From 085ca83ebaf67df7017743f121988eaae32dbd48 Mon Sep 17 00:00:00 2001 From: Sean Corfield Date: Sun, 18 Aug 2024 22:24:08 -0700 Subject: [PATCH 1/4] address #103 Streamline dependency(-)check.properties overrides Signed-off-by: Sean Corfield --- README.md | 18 ++-- resources/dependency-check.properties | 133 +++++--------------------- 2 files changed, 33 insertions(+), 118 deletions(-) diff --git a/README.md b/README.md index 79b24cf..e77f64f 100644 --- a/README.md +++ b/README.md @@ -40,8 +40,8 @@ clojure -M:clj-watson scan -p deps.edn The first time it runs, it will download the entire vulnerability database, which can take several minutes. Subsequent runs will be much faster. -> [!NOTE] -> The database is stored in the `/tmp/db/` folder (on macOS/Linux) - in case you ever need to delete that folder, if it looks like the database is corrupted. +> [!NOTE] +> The database is stored in your local Maven cache (on macOS/Linux, that's under `~/.m2/repository/org/owasp/dependency-check-utils/10.0.3/data/9.0/` currently) - in case you ever need to delete that folder, if it looks like the database is corrupted. `clj-watson` can also be installed as a Clojure CLI tool: @@ -82,7 +82,7 @@ can be shortened to `:p` (matching the `-p` short form of `--deps-edn-path`). [DependencyCheck](https://github.com/jeremylong/DependencyCheck) is the most widely used method among the Clojure/Java SCA tools. It: -1. Downloads a database of known vulnerabilities from [NIST NVD](https://nvd.nist.gov/), storing it locally under your `/tmp/db/` folder +1. Downloads a database of known vulnerabilities from [NIST NVD](https://nvd.nist.gov/), storing it locally (inside your local Maven cache, under `~/.m2/repository/org/owasp/dependency-check-utils/10.0.3/data/9.0/` currently). 3. Scans JARs from dependencies specified in your `deps.edn` 4. Composes a [Common Platform Enumeration (CPE)](https://nvd.nist.gov/products/cpe) based on your dependencies 5. Returns any matching vulnerabilities 
@@ -129,7 +129,7 @@ clojure -J-Dnvd.api.key= -Tclj-watson scan :p deps.edn Replace `` with your actual api key. > [!CAUTION] -> You could specify this system property under `:jvm-opts` in your `deps.edn` under your `:clj-watson` alias, but be careful not to commit it to version control. +> You could specify this system property under `:jvm-opts` in your `deps.edn` under your `:clj-watson` alias, but be careful not to commit it to version control. ##### Via the `clj-watson.properties` File @@ -154,7 +154,7 @@ Or: clojure -Tclj-watson scan :p deps.edn :clj-watson-properties ./clj-watson.properties ``` -> [!CAUTION] +> [!CAUTION] > Be careful not to commit your key to version control. ### GitHub Advisory Database [experimental] @@ -233,7 +233,7 @@ the `--suggest-fix` or `-s` option when running `clj-watson`. # Installation > [!IMPORTANT] -> You'll need to [setup your NVD API key](#nist-nvd-api). +> You'll need to [setup your NVD API key](#nist-nvd-api). `clj-watson` can be installed as a Clojure CLI tool, as shown above. While this is the easiest way to install the latest version and keep it up-to-date @@ -315,9 +315,7 @@ its own `dependency-check.properties` file, and then look for a additional properties to apply to the DependencyCheck scan. If you provide `-d` (or `--dependency-check-properties`) then `clj-watson` will -load that file instead of its own `dependency-check.properties` file so it -needs to be a complete properties file, not just the properties you want to -override. +load that file instead of its own `dependency-check.properties` file. If you provide `-w` (or `--clj-watson-properties`) then `clj-watson` will load that file and apply those properties to the dependency-check scan. This is 
@@ -331,7 +329,7 @@ file, but it is recommended that you also provide the `-s` option so `clj-watson` will try to suggest remediations for any vulnerabilities found. > [!IMPORTANT] -> You'll need to first [setup your NVD API key](#nist-nvd-api). +> You'll need to first [setup your NVD API key](#nist-nvd-api). ```bash clojure -M:clj-watson -p deps.edn diff --git a/resources/dependency-check.properties b/resources/dependency-check.properties index f817b20..5ca7cca 100644 --- a/resources/dependency-check.properties +++ b/resources/dependency-check.properties 
@@ -1,119 +1,36 @@ # replaced ${pom.*} with actual values: odc.application.name=clj-watson odc.application.version=5.0.0 -odc.autoupdate=true -odc.analysis.timeout=30 -odc.settings.mask=.*password.*,.*token.* -odc.reports.pretty.print=false -odc.ecosystem.maxquerylimit.native=1000 -odc.ecosystem.maxquerylimit.default=100 -engine.version.url=https://jeremylong.github.io/DependencyCheck/current.txt - -database.batchinsert.enabled=true -database.batchinsert.maxsize=3000 - -data.version=5.2 -data.directory=/tmp/db/ -data.connection_string=jdbc:h2:file:%s;AUTOCOMMIT=ON;CACHE_SIZE=65536;RETENTION_TIME=1000;MAX_COMPACT_TIME=10000; -data.writelock.shutdownhook=org.owasp.dependencycheck.utils.WriteLockCleanupHook -data.driver_name=org.h2.Driver - -proxy.disableSchemas=true - -# nvd.api.key must be provided by the user: -#nvd.api.key=... -nvd.api.check.validforhours=12 -nvd.api.datafeed.startyear=2002 -nvd.api.datafeed.validfordays=7 -nvd.api.delay=2000 -nvd.api.max.retry.count=10 -# unused nvd.api.* keys: -#nvd.api.datafeed.url= -#nvd.api.datafeed.user= -#nvd.api.datafeed.password= - -cve.url.modified.validfordays=7 -cve.check.validforhours=12 -cve.startyear=2002 -cve.url.original=https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz -cve.url.modified=https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz -cve.url.base=https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-%d.json.gz -cve.cpe.startswith.filter=cpe:2.3:a: - -nvd.newyear.grace.period=10 - -max.download.threads=8 - -cpe.validfordays=30 - -cpe.url=https://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz - -central.content.url=https://search.maven.org/remotecontent?filepath= - -archive.scan.depth=10 - -downloader.quick.query.timestamp=true -downloader.tls.protocols=TLSv1.1,TLSv1.2,TLSv1.3 - -junit.fail.on.cvss=0 - -analyzer.nexus.url=https://repository.sonatype.org/service/local/ -analyzer.central.url=https://search.maven.org/solrsearch/select 
-analyzer.central.query=%s?q=1:%s&wt=xml -analyzer.central.retry.count=7 -analyzer.central.parallel.analysis=true -analyzer.central.use.cache=true -analyzer.ossindex.enabled=true -analyzer.ossindex.url=https://ossindex.sonatype.org -analyzer.ossindex.use.cache=true -analyzer.node.audit.url=https://registry.npmjs.org/-/npm/v1/security/audits -analyzer.node.audit.use.cache=false -analyzer.experimental.enabled=false -analyzer.retired.enabled=false -analyzer.jar.enabled=true +# turn off all the analyzers that don't matter for JVM projects: analyzer.archive.enabled=false -analyzer.node.package.enabled=false -analyzer.node.audit.enabled=false -analyzer.yarn.audit.enabled=true +analyzer.artifactory.enabled=false +analyzer.assembly.enabled=false +analyzer.autoconf.enabled=false +analyzer.bundle.audit.enabled=false +analyzer.carthage.enabled=false +analyzer.cmake.enabled=false +analyzer.cocoapods.enabled=false +analyzer.composer.lock.enabled=false +analyzer.cpanfile.enabled=false +analyzer.dart.enabled=false analyzer.golang.dep.enabled=false -analyzer.retirejs.enabled=false -analyzer.retirejs.repo.validforhours=24 -analyzer.retirejs.repo.js.url=https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json -analyzer.retirejs.filternonvulnerable=false analyzer.golang.mod.enabled=false -analyzer.mix.audit.enabled=true -analyzer.composer.lock.enabled=false +analyzer.msbuildproject.enabled=false +analyzer.nexus.proxy=false +analyzer.node.audit.enabled=false +analyzer.node.audit.use.cache=false +analyzer.node.package.enabled=false +analyzer.nugetconf.enabled=false +analyzer.nuspec.enabled=false +analyzer.pip.enabled=false +analyzer.pipfile.enabled=false +analyzer.pnpm.audit.enabled=false +analyzer.poetry.enabled=false analyzer.python.distribution.enabled=false analyzer.python.package.enabled=false +analyzer.retirejs.enabled=false +analyzer.retirejs.filternonvulnerable=false analyzer.ruby.gemspec.enabled=false -analyzer.bundle.audit.enabled=false 
-analyzer.autoconf.enabled=false -analyzer.pip.enabled=false -analyzer.pipfile.enabled=false -analyzer.cmake.enabled=false -analyzer.assembly.enabled=false -analyzer.nuspec.enabled=false -analyzer.nugetconf.enabled=false -analyzer.msbuildproject.enabled=false -analyzer.openssl.enabled=true -analyzer.central.enabled=true -analyzer.nexus.enabled=false -analyzer.cocoapods.enabled=true analyzer.swift.package.manager.enabled=false -analyzer.nexus.proxy=false -analyzer.cpe.enabled=true -analyzer.npm.cpe.enabled=true -analyzer.cpesuppression.enabled=true -analyzer.dependencybundling.enabled=true -analyzer.dependencymerging.enabled=true -analyzer.falsepositive.enabled=true -analyzer.filename.enabled=true -analyzer.pe.enabled=true -analyzer.hint.enabled=true -analyzer.nvdcve.enabled=true -analyzer.vulnerabilitysuppression.enabled=true -updater.nvdcve.enabled=true -updater.versioncheck.enabled=true -analyzer.versionfilter.enabled=true -analyzer.artifactory.enabled=false +analyzer.swift.package.resolved.enabled=false From 1c9a1e7b418dd840a549e3b84dca11ac5a5ecc88 Mon Sep 17 00:00:00 2001 From: Sean Corfield Date: Sun, 18 Aug 2024 22:38:19 -0700 Subject: [PATCH 2/4] note #103 in the changelog Signed-off-by: Sean Corfield --- CHANGELOG.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c55a82f..d947a61 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # CHANGELOG -* Unreleased +* Unreleased (6.0.0): * Fix: show score and severity in dependency-check findings [#58](https://github.com/clj-holmes/clj-watson/issues/58) * Bump deps [#75](https://github.com/clj-holmes/clj-watson/issues/75) * Improve command line experience [#77](https://github.com/clj-holmes/clj-watson/issues/77) 
@@ -8,6 +8,8 @@ * Explicitly close the dependency-check engine when we are done with it [#86](https://github.com/clj-holmes/clj-watson/issues/86) * Respect dependency-check `odc.autoupdate` property [#88](https://github.com/clj-holmes/clj-watson/issues/88) * Replace deprecated clj-time dep with JDK8 java.time interop [#83](https://github.com/clj-holmes/clj-watson/issues/83) + * Streamline `dependency-check.properties` file [#103](https://github.com/clj-holmes/clj-watson/issues/103) so that it only includes properties which need to be different from the defaults in the core DependencyCheck configuration. + * This changes the default location of the local database used for analysis from `/tmp/db` to a directory within your local Maven cache (DependencyCheck's default location), which makes `clj-watson` more CI-friendly since `~/.m2` is typically cached in CI. **The first time you run `clj-watson` 6.0.0, it will download the entire NIST NVD database!** * Improve feedback during scan * Stop suppressing all logging [#68](https://github.com/clj-holmes/clj-watson/issues/68) * Suppress noisy INFO level logging from Apache Commons JCS [#69](https://github.com/clj-holmes/clj-watson/issues/69) @@ -15,10 +17,10 @@ * v5.1.3 5812615 -- 2024-07-31 * Address [#60](https://github.com/clj-holmes/clj-watson/issues/60) by updating `org.owasp/dependency-check-core` to 10.0.3. - + * v5.1.2 ae20e1e -- 2024-03-20 * GitHub Advisory: fix matching CVE for allowlist via PR [#59](https://github.com/clj-holmes/clj-watson/pull/59) [@markomafs](https://github.com/markomafs). - + * v5.1.1 ad5fe07 -- 2024-01-15 * Address [#49](https://github.com/clj-holmes/clj-watson/issues/49) by improving the `-T` invocation to support short names, symbols for strings, and all the defaults. * Address [#48](https://github.com/clj-holmes/clj-watson/issues/48) by updating all of the project dependencies, including DependencyCheck to 9.0.8. From df308c1d84537a5421ff69f305ff494ea6b70d19 Mon Sep 17 00:00:00 2001 
From: Sean Corfield Date: Mon, 19 Aug 2024 14:02:50 -0700 Subject: [PATCH 3/4] match nvd-clojure per @lread Signed-off-by: Sean Corfield --- resources/dependency-check.properties | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/resources/dependency-check.properties b/resources/dependency-check.properties index 5ca7cca..06096f3 100644 --- a/resources/dependency-check.properties +++ b/resources/dependency-check.properties @@ -3,7 +3,6 @@ odc.application.name=clj-watson odc.application.version=5.0.0 # turn off all the analyzers that don't matter for JVM projects: -analyzer.archive.enabled=false analyzer.artifactory.enabled=false analyzer.assembly.enabled=false analyzer.autoconf.enabled=false @@ -16,13 +15,16 @@ analyzer.cpanfile.enabled=false analyzer.dart.enabled=false analyzer.golang.dep.enabled=false analyzer.golang.mod.enabled=false +analyzer.mix.audit.enabled=false analyzer.msbuildproject.enabled=false analyzer.nexus.proxy=false analyzer.node.audit.enabled=false analyzer.node.audit.use.cache=false analyzer.node.package.enabled=false +analyzer.npm.cpe.enabled=false analyzer.nugetconf.enabled=false analyzer.nuspec.enabled=false +analyzer.openssl.enabled=false analyzer.pip.enabled=false analyzer.pipfile.enabled=false analyzer.pnpm.audit.enabled=false @@ -34,3 +36,4 @@ analyzer.retirejs.filternonvulnerable=false analyzer.ruby.gemspec.enabled=false analyzer.swift.package.manager.enabled=false analyzer.swift.package.resolved.enabled=false +analyzer.yarn.audit.enabled=false From 0eeacac4727377ce81d598ba78f37fe7e9655828 Mon Sep 17 00:00:00 2001 From: Sean Corfield Date: Mon, 19 Aug 2024 16:22:09 -0700 Subject: [PATCH 4/4] add missing env var support to change log Signed-off-by: Sean Corfield --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d947a61..3461c80 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -8,6 +8,7 @@ * Explicitly close the dependency-check engine when we are done with it [#86](https://github.com/clj-holmes/clj-watson/issues/86) * Respect dependency-check `odc.autoupdate` property [#88](https://github.com/clj-holmes/clj-watson/issues/88) * Replace deprecated clj-time dep with JDK8 java.time interop [#83](https://github.com/clj-holmes/clj-watson/issues/83) + * Allow properties to be specified via environment variables [#104](https://github.com/clj-holmes/clj-watson/issues/104) to make it easier to use `clj-watson` in CI/CD pipelines. * Streamline `dependency-check.properties` file [#103](https://github.com/clj-holmes/clj-watson/issues/103) so that it only includes properties which need to be different from the defaults in the core DependencyCheck configuration. * This changes the default location of the local database used for analysis from `/tmp/db` to a directory within your local Maven cache (DependencyCheck's default location), which makes `clj-watson` more CI-friendly since `~/.m2` is typically cached in CI. **The first time you run `clj-watson` 6.0.0, it will download the entire NIST NVD database!** * Improve feedback during scan
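Review bot: the new NOTE in the README hunk at `@@ -40,8 +40,8 @@` (PATCH 1/4) hardcodes `~/.m2/repository/org/owasp/dependency-check-utils/10.0.3/data/9.0/`, which will silently go stale on the next `dependency-check-core` bump (the changelog context already shows the move from 9.0.8 to 10.0.3 across two releases). Suggest describing the location as DependencyCheck's default `data.directory` inside the local Maven cache, and noting that it can be overridden with a `data.directory=` line in a `-w` properties file, rather than spelling out the versioned path.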
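Review bot: in the README hunk at `@@ -82,7 +82,7 @@` (PATCH 1/4) the list that the changed `+1.` line belongs to jumps from 1 to 3 (`3. Scans JARs ...`), so either renumber the context items or use `1.` throughout and let markdown auto-number; this line repeats the same versioned path as the NOTE earlier in the README, so keep the two in sync if one is reworded.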
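Review bot: the README hunk at `@@ -315,9 +315,7 @@` (PATCH 1/4) drops the sentence saying a `-d` file had to be complete, but the replacement does not say what happens to keys such a file omits. Because clj-watson's own file now carries only the overrides in `resources/dependency-check.properties`, a user-supplied `-d` file that does not repeat them gets DependencyCheck's defaults, which re-enables every non-JVM analyzer clj-watson turns off. Suggest one sentence such as: `Any property not set in that file falls back to DependencyCheck's built-in default, so copy clj-watson's analyzer.*.enabled=false lines if you want the same scan scope.`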
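Review bot: two of the deleted lines in the `@@ -1,119 +1,36 @@` hunk of `resources/dependency-check.properties` (PATCH 1/4) deserve an explicit check rather than the blanket "defaults cover it": `odc.settings.mask=.*password.*,.*token.*` is the setting that masks matching settings when they are logged, and neither pattern would match `nvd.api.key` (the commented `#nvd.api.key=...` reminder is deleted in the same hunk), so confirm the upstream default mask covers the API key before relying on it; and `downloader.tls.protocols=TLSv1.1,TLSv1.2,TLSv1.3` listed TLSv1.1, so dropping the line is an improvement only if the upstream default does not also allow it. A short comment in the file recording which upstream defaults were verified would make future version bumps easier to review. Separately, the surviving `odc.application.version=5.0.0` context line is stale against the changelog's `Unreleased (6.0.0)`.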
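Review bot: the `@@ -3,7 +3,6 @@` hunk in PATCH 3/4 deletes `analyzer.archive.enabled=false`, which re-enables the archive analyzer directly under a header comment that says the block turns off "the analyzers that don't matter for JVM projects"; PATCH 1/4 also removed `archive.scan.depth=10`, so that analyzer now runs at DependencyCheck's default depth. If the intent is to pick up ear/war/nested archives, say so in a comment next to the header so the next reader does not "fix" it back to disabled.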
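Review bot: the bold warning in the CHANGELOG hunk at `@@ -8,6 +8,8 @@` (PATCH 2/4) about the full NVD download after upgrading to 6.0.0 should also tell users that the old `/tmp/db/` directory is no longer used and can be deleted, and that anyone already setting `data.directory` through a `-w` properties file is unaffected; otherwise readers will either keep a stale copy of the database around or assume their override was dropped.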
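Review bot: the added #104 line in the CHANGELOG hunk at `@@ -8,6 +8,7 @@` (PATCH 4/4) announces environment-variable configuration, but nothing in this series documents the variable naming or the precedence between environment variables, `-w`/`-d` files and `-J-Dnvd.api.key=`. Since the README's CAUTION blocks already warn against committing the key, the README's NVD API key section is the natural place to show the environment variable as the CI-friendly option; please add that alongside the changelog entry.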