This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2021-09-08
Does anyone know if it's possible to trick GitHub's Dependabot into scanning vulnerabilities for a Clojure project if a pom.xml exists? I was thinking that the Java stuff should work 🙂
Currently using DependencyCheck/nvd from a pipeline. Would be cool to use Dependabot, though.
I don't believe that Dependabot is a good thing, but you can use clj -X:deps mvn-pom to create a pom file, commit it, then GitHub will do the thing for you. Dependabot IMHO has these same issues: https://overreacted.io/npm-audit-broken-by-design/
That article severely lacks nuance, btw; typical "famous twitter guy" syndrome. Most decent setups decouple dev/test from prod dependencies; if npm doesn't do that by default, it's their problem.
We have set up a lein-nvd job which runs nightly and on commits, and lein-nvd does search through the transitive deps as well.
lein-nvd is the way to go. I tried Dependabot, and generating a pom.xml does trigger it, but no transitive dependency detection 😮.
Thanks for the heads-up @U04V5VAUN