Address #103 properties file simplification

README.md

@@ -40,8 +40,8 @@ clojure -M:clj-watson scan -p deps.edn
 The first time it runs, it will download the entire vulnerability database, which
 can take several minutes. Subsequent runs will be much faster.
 
-> [!NOTE] 
-> The database is stored in the `/tmp/db/` folder (on macOS/Linux) - in case you ever need to delete that folder, if it looks like the database is corrupted.
+> [!NOTE]
+> The database is stored in your local Maven cache (on macOS/Linux, that's under `~/.m2/repository/org/owasp/dependency-check-utils/10.0.3/data/9.0/` currently) - in case you ever need to delete that folder, if it looks like the database is corrupted.
 
 `clj-watson` can also be installed as a Clojure CLI tool:
 
@@ -82,7 +82,7 @@ can be shortened to `:p` (matching the `-p` short form of `--deps-edn-path`).
 
 [DependencyCheck](https://github.com/jeremylong/DependencyCheck) is the most
 widely used method among the Clojure/Java SCA tools. It:
-1. Downloads a database of known vulnerabilities from [NIST NVD](https://nvd.nist.gov/), storing it locally under your `/tmp/db/` folder
+1. Downloads a database of known vulnerabilities from [NIST NVD](https://nvd.nist.gov/), storing it locally (inside your local Maven cache, under `~/.m2/repository/org/owasp/dependency-check-utils/10.0.3/data/9.0/` currently).
 3. Scans JARs from dependencies specified in your `deps.edn`
 4. Composes a [Common Platform Enumeration (CPE)](https://nvd.nist.gov/products/cpe) based on your dependencies
 5. Returns any matching vulnerabilities
@@ -129,7 +129,7 @@ clojure -J-Dnvd.api.key=<your key here> -Tclj-watson scan :p deps.edn
 Replace `<your key here>` with your actual api key.
 
 > [!CAUTION]
-> You could specify this system property under `:jvm-opts` in your `deps.edn` under your `:clj-watson` alias, but be careful not to commit it to version control. 
+> You could specify this system property under `:jvm-opts` in your `deps.edn` under your `:clj-watson` alias, but be careful not to commit it to version control.
 
 ##### Via the `clj-watson.properties` File
 
@@ -154,7 +154,7 @@ Or:
 clojure -Tclj-watson scan :p deps.edn :clj-watson-properties ./clj-watson.properties
 ```
 
-> [!CAUTION] 
+> [!CAUTION]
 > Be careful not to commit your key to version control.
 
 ### GitHub Advisory Database [experimental]
@@ -233,7 +233,7 @@ the `--suggest-fix` or `-s` option when running `clj-watson`.
 # Installation
 
 > [!IMPORTANT]
-> You'll need to [setup your NVD API key](#nist-nvd-api). 
+> You'll need to [setup your NVD API key](#nist-nvd-api).
 
 `clj-watson` can be installed as a Clojure CLI tool, as shown above. While
 this is the easiest way to install the latest version and keep it up-to-date
@@ -315,9 +315,7 @@ its own `dependency-check.properties` file, and then look for a
 additional properties to apply to the DependencyCheck scan.
 
 If you provide `-d` (or `--dependency-check-properties`) then `clj-watson` will
-load that file instead of its own `dependency-check.properties` file so it
-needs to be a complete properties file, not just the properties you want to
-override.
+load that file instead of its own `dependency-check.properties` file.
 
 If you provide `-w` (or `--clj-watson-properties`) then `clj-watson` will load
 that file and apply those properties to the dependency-check scan. This is
@@ -331,7 +329,7 @@ file, but it is recommended that you also provide the `-s` option so
 `clj-watson` will try to suggest remediations for any vulnerabilities found.
 
 > [!IMPORTANT]
-> You'll need to first [setup your NVD API key](#nist-nvd-api). 
+> You'll need to first [setup your NVD API key](#nist-nvd-api).
 
 ```bash
 clojure -M:clj-watson -p deps.edn

resources/dependency-check.properties

@@ -1,119 +1,36 @@
 # replaced ${pom.*} with actual values:
 odc.application.name=clj-watson
 odc.application.version=5.0.0
-odc.autoupdate=true
-odc.analysis.timeout=30
-odc.settings.mask=.*password.*,.*token.*
-odc.reports.pretty.print=false
-odc.ecosystem.maxquerylimit.native=1000
-odc.ecosystem.maxquerylimit.default=100
 
-engine.version.url=https://jeremylong.github.io/DependencyCheck/current.txt
-
-database.batchinsert.enabled=true
-database.batchinsert.maxsize=3000
-
-data.version=5.2
-data.directory=/tmp/db/
-data.connection_string=jdbc:h2:file:%s;AUTOCOMMIT=ON;CACHE_SIZE=65536;RETENTION_TIME=1000;MAX_COMPACT_TIME=10000;
-data.writelock.shutdownhook=org.owasp.dependencycheck.utils.WriteLockCleanupHook
-data.driver_name=org.h2.Driver
-
-proxy.disableSchemas=true
-
-# nvd.api.key must be provided by the user:
-#nvd.api.key=...
-nvd.api.check.validforhours=12
-nvd.api.datafeed.startyear=2002
-nvd.api.datafeed.validfordays=7
-nvd.api.delay=2000
-nvd.api.max.retry.count=10
-# unused nvd.api.* keys:
-#nvd.api.datafeed.url=
-#nvd.api.datafeed.user=
-#nvd.api.datafeed.password=
-
-cve.url.modified.validfordays=7
-cve.check.validforhours=12
-cve.startyear=2002
-cve.url.original=https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz
-cve.url.modified=https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz
-cve.url.base=https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-%d.json.gz
-cve.cpe.startswith.filter=cpe:2.3:a:
-
-nvd.newyear.grace.period=10
-
-max.download.threads=8
-
-cpe.validfordays=30
-
-cpe.url=https://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz
-
-central.content.url=https://search.maven.org/remotecontent?filepath=
-
-archive.scan.depth=10
-
-downloader.quick.query.timestamp=true
-downloader.tls.protocols=TLSv1.1,TLSv1.2,TLSv1.3
-
-junit.fail.on.cvss=0
-
-analyzer.nexus.url=https://repository.sonatype.org/service/local/
-analyzer.central.url=https://search.maven.org/solrsearch/select
-analyzer.central.query=%s?q=1:%s&wt=xml
-analyzer.central.retry.count=7
-analyzer.central.parallel.analysis=true
-analyzer.central.use.cache=true
-analyzer.ossindex.enabled=true
-analyzer.ossindex.url=https://ossindex.sonatype.org
-analyzer.ossindex.use.cache=true
-analyzer.node.audit.url=https://registry.npmjs.org/-/npm/v1/security/audits
-analyzer.node.audit.use.cache=false
-analyzer.experimental.enabled=false
-analyzer.retired.enabled=false
-analyzer.jar.enabled=true
+# turn off all the analyzers that don't matter for JVM projects:
 analyzer.archive.enabled=false
-analyzer.node.package.enabled=false
-analyzer.node.audit.enabled=false
-analyzer.yarn.audit.enabled=true
+analyzer.artifactory.enabled=false
+analyzer.assembly.enabled=false
+analyzer.autoconf.enabled=false
+analyzer.bundle.audit.enabled=false
+analyzer.carthage.enabled=false
+analyzer.cmake.enabled=false
+analyzer.cocoapods.enabled=false
+analyzer.composer.lock.enabled=false
+analyzer.cpanfile.enabled=false
+analyzer.dart.enabled=false
 analyzer.golang.dep.enabled=false
-analyzer.retirejs.enabled=false
-analyzer.retirejs.repo.validforhours=24
-analyzer.retirejs.repo.js.url=https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json
-analyzer.retirejs.filternonvulnerable=false
 analyzer.golang.mod.enabled=false
-analyzer.mix.audit.enabled=true
-analyzer.composer.lock.enabled=false
+analyzer.msbuildproject.enabled=false
+analyzer.nexus.proxy=false
+analyzer.node.audit.enabled=false
+analyzer.node.audit.use.cache=false
+analyzer.node.package.enabled=false
+analyzer.nugetconf.enabled=false
+analyzer.nuspec.enabled=false
+analyzer.pip.enabled=false
+analyzer.pipfile.enabled=false
+analyzer.pnpm.audit.enabled=false
+analyzer.poetry.enabled=false
 analyzer.python.distribution.enabled=false
 analyzer.python.package.enabled=false
+analyzer.retirejs.enabled=false
+analyzer.retirejs.filternonvulnerable=false
 analyzer.ruby.gemspec.enabled=false
-analyzer.bundle.audit.enabled=false
-analyzer.autoconf.enabled=false
-analyzer.pip.enabled=false
-analyzer.pipfile.enabled=false
-analyzer.cmake.enabled=false
-analyzer.assembly.enabled=false
-analyzer.nuspec.enabled=false
-analyzer.nugetconf.enabled=false
-analyzer.msbuildproject.enabled=false
-analyzer.openssl.enabled=true
-analyzer.central.enabled=true
-analyzer.nexus.enabled=false
-analyzer.cocoapods.enabled=true
 analyzer.swift.package.manager.enabled=false
-analyzer.nexus.proxy=false
-analyzer.cpe.enabled=true
-analyzer.npm.cpe.enabled=true
-analyzer.cpesuppression.enabled=true
-analyzer.dependencybundling.enabled=true
-analyzer.dependencymerging.enabled=true
-analyzer.falsepositive.enabled=true
-analyzer.filename.enabled=true
-analyzer.pe.enabled=true
-analyzer.hint.enabled=true
-analyzer.nvdcve.enabled=true
-analyzer.vulnerabilitysuppression.enabled=true
-updater.nvdcve.enabled=true
-updater.versioncheck.enabled=true
-analyzer.versionfilter.enabled=true
-analyzer.artifactory.enabled=false
+analyzer.swift.package.resolved.enabled=false