{"id":51368899,"url":"https://github.com/clj-holmes/clj-watson","last_synced_at":"2026-07-03T04:05:03.721Z","repository":{"id":42367668,"uuid":"441379059","full_name":"clj-holmes/clj-watson","owner":"clj-holmes","description":"A Clojure tool that checks for vulnerable dependencies","archived":false,"fork":false,"pushed_at":"2026-05-02T23:48:13.000Z","size":269,"stargazers_count":98,"open_issues_count":16,"forks_count":11,"subscribers_count":3,"default_branch":"main","last_synced_at":"2026-05-03T00:33:27.217Z","etag":null,"topics":["clojure","dependency","sca","security"],"latest_commit_sha":null,"homepage":"","language":"Clojure","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"epl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/clj-holmes.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2021-12-24T05:53:12.000Z","updated_at":"2026-04-28T17:33:10.000Z","dependencies_parsed_at":"2023-12-17T08:26:51.723Z","dependency_job_id":"41c3af47-d777-4834-8a9c-8f7a341e4690","html_url":"https://github.com/clj-holmes/clj-watson","commit_stats":null,"previous_names":[],"tags_count":30,"template":false,"template_full_name":null,"purl":"pkg:github/clj-holmes/clj-watson","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/clj-holmes%2Fclj-watson","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/clj-holmes%2Fclj-watson/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/clj-holmes%2Fclj-watson/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/clj-holmes%2Fclj-watson/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/clj-holmes","download_url":"https://codeload.github.com/clj-holmes/clj-watson/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/clj-holmes%2Fclj-watson/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35071475,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-03T02:00:05.635Z","response_time":110,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["clojure","dependency","sca","security"],"created_at":"2026-07-03T04:05:03.445Z","updated_at":"2026-07-03T04:05:03.643Z","avatar_url":"https://github.com/clj-holmes.png","language":"Clojure","funding_links":[],"categories":[],"sub_categories":[],"readme":"# `clj-watson`\n\nA Clojure tool that checks for vulnerable dependencies\n\n`clj-watson` is a software composition analysis (SCA) tool that:\n1. scans dependencies specified in a Clojure `deps.edn` file\n2. looks for vulnerable direct and transitive dependencies\n3. builds a report with all the information needed to help you understand how the vulnerabilities manifest in your software\n\nAs of 6.1.0, `clj-watson` can also check dependencies via an explicitly specified\nclasspath, which is useful for contexts where `deps.edn` is not available or not the\nprimary source of dependencies, e.g., Leiningen projects.\n\n`clj-watson` can suggest a remediation for the vulnerabilities found,\nand can check against both the\n[NIST National Vulnerability Database (NVD)](https://nvd.nist.gov/)\n(by default) and the\n[GitHub Advisory Database](https://github.com/advisories)\n(experimental).\n\n\u003e [!IMPORTANT]\n\u003e We strongly encourage you to always use the latest version of `clj-watson`.\n\u003e Older versions might not pick up current vulnerabilities, and might even outright fail due to their usage of now obsolete strategies.\n\n## Quick Start\n\n1. `clj-watson` can be added as an alias, either on a per-project basis in your\nproject's `deps.edn` file, or in your user `deps.edn` file\n(either `~/.clojure/deps.edn` or `~/.config/clojure/deps.edn`):\n\n    ```clojure\n      ;; under :aliases\n      :clj-watson {:replace-deps\n                   {io.github.clj-holmes/clj-watson\n                    {:git/tag \"v6.1.0\" :git/sha \"be98e4d\"}}\n                   :main-opts [\"-m\" \"clj-watson.cli\"]}\n    ```\n\nYou can also add a dependency on `org.owasp/dependency-check-core` if you want to use a newer version (recommended -- but it\nintroduces a maintenance burden on you to keep it updated!). The current version, as of May 3rd, 2026 is `{:mvn/version \"12.2.2\"}`.\n\n2. [Setup your NVD API key](#nist-nvd-api).\n\n3. Optionally [configure OSS Index / Sonatype Guide](#oss-index-configuration) which is now disabled if an API token is not configured.\n\n4. Run clj-watson like so:\n\n      ```bash\n      clojure -M:clj-watson scan -p deps.edn\n      ```\n\nThe first time `clj-watson` runs, it downloads the entire vulnerability database.\nThis can take several minutes. Subsequent runs will be much faster.\n\n\u003e [!NOTE]\n\u003e The database is stored under in your local Maven cache, under dependency-check-utils `~/.m2/repository/org/owasp/dependency-check-utils/12.2.2/data/11.0/`.\n\u003e If you delete this directory, the database will be automatically re-downloaded.\n\n`clj-watson` can also be installed as a Clojure CLI tool:\n\n```bash\nclojure -Ttools install-latest :lib io.github.clj-holmes/clj-watson :as clj-watson\n```\n\nAfter [setting up your NVD API key](#nist-nvd-api), you can run `clj-watson` like so:\n\n```bash\nclojure -Tclj-watson scan :deps-edn-path deps.edn\n```\n\nThe -T tool option keywords match both the long-form and alias [-M CLI options](#cli-options).\nSo this also works:\n\n```bash\nclojure -Tclj-watson scan :p deps.edn\n```\n\n\u003e [!NOTE]\n\u003e For -T tool usage, `:aliases` (or `:a`) is specified as a vector of keywords (or symbols), e.g., `:a '[:foo :bar]'`, whereas it is specified multiple times for -M usage, `-a foo -a bar`.\n\u003e Run:\n\u003e - `clojure -M:clj-watson scan --help` for -M usage help\n\u003e - `clojure -Tclj-watson scan :help true` for -T tool usage help\n\nAs of 6.1.0, `clj-watson` can also check dependencies via an explicitly specified\nclasspath:\n\n```bash\nclojure -Tclj-watson scan :classpath '\"'$(lein classpath)'\"'\n```\n\n\u003e [!NOTE]\n\u003e The `:classpath` value needs to be a single string, so the example above uses shell quoting to ensure that the output of `lein classpath` is passed as a single string.\n\n## Vulnerability Database Strategies\n\n`clj-watson` supports two strategies for vulnerabilities scans:\n- [DependencyCheck](#dependencycheck)\n- [GitHub Advisory Database [experimental]](#github-advisory-database-experimental)\n\n## DependencyCheck\n\n[DependencyCheck](https://github.com/dependency-check/DependencyCheck) is the most\nwidely used method among Clojure/Java SCA tools. It:\n1. Downloads a database of known vulnerabilities from [NIST NVD](https://nvd.nist.gov/), storing it locally (inside your local Maven cache, under `~/.m2/repository/org/owasp/dependency-check-utils/12.2.2/data/11.0/`).\n3. Scans JARs from dependencies specified in your `deps.edn`\n4. Composes a [Common Platform Enumeration (CPE)](https://nvd.nist.gov/products/cpe) based on your dependencies\n5. Returns any matching vulnerabilities\n\n`clj-watson` then reports these findings to you, optionally with [potential remediations](#remediation-suggestions).\n\n### NIST NVD API\n\n\u003e [!IMPORTANT]\n\u003e The [NIST NVD data feeds discourage access without API keys by heavily throttling anonymous requests](https://nvd.nist.gov/general/news/API-Key-Announcement).\n\u003e So, request one and use it.\n\nIt is easy to [request an API key](https://github.com/dependency-check/DependencyCheck/tree/main?tab=readme-ov-file#nvd-api-key-highly-recommended).\n\nYou can specify your key via:\n\n1. The `nvd.api.key` Java system property on the command line\n2. Or, the `CLJ_WATSON_NVD_API_KEY` environment variable\n3. Or, an `nvd.api.key` entry in your `clj-watson.properties` file\n\n\u003e [!CAUTION]\n\u003e Keeping your nvd api key secret is your responsibility.\n\u003e This is not a hugely sensitive secret, but you don't want others to use your key.\n\u003e You do not want to check it into any version control system.\n\n### OSS Index Configuration\n\n[DependencyCheck can also consult the OSS Index](https://dependency-check.github.io/DependencyCheck/analyzers/oss-index-analyzer.html).\n\n\u003e [!NOTE]\n\u003e When the OSS Index started requiring authentication, DependencyCheck switched to automatically disabling its usage when credentials are not configured.\n\u003e You can re-enable it, if you so wish, by specifying your Sonatype Guide API token.\n\nAs of April 2026, Sonatype OSS Index [migrated to Sonatype Guide](https://help.sonatype.com/en/oss-index-migration-steps.html),\nwhich means you need to:\n1. login to your Sonatype Guide account (or create a new one) at [https://guide.sonatype.com/](https://guide.sonatype.com/)\n2. create a new API token (which will start with `sonatype_pat_`)\n3. update your credentials so the password is that new token, instead of your old OSS Index password\n\nTo enable the OSS Index, you'll need your [Sonatype Guide API token](https://guide.sonatype.com/user/register):\n1. specify the `analyzer.ossindex.password` Java system property on the command line\n2. Or, specify the `CLJ_WATSON_ANALYZER_OSSINDEX_PASSWORD` environment variable\n3. Or, add the `analayzer.ossindex.password` entry in your `clj-watson.properties` file\n\n\u003e [!CAUTION]\n\u003e Keeping your Sonatype Guide API token secret is your responsibility.\n\u003e You do not want to check them into any version control system.\n\n\u003e [!TIP]\n\u003e If you want to explicitly disable OSS Index analysis and quiet the warning from DependencyCheck about missing credentials, specify:\n\u003e 1. `analyzer.ossindex.enabled=false` as a Java system property on the command line\n\u003e 2. or `CLJ_WATSON_ANALYZER_OSSINDEX_ENABLED=false` environment variable\n\u003e 3. or `analyzer.ossindex.enabled=false` in your `clj-watson.properties` file\n\n### Specifying DependencyCheck Options\nIn all examples below, replace `\u003cyour ...\u003e` with your actual values.\n\nYou can mix and match, precedence, from highest to lowest, is:\n\n1. **Java System Properties** as specified on command line.\n\n   Example: `-J-Dnvd.api.key=\u003cyour nvd nist api key here\u003e`\n2. **Environment Variables**\nEnvironment variables are often the most straightforward and most secure way to provide sensitive information like API keys and credentials in CI systems.\n\n   Example: `CLJ_WATSON_NVD_API_KEY=\u003cyour nvd nist api key here\u003e`\n\n   `clj-watson` converts environment variables starting with `CLJ_WATSON_` to DependencyCheck system properties. For example `CLJ_WATSON_NVD_API_KEY` converts to the `nvd.api.key` system property.\nSpecify two underscores for system properties with an underscore, for example `data.file_name` is expressed as `CLJ_WATSON_DATA_FILE__NAME`.\n3. **Properties File**  as specified in the `clj-watson.properties` file.\n\n   Example: `oss.index.enabled=false`\n\n   `clj-watson` first loads its default internal `dependency-check.properties` and applies overrides from your `clj-watson.properties` file. The `clj-watson.properties` file is specified explicitly via `--clj-watson-properties` on the [command line](#cli-options), or discovered automatically on your classpath.\n\n#### Using Java System Property on the Command Line\n\nExample -M usage:\n```shell\nclojure -J-Dnvd.api.key=\u003cyour nvd nist api key here\u003e \\\n  -M:clj-watson scan -p deps.edn\n```\n\nOr via a classpath:\n```shell\nclojure -J-Dnvd.api.key=\u003cyour nvd nist api key here\u003e \\\n  -M:clj-watson scan --classpath $(lein classpath)\n```\n\n\n\u003cdetails\u003e\n  \u003csummary\u003eWith OSS Index enabled:\u003c/summary\u003e\n\n```shell\nclojure -J-Dnvd.api.key=\u003cyour nvd nist api key here\u003e \\\n        -J-Danalyzer.ossindex.password=\u003cyour sonatype guide api token here\u003e \\\n  -M:clj-watson scan -p deps.edn\n```\n\u003c/details\u003e\n\nExample -T tool usage:\n```shell\nclojure -J-Dnvd.api.key=\u003cyour nvd nist api key here\u003e \\\n  -Tclj-watson scan :p deps.edn\n```\n\n\u003cdetails\u003e\n  \u003csummary\u003eWith OSS Index enabled:\u003c/summary\u003e\n\n```shell\nclojure -J-Dnvd.api.key=\u003cyour nvd nist api key here\u003e \\\n        -J-Danalyzer.ossindex.password=\u003cyour sonatype guide api token here\u003e \\\n  -Tclj-watson scan :p deps.edn\n```\n\u003c/details\u003e\n\n\u003e [!CAUTION]\n\u003e You can specify system properties under `:jvm-opts` in your `deps.edn` under your `:clj-watson` alias, but be careful not to commit secrets to version control.\n\n#### Using Environment Variables\n\nExample -M usage:\n```shell\nCLJ_WATSON_NVD_API_KEY=\u003cyour nvd nist api key here\u003e \\\n  clojure -M:clj-watson scan -p deps.edn\n```\n\n\u003cdetails\u003e\n  \u003csummary\u003eWith OSS Index enabled:\u003c/summary\u003e\n\n```shell\nCLJ_WATSON_NVD_API_KEY=\u003cyour nvd nist api key here\u003e \\\n  CLJ_WATSON_ANALYZER_OSSINDEX_PASSWORD=\u003cyour sonatype guide api token here\u003e \\\n  clojure -M:clj-watson scan -p deps.edn\n```\n\u003c/details\u003e\n\nExample -T tool usage:\n```shell\nCLJ_WATSON_NVD_API_KEY=\u003cyour nvd nist api key here\u003e \\\n  clojure -Tclj-watson scan :p deps.edn\n```\n\n\u003cdetails\u003e\n  \u003csummary\u003eWith OSS Index enabled:\u003c/summary\u003e\n\n```shell\nCLJ_WATSON_NVD_API_KEY=\u003cyour nvd nist api key here\u003e \\\n  CLJ_WATSON_ANALYZER_OSSINDEX_PASSWORD=\u003cyour sonatype guide api token here\u003e \\\n  clojure -Tclj-watson scan :p deps.edn\n```\n\u003c/details\u003e\n\n\u003e [!NOTE]\n\u003e In Bash, you can also export your environment variables prior to running your command, for example:\n\u003e ```shell\n\u003e export CLJ_WATSON_NVD_API_KEY=\u003cyour nvd nist api key here\u003e\n\u003e export CLJ_WATSON_ANALYZER_OSSINDEX_PASSWORD=\u003cyour sonatype guide api token here\u003e\n\u003e clojure -M:clj-watson scan -p deps.edn\n\u003e ```\n\n#### Using the `clj-watson.properties` File\n\nSpecify your options in your `clj-watson.properties` file:\n\n```\n# clj-watson.properties file\nnvd.api.key=\u003cyour nvd nist api key here\u003e\n```\n\nOr, with OSS Index enabled:\n```\n# clj-watson.properties file\nnvd.api.key=\u003cyour nvd nist api key here\u003e\nanalyzer.ossindex.password=\u003cyour sonatype guide api token here\u003e\n```\n\n`clj-watson` will pick up the `clj-watson.properties` file automatically if it is on the classpath, or you can specify it on the command line via the `-w` / `--clj-watson-properties` option:\n\nExample -M usage:\n\n```shell\nclojure -M:clj-watson scan -p deps.edn --clj-watson-properties ./clj-watson.properties\n```\n\nExample -T usage:\n\n```shell\nclojure -Tclj-watson scan :p deps.edn :clj-watson-properties ./clj-watson.properties\n```\n\n\u003e [!CAUTION]\n\u003e Be careful not to commit any secrets to version control.\n\n## GitHub Advisory Database [experimental]\n\nThis approach doesn't need to download a database since it uses the\n[GitHub Advisory Database](https://github.com/advisories) via its\n[GraphQL API](https://docs.github.com/en/graphql/reference/objects#securityvulnerability),\nand matches are made via package names.\n\nIn order to use this approach, it is necessary to generate a\n[GitHub Personal Access Token (PAT)](https://docs.github.com/en/graphql/guides/forming-calls-with-graphql#authenticating-with-graphql)\nto access the GraphQL API, or if you use GitHub Actions it is possible to use\ntheir GitHub token.\n\nAn important thing to be aware of is that the API has a limit of 5,000\nrequests per hour/per PAT.\n\nIf you create a PAT or use the GitHub Action token, you can set it as an\nenvironment variable named `GITHUB_TOKEN` and `clj-watson` will be able to use it.\n\n#### Allow Listing Known CVE's\n\nSometimes, the transitive dependency tree is not under your control and it is\nnot always possible to override vulnerable dependencies.\nYou can allow a CVE for a limited period by adding a `clj-watson-config.edn`\nconfiguration file to your classpath with the following structure:\n\n```clojure\n{:allow-list {:cves [{:cve-label \"CVE-0000\"\n                      :expires \"2000-01-01\"}\n                     {:cve-label \"CVE-00000\"\n                      :expires \"2000-01-01\"}]}}\n```\n\n\u003e Note: this is for the GitHub Advisory Database strategy only.\n\n## Remediation suggestions\n\n**The big difference between `clj-watson` and other tools!**\n\nSince fixing the vulnerabilities found manually can be a truly frustrating\nprocess, `clj-watson` provides a way to suggest a remediation.\n\nIt performs lookups for the whole dependency tree, checking if the latest\nversion of a parent dependency uses the secure version of the child dependency\nuntil it reaches the direct dependency.\n\nGiven the following dependency tree,\n\n```clojure\n[dependency-a \"v1\"]\n  [dependency-b \"v1\"]\n    [dependency-c \"v1\"]\n```\n\nwhere `dependency-c` is vulnerable and fixing it would require a bump from `v1`\nto `v2`, `clj-watson` will try to find a version of `dependency-a` that uses\na version of `dependency-b` that uses `dependency-c` at version `v2`, and then\n`clj-watson` will propose updating `dependency-a`.\n\n```clojure\n{dependency-a {:mvn/version \"v4\"}}\n```\n\nIf `clj-watson` does not find a version of `dependency-b` or `dependency-a` that\nsatisfies this condition, it will propose an exclusion instead:\n\n```clojure\n{dependency-a {:exclusions [dependency-b]}\n dependency-b {:mvn/version \"v3\"}}\n```\n\nIn order to get the automated remediation suggestions, specify\nthe `--suggest-fix` or `-s` option when running `clj-watson`.\n\n## Installation Notes\n\n\u003e [!IMPORTANT]\n\u003e You'll need to [setup your NVD API key](#nist-nvd-api).\n\nSee [Quick Start](#quick-start) for an overview.\n\n### Tools Usage\n\n`clj-watson` can be installed as a Clojure CLI tool, as shown under [Quick Start](#quick-start).  While\nthis is the easiest way to install the latest version and keep it up-to-date\n(using `clojure -Ttools install-latest`), it also means using the key/value\nEDN-style options for the CLI tool, which can, at first, seem a bit unwieldy.\nExample equivalent usages:\n\n```bash\nclojure -Tclj-watson scan '{:fail-on-result true :deps-edn-path \"deps.edn\" :suggest-fix true :aliases [\"*\"]}'\n# or:\nclojure -Tclj-watson scan :fail-on-result true :deps-edn-path deps.edn :suggest-fix true :aliases '[*]'\n```\n\nIf you aren't familiar with -T tools, you might be surprised that exceptions are thrown for what seem like non-exceptional things.\nFor example a typo on the command line will show what you'd expect (explanation of error and usage help) but also show output that looks like this:\n\n```\nExecution error (ExceptionInfo) at clj-watson.entrypoint/scan$fn (entrypoint.clj:75).\nusage error\n\nFull report at:\n/tmp/clojure-16796860161725335561.edn\n```\n\nThis is the nature of -T tools, which are designed to be potentially chained, and therefore throw instead of exiting, and therefore exhibit this behaviour.\n\n### Invoking with -Sdeps\n\nAn alternative invocation is via `-Sdeps`:\n\n```bash\nclojure -Sdeps '{:deps {io.github.clj-holmes/clj-watson {:git/tag \"v6.1.0\" :git/sha \"be98e4d\"}}}' \\\n  -M -m clj-watson.cli scan -p deps.edn\n```\n\n## CLI Options\n\nYou can get a full list of the available options by running:\n\n```bash\nclojure -M:clj-watson scan --help\n```\n\nThis produces:\n\n```\nclj-watson\n\nARG USAGE:\n scan [options..]\n\nOPTIONS:\n  -p, --deps-edn-path \u003cfile\u003e                                 Path of deps.edn file to scan.\n                                                             This option is mutually exclusive with --classpath\n      --classpath \u003cclasspath\u003e                                The classpath to scan.\n                                                             This option is mutually exclusive with --deps-edn-path\n  -o, --output \u003cjson|edn|stdout|stdout-simple|sarif\u003e         Output type for vulnerability findings [stdout]\n  -a, --aliases                                              Include deps.edn aliases in analysis, specify '*' for all.\n                                                             For multiple, repeat arg, ex: -a alias1 -a alias2\n                                                             This option is not compatible with --classpath\n  -t, --database-strategy \u003cdependency-check|github-advisory\u003e Vulnerability database strategy [dependency-check]\n  -s, --suggest-fix                                          Include dependency remediation suggestions in vulnerability findings. [false]\n                                                             This option is not compatible with --classpath\n  -f, --fail-on-result                                       When enabled, exit with non-zero on any vulnerability findings\n                                                             Useful for CI/CD [false]\n  -c, --cvss-fail-threshold \u003cscore\u003e                          Exit with non-zero when any vulnerability's CVSS base score is \u003e= threshold\n                                                             CVSS scores range from 0.0 (least severe) to 10.0 (most severe)\n                                                             We interpret a score of 0.0 as suspicious\n                                                             Missing or suspicious CVSS base scores are conservatively derived\n                                                             Useful for CI/CD\n  -h, --help                                                 Show usage help\n\nOPTIONS valid when database-strategy is dependency-check:\n  -w, --clj-watson-properties \u003cfile\u003e                         Path of an additional, optional properties file\n                                                             Overrides values in dependency-check.properties\n                                                             If not specified classpath is searched for clj-watson.properties\n      --run-without-nvd-api-key                              Run without an nvd.api.key configured.\n                                                             It will be slow and we cannot recommend it.\n                                                             See docs for configuration. [false]\n```\n\n\u003e [!TIP]\n\u003e If you are running `clj-watson` as a tool run:\n\u003e ```bash\n\u003e clojure -Tclj-watson scan :help true\n\u003e ```\n\n## Execution\n\nThe minimum needed to run `clj-watson` is to provide the path to a `deps.edn`\nfile, but it is recommended that you also provide the `-s` option so\n`clj-watson` will try to suggest remediations for any vulnerabilities found.\n\n\u003e [!IMPORTANT]\n\u003e You must first [setup your NVD API key](#nist-nvd-api).\n\n```bash\nclojure -M:clj-watson scan -p deps.edn -s\n```\n```\n...\n\nDependency Information\n-----------------------------------------------------\nNAME: dependency-e\nVERSION: 1\n\nDEPENDENCY FOUND IN:\n\n[dependency-a]\n        [dependency-b]\n\n[dependency-a]\n        [dependency-c]\n                [dependency-d]\n\nFIX SUGGESTION: {dependency-a {:mvn/version \"3\"}}\n\nVulnerabilities\n-----------------------------------------------------\n\nSEVERITY: Information not available.\nIDENTIFIERS: CVE-2022-1000000\nCVSS: 7.5 (version 3.1)\nPATCHED VERSION: 1.55\n\nSEVERITY: Information not available.\nIDENTIFIERS: CVE-2022-2000000\nCVSS: 5.3\nPATCHED VERSION: 1.55\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n```\n\n## CVSS Scores \u0026 Severities\n\nA Common Vulnerability Scoring System (CVSS) score is a number from `0.0` to `10.0` that conveys the severity of a vulnerability.\nThere are multiple different scores available, but `clj-watson` will always only report and use the base score.\n\nOver the years, CVSS has been revised a number of times.\nAs of this writing, you can expect to see versions `2.0`, `3.0`, `3.1`, and `4.0`.\nSometimes, a single vulnerability will specify scores from multiple CVSS versions.\nTo err on the side of caution, `clj-watson` will always use and report the highest base score.\n\nIf you are curious about other scores, you can always bring up the CVE on the NVD NIST website, for an arbitrary example: https://nvd.nist.gov/vuln/detail/CVE-2022-21724.\n\nA severity is `low`, `medium`, `high`, or `critical`, and is based on the CVSS score.\nSee the [NVD NIST website description for details](https://nvd.nist.gov/vuln-metrics/cvss).\n\n\u003e [!TIP]\n\u003e The experimental `github-advisory` strategy has some differences:\n\u003e - In addition to `medium` can return a severity of `moderate` which is equivalent to `medium`.\n`clj-watson` will always convert `moderate` to `medium` for `github-advisory`.\n\u003e - It only populates scores from a single CVSS version.\n\u003e - It does not always populate the CVSS score, or populates it with `0.0`.\n\n## Failing on Findings\n\nBy default, `clj-watson` exits with `0`.\n\nYou can opt to have `clj-watson` exit with a non-zero value when it detects vulnerabilities, which can be useful when running from a continuous integration (CI) server or service.\n\nSpecify `--fail-on-result` (or `-f`) to exit with non-zero when any vulnerabilities are detected.\n\nExample usages:\n\n```\nclojure -M:clj-watson scan --deps-edn-path deps.edn --fail-on-result\nclojure -Tclj-watson scan :deps-edn-path deps.edn :fail-on-result true\n```\n\nFor finer control use `--cvss-fail-threshold` (or `-c`) to specify a CVSS score at which to fail.\nWhen any detected vulnerability has a score equal to or above the threshold, `clj-watson` will summarize vulnerabilities that have met the threshold and exit with non-zero.\n\nExample usages:\n```\nclojure -M:clj-watson scan --deps-edn-path deps.edn --cvss-fail-threshold 5.8\nclojure -Tclj-watson scan :deps-edn-path deps.edn :cvss-fail-threshold 5.8\n```\n\nExample summary:\n\n```\nCVSS fail score threshold of 5.8 met for:\n\n  Dependency                                     Version Identifiers      CVSS Score\n  org.apache.httpcomponents/httpclient           4.1.2   CVE-2014-3577    5.8 (version 2.0)\n  com.fasterxml.jackson.core/jackson-annotations 2.4.0   CVE-2018-1000873 6.5 (version 3.1)\n  com.fasterxml.jackson.core/jackson-core        2.4.2   CVE-2018-1000873 6.5 (version 3.1)\n  org.jsoup/jsoup                                1.6.1   CVE-2021-37714   7.5 (version 3.1)\n  com.fasterxml.jackson.core/jackson-databind    2.4.2   CVE-2020-9548    9.8 (version 3.1)\n  org.clojure/clojure                            1.8.0   CVE-2017-20189   9.8 (version 3.1)\n  org.codehaus.plexus/plexus-utils               3.0     CVE-2017-1000487 9.8 (version 3.1)\n```\n\nWhen the score is missing or suspicious-looking, `clj-watson` will conservatively derive a score and indicate how it has done so (see `httpclient` below):\n\n```\nCVSS fail score threshold of 5.8 met for:\n\n  Dependency                                  Version Identifiers                          CVSS Score\n  org.jsoup/jsoup                             1.6.1   GHSA-m72m-mhq2-9p6c CVE-2021-37714   7.5 (version 3.1)\n  com.fasterxml.jackson.core/jackson-databind 2.4.2   GHSA-qxxx-2pp7-5hmx CVE-2017-7525    9.8 (version 3.1)\n  com.mchange/c3p0                            0.9.5.2 GHSA-q485-j897-qc27 CVE-2018-20433   9.8 (version 3.0)\n  org.clojure/clojure                         1.8.0   GHSA-jgxc-8mwq-9xqw CVE-2017-20189   9.8 (version 3.1)\n  org.codehaus.plexus/plexus-utils            3.0     GHSA-8vhq-qq4p-grq3 CVE-2017-1000487 9.8 (version 3.1)\n  org.apache.httpcomponents/httpclient        4.1.2   GHSA-2x83-r56g-cv47 CVE-2012-6153    10.0 (score 0.0 suspicious - derived from High severity)\n```\n\n## Output \u0026 Logging\n\n`clj-watson` uses [SLFJ4](https://www.slf4j.org/) and [Logback](https://logback.qos.ch) to collect and filter meaningful log output from its dependencies.\nThis output goes to `stderr`.\n\nIt writes settings and vulnerability findings to `stdout`.\n\n## Who uses it\n\n- [180 Seguros](https://180s.com.br)\n- [org.clojure/tools.deps](https://github.com/clojure/tools.deps)\n- [World Singles Networks](https://worldsinglesnetworks.com/)\n- [clj-yaml](https://github.com/clj-commons/clj-yaml)\n- [pomegranate](https://github.com/clj-commons/pomegranate)\n\nAre you using clj-watson? Let us know and we'll add your project here!\n\n## Development\n\n### nREPL\n\n```bash\nclojure -M:nREPL -m nrepl.cmdline\n```\n\n### Test\n\n```bash\nclojure -M:test\n```\n\n### Lint\n\nWe use [clojure-lsp from the command line](https://clojure-lsp.io/api/cli/) to lint:\n```bash\nclojure -M:clojure-lsp format\nclojure -M:clojure-lsp clean-ns\nclojure -M:clojure-lsp diagnostics\n```\n\n### Security\n\nWe use [clj-holmes](https://github.com/clj-holmes/clj-holmes) to check for potentially vulnerable patterns in clj-watson source code:\n```bash\nclj-holmes scan -p .\n```\n\n## License and Copyright\n\nCopyright © 2021-2024 Matheus Bernardes\n\nDistributed under the Eclipse Public License version 2.0.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fclj-holmes%2Fclj-watson","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fclj-holmes%2Fclj-watson","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fclj-holmes%2Fclj-watson/lists"}