Comments (4)
Hey @seancorfield, here it is: nvd-clojure gives the package name and CVEs. clj-watson produces more information regarding the vulnerable package, like the dependency tree, the CVSS of each vulnerability and, most importantly, a suggested fix for each vulnerability.
from clj-watson.
Sounds like good information for your README, so others don't have to ask the same question.
Your README doesn't explain how to install clj-watson. Can it be used via git deps and -X or -T?
I tried a few invocations that failed with mysterious exceptions and reverted to -M -m, which "worked" but produced no output:
(! 645)-> clojure -Sdeps '{:deps {io.github.clj-holmes/clj-watson {:git/sha "a1b37f23b04e8b95313a1ba6bfe4f0379607da3b"}}}' -M -m clj-watson.cli scan -p deps.edn
Downloading/Updating database.
Download/Update completed.
Since nvd-clojure finds CVEs in some of our dependencies, I'm guessing clj-watson doesn't check what dependencies are in aliases (and there's no way to tell it what aliases should be in effect)?
I'll take this to Slack and see if we can hammer it out interactively. I'm not sure whether our use case (monorepo, Polylith style) is supported by clj-watson and I can't tell from your README what is actually supposed to work.
Since the discussion has migrated to clojurians slack I'll close this issue.