nvd-clojure-gh-action's Introduction

Clojure NVD Dependency Check Action

A simple GitHub Action that runs nvd-clojure against your project and opens an issue on the repository when vulnerabilities are reported.

Warning

This action will create issues on the repository it is activated on. If the repository is public then the issue posted will be public, and it will look like this:

CVEs Found in owner/repo: [CRITICAL, HIGH, MEDIUM, LOW] #1

Ensure that you want this before activating this action on a public repository.

Usage

Add a .github/workflows/main.yml to your project:

name: Clojure NVD Dependency Checking

on:
  workflow_dispatch:
  schedule:
    - cron: "0 1 * * 1-5"

jobs:
  build:

    runs-on: ubuntu-latest

    steps:
      - name: Checkout Latest Commit
        uses: actions/[email protected]

      - name: NVD Clojure
        uses: Swirrl/nvd-clojure-gh-action@master
        with:
          ## Below is the only required argument; if your
          ## project only depends on public Maven/Clojars
          ## dependencies, this is probably all you need.
          github_token: ${{ secrets.github_token }}

          ## If the Clojure project you wish to scan is not
          ## in the repository's root directory, set its
          ## location with this variable.
          # directories: sub-project-dir

          ## Uncomment below and set up secrets if you need
          ## to resolve any `tools.deps` `git/deps` from
          ## private git repositories.
          # ssh_private_key: ${{ secrets.ssh_private_key }}

          ## Uncomment and set up secrets below if you have
          ## any Maven dependencies in AWS/S3-wagon buckets.
          # aws_access_key_id: ${{ secrets.aws_access_key_id }}
          # aws_secret_access_key: ${{ secrets.aws_secret_access_key }}

Supported Arguments

  • directories: Space separated sub-directories to check. Defaults to the root of the repository.
  • github_token: The only required argument. Can either be the default token, as seen above, or a personal access token with write access to the repository.
  • ssh_private_key: Used to access private repositories over git/SSH; supply the private key of the private repo's "Deploy Key".
  • aws_access_key_id: Used to access S3 bucket maven repos.
  • aws_secret_access_key: Used to access S3 bucket maven repos.

Suppressing CVEs

Because of how dependency-check identifies libraries, false positives may occur (i.e. an incorrect CPE is matched to a dependency).

Add a file in the Clojure project directory named nvd-clojure-suppress.xml to specify CVE suppressions.

See the DependencyCheck docs, and the example project for details.
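As an added example (not the project's own file), the snippet below is an nvd-clojure-suppress.xml in the standard DependencyCheck suppression format. The CPE, the artifact coordinates and the CVE id are constructed placeholders. It covers the false-positive case this section describes (an incorrect CPE match, suppressed with the cpe element, so the suppression survives new CVEs being published against the wrong product) and, for contrast, a suppression of a single CVE scoped to one artifact and given an expiry date so it is re-examined rather than forgotten.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative nvd-clojure-suppress.xml. The packageUrl patterns, the CPE and
     the CVE id are constructed placeholders; replace them with the values from
     your own report before use (a placeholder CVE id will not validate). -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- Case 1: wrong CPE match. The analyzer associated this artifact with a
       product it is not, so every CVE attached to that CPE is a false positive.
       Suppressing the CPE for this artifact only (packageUrl) keeps the
       suppression narrow and still valid when new CVEs land on that product. -->
  <suppress>
    <notes><![CDATA[
      False positive: jetty-server artifact matched to an unrelated CPE.
      Reviewed by: <reviewer>, <date>. Re-check if the artifact is upgraded.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/jetty-server@.*$</packageUrl>
    <cpe>cpe:/a:example_vendor:example_product</cpe>
  </suppress>

  <!-- Case 2: a real CVE that does not apply to how the dependency is used.
       Scope it to one exact artifact version and give it an expiry so the
       decision is revisited on the next scan after that date. -->
  <suppress until="2099-12-31Z">
    <notes><![CDATA[
      CVE-YYYY-NNNNN (placeholder): affected code path is not reachable from this service.
      Suppression expires; re-evaluate when the dependency is upgraded.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/commons-io/commons-io@2\.6$</packageUrl>
    <cve>CVE-YYYY-NNNNN</cve>
  </suppress>

</suppressions>
```

Prefer the cpe element for mis-identifications and the cve element only for vulnerabilities you have actually assessed; a suppression without a notes entry and an owner is hard to audit later, and an unbounded cve suppression silently hides the finding forever.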

Licensing

Copyright © 2022 Swirrl IT Ltd

Distributed under the Eclipse Public License either version 1.0 or (at your option) any later version.

nvd-clojure-gh-action's People

Contributors: andrewmcveigh, lkitching, rickmoynihan

Forkers

5l1v3r1

nvd-clojure-gh-action's Issues

CVEs Found in nvd-clojure-gh-action/example: [CRITICAL, HIGH, MEDIUM, LOW]

Content Hash: eaeea70930fed346a0212f48dddc00e0

  • commons-compress-1.9.jar
  • commons-io-2.6.jar
  • jetty-server-9.4.28.v20200408.jar
  • server.http.jetty-0.2.1.jar

CVEs Found in nvd-clojure-gh-action/example: [CRITICAL, HIGH, MEDIUM, LOW]

Content Hash: 62dc59297160c6dd9c986604a6d99e2f

  • commons-compress-1.9.jar
  • commons-io-2.6.jar
  • jackson-annotations-2.9.0.jar
  • jackson-core-2.9.7.jar
  • jackson-databind-2.9.7.jar
  • jetty-io-9.2.21.v20170120.jar
  • jetty-server-9.2.21.v20170120.jar
  • server.http.jetty-0.2.0.jar

Add option to close or upsert previous PRs

It's a little annoying that nvd-clojure-gh-action always creates a new PR, even if a subsequent one supersedes it.

It would be nice to have an option such that it closes previous PRs; as it's quite easy with just a little neglect to end up with dozens of PRs to clean up manually:

[Screenshot 2022-07-29 at 11:34:40]

NullPointerException thrown for vulnerabilities without a :cvssv3 key

If the JSON report contains vulnerabilities without a :cvssv3 key, the initialiser for the issue-markdown var throws a NullPointerException when trying to sort by scores.

{:clojure.main/message
 "Execution error (NullPointerException) at java.util.TimSort/countRunAndMakeAscending (TimSort.java:355).\nCannot invoke \"Object.getClass()\" because \"x\" is null\n",
 :clojure.main/triage
 {:clojure.error/class java.lang.NullPointerException,
  :clojure.error/line 355,
  :clojure.error/cause
  "Cannot invoke \"Object.getClass()\" because \"x\" is null",
  :clojure.error/symbol java.util.TimSort/countRunAndMakeAscending,
  :clojure.error/source "TimSort.java",
  :clojure.error/phase :execution},
 :clojure.main/trace
 {:via
  [{:type clojure.lang.Compiler$CompilerException,
    :message "Syntax error macroexpanding at (dev.clj:32:8).",
    :data
    {:clojure.error/phase :execution,
     :clojure.error/line 32,
     :clojure.error/column 8,
     :clojure.error/source "dev.clj"},
    :at [clojure.lang.Compiler$InvokeExpr eval "Compiler.java" 3711]}
   {:type java.lang.NullPointerException,
    :message
    "Cannot invoke \"Object.getClass()\" because \"x\" is null",
    :at [clojure.lang.Numbers ops "Numbers.java" 1068]}],
  :trace
  [[clojure.lang.Numbers ops "Numbers.java" 1068]
   [clojure.lang.Numbers gt "Numbers.java" 259]
   [clojure.core$_GT_ invokeStatic "core.clj" 1079]
   [clojure.core$_GT_ invoke "core.clj" 1072]
   [clojure.lang.AFunction compare "AFunction.java" 51]
   [clojure.core$sort_by$fn__5994 invoke "core.clj" 3119]
   [clojure.lang.AFunction compare "AFunction.java" 51]
   [java.util.TimSort countRunAndMakeAscending "TimSort.java" 355]
   [java.util.TimSort sort "TimSort.java" 220]
   [java.util.Arrays sort "Arrays.java" 1233]
   [clojure.core$sort invokeStatic "core.clj" 3103]
   [clojure.core$sort_by invokeStatic "core.clj" 3107]
   [clojure.core$sort_by invoke "core.clj" 3107]
   [dev$fn__821 invokeStatic "dev.clj" 28]
   [dev$fn__821 invoke "dev.clj" 25]
   [clojure.core$map$fn__5884 invoke "core.clj" 2757]
   [clojure.lang.LazySeq sval "LazySeq.java" 42]
   [clojure.lang.LazySeq seq "LazySeq.java" 51]
   [clojure.lang.ChunkedCons chunkedNext "ChunkedCons.java" 59]
   [clojure.lang.ChunkedCons next "ChunkedCons.java" 43]
   [clojure.lang.LazySeq next "LazySeq.java" 83]
   [clojure.lang.RT next "RT.java" 713]
   [clojure.core$next__5403 invokeStatic "core.clj" 64]
   [clojure.string$join invokeStatic "string.clj" 180]
   [clojure.string$join invoke "string.clj" 180]
   [clojure.lang.AFn applyToHelper "AFn.java" 156]
   [clojure.lang.AFn applyTo "AFn.java" 144]
   [clojure.lang.Compiler$InvokeExpr eval "Compiler.java" 3706]
   [clojure.lang.Compiler$DefExpr eval "Compiler.java" 457]
   [clojure.lang.Compiler eval "Compiler.java" 7186]
   [clojure.lang.Compiler load "Compiler.java" 7640]
   [clojure.lang.RT loadResourceScript "RT.java" 381]
   [clojure.lang.RT loadResourceScript "RT.java" 372]
   [clojure.lang.RT load "RT.java" 459]
   [clojure.lang.RT load "RT.java" 424]
   [clojure.core$load$fn__6856 invoke "core.clj" 6115]
   [clojure.core$load invokeStatic "core.clj" 6114]
   [clojure.core$load doInvoke "core.clj" 6098]
   [clojure.lang.RestFn invoke "RestFn.java" 408]
   [clojure.core$load_one invokeStatic "core.clj" 5897]
   [clojure.core$load_one invoke "core.clj" 5892]
   [clojure.core$load_lib$fn__6796 invoke "core.clj" 5937]
   [clojure.core$load_lib invokeStatic "core.clj" 5936]
   [clojure.core$load_lib doInvoke "core.clj" 5917]
   [clojure.lang.RestFn applyTo "RestFn.java" 142]
   [clojure.core$apply invokeStatic "core.clj" 669]
   [clojure.core$load_libs invokeStatic "core.clj" 5974]
   [clojure.core$load_libs doInvoke "core.clj" 5958]
   [clojure.lang.RestFn applyTo "RestFn.java" 137]
   [clojure.core$apply invokeStatic "core.clj" 669]
   [clojure.core$require invokeStatic "core.clj" 5996]
   [clojure.main$main_opt invokeStatic "main.clj" 514]
   [clojure.main$main_opt invoke "main.clj" 510]
   [clojure.main$main invokeStatic "main.clj" 664]
   [clojure.main$main doInvoke "main.clj" 616]
   [clojure.lang.RestFn applyTo "RestFn.java" 137]
   [clojure.lang.Var applyTo "Var.java" 705]
   [clojure.main main "main.java" 40]],
  :cause "Cannot invoke \"Object.getClass()\" because \"x\" is null",
  :phase :execution}}
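The trace above shows the comparator failing inside sort-by: clojure.core/> is applied to a nil score when a vulnerability has no :cvssv3 entry. Below is an added example, not code from nvd-clojure-gh-action, of a null-safe way to order the report. The map shapes (:cvssv3 {:baseScore ...}, :cvssv2 {:score ...}) are assumed from the dependency-check JSON report rather than taken from this project's source, and the vulnerability maps are constructed sample data with placeholder ids.

```clojure
(ns example.sort-vulns)

;; Constructed sample data. Two entries lack :cvssv3, reproducing the shape the
;; issue describes; one has no score at all. Key names and nesting are assumed
;; from the dependency-check JSON report, not from nvd-clojure-gh-action.
(def sample-vulns
  [{:name "CVE-PLACEHOLDER-1" :severity "HIGH"     :cvssv3 {:baseScore 7.5}}
   {:name "CVE-PLACEHOLDER-2" :severity "MEDIUM"   :cvssv2 {:score 5.0}}   ; no :cvssv3
   {:name "CVE-PLACEHOLDER-3" :severity "CRITICAL" :cvssv3 {:baseScore 9.8}}
   {:name "CVE-PLACEHOLDER-4" :severity "LOW"}])                            ; no scores

(defn score
  "Best available base score for a vulnerability.
  Falls back from CVSSv3 to CVSSv2 and finally to 0.0, so every entry yields a
  number and the comparator never receives nil (the NullPointerException above).
  Entries with no score sort last rather than crashing the report."
  [vuln]
  (or (get-in vuln [:cvssv3 :baseScore])
      (get-in vuln [:cvssv2 :score])
      0.0))

(defn sort-by-score-desc
  "Highest score first. Negating the score avoids a custom comparator, and the
  :name tiebreak keeps the generated issue text deterministic between runs."
  [vulns]
  (sort-by (juxt (comp - score) :name) vulns))

(defn unscored
  "Vulnerabilities that had neither a CVSSv3 nor a CVSSv2 score. Worth listing
  separately in the issue so a missing score is visible, not silently ranked as 0."
  [vulns]
  (remove #(or (get-in % [:cvssv3 :baseScore])
               (get-in % [:cvssv2 :score]))
          vulns))

(comment
  (map :name (sort-by-score-desc sample-vulns))
  (map :name (unscored sample-vulns)))
```

The defensive point is that the ranking is a reporting convenience, while the finding itself is the security-relevant output: a missing score should degrade to "unscored, listed last" and never abort generation of the issue, otherwise one malformed entry hides every other vulnerability in the run.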

CVEs Found in nvd-clojure-gh-action/example: [CRITICAL, HIGH, MEDIUM, LOW]

Content Hash: eaeea70930fed346a0212f48dddc00e1

  • commons-compress-1.9.jar
  • commons-io-2.6.jar
  • jetty-server-9.4.28.v20200408.jar
  • server.http.jetty-0.2.1.jar

CVEs Found in nvd-clojure-gh-action/example: [CRITICAL, HIGH, MEDIUM, LOW]

Content Hash: 937a7003700f1f14709abf7c6e6d8ed5

  • commons-compress-1.9.jar
  • commons-io-2.6.jar
  • jackson-annotations-2.9.0.jar
  • jackson-core-2.9.7.jar
  • jackson-databind-2.9.7.jar
  • jetty-server-9.2.21.v20170120.jar
  • jetty-util-9.2.21.v20170120.jar
  • server.http.jetty-0.2.0.jar

CVEs Found in nvd-clojure-gh-action/example: [CRITICAL, HIGH, MEDIUM, LOW]

Content Hash: fff2172c77e6996e181778899530b2f4

  • commons-compress-1.9.jar
  • commons-io-2.6.jar
  • jackson-databind-2.12.3.jar
  • jetty-server-9.4.28.v20200408.jar
  • server.http.jetty-0.2.1.jar
