :thinking_face:

vemv 16:08:09

Note that this is a faq on the #C03S1L9DN channel, please check out the previous threads for understanding why this typically doesn't matter, and how you may want to set up nvd-clojure to not bother you with cljs deps (tldr: analyze it for your backend classpath, and making sure clojurescript is not in it. Which typically is good dependency management!) Thanks for using nvd-clojure.

pavlosmelissinos 16:08:16

You're right, I should have searched here too before I asked... 😞
> analyze it for your backend classpath, and making sure clojurescript is not in it
That's good advice! The thing is I'm using datahike, which brings in clojurescript. I asked them first and they said they're going to remove that dependency eventually but I thought I'd share my findings here too, just in case. Thanks again!

seancorfield 16:08:33

Dev-time-only CVEs are annoying but can be ignored to some extent.

๐Ÿ‘ 4
vemv16:08:12

It's no issue @UEQPKG7HQ ! I quite often add :exclusions [org.clojure/clojurescript] , for reasons other than NVD. e.g. it can bloat/complicate the dependency tree.

๐Ÿ‘ 2
phill21:08:08

@UEQPKG7HQ, notwithstanding all the above, you could start a question on http://ask.clojure.org. The problem (as explained above) is usually not a security hole, the problem is tedious and burdensome questions about why the ClojureScript compiler involves CVEs. A ClojureScript kept tidy of CVEs would require fewer tedious explanations.

๐Ÿ‘ 4
djblue18:08:41

I do this with js exceptions:

;; Convert a JS Error (or any thrown JS value) into a Clojure-style
;; error map, shaped like the output of Throwable->map on the JVM.
(defn error->data [ex]
  (merge
   ;; ex-info-style errors carry extra data on the .data property
   (when-let [data (.-data ex)]
     {:data data})
   {:runtime :cljs
    :cause   (.-message ex)
    ;; :via mirrors the JVM shape: one entry per exception in the chain
    :via     [{:type    (symbol (.-name (type ex)))
               :message (.-message ex)}]
    :stack   (.-stack ex)}))
Although, I think the next release will have something similar baked into cljs via https://github.com/clojure/clojurescript/blob/master/src/main/cljs/cljs/core.cljs#L11825-L11860

๐Ÿ‘ 2