### JSON Configuration Example

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/configuration.md

Example of a complete nvd-clojure configuration file in JSON format. This provides an alternative to EDN for configuration.

```json
{
  "suppressionFile": "nvd_suppressions.xml",
  "failThreshold": 7,
  "verboseSummary": false,
  "nvdApi": {
    "key": "your-api-key-here",
    "delay": 5000,
    "maxRetryCount": 10
  },
  "analyzer": {
    "assemblyEnabled": false,
    "jarEnabled": true
  }
}
```

--------------------------------

### Minimal Configuration

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/configuration.md

A minimal configuration example. It is recommended to supply the API key through the NVD_API_TOKEN environment variable rather than storing it in the configuration file.

```clojure
{:nvd-api {:key "your-api-key"}}
```

--------------------------------

### Proxy Configuration Example

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/configuration.md

Example of configuring network proxy settings for nvd-clojure, including the server, port, and authentication details. The proxy credentials are stored in plain text in this file, so keep it out of version control.

```clojure
{:proxy {:server   "proxy.example.com"
         :port     "8080"
         :user     "proxyuser"
         :password "proxypass"}}
```

--------------------------------

### Local Development Helper Project Setup

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/INDEX.md

Configure a local helper project's deps.edn to include nvd-clojure and Clojure. This setup is recommended for running analyses.

```clojure
{:deps {nvd-clojure/nvd-clojure {:mvn/version "5.3.0"}
        org.clojure/clojure     {:mvn/version "1.12.4"}}
 :tools/usage {:ns-default nvd.task}}
```

--------------------------------

### EDN Configuration Example

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/configuration.md

Example of a complete nvd-clojure configuration file in EDN format. This format is recommended for its conciseness and expressiveness.
```clojure
{:suppression-file "nvd_suppressions.xml"
 :fail-threshold   7
 :verbose-summary  false
 :nvd-api          {:key             "your-api-key-here"
                    :delay           5000
                    :max-retry-count 10}
 :analyzer         {:assembly-enabled false
                    :jar-enabled      true}}
```

--------------------------------

### Project Map Usage Example

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/types.md

Demonstrates how the Project Map is populated with configuration and passed through the analysis pipeline using the `with-config` macro.

```clojure
(nvd.config/with-config [project "config.edn"]
  (-> project
      scan-and-analyze
      generate-report
      print-summary
      fail-build?))
```

--------------------------------

### Configuration merging example

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/INDEX.md

Shows how user-defined configuration is deep-merged with default settings, allowing specific overrides while retaining the other defaults.

```clojure
; Config file: only override specific settings
{:fail-threshold 8
 :analyzer {:jar-enabled true}}

; Merged with defaults: other settings from default-settings remain
```

--------------------------------

### Minimal Configuration with Environment Variable

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/configuration.md

Configuration example omitting the API key so that the NVD_API_TOKEN environment variable is used instead. Set the environment variable before running.

```clojure
{}
```

--------------------------------

### Custom Code Logging Example

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/api-reference/nvd-log.md

Shows how to integrate the nvd.log logger within custom Clojure functions for debugging and informational purposes. Includes examples for the info, debug, warn, and error levels within a try-catch block.
```clojure
(require '[nvd.log :as log])

(defn custom-analyzer [dependencies]
  (.info log/logger "Starting custom analysis")
  (try
    ;; `results` and `errors` are placeholders for your own analysis logic;
    ;; here each dependency is logged and passed through unchanged, and an
    ;; empty input is treated as the error condition.
    (let [results (mapv (fn [dep]
                          (.debug log/logger (str "Processing: " dep))
                          dep)
                        dependencies)
          errors  (empty? results)]
      (when errors
        (.warn log/logger "Encountered issues during analysis"))
      results)
    (catch Exception e
      (.error log/logger (str "Analysis failed: " (.getMessage e)))
      (throw e))))
```

--------------------------------

### Install NVD Clojure as a Tool

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/api-reference/nvd-task.md

Installs the nvd-clojure library as a Clojure CLI Tool with a specified version. This enables invoking it with the `-T` flag.

```bash
clojure -Ttools install nvd-clojure/nvd-clojure '{:mvn/version "5.3.0"}' :as nvd
```

--------------------------------

### Vulnerability Map Entry Example

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/types.md

Represents a single dependency and its associated CVE status. Used in summary outputs. The `:status` strings carry ANSI colour escape sequences (`\u001b[...m`) for console display.

```clojure
; Vulnerable dependency: CVE shown in red
{:dependency "log4j-core-2.14.0.jar"
 :status     "\u001b[1;31mCVE-2021-44228\u001b[0m"}
```

```clojure
; Clean dependency: OK shown in green
{:dependency "commons-io-2.6.jar"
 :status     "\u001b[1;32mOK\u001b[0m"}
```

```clojure
; Multiple CVEs, each coloured by severity
{:dependency "slf4j-api-1.7.30.jar"
 :status     "\u001b[1;33mCVE-2022-1234\u001b[0m, \u001b[1;31mCVE-2022-5678\u001b[0m"}
```

--------------------------------

### Configure Logging via Properties File

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/api-reference/nvd-log.md

Example of a simplelogger.properties file to configure logging levels for specific namespaces. Place this file on the nvd-clojure classpath.

```properties
org.slf4j.simpleLogger.log.nvd=debug
org.slf4j.simpleLogger.log.org.owasp.dependencycheck=info
org.slf4j.simpleLogger.defaultLogLevel=warn
```

--------------------------------

### Classpath filtering example

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/INDEX.md

Demonstrates how nvd-clojure filters the classpath to include only existing JAR and package files for analysis; directories and non-existent entries are dropped.
```clojure
; Input:  "/path/to/lib.jar:/home/user/src:nonexistent.jar:/path/to/package-lock.json"
; Output: ["/path/to/lib.jar" "/path/to/package-lock.json"]
```

--------------------------------

### Setting Environment Variables for Configuration

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/errors.md

Provides examples of setting environment variables for the NVD API key and OSS Index credentials. This method allows running the tool without hardcoding sensitive information in configuration files.

```bash
# NVD API key
export NVD_API_TOKEN="your-api-key-here"

# OSS Index credentials (optional but recommended)
export ANALYZER_OSSINDEX_USER="your-username"
export ANALYZER_OSSINDEX_PASSWORD="your-password"

# Run without needing them in the config file
clojure -Tnvd nvd.task/check :classpath "..."
```

--------------------------------

### Full Debug Output for Troubleshooting

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/api-reference/nvd-log.md

Capture detailed output for troubleshooting by setting the log level to `debug`. The first example redirects stderr into a file using `tee`, while the second adds timestamps for more granular analysis.

```bash
# Redirect stderr to capture full output
clojure -J-Dorg.slf4j.simpleLogger.defaultLogLevel=debug \
        -J-Dclojure.main.report=stderr \
        -Tnvd nvd.task/check \
        :classpath "$(clojure -Spath)" \
        :config-filename "config.edn" 2>&1 | tee nvd-debug.log
```

```bash
# Or with timestamps
clojure -J-Dorg.slf4j.simpleLogger.defaultLogLevel=debug \
        -J-Dorg.slf4j.simpleLogger.showDateTime=true \
        -J-Dorg.slf4j.simpleLogger.dateTimeFormat=yyyy-MM-dd\ HH:mm:ss:SSS \
        -Tnvd nvd.task/check :classpath "$(clojure -Spath)"
```

--------------------------------

### Missing NVD API Key Example

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/errors.md

Demonstrates scenarios where the NVD API key is missing from both the configuration file and the environment variables, leading to an error.
This occurs when neither `:nvd-api :key` in the config nor the `NVD_API_TOKEN` environment variable is set.

```clojure
; Config file without :key
(populate-settings! "config-no-key.edn")
; Throws: No NVD API key supplied...

; With env var unset
(populate-settings! "config-no-key.edn") ; NVD_API_TOKEN not set
; Throws: No NVD API key supplied...
```

--------------------------------

### Enable Debug Mode Logging

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/api-reference/nvd-log.md

Example command to enable detailed debug logging with timestamps for troubleshooting. This helps in analyzing the flow of the analysis and the API interactions.

```bash
clojure -J-Dorg.slf4j.simpleLogger.defaultLogLevel=debug \
        -J-Dorg.slf4j.simpleLogger.showDateTime=true \
        -J-Dclojure.main.report=stderr \
        -Tnvd nvd.task/check :classpath "..."
```

--------------------------------

### Suppression File Example

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/configuration.md

Example of an XML suppression file used to exclude specific CVEs from scan results. This file is created if it doesn't exist and can be edited to manage suppressions. Each `<suppress>` entry pairs a package URL pattern with the CVE to ignore, so suppressions stay scoped to the package actually reviewed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <!-- Ignore this CVE only for the lodash versions matched by the regex -->
    <packageUrl regex="true">pkg:npm/lodash/4\.17\.20.*</packageUrl>
    <cve>CVE-2021-23337</cve>
  </suppress>
</suppressions>
```

--------------------------------

### Handle No Valid Classpath Entries

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/errors.md

This example shows how the 'No Valid Classpath Entries' error is triggered. It occurs when the provided classpath string contains only directories or non-existent files. Ensure the classpath includes actual JAR files.
```clojure
(-main "" "nonexistent.jar:src/:test/")
; Throws: No entries in given classpath qualify for analysis

(-main "" "src/:test/:resources/")
; Throws: No entries in given classpath qualify for analysis (all directories)
```

--------------------------------

### absolute-path

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/api-reference/nvd-task-check.md

Converts a file path, including one starting with `~` for the home directory, into a fully qualified absolute path.

````APIDOC
## absolute-path

### Description
Converts a file path with `~` home directory shorthand to an absolute path by replacing `~` with the system's user home directory.

### Function Signature
```clojure
(absolute-path file)
```

### Parameters
- **file** (String) - Required - A file path that may start with `~` for the home directory

### Returns
`String` — The absolute file path with `~` replaced by the system's user home directory

### Example
```clojure
(absolute-path "~/projects/myapp.jar")
; => "/home/user/projects/myapp.jar"

(absolute-path "/absolute/path/to/file.jar")
; => "/absolute/path/to/file.jar"
```
````

--------------------------------

### Clojure CLI Tool Usage Command

Source: https://github.com/rm-hull/nvd-clojure/blob/main/README.md

Run the nvd-clojure check task using the installed CLI tool. Ensure the classpath is production-like and specify the config filename. The escaped quotes are needed because tool arguments are read as EDN strings.

```bash
clojure -J-Dclojure.main.report=stderr -Tnvd nvd.task/check :classpath \"$(clojure -Spath -A:any:aliases)\" :config-filename \"nvd-config.edn\"
```

--------------------------------

### Handle Invalid Config File Extension

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/errors.md

This example triggers the 'Invalid Config File Extension' error by attempting to use config files with unsupported extensions such as .yaml or .properties. Only .edn and .json are supported.

```clojure
(populate-settings! "config.yaml")
; Throws: Only .edn and .json config file extensions are supported

(populate-settings! "config.properties")
; Throws: Only .edn and .json config file extensions are supported
```

--------------------------------

### H2 In-Memory Database Configuration

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/configuration.md

Example of configuring nvd-clojure to use an H2 in-memory database. This is useful for temporary or testing environments.

```clojure
{:database {:driver-name       "org.h2.Driver"
            :connection-string "jdbc:h2:mem:nvd"}}
```

--------------------------------

### Set Logging Properties via Java System Properties

Source: https://github.com/rm-hull/nvd-clojure/blob/main/README.md

Override the default logging behavior by setting Java system properties. This example sets the log level for a specific package and configures the main report output.

```bash
clojure -J-Dclojure.main.report=stderr -J-Dorg.slf4j.simpleLogger.log.org.apache.commons=error -Tnvd nvd.task/check # ...
```

--------------------------------

### Build Failure on Vulnerability Threshold Example

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/errors.md

Illustrates how the build fails when the highest CVSS score of the detected vulnerabilities exceeds the configured fail threshold. The process exits with code -1 to signal failure to CI/CD systems.

```clojure
; With fail-threshold: 0 (default)
; Found CVE with CVSS 5.0
; Result: System/exit(-1)

; With fail-threshold: 7
; Found CVE with CVSS 6.5
; Result: System/exit(0) - does not fail

; With fail-threshold: 11 (never fail)
; Found vulnerabilities with CVSS 9.8
; Result: System/exit(0) - always succeeds
```

--------------------------------

### Checking Error Type in Clojure

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/errors.md

Demonstrates how to differentiate between specific exception types or messages within a catch block.
This example checks the beginning of the exception message to identify the different error conditions.

```clojure
(require '[clojure.string :as str])

(try
  (populate-settings! "config.edn")
  (catch Exception e
    ;; ex-message may be nil for exceptions without a message, so coerce to a string
    (let [msg (str (ex-message e))]
      (cond
        ;; "No NVD API key supplied..."
        (str/starts-with? msg "No NVD") (println "Missing API key")
        ;; "Only .edn and .json config file extensions are supported"
        (str/starts-with? msg "Only")   (println "Invalid file extension")
        :else                           (println "Unknown error")))))
```

--------------------------------

### Leiningen Classpath Command

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/INDEX.md

Use `lein with-profile -user classpath` to get the user classpath, excluding the development and test profiles. This can help diagnose classpath issues.

```bash
# Excludes dev/test
lein with-profile -user classpath
```

--------------------------------

### NVD API Datafeed Configuration

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/configuration.md

Example of configuring the NVD API to use a datafeed URL instead of direct API calls. This requires specifying the URL, username, and password for the datafeed source.

```clojure
{:nvd-api {:datafeed {:url      "https://example.com/nvd-data"
                      :user     "username"
                      :password "password"}}}
```

--------------------------------

### populate-settings!

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/api-reference/nvd-config.md

Loads configuration from a file, merges it with defaults, and initializes the DependencyCheck Engine with the settings. It handles parsing EDN or JSON files and validates the necessary credentials.

````APIDOC
## populate-settings!

### Description
Loads configuration from file, merges with defaults, and initializes the DependencyCheck Engine with the settings.

### Parameters
- **config-filename** (String) - Required - Path to `.edn` or `.json` configuration file

### Returns
`Map` - Project map with keys including: `:engine`, `:title`, `:start-time`, `:config-file`, `:nvd` (configuration), `:delete-config?`

### Throws
- `ExceptionInfo` - When config file extension is not `.edn` or `.json`
- `ExceptionInfo` - When NVD API key is neither in config nor available via `NVD_API_TOKEN` env var

### Description
Full initialization pipeline:
1. Parses config file based on extension (`.edn` or `.json`)
2. Creates default EDN file if filename is `nvd-clojure.edn` and it doesn't exist
3. Deep-merges user config with `default-settings`
4. Creates suppression file if configured but missing
5. Applies all boolean and string mappings to DependencyCheck Settings object
6. Validates NVD API key (from config or `NVD_API_TOKEN` env var)
7. Validates OSS Index credentials if configured (from config or env vars)
8. Initializes Engine with configured settings
9. Computes data directory path

### Environment Variables Used:
- `NVD_API_TOKEN` — NVD API key (mandatory if not in config)
- `ANALYZER_OSSINDEX_USER` — Sonatype OSS Index username
- `ANALYZER_OSSINDEX_PASSWORD` — Sonatype OSS Index password

### Example
```clojure
(populate-settings! "nvd-config.edn")
; => {:engine , :title "myapp 1.0.0", :nvd {...}, ...}

(populate-settings! "test/resources/opts.json")
; Reads JSON config, merges with defaults, initializes Engine
```
````

--------------------------------

### with-config

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/api-reference/nvd-config.md

Macro that manages configuration initialization and cleanup as a resource. It calls `populate-settings!`, executes the body, and always calls `cleanup` in a finally block to prevent resource leaks.
````APIDOC
## Macro with-config

### Description
Manages configuration initialization and cleanup as a resource.

### Parameters
- **binding** (Symbol) - Required - Symbol to bind to initialized project map
- **config-file** (String) - Required - Path to config file
- **body** (Expression) - Required - Code to execute with config loaded

### Returns
Result of the body expression

### Throws
Propagates any exceptions from body, but ensures cleanup always runs

### Example
```clojure
(with-config [project "nvd-config.edn"]
  (println "Checking" (:title project))
  (do-analysis project))

(with-config [p "config.json"]
  (scan-and-analyze p))
```
````

--------------------------------

### Get JVM Version

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/api-reference/nvd-task-check.md

Retrieves the major and minor version of the currently running Java Virtual Machine.

```clojure
(jvm-version)
; => 21.0
```

--------------------------------

### Initialize DependencyCheck Engine

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/api-reference/nvd-config.md

Loads configuration from a specified file (EDN or JSON), merges it with defaults, and initializes the DependencyCheck Engine. Requires the NVD API token and, optionally, OSS Index credentials.

```clojure
(populate-settings! "nvd-config.edn")
; => {:engine , :title "myapp 1.0.0", :nvd {...}, ...}

(populate-settings! "test/resources/opts.json")
; Reads JSON config, merges with defaults, initializes Engine
```

--------------------------------

### Check Dependencies with Configuration File

Source: https://github.com/rm-hull/nvd-clojure/blob/main/README.md

Use this command to check dependencies while specifying a custom configuration file. Ensure the filename is properly escaped as a string argument.
```bash
clojure -Tnvd nvd.task/check :classpath "
```

--------------------------------

### Leiningen Project Dependency

Source: https://github.com/rm-hull/nvd-clojure/blob/main/README.md

Define the nvd-clojure dependency in a helper project's project.clj file. This setup is for analyzing other projects.

```clojure
(defproject nvd-helper "local"
  :description "nvd-clojure helper project"
  :dependencies [[nvd-clojure "5.3.0"]
                 [org.clojure/clojure "1.12.3"]]
  :jvm-opts ["-Dclojure.main.report=stderr"])
```

--------------------------------

### Production Configuration with OSS Index

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/configuration.md

A production-ready configuration including a suppression file, fail threshold, output directory, NVD API key, and OSS Index credentials.

```clojure
{:suppression-file "nvd_suppressions.xml"
 :fail-threshold   7.0
 :verbose-summary  false
 :output-dir       "target/security-reports"
 :nvd-api          {:key "your-api-key"}
 :analyzer         {:ossindex-user     "sonatype-user"
                    :ossindex-password "sonatype-password"}}
```

--------------------------------

### Configure Logging via Java System Properties

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/api-reference/nvd-log.md

Demonstrates setting logging levels using JVM `-D` flags when launching a Clojure application. This allows for runtime configuration without modifying property files.

```bash
clojure -J-Dorg.slf4j.simpleLogger.defaultLogLevel=debug \
        -J-Dorg.slf4j.simpleLogger.log.nvd=debug \
        -Tnvd nvd.task/check :classpath "..."
```

--------------------------------

### Configure NVD Task Namespace Default

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/api-reference/nvd-task.md

Defines the default namespace for the NVD tool when installed as a Clojure CLI Tool. This allows for a shorter invocation syntax.

```clojure
:tools/usage {:ns-default nvd.task}
```

--------------------------------

### maybe-create-edn-file!
Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/api-reference/nvd-config.md

Conditionally creates a default EDN configuration file if the provided filename is the standard 'nvd-clojure.edn' and the file does not already exist or is blank.

````APIDOC
## maybe-create-edn-file!

### Description
Conditionally creates a default EDN configuration file if it's the standard name and doesn't exist.

### Parameters
- **config-filename** (String) - Required - Configuration filename

### Returns
`nil`

### Description
Creates the file only when:
- `config-filename` equals `"nvd-clojure.edn"` (the default)
- AND the file either doesn't exist or is blank

Does not create or overwrite files with other names, protecting user config files.

### Example
```clojure
(maybe-create-edn-file! "nvd-clojure.edn")
; Creates nvd-clojure.edn with default content if missing

(maybe-create-edn-file! "my-config.edn")
; Does nothing - non-default filename
```
````

--------------------------------

### Manage Configuration with Resource Safety

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/api-reference/nvd-config.md

A macro that safely manages configuration initialization and cleanup. It populates settings, executes a body of code with the configuration, and ensures cleanup runs in a finally block, preventing resource leaks.
```clojure
(with-config [project "nvd-config.edn"]
  (println "Checking" (:title project))
  (do-analysis project))
; Output: Checking myapp 1.0.0
; Returns result of do-analysis
; Always cleans up Engine

(with-config [p "config.json"]
  (scan-and-analyze p))
; Properly closes Engine and settings even if an exception is thrown
```

--------------------------------

### Basic Logger Usage

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/api-reference/nvd-log.md

Demonstrates how to use the exported logger instance to output messages at different severity levels (info, warn, error, debug). Ensure the logger is required before use.

```clojure
(require '[nvd.log :as log])

(.info  log/logger "Informational message")
(.warn  log/logger "Warning message")
(.error log/logger "Error message")
(.debug log/logger "Debug message")
```

--------------------------------

### Check Project Dependencies for Vulnerabilities

Source: https://github.com/rm-hull/nvd-clojure/blob/main/README.md

Run this command to check your project's classpath dependencies against the NVD database for known vulnerabilities. The first run may take a significant amount of time to download the database.

```bash
clojure -J-Dclojure.main.report=stderr -Tnvd nvd.task/check :classpath "
```

--------------------------------

### -main

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/api-reference/nvd-task-check.md

CLI entry point for running nvd-clojure checks. It validates the classpath, parses it for analysis, prevents self-analysis, and invokes the main implementation.

````APIDOC
## -main

### Description
CLI entry point for running nvd-clojure checks. Validates that classpath-string is provided, parses the classpath into analyzable files, prevents nvd-clojure from analyzing itself, and invokes `impl` with the configuration.

### Parameters
- **config-filename** (`String`) - Optional - Default: `""` - Path to config file; an empty string uses the default `nvd-clojure.edn`
- **classpath-string** (`String`) - Required - Full classpath string with entries separated by the platform path separator

### Example
```clojure
(-main "nvd-config.edn" "/lib/dep1.jar:/lib/dep2.jar:/lib/dep3.jar")

(-main "" "$(clojure -Spath)")
```

### Returns
`nil` - Calls `System/exit` or throws an exception.

### Throws
- **ExceptionInfo**: When classpath-string is blank/missing, no valid entries qualify for analysis, or the self-check detects nvd-clojure in the classpath.
````

--------------------------------

### default-settings

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/api-reference/nvd-config.md

A complete default configuration map with all analyzer options pre-configured.

````APIDOC
## Constant default-settings

### Description
Complete default configuration map with all analyzer options pre-configured.

### Type
`Map`

### Contents

| Key | Type | Value | Description |
|-----|------|-------|-------------|
| `:exit-after-check` | `Boolean` | `true` | Exit process after vulnerability check |
| `:delete-config?` | `Boolean` | `true` | Delete JSON config files after use |
| `:verbose-summary` | `Boolean` | `false` | Include all dependencies in summary |
| `:nvd` | `Map` | — | DependencyCheck configuration |
| `:nvd-api` | `Map` | — | NVD API settings with delay and retry count |
| `:analyzer` | `Map` | — | Individual analyzer enable/disable flags |

### Analyzer Defaults
All disabled except: `archive-enabled`, `central-enabled`, `jar-enabled`, `nexus-enabled`
````

--------------------------------

### Run nvd-clojure from Command Line

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/README.md

This command-line invocation runs nvd-clojure as a main module, specifying a configuration file and the project's classpath.

```bash
clojure -m nvd.task.check "config.edn" "$(clojure -Spath)"
```

--------------------------------

### Run Local Development Analysis

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/INDEX.md

Execute the nvd-clojure check from a local helper project's root directory. This command uses the configured classpath of the parent project.

```bash
cd nvd-helper && \
clojure -Tnvd nvd.task/check :classpath "$(cd ..; clojure -Spath)"
```

--------------------------------

### Basic nvd-clojure usage with config file

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/INDEX.md

Performs a vulnerability check using a specified configuration file and the project's classpath.

```bash
clojure -Tnvd nvd.task/check :classpath "$(clojure -Spath)" :config-filename "nvd-config.edn"
```

--------------------------------

### NVD Clojure Execution Flow

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/README.md

Illustrates the primary execution flow of the nvd-clojure tool, from the entry point to the conditional exit.
```text
┌─────────────────────────────────────┐
│       nvd.task/check or -main       │  Entry point
└──────────────────┬──────────────────┘
                   │
        ┌──────────▼──────────┐
        │ populate-settings!  │  Load config, init Engine
        └──────────┬──────────┘
                   │
    ┌──────────────▼──────────────┐
    │       parse-classpath       │  Filter & resolve paths
    └──────────────┬──────────────┘
                   │
    ┌──────────────▼──────────────┐
    │      scan-and-analyze       │  DependencyCheck analysis
    └──────────────┬──────────────┘
                   │
    ┌──────────────▼──────────────┐
    │       generate-report       │  Write HTML/XML/JSON
    └──────────────┬──────────────┘
                   │
    ┌──────────────▼──────────────┐
    │        print-summary        │  Console output
    └──────────────┬──────────────┘
                   │
    ┌──────────────▼──────────────┐
    │         fail-build?         │  Check threshold
    └──────────────┬──────────────┘
                   │
    ┌──────────────▼──────────────┐
    │      conditional-exit       │  Exit or throw
    └─────────────────────────────┘
```

--------------------------------

### Create Suppression File if Missing

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/api-reference/nvd-config.md

Creates a default XML suppression file if the `:suppression-file` key is present in the settings and the file does not exist. Parent directories are created as needed. Does not overwrite existing files.

```clojure
(maybe-create-suppression-file! nvd-settings)
```

```clojure
(maybe-create-suppression-file! {:suppression-file "nvd_suppressions.xml"})
; Creates nvd_suppressions.xml with default content

(maybe-create-suppression-file! {:suppression-file "path/to/suppressions.xml"})
; Creates path/to/ directories if needed, then the suppression file

(maybe-create-suppression-file! {})
; Does nothing - no suppression-file configured
```

--------------------------------

### CLI Entry Point

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/api-reference/nvd-task-check.md

The main CLI entry point for running nvd-clojure checks. It validates the classpath, parses entries, and prevents self-analysis. Use this to invoke the tool from the command line.
```clojure
(-main "nvd-config.edn" "/lib/dep1.jar:/lib/dep2.jar:/lib/dep3.jar")
```

```clojure
; Using empty string for default config
(-main "" "$(clojure -Spath)")
```

```clojure
; Throws if classpath is blank
(-main "config.edn" "")
```

```clojure
; Throws if classpath has no valid entries
(-main "config.edn" "nonexistent.jar:src/")
```

--------------------------------

### Leiningen Command for Dependency Check

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/INDEX.md

Run nvd.task.check from a Leiningen project. Navigate to the helper directory and execute the command, providing the configuration file and the dynamically generated classpath.

```bash
cd nvd-helper && \
lein run -m nvd.task.check "config.edn" "$(cd ../myproject; lein classpath)"
```

--------------------------------

### Run nvd-clojure with Clojure CLI Tools

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/README.md

This is the recommended way to run nvd-clojure using the Clojure CLI tools. It invokes the nvd.task/check function of the installed tool and provides the project's classpath.

```bash
clojure -Tnvd nvd.task/check :classpath "$(clojure -Spath)"
```

--------------------------------

### Multi-Language Project Configuration

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/configuration.md

Configuration for a multi-language project, enabling analyzers for Java/Clojure, JavaScript, Python, Go, and Ruby. Includes the NVD API key and a suppression file.
```clojure
{:nvd-api          {:key "your-api-key"}
 :analyzer         {:jar-enabled            true   ; Java/Clojure
                    :node-package-enabled   true   ; JavaScript
                    :npm-cpe-enabled        true
                    :python-package-enabled true   ; Python
                    :pip-enabled            true
                    :golang-mod-enabled     true   ; Go
                    :ruby-gemspec-enabled   true}  ; Ruby
 :suppression-file "suppressions.xml"}
```

--------------------------------

### Build failure threshold configuration

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/INDEX.md

Illustrates different settings for the `:fail-threshold` configuration option, which determines when a build should fail based on vulnerability scores.

```clojure
;; Default: fail if any vuln found (score > 0)
:fail-threshold 0

;; Fail only on high/critical vulns
:fail-threshold 7

;; Never fail (all CVSS scores are 0-10)
:fail-threshold 11

;; Fail if any vuln found, including unscored (score >= 0)
:fail-threshold -1
```

--------------------------------

### Minimal nvd-clojure configuration with API key

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/INDEX.md

Defines the minimum configuration for nvd-clojure, specifying the NVD API key.

```clojure
{:nvd-api {:key "your-api-key-here"}}
```

--------------------------------

### Using with-config for Auto-Cleanup in Clojure

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/errors.md

Illustrates the use of the `with-config` macro to ensure resource cleanup, such as closing the engine, even when exceptions occur during the analysis process. This prevents resource leaks.

```clojure
(try
  (with-config [project "config.edn"]
    (analyze project))
  (catch Exception e
    (println "Analysis failed:" (ex-message e))))
; Engine is always closed, even after an exception
```

--------------------------------

### Log User-Provided Configuration

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/api-reference/nvd-log.md

Logs the merged user configuration map after loading the configuration file.
This is an informational message useful for verifying loaded settings.

```text
User-provided config: {your-config-map}
```

--------------------------------

### Conditionally Create Default EDN Config

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/api-reference/nvd-config.md

Creates the default 'nvd-clojure.edn' configuration file with default content if it does not exist. Does not affect files with different names.

```clojure
(maybe-create-edn-file! "nvd-clojure.edn") ; Creates nvd-clojure.edn with default content if missing
(maybe-create-edn-file! "my-config.edn")   ; Does nothing - non-default filename
```

--------------------------------

### Project File Organization

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/MANIFEST.md

Illustrates the directory structure and the purpose of key Markdown files within the nvd-clojure project.

```markdown
/workspace/home/output/
├── README.md           (Navigation guide)
├── INDEX.md            (Complete overview)
├── configuration.md    (Config reference)
├── types.md            (Type definitions)
├── errors.md           (Error reference)
├── MANIFEST.md         (This file)
└── api-reference/
    ├── nvd-task-check.md  (Check execution)
    ├── nvd-config.md      (Configuration)
    ├── nvd-report.md      (Report generation)
    ├── nvd-task.md        (CLI integration)
    └── nvd-log.md         (Logging)
```

--------------------------------

### Corporate Proxy Configuration

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/configuration.md

Configure proxy settings for accessing external services like NVD or OSS Index. Ensure to replace placeholders with your actual credentials and server details.
```clojure
{:nvd-api {:key "your-api-key"}
 :proxy {:server "proxy.corp.com"
         :port "3128"
         :user "domain\\username"
         :password "password"}
 :analyzer {:ossindex-user "user"
            :ossindex-password "pass"}}
```

--------------------------------

### Basic nvd-clojure usage with environment variable for API key

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/INDEX.md

Performs a vulnerability check using an NVD API key provided via an environment variable.

```bash
export NVD_API_TOKEN="your-api-key-here"
clojure -Tnvd nvd.task/check :classpath "$(clojure -Spath)"
```

--------------------------------

### Leiningen Usage Command

Source: https://github.com/rm-hull/nvd-clojure/blob/main/README.md

Run the nvd-clojure check task using Leiningen. Ensure the classpath argument reflects a production-like environment.

```bash
lein with-profile -user run -m nvd.task.check "nvd-clojure.edn" "$(cd ; lein with-profile -user,-dev classpath)"
```

--------------------------------

### Default Output Directory Constant

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/api-reference/nvd-report.md

Defines the standard output directory for generated reports.

```clojure
(def default-output-dir "target/nvd")
```

--------------------------------

### Clojure CLI Tool for Dependency Check

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/INDEX.md

Use the Clojure CLI tool to run the nvd.task/check task. Specify the classpath and a configuration file.

```bash
clojure -Tnvd nvd.task/check \
  :classpath "$(clojure -Spath -A:any:aliases)" \
  :config-filename "nvd-config.edn"
```

--------------------------------

### app-name

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/api-reference/nvd-config.md

Constructs an application name from project metadata for use in reports. It follows Maven conventions for naming and defaults to 'stdin' if no name is provided.
````APIDOC
## app-name

### Description
Constructs an application name from project metadata for use in reports.

### Parameters
#### Path Parameters
None
#### Query Parameters
None
#### Request Body
None

### Parameters
- **project** (Map) - Required - Project map with optional `:name` and `:group` keys

### Returns
`String` - Either the name alone, the group/name combination, or "stdin" if neither is provided.

### Description
Follows Maven convention: if `:group` and `:name` are the same or group is missing, returns just the name. Otherwise returns "group/name" format. Defaults to "stdin" if no name is provided.

### Example
```clojure
(app-name {:name "mylib" :version "1.0"})
; => "mylib"

(app-name {:name "mylib" :group "mylib" :version "1.0"})
; => "mylib"

(app-name {:name "mylib" :group "com.example" :version "1.0"})
; => "com.example/mylib"

(app-name {:version "1.0"})
; => "stdin"
```
````

--------------------------------

### Catching ExceptionInfo in Clojure

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/errors.md

Shows how to catch general exceptions in Clojure using a try-catch block. It demonstrates accessing the exception message and data associated with the error.

```clojure
(require '[nvd.task.check :refer [-main]])

(try
  (-main "config.edn" classpath-string)
  (catch Exception e
    (let [data (ex-data e)]
      (println "Error:" (ex-message e))
      (println "Data:" data))))
```

--------------------------------

### EDN Configuration Structure

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/types.md

Defines the structure for configuration settings in EDN format. Used for various project settings like output directories and API configurations.
```clojure
{
 :suppression-file String   ; Path to suppression XML
 :fail-threshold   Long     ; CVSS threshold
 :verbose-summary  Boolean  ; Include all deps in output
 :output-dir       String   ; Report directory
 :output-format    String   ; Report format
 :nvd-api          Map      ; API configuration
 :analyzer         Map      ; Analyzer settings
 :proxy            Map      ; Proxy configuration
 :database         Map      ; Database configuration
}
```

--------------------------------

### High Sensitivity Configuration

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/configuration.md

Configuration for high sensitivity, failing on any vulnerability and enabling verbose summaries. Includes NVD API and OSS Index settings.

```clojure
{:fail-threshold -1           ; Fail on any vulnerability
 :verbose-summary true
 :suppression-file "suppressions.xml"
 :nvd-api {:key "your-api-key"
           :max-retry-count 20}
 :analyzer {:ossindex-user "user"
            :ossindex-password "pass"
            :ossindex-warn-only-on-remote-errors false}}
```

--------------------------------

### print-summary

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/api-reference/nvd-report.md

Prints a vulnerability summary table and statistics to the console, including vulnerability counts, severity, and report locations.

````APIDOC
## print-summary

### Description
Prints a vulnerability summary table and statistics to the console, including vulnerability counts, severity, and report locations.

### Parameters
#### Path Parameters
None
#### Query Parameters
None
#### Request Body
None

### Parameters
- **project** (`Map`) - Required - Project map with `:engine` and configuration.

### Returns
`Map` — The project map unchanged.

### Description
Outputs formatted summary including:
1. Vulnerability table (when `:verbose-summary` is true or vulnerabilities found)
2. Total vulnerability count and highest severity classification
3. Output directory path with color formatting
4. HTML report location (if file exists)
5. Disclaimer notice

Color coding:
- Green: No vulnerabilities
- Cyan: Low severity
- Yellow: Medium severity
- Red: High severity

### Request Example
```clojure
(print-summary project)
; Prints:
;
; | dependency       | status            |
; |------------------|-------------------|
; | log4j-1.2.jar    | CVE-2021-44228    |
; | commons-io.jar   | OK                |
;
; 5 vulnerabilities detected. Severity: HIGH
; Detailed reports saved in: /path/to/target/nvd
; HTML report : /path/to/target/nvd/dependency-check-report.html
;
; *** THIS REPORT IS WITHOUT WARRANTY ***
```

### Response
#### Success Response (200)
- **project** (`Map`) - The project map unchanged.

#### Response Example
```clojure
; Project map unchanged
project
```
````

--------------------------------

### nvd-clojure Project File Structure

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/00_START_HERE.md

This snippet displays the directory structure of the nvd-clojure project, illustrating the organization of its documentation and source files.

```text
├── 00_START_HERE.md        ← You are here
├── README.md               ← Overview & navigation
├── INDEX.md                ← Complete reference
├── configuration.md        ← Configuration guide
├── types.md                ← Type definitions
├── errors.md               ← Error reference
├── MANIFEST.md             ← Documentation inventory
├── ANALYSIS_REPORT.txt     ← Analysis methodology
└── api-reference/
    ├── nvd-task-check.md   ← CLI entry points
    ├── nvd-config.md       ← Configuration module
    ├── nvd-report.md       ← Report generation
    ├── nvd-task.md         ← Tool integration
    └── nvd-log.md          ← Logging
```

--------------------------------

### JSON Configuration Structure

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/types.md

Defines the structure for configuration settings in JSON format with camel case keys. Used for various project settings like output directories and API configurations.
```json
{
  "suppressionFile": "nvd_suppressions.xml",
  "failThreshold": 7,
  "verboseSummary": false,
  "outputDir": "target/nvd",
  "outputFormat": "ALL",
  "nvdApi": {
    "key": "...",
    "delay": 5000
  },
  "analyzer": {
    "jarEnabled": true,
    "centralEnabled": true
  },
  "proxy": {
    "server": "...",
    "port": "..."
  },
  "database": {
    "driverName": "..."
  }
}
```

--------------------------------

### Enable Python Analysis

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/configuration.md

Enable Python package, distribution, and pip analyzers. This configuration activates checks for Python projects.

```clojure
{:analyzer {:python-package-enabled true
            :python-distribution-enabled true
            :pip-enabled true
            :pipfile-enabled true}}
```

--------------------------------

### Handle Missing Classpath Argument

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/errors.md

This snippet demonstrates how to trigger the 'Missing Classpath Argument' error by passing empty or nil classpath strings. Ensure a non-empty classpath string is provided to avoid this error.

```clojure
(-main "config.edn" "")
; Throws ExceptionInfo: "nvd-clojure requires a classpath value..."

(-main "config.edn" nil)
; Throws ExceptionInfo: "nvd-clojure requires a classpath value..."

(-main "config.edn" " ")
; Throws ExceptionInfo: "nvd-clojure requires a classpath value..."
```

--------------------------------

### Classpath Separator Regex

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/api-reference/nvd-task-check.md

A platform-aware regular expression for splitting classpath strings. This is used internally to parse classpath entries.

```clojure
;; Imports needed for the definition below: File/pathSeparator is ":" on
;; Unix-like systems and ";" on Windows, and Pattern/quote escapes it so
;; the separator is matched literally.
(import '[java.io File]
        '[java.util.regex Pattern])

(def classpath-separator-re
  (re-pattern (Pattern/quote File/pathSeparator)))
```

--------------------------------

### Resource management with with-config macro

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/INDEX.md

Ensures the DependencyCheck Engine is properly closed after use, even if exceptions occur during analysis.
```clojure
(with-config [project "config.edn"]
  (analyze project))
;; Engine always closed, even if exception thrown
```

--------------------------------

### GitHub Actions Integration for Dependency Check

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/INDEX.md

Integrate nvd-clojure dependency checking into GitHub Actions. Set the NVD API token and run the check command.

```yaml
- name: Check dependencies for vulnerabilities
  run: |
    export NVD_API_TOKEN=${{ secrets.NVD_API_TOKEN }}
    clojure -Tnvd nvd.task/check :classpath "$(clojure -Spath)"
```

--------------------------------

### maybe-create-suppression-file!

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/api-reference/nvd-config.md

Creates a default XML suppression file if configured but missing. It creates parent directories as needed and writes default XML suppression content without overwriting existing files.

````APIDOC
## Function maybe-create-suppression-file!

### Description
Creates a default XML suppression file if configured but missing.

### Parameters
#### Path Parameters
- **nvd-settings** (Map) - Required - Map with optional `:suppression-file` key containing filename path

### Returns
`nil`

### Example
```clojure
(maybe-create-suppression-file! {:suppression-file "nvd_suppressions.xml"})
(maybe-create-suppression-file! {:suppression-file "path/to/suppressions.xml"})
(maybe-create-suppression-file! {})
```
````

--------------------------------

### default-config-content

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/api-reference/nvd-config.md

Delayed loading of default EDN configuration template content from resources.

```APIDOC
## Constant default-config-content

### Description
Delayed loading of default EDN configuration template content from resources.
### Type
`Delay[String]`
```

--------------------------------

### Convert to Absolute Path

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/api-reference/nvd-task-check.md

Converts a file path, potentially using '~' for the home directory, into an absolute path.

```clojure
(absolute-path "~/projects/myapp.jar")
; => "/home/user/projects/myapp.jar"

(absolute-path "/absolute/path/to/file.jar")
; => "/absolute/path/to/file.jar"
```

--------------------------------

### jvm-version

Source: https://github.com/rm-hull/nvd-clojure/blob/main/_autodocs/api-reference/nvd-task-check.md

Retrieves the major and minor version of the currently running Java Virtual Machine.

````APIDOC
## jvm-version

### Description
Retrieves the currently running JVM's major and minor version.

### Function Signature
```clojure
(jvm-version)
```

### Parameters
None

### Returns
`Double` — The major.minor version of the JVM (e.g., `11.0`, `17.0`, `21.0`)

### Example
```clojure
(jvm-version)
; => 21.0
```
````