From 31deafb48575f9dda60bbc8a028d88578fc81050 Mon Sep 17 00:00:00 2001 From: vemv Date: Sun, 26 Nov 2023 07:37:55 +0000 Subject: [PATCH] 4.0.0 --- .github/ISSUE_TEMPLATE/bug.yml | 4 +-- .github/ISSUE_TEMPLATE/issue.yml | 4 +-- .github/dogfooding_suppressions.xml | 8 +++++ .github/workflows/ci.yaml | 4 +++ CHANGELOG.md | 7 ++++ Makefile | 2 +- README.md | 15 ++++---- deps.edn | 6 ++-- project.clj | 36 +++++++++---------- .../nvd_clojure/default_config_content.edn | 6 +++- src/nvd/config.clj | 29 ++++++++++----- src/nvd/report.clj | 29 +++++++++------ 12 files changed, 99 insertions(+), 51 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug.yml b/.github/ISSUE_TEMPLATE/bug.yml index e35f99b..877bdd6 100644 --- a/.github/ISSUE_TEMPLATE/bug.yml +++ b/.github/ISSUE_TEMPLATE/bug.yml @@ -48,8 +48,8 @@ body: label: Installation compliance description: options: - - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v3.6.0#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v3.6.0#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v3.6.0#clojure-cli-tool)). + - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v4.0.0#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v4.0.0#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v4.0.0#clojure-cli-tool)). required: true - - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v3.6.0#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck). + - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v4.0.0#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck). required: false diff --git a/.github/ISSUE_TEMPLATE/issue.yml b/.github/ISSUE_TEMPLATE/issue.yml index b5d4977..db7388e 100644 --- a/.github/ISSUE_TEMPLATE/issue.yml +++ b/.github/ISSUE_TEMPLATE/issue.yml @@ -32,8 +32,8 @@ body: label: Installation compliance description: options: - - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v3.6.0#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v3.6.0#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v3.6.0#clojure-cli-tool)). + - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v4.0.0#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v4.0.0#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v4.0.0#clojure-cli-tool)). required: true - - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v3.6.0#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck). + - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v4.0.0#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck). required: false diff --git a/.github/dogfooding_suppressions.xml b/.github/dogfooding_suppressions.xml index e4b902f..7d201b5 100644 --- a/.github/dogfooding_suppressions.xml +++ b/.github/dogfooding_suppressions.xml @@ -37,6 +37,14 @@ .*\bbcprov-jdk18on-1\.71\.jar CVE-2023-33201 + + .*\bbcprov-jdk18on-1\.71\.jar + CVE-2023-33202 + + + .*\bbcpg-jdk18on-1\.71\.jar + CVE-2023-33202 + ^pkg:maven/org\.codehaus\.plexus/plexus-.*$ cpe:/a:codehaus-plexus_project:codehaus-plexus diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 410113e..2cbe7c1 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -11,6 +11,8 @@ on: jobs: test_suite: name: Linting and tests + env: + NVD_API_TOKEN: ${{ secrets.NVD_API_TOKEN }} runs-on: ubuntu-latest strategy: matrix: @@ -39,6 +41,8 @@ jobs: continue-on-error: true integration: name: Integration test suite + env: + NVD_API_TOKEN: ${{ secrets.NVD_API_TOKEN }} runs-on: ubuntu-latest strategy: matrix: diff --git a/CHANGELOG.md b/CHANGELOG.md index 3281aba..eef4a72 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,10 @@ +## Changes from 4.0.0 to 4.0.0 + +* Update `dependency-check-core` to the 9.x series ([9.0.8](https://github.com/jeremylong/DependencyCheck/blob/v9.0.8/CHANGELOG.md)) + * This **requires** nvd-clojure users to request a NVD API key and configure it correctly. + * You can [obtain an API key](https://nvd.nist.gov/developers/request-an-api-key) in a few minutes - it's an automated process. + * Then, you can configure it in nvd-clojure by setting it in the `:nvd-api :key` path, or as a `NVD_API_TOKEN` environment variable. + ## Changes from 3.5.0 to 3.6.0 * Update `dependency-check-core`. diff --git a/Makefile b/Makefile index 0096d04..b877fcd 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ # Example usage: # copy a one-off Clojars token to your clipboard -# GIT_TAG=v3.6.0 CLOJARS_USERNAME=$USER CLOJARS_PASSWORD=$(pbpaste) make deploy +# GIT_TAG=v4.0.0 CLOJARS_USERNAME=$USER CLOJARS_PASSWORD=$(pbpaste) make deploy deploy: check-env lein clean diff --git a/README.md b/README.md index 5fc9681..0415fbf 100644 --- a/README.md +++ b/README.md @@ -18,18 +18,18 @@ will be checked for known security vulnerabilities. `nvd-clojure` passes them to ### Installation and basic usage -> _Please see also:_ [Avoiding classpath interference](https://github.com/rm-hull/nvd-clojure/blob/v3.6.0/FAQ.md#what-is-classpath-interference) +> _Please see also:_ [Avoiding classpath interference](https://github.com/rm-hull/nvd-clojure/blob/v4.0.0/FAQ.md#what-is-classpath-interference) #### Leiningen
-Please create a separate project consisting of `[nvd-clojure/nvd-clojure "3.6.0"]`. Said project can be located inside the targeted repo's Git repository. +Please create a separate project consisting of `[nvd-clojure/nvd-clojure "4.0.0"]`. Said project can be located inside the targeted repo's Git repository. ```clj (defproject nvd-helper "local" :description "nvd-clojure helper project" - :dependencies [[nvd-clojure "3.6.0"] + :dependencies [[nvd-clojure "4.0.0"] [org.clojure/clojure "1.11.1"]] :jvm-opts ["-Dclojure.main.report=stderr"]) ``` @@ -54,7 +54,7 @@ If you are using a multi-modules solution (e.g. `lein-monolith`), you should ens
-Please create a separate project consisting exclusively of `nvd-clojure/nvd-clojure {:mvn/version "3.6.0"}`. Said project can be located inside the targeted repo's Git repository. +Please create a separate project consisting exclusively of `nvd-clojure/nvd-clojure {:mvn/version "4.0.0"}`. Said project can be located inside the targeted repo's Git repository. Please do not add nvd-clojure as a dependency in the deps.edn of the project to be analysed. @@ -155,7 +155,7 @@ dependency relationships are: dependencies, and suggest upgraded versions, and can optionally be configured to update the project file. -(Note that that is only one of the multiple ways of remediating a given vulnerability, please see [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v3.6.0/FAQ.md#how-to-remediate-a-cve-is-it-a-good-idea-to-automate-remediation)) +(Note that that is only one of the multiple ways of remediating a given vulnerability, please see [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v4.0.0/FAQ.md#how-to-remediate-a-cve-is-it-a-good-idea-to-automate-remediation)) ## Configuration @@ -180,6 +180,9 @@ wiki. There are some specific settings below which are worthy of a few comments: +* `:nvd-api` - map of: + * :key - **MANDATORY** (unless you set an `NVD_API_TOKEN` environment variable) - must contain an API key that you can obtain in https://nvd.nist.gov/developers/request-an-api-key + * other keys: `:endpoint`, `:delay`, `:max-retry-count`, `:valid-for-hours`, `:datafeed` - advanced, please refer to the source code. * `:fail-threshold` default value `0`; checks the highest CVSS score across all dependencies, and fails if this threshold is breached. - As CVSS score ranges from `0..10`, the default value will cause a build to fail even for the lowest rated vulnerability. @@ -209,7 +212,7 @@ You can also set logging properties directly through Java system properties (the clojure -J-Dclojure.main.report=stderr -J-Dorg.slf4j.simpleLogger.log.org.apache.commons=error -Tnvd nvd.task/check # ... ``` -## [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v3.6.0/FAQ.md) +## [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v4.0.0/FAQ.md) ## Attribution diff --git a/deps.edn b/deps.edn index c486d52..545315a 100644 --- a/deps.edn +++ b/deps.edn @@ -2,9 +2,9 @@ :deps {org.clojure/clojure {:mvn/version "1.11.1"} org.clojure/java.classpath {:mvn/version "1.0.0"} clansi/clansi {:mvn/version "1.0.0"} - org.clojure/data.json {:mvn/version "2.4.0"} - org.slf4j/slf4j-simple {:mvn/version "2.0.9"} - org.owasp/dependency-check-core {:mvn/version "8.4.3"} + org.clojure/data.json {:mvn/version "2.5.0"} + org.slf4j/slf4j-simple {:mvn/version "2.0.10"} + org.owasp/dependency-check-core {:mvn/version "9.0.8"} rm-hull/table {:mvn/version "0.7.1"} trptcolin/versioneer {:mvn/version "0.2.0"}} :mvn/repos {"central" {:url "https://repo1.maven.org/maven2/"} diff --git a/project.clj b/project.clj index 91c2b34..d520b1f 100644 --- a/project.clj +++ b/project.clj @@ -1,30 +1,30 @@ -(defproject nvd-clojure "3.6.0" +(defproject nvd-clojure "4.0.0" :description "National Vulnerability Database dependency checker" :url "https://github.com/rm-hull/nvd-clojure" :license {:name "The MIT License (MIT)" :url "https://opensource.org/licenses/MIT"} :dependencies [[org.clojure/clojure "1.11.1"] [clansi "1.0.0"] - [org.clojure/data.json "2.4.0"] - [org.slf4j/slf4j-simple "2.0.9"] - [org.owasp/dependency-check-core "8.4.3"] + [org.clojure/data.json "2.5.0"] + [org.slf4j/slf4j-simple "2.0.10"] + [org.owasp/dependency-check-core "9.0.8"] [rm-hull/table "0.7.1"] [trptcolin/versioneer "0.2.0"] ;; Explicitly depend on a certain Jackson, consistently. ;; (See also: https://github.com/jeremylong/DependencyCheck/issues/3441) - [com.fasterxml.jackson.core/jackson-databind "2.16.0"] - [com.fasterxml.jackson.core/jackson-annotations "2.16.0"] - [com.fasterxml.jackson.core/jackson-core "2.16.0"] - [com.fasterxml.jackson.module/jackson-module-afterburner "2.16.0"] - [org.apache.maven.resolver/maven-resolver-transport-http "1.9.16" #_"Fixes a CVE"] + [com.fasterxml.jackson.core/jackson-databind "2.16.1"] + [com.fasterxml.jackson.core/jackson-annotations "2.16.1"] + [com.fasterxml.jackson.core/jackson-core "2.16.1"] + [com.fasterxml.jackson.module/jackson-module-afterburner "2.16.1"] + [org.apache.maven.resolver/maven-resolver-transport-http "1.9.18" #_"Fixes a CVE"] [org.yaml/snakeyaml "2.2" #_"Fixes a CVE"] - [org.apache.maven/maven-core "3.9.5" #_"Fixes a CVE"] - [org.eclipse.jetty/jetty-client "12.0.3" #_"Fixes a CVE" :exclusions [org.slf4j/slf4j-api]] - [org.apache.maven.resolver/maven-resolver-spi "1.9.16" #_"Satisfies :pedantic?"] - [org.apache.maven.resolver/maven-resolver-api "1.9.16" #_"Satisfies :pedantic?"] - [org.apache.maven.resolver/maven-resolver-util "1.9.16" #_"Satisfies :pedantic?"] - [org.apache.maven.resolver/maven-resolver-impl "1.9.16" #_"Satisfies :pedantic?"] - [org.apache.maven/maven-resolver-provider "3.9.5" #_"Satisfies :pedantic?"] + [org.apache.maven/maven-core "3.9.6" #_"Fixes a CVE"] + [org.eclipse.jetty/jetty-client "12.0.5" #_"Fixes a CVE" :exclusions [org.slf4j/slf4j-api]] + [org.apache.maven.resolver/maven-resolver-spi "1.9.18" #_"Satisfies :pedantic?"] + [org.apache.maven.resolver/maven-resolver-api "1.9.18" #_"Satisfies :pedantic?"] + [org.apache.maven.resolver/maven-resolver-util "1.9.18" #_"Satisfies :pedantic?"] + [org.apache.maven.resolver/maven-resolver-impl "1.9.18" #_"Satisfies :pedantic?"] + [org.apache.maven/maven-resolver-provider "3.9.6" #_"Satisfies :pedantic?"] [org.codehaus.plexus/plexus-utils "4.0.0" #_"Satisfies :pedantic?"]] :managed-dependencies [[com.google.code.gson/gson "2.10.1"]] :scm {:url "git@github.com:rm-hull/nvd-clojure.git"} @@ -43,10 +43,10 @@ [jonase/eastwood "1.4.0"]] :eastwood {:add-linters [:boxed-math :performance]} - :dependencies [[clj-kondo "2023.10.20"] + :dependencies [[clj-kondo "2023.12.15"] [commons-collections "20040616"]]} :ci {:pedantic? :abort} - :clj-kondo {:dependencies [[clj-kondo "2023.10.20"]]} + :clj-kondo {:dependencies [[clj-kondo "2023.12.15"]]} :skip-self-check {:jvm-opts ["-Dnvd-clojure.internal.skip-self-check=true"]}} :deploy-repositories [["clojars" {:url "https://clojars.org/repo" :username :env/clojars_username diff --git a/resources/nvd_clojure/default_config_content.edn b/resources/nvd_clojure/default_config_content.edn index 0887e2b..11c252c 100644 --- a/resources/nvd_clojure/default_config_content.edn +++ b/resources/nvd_clojure/default_config_content.edn @@ -6,12 +6,16 @@ ;; Feel free to tweak it, version-control it and remove any comment. -;; Configuration reference: https://github.com/rm-hull/nvd-clojure/tree/v3.6.0#configuration-options +;; Configuration reference: https://github.com/rm-hull/nvd-clojure/tree/v4.0.0#configuration-options {;; You can use the `:suppression-file` in order to silence false positives. ;; This file will be automatically created, with whatever filename is specified here, if it didn't exist already. :suppression-file "nvd_suppressions.xml" + ;; MANDATORY - please set this (or a `NVD_API_TOKEN` environment variable, deleting this entry) + ;; according to an API key that you can obtain in https://nvd.nist.gov/developers/request-an-api-key + :nvd-api {:key nil} + #_:analyzer ;; Analyzer options, which are mostly advanced/internal #_{:ossindex-warn-only-on-remote-errors ;; Occasionally necessary for not making HTTP 500 errors from OSS Index (one of the multiple analyzers internally used) diff --git a/src/nvd/config.clj b/src/nvd/config.clj index cd57454..9e5d680 100644 --- a/src/nvd/config.clj +++ b/src/nvd/config.clj @@ -46,10 +46,15 @@ Settings$KEYS/DB_DRIVER_PATH [:database :driver-path] Settings$KEYS/DB_CONNECTION_STRING [:database :connection-string] Settings$KEYS/DB_USER [:database :user] - Settings$KEYS/DB_PASSWORD [:database :password]}) - -(def ^:private integer-mappings - {Settings$KEYS/CVE_CHECK_VALID_FOR_HOURS [:cve :valid-for-hours]}) + Settings$KEYS/DB_PASSWORD [:database :password] + Settings$KEYS/NVD_API_KEY [:nvd-api :key] + Settings$KEYS/NVD_API_ENDPOINT [:nvd-api :endpoint] + Settings$KEYS/NVD_API_DELAY [:nvd-api :delay] + Settings$KEYS/NVD_API_MAX_RETRY_COUNT [:nvd-api :max-retry-count] + Settings$KEYS/NVD_API_VALID_FOR_HOURS [:nvd-api :valid-for-hours] + Settings$KEYS/NVD_API_DATAFEED_URL [:nvd-api :datafeed :url] + Settings$KEYS/NVD_API_DATAFEED_USER [:nvd-api :datafeed :user] + Settings$KEYS/NVD_API_DATAFEED_PASSWORD [:nvd-api :datafeed :password]}) (def ^:private boolean-mappings {Settings$KEYS/ANALYZER_ARCHIVE_ENABLED [:analyzer :archive-enabled] @@ -100,7 +105,9 @@ {:exit-after-check true :delete-config? true :verbose-summary false - :nvd {:analyzer {:assembly-enabled false + :nvd {:nvd-api {:delay 5000 ;; Value based on https://github.com/jeremylong/DependencyCheck/commit/be5c4a4f39d + :max-retry-count 10} + :analyzer {:assembly-enabled false :archive-enabled true :autoconf-enabled false :bundle-audit-enabled false @@ -187,15 +194,21 @@ You can pass an empty string for an .edn file to be automatically created." (maybe-create-suppression-file! nvd-settings) - (doseq [[prop path] integer-mappings] - (.setIntIfNotNull settings prop (get-in nvd-settings path))) - (doseq [[prop path] boolean-mappings] (.setBooleanIfNotNull settings prop (get-in nvd-settings path))) (doseq [[prop path] string-mappings] (.setStringIfNotEmpty settings prop (str (get-in nvd-settings path)))) + (when (= ::not-found (get-in nvd-settings [:nvd-api :key] ::not-found)) + (let [api-key (System/getenv "NVD_API_TOKEN")] + + (when (or (not api-key) + (string/blank? api-key)) + (throw (ex-info "No NVD API key supplied as config settings or env var." {}))) + + (.setString settings Settings$KEYS/NVD_API_KEY api-key))) + (-> project (assoc-in [:nvd :data-directory] (.getDataDirectory settings)) (assoc :engine (Engine. settings) diff --git a/src/nvd/report.clj b/src/nvd/report.clj index 77614a6..854e6c9 100644 --- a/src/nvd/report.clj +++ b/src/nvd/report.clj @@ -22,16 +22,17 @@ (ns nvd.report (:require - [clojure.string :as s] - [clojure.java.io :as io] [clansi :refer [style]] + [clojure.java.io :as io] + [clojure.string :as s] + [nvd.log :as log] [table.core :refer [table]]) (:import - [java.util Arrays] - [org.owasp.dependencycheck Engine] - [org.owasp.dependencycheck.dependency Dependency Vulnerability] - [org.owasp.dependencycheck.exception ExceptionCollection] - [org.owasp.dependencycheck.reporting ReportGenerator])) + (java.util Arrays) + (org.owasp.dependencycheck Engine) + (org.owasp.dependencycheck.dependency Dependency Vulnerability) + (org.owasp.dependencycheck.exception ExceptionCollection) + (org.owasp.dependencycheck.reporting ReportGenerator))) (def default-output-dir "target/nvd") @@ -53,9 +54,17 @@ (let [cvss2 (.getCvssV2 vulnerability) cvss3 (.getCvssV3 vulnerability)] (cond - cvss2 (.getScore cvss2) - cvss3 (.getBaseScore cvss3) - :else 1))) + cvss2 (max (double (or (.getExploitabilityScore cvss2) + 0)) + (double (or (.getImpactScore cvss2) + 0))) + cvss3 (max (double (or (.getExploitabilityScore cvss3) + 0)) + (double (or (.getImpactScore cvss3) + 0))) + :else (do + (.warn log/logger (str "No CVSS found for: " (pr-str vulnerability))) + 1)))) (defn- severity [^long cvssScore] (cond