Merge pull request #82 from yetanalytics/update-nvd-clojure

Update nvd-clojure and fix Jackson CVEs

.github/workflows/ci.yml

@@ -35,9 +35,9 @@ jobs:
         run: make test
 
   nvd_scan:
-    uses: yetanalytics/actions/.github/workflows/[email protected].3
+    uses: yetanalytics/actions/.github/workflows/[email protected].4
     with:
-      nvd-clojure-version: '2.0.0'
+      nvd-clojure-version: '2.9.0'
       classpath-command: 'clojure -Spath -A:cli'
       nvd-config-filename: '.nvd/config.json'
 

.github/workflows/nvd_sched.yml

@@ -6,9 +6,9 @@ on:
 
 jobs:
   nvd_scan:
-    uses: yetanalytics/actions/.github/workflows/[email protected].3
+    uses: yetanalytics/actions/.github/workflows/[email protected].4
     with:
-      nvd-clojure-version: '2.0.0'
+      nvd-clojure-version: '2.9.0'
       classpath-command: 'clojure -Spath -A:cli'
       nvd-config-filename: '.nvd/config.json'
 

deps.edn

@@ -15,21 +15,7 @@
          :exclusions [org.clojure/clojurescript]}
         org.clojure/data.json {:mvn/version "2.4.0"}
         com.cognitect/transit-clj {:mvn/version "1.0.324"}
-        ;; Include Jackson to avoid CVE
-        cheshire/cheshire
-        {:mvn/version "5.10.2"
-         :exclusions [com.fasterxml.jackson.core/jackson-core
-                      com.fasterxml.jackson.dataformat/jackson-dataformat-smile
-                      com.fasterxml.jackson.dataformat/jackson-dataformat-cbor
-                      com.fasterxml.jackson.core/jackson-databind]}
-        com.fasterxml.jackson.core/jackson-core
-        {:mvn/version "2.13.2"}
-        com.fasterxml.jackson.dataformat/jackson-dataformat-smile
-        {:mvn/version "2.13.2"}
-        com.fasterxml.jackson.dataformat/jackson-dataformat-cbor
-        {:mvn/version "2.13.2"}
-        com.fasterxml.jackson.core/jackson-databind
-        {:mvn/version "2.13.2.1"}}
+        cheshire/cheshire {:mvn/version "5.11.0"}}
  :aliases
  {:cli {:extra-paths ["src/cli"]
         :extra-deps {org.clojure/tools.cli {:mvn/version "1.0.206"}