Liking cljdoc? Tell your friends :D

nvd-clojure

Formerly known as lein-nvd

Build Status Coverage Status Dependencies Status Downloads Clojars Project Maintenance

National Vulnerability Database dependency-checker library (and plugin for Leiningen).

When run in your project, all the JARs on the classpath will be checked for known security vulnerabilities. nvd-clojure extracts project dependencies and passes them to a library called Dependency-Check which does the vulnerability analysis. Quoting the README for that library:

Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.

Installation

Please see also: Avoiding classpath interference

Clojure CLI

To install in a given project, you can add nvd-clojure/nvd-clojure {:mvn/version "1.9.0"} to your deps.edn.

If you have CLI version 1.10.3.933 or later, you can also install nvd-clojure as a "tool":

clojure -Ttools install nvd-clojure/nvd-clojure '{:mvn/version "RELEASE"}' :as nvd

and then you can run the tool like this:

clojure -Tnvd nvd.task/check :classpath '"'$(clojure -Spath -A:any:aliases)'"'

under :aliases in ~/.clojure/deps.edn, or add it to :aliases in the project local deps.edn, to look something like this:

:aliases {:nvd {:extra-deps {nvd-clojure/nvd-clojure {:mvn/version "1.9.0"}}
                :main-opts ["-m" "nvd.task.check"]}}

Leiningen

To install globally, add [lein-nvd "1.9.0"] into the :plugins vector of your :user profile in ~/.lein/profiles.clj, or on a per-project basis, add to the profiles section of your project.clj.

Usage

Run lein nvd check or clj -M:nvd (if you've chosen the alias :nvd, like above) in your project. The first time the plugin runs,it will download (and cache) various databases from https://nvd.nist.gov. Subsequent runs will periodically check and update the local database, but the initial run could therefore be quite slow - of the order of ten minutes or more, so give it time.

On completion, a summary table is output to the console, and a suite of reports will be produced in the project's ./target/nvd/ directory. If vulnerabilities are detected, then the check process will exit abnormally, thereby causing any CI build environment to error. (This behaviour can be overriden by setting a :fail-threshold in the project configuration).

Example

There is an example project which has dependencies with known vulnerabilities (CVE-2016-3720, CVE-2015-5262, CVE-2014-3577). This can be demonstrated by running the following:

$ cd example
$ lein nvd check

This will download the NVD database, and then cross-check the classpath dependencies against known vulnerabilities. The following summary report will be displayed on the console:

summary-report

Note that as there were some vulnerabilities detected, the process was aborted, with error code -1 hence the reported subprocess failed message.

More detailed reports (both HTML & XML) are written into the ./example/target/nvd/ directory as follows:


detail-report

Upgrading dependencies

You may use the built-in dependency tree reporters to find out what the dependency relationships are:

$ lein deps :tree # for Leiningen
$ clojure -Stree # for deps.edn

...make sure to use aliases/profiles in such a way that reflects the production classpath.

antq will traverse your project dependencies, and suggest upgraded versions, and can optionally be configured to update the project file.

Other commands

Running the following command shows what sub-commands are available:

$ lein help nvd

  Scans project dependencies, attempting to detect publicly disclosed
  vulnerabilities contained within dependent JAR files. It does this by
  determining if there is a Common Platform Enumeration (CPE) identifier
  for a given dependency. On completion, a summary table is displayed on
  the console (showing the status for each dependency), and detailed report
  linking to the associated CVE entries.

  This task should be invoked with one of three commands:

      check  - will optionally download the latest database update files,
               and then run the analyze and report stages. Typically, if
               the database has been updated recently, then the update
               stage will be skipped.

      purge  - will remove the local database files. Subsequently running
               the 'check' command will force downloading the files again,
               which could take a long time.

      update - will attempt to download the latest database updates, and
               incorporate them into the local store. Usually not necessary,
               as this is incorporated into the 'check' command.

  Any text after the command are treated as arguments and are passed directly
  directly to the command for further processing.

Arguments: ([command & args])

While purge and update are available, it is not normally required to use them, and purging will cause a subsequent check or update to download the whole database again.

Configuration options

The default settings for nvd-clojure are usually sufficient for most projects, but can be customized by adding an :nvd { ... } section in your project.clj.

These options can also be expressed as the keys in a .json config file (example). The filename denoting that file is the first argument to be passed to nvd-clojure when invoking it as a main (-m) program. The keys must reside inside a "nvd": {...} entry, not at the top-level.

There are many dependency-check settings (for example to connect via a proxy, or to specify an alternative to the H2 database). The exact settings can be seen in the config.clj source file and cross-referenced to the dependency-check wiki.

There are some specific settings below which are worthy of a few comments:

  • :fail-threshold default value 0; checks the highest CVSS score across all dependencies, and fails if this threshold is breached.
    • As CVSS score ranges from 0..10, the default value will cause a build to fail even for the lowest rated vulnerability.
    • Set to 11 if you never want the build to fail.
  • :data-directory default value is the data dir of DependencyCheck, e.g. ~/.m2/repository/org/owasp/dependency-check-utils/3.2.1/data/
    • It shouldn't normally be necessary to change this
  • :suppression-file default unset
  • :verbose-summary default false
    • When set to true, the summary table includes a severity determination for all dependencies.
    • When set to false, the summary table includes only packages that have either low or high severity determination.
  • :output-dir default value target/nvd/: the directory to save reports into
  • :throw-if-check-unsuccessful? - makes the program exit by throwing an exception instead of by invoking System/exit.
    • This can ease certain usages.

Avoiding classpath interference

nvd-clojure has some Java dependencies, which in turn can have CVEs themselves, or in any case interfere with your project's dependency tree, that would be computed in absence of nvd-clojure.

For this reason, you might want to invoke nvd.task.check's main function by passing a classpath string as an argument.

Said classpath string should try reflecting a production's classpath as accurately as possible: it should not include dev/test tooling, plugins (like nvd-clojure or any other), etc.

Lein example

lein run -m nvd.task.check "" "$(lein with-profile -user,-dev classpath)"

deps.edn example

clojure -m nvd.task.check "" "$(clojure -Spath)"

...in both cases, an empty string is passed as the first argument, for backwards compatibility reasons. You can also pass a filename instead, denoting a .json file with extra options (example).

For extra isolation, it is recommended that you invoke nvd.task.check from outside your project - e.g. from an empty project, a git clone of this very repo, or from $HOME (assuming you have nvd-clojure as a dependency in your user-wide Lein profile).

Building locally

Build and install the core module, then do the same for the plugin:

$ lein test
$ lein install
$ cd plugin
$ lein test
$ lein install
$ cd ../example
$ lein nvd check

A sample report is available for testing in the example sub-directory.

Attribution

nvd-clojure uses Jeremy Long's Dependency-Check library to do the heavy lifting.

References

License

The MIT License (MIT)

Copyright (c) 2016-21 Richard Hull

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Can you improve this documentation? These fine people already did:
Richard Hull, vemv, Александар Симић, Sean Corfield, github-actions[bot], Matt McGill, Christopher Martin & Tianxiang Xiong
Edit on GitHub

cljdoc is a website building & hosting documentation for Clojure/Script libraries

× close