{"id":15540265,"url":"https://github.com/rm-hull/nvd-clojure","last_synced_at":"2025-12-12T01:28:54.732Z","repository":{"id":37103993,"uuid":"64433039","full_name":"rm-hull/nvd-clojure","owner":"rm-hull","description":"National Vulnerability Database dependency checker for Clojure projects","archived":false,"fork":false,"pushed_at":"2025-03-27T07:39:21.000Z","size":480270,"stargazers_count":281,"open_issues_count":7,"forks_count":40,"subscribers_count":8,"default_branch":"main","last_synced_at":"2025-04-05T19:06:49.256Z","etag":null,"topics":["clojure","cve-scanning","lein-plugin","vulnerability-detection"],"latest_commit_sha":null,"homepage":"","language":"Clojure","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rm-hull.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-07-28T22:47:18.000Z","updated_at":"2025-03-26T16:26:50.000Z","dependencies_parsed_at":"2023-02-18T08:30:57.314Z","dependency_job_id":"75d150fd-2053-424c-ac97-b456538a3916","html_url":"https://github.com/rm-hull/nvd-clojure","commit_stats":{"total_commits":344,"total_committers":21,"mean_commits":16.38095238095238,"dds":"0.38372093023255816","last_synced_commit":"31deafb48575f9dda60bbc8a028d88578fc81050"},"previous_names":["rm-hull/lein-nvd"],"tags_count":60,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rm-hull%2Fnvd-clojure","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rm-hull%2Fnvd-clojure/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/G
itHub/repositories/rm-hull%2Fnvd-clojure/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rm-hull%2Fnvd-clojure/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rm-hull","download_url":"https://codeload.github.com/rm-hull/nvd-clojure/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248631658,"owners_count":21136554,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["clojure","cve-scanning","lein-plugin","vulnerability-detection"],"created_at":"2024-10-02T12:13:23.728Z","updated_at":"2025-12-12T01:28:54.699Z","avatar_url":"https://github.com/rm-hull.png","language":"Clojure","funding_links":[],"categories":["Clojure"],"sub_categories":[],"readme":"# nvd-clojure\n\n\u003e _Formerly known as_ `lein-nvd`\n\n[![Downloads](https://versions.deps.co/rm-hull/nvd-clojure/downloads.svg)](https://versions.deps.co/rm-hull/nvd-clojure)\n[![Clojars Project](https://img.shields.io/clojars/v/nvd-clojure.svg)](https://clojars.org/nvd-clojure)\n\n[National Vulnerability Database](https://nvd.nist.gov/) dependency checker tool.\n\nFor a given project, all the .jar files from its classpath\nwill be checked for known security vulnerabilities. `nvd-clojure` passes them to a library called [DependencyCheck](https://github.com/jeremylong/DependencyCheck) which does the vulnerability analysis. Quoting the README from that library:\n\n\u003e DependencyCheck is a utility that attempts to detect publicly disclosed\n\u003e vulnerabilities contained within project dependencies. 
It does this by\n\u003e determining if there is a Common Platform Enumeration (CPE) identifier for\n\u003e a given dependency. If found, it will generate a report linking to the\n\u003e associated CVE entries.\n\n### Installation and basic usage\n\n\u003e _Please see also:_ [Avoiding classpath interference](https://github.com/rm-hull/nvd-clojure/blob/v5.0.0/FAQ.md#what-is-classpath-interference)\n\n#### Leiningen\n\n\u003cdetails\u003e\n\nPlease create a separate project consisting of `[nvd-clojure/nvd-clojure \"5.0.0\"]`. Said project can be located inside the targeted repo's Git repository.\n\n```clj\n(defproject nvd-helper \"local\"\n  :description \"nvd-clojure helper project\"\n  :dependencies [[nvd-clojure \"5.0.0\"]\n                 [org.clojure/clojure \"1.12.0\"]]\n  :jvm-opts [\"-Dclojure.main.report=stderr\"])\n```\n\nPlease do not add nvd-clojure as a dependency or plugin in the project.clj of the project to be analysed.\n\nThen you can run, within this helper project:\n\n```\nlein with-profile -user run -m nvd.task.check \"nvd-clojure.edn\" \"$(cd \u003cYOUR_PROJECT\u003e; lein with-profile -user,-dev classpath)\"\n```\n\nThe first argument denotes a .edn file with extra options ([example](https://github.com/rm-hull/nvd-clojure/blob/main/.github/nvd-config.edn), [doc](#configuration-options)). You can pass an empty string `\"\"` to mean \"please use the default filename\" (which is `nvd-clojure.edn`). If this file didn't exist, it will be automatically created for you, with some useful contents and comments.\n\nThe `classpath` Leiningen command should reflect a production-like classpath as closely as possible: it should not include dev/test tooling, plugins, etc.\n\nIf you are using a multi-modules solution (e.g. 
`lein-monolith`), you should ensure that each module is included in this classpath; else they will not be analysed.\n\n\u003c/details\u003e\n\n#### Clojure CLI\n\n\u003cdetails\u003e\n\nPlease create a separate project consisting exclusively of `nvd-clojure/nvd-clojure {:mvn/version \"5.0.0\"}`. Said project can be located inside the targeted repo's Git repository.\n\nPlease do not add nvd-clojure as a dependency in the deps.edn of the project to be analysed.\n\n\u003e You can accomplish something similar with user-level aliases, or with the `:replace-deps` option, at your own risk.\n\nThen you can run, within this helper project:\n\n```\nclojure -J-Dclojure.main.report=stderr -M -m nvd.task.check \"nvd-clojure.edn\" \"$(cd \u003cYOUR_PROJECT\u003e; clojure -Spath -A:any:aliases)\"\n```\n\nThe first argument denotes a .edn file with extra options ([example](https://github.com/rm-hull/nvd-clojure/blob/main/.github/nvd-config.edn), [doc](#configuration-options)). You can pass an empty string `\"\"` to mean \"please use the default filename\" (which is `nvd-clojure.edn`). If this file didn't exist, it will be automatically created for you, with some useful contents and comments.\n\nThe `-Spath` command should reflect a production-like classpath as closely as possible: it should not include dev/test tooling, etc.\n\nIf you are using a multi-modules solution (e.g. 
[Polylith](https://github.com/polyfy/polylith)), you should ensure that each module is included in this classpath; else they will not be analysed.\n\n\u003c/details\u003e\n\n#### Clojure CLI Tool\n\n\u003cdetails\u003e\n\nIf you have CLI version 1.10.3.933 or later, you can also install `nvd-clojure` as a \"tool\":\n\n```bash\nclojure -Ttools install nvd-clojure/nvd-clojure '{:mvn/version \"RELEASE\"}' :as nvd\n```\n\nThen you can run:\n\n```bash\nclojure -J-Dclojure.main.report=stderr -Tnvd nvd.task/check :classpath \\\"\"$(clojure -Spath -A:any:aliases)\\\"\" :config-filename \\\"\"nvd-config.edn\\\"\"\n```\n\nThe `:config-filename` argument denotes an .edn file with extra options ([example](https://github.com/rm-hull/nvd-clojure/blob/main/.github/nvd-config.edn), [doc](#configuration-options)).\nIf this file didn't exist, it will be automatically created for you, with some useful contents and comments.\n\nThe `-Spath` command should reflect a production-like classpath as closely as possible: it should not include dev/test tooling, etc.\n\nIf you are using a multi-modules solution (e.g. [Polylith](https://github.com/polyfy/polylith)), you should ensure that each module is included in this classpath; else they will not be analysed.\n\n\u003c/details\u003e\n\n## Usage overview\n\nRun the program as indicated in the previous section. The first time it runs, it will download (and\ncache) various databases from https://nvd.nist.gov. Subsequent runs will\nperiodically check and update the local database, but the initial run could\ntherefore be quite slow - of the order of ten minutes or more, so give it time.\n\nOn completion, a summary table is output to the console, and a suite of reports\nwill be produced in the project's `./target/nvd/` directory. If vulnerabilities\nare detected, then the check process will exit abnormally, thereby\ncausing any CI build environment to error. 
(This behaviour can be overridden by\nsetting a `:fail-threshold` in the project [configuration](#configuration-options)).\n\n### Example\n\nThere is an [example project](https://github.com/rm-hull/nvd-clojure/blob/main/example/project.clj)\nwhich has dependencies with known vulnerabilities\n([CVE-2016-3720](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3720),\n[CVE-2015-5262](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262),\n[CVE-2014-3577](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3577)).\n\nThis can be demonstrated by running the following:\n\n```bash\nclojure -J-Dclojure.main.report=stderr -Tnvd nvd.task/check :classpath \\\"\"$(cd example; lein with-profile -user classpath)\\\"\"\n```\n\nThis will download the NVD database, and then cross-check the classpath\ndependencies against known vulnerabilities. The following summary report will\nbe displayed on the console:\n\n![summary-report](https://raw.githubusercontent.com/rm-hull/nvd-clojure/main/example/img/summary-report.png)\n\nNote that as there were some vulnerabilities detected, the process was aborted,\nwith error code `-1`, hence the reported `subprocess failed` message.\n\nMore detailed reports (both HTML \u0026 XML) are written into the\n`./example/target/nvd/` directory as follows:\n\n---\n![detail-report](https://raw.githubusercontent.com/rm-hull/nvd-clojure/main/example/img/detail-report.png)\n\n## Upgrading dependencies\n\nYou may use the built-in dependency tree reporters to find out what the\ndependency relationships are:\n\n    $ lein deps :tree # for Leiningen\n    $ clojure -Stree # for deps.edn\n\n...make sure to use aliases/profiles in such a way that reflects the production classpath.\n\n[antq](https://github.com/liquidz/antq) will traverse your project\ndependencies, and suggest upgraded versions, and can optionally be configured\nto update the project file.\n\n(Note that that is only one of the multiple ways of remediating a given vulnerability, 
please see [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v5.0.0/FAQ.md#how-to-remediate-a-cve-is-it-a-good-idea-to-automate-remediation))\n\n## Configuration\n\nThe default settings for `nvd-clojure` are usually sufficient for most projects, but\ncan be customized with an .edn config file ([example](https://github.com/rm-hull/nvd-clojure/blob/main/.github/nvd-config.edn)).\nThe filename denoting that file is the first argument to be passed to nvd-clojure when invoking it as a `main` (`-m`) program.\n\nWhen invoking it via Clojure Tools, it must be passed as a `:config-filename` option, e.g.\n\n```bash\nclojure -Tnvd nvd.task/check :classpath \\\"\"$(clojure -Spath)\\\"\" :config-filename \\\"\"nvd-config.edn\\\"\"\n```\n\nNote the escaped double quotes around the filename, to ensure that Clojure reads the command line argument as a string, not a symbol.\n\n## Configuration options\n\nThere are many DependencyCheck settings (for example to connect via a proxy, or\nto specify an alternative to the H2 database). 
The exact settings can be seen\nin the [config.clj](https://github.com/rm-hull/nvd-clojure/blob/main/src/nvd/config.clj) source file and cross-referenced to the DependencyCheck\nwiki.\n\nThere are some specific settings below which are worthy of a few comments:\n\n* `:nvd-api` - map of:\n  * :key - **MANDATORY** (unless you set an `NVD_API_TOKEN` environment variable) - must contain an API key that you can obtain in https://nvd.nist.gov/developers/request-an-api-key\n  * other keys: `:endpoint`, `:delay`, `:max-retry-count`, `:valid-for-hours`, `:datafeed` - advanced, please refer to the source code.\n* `:fail-threshold` default value `0`; checks the highest CVSS score across all dependencies, and fails if this threshold is breached.\n  - As CVSS score ranges from `0..10`, the default value will cause a build to fail even for the lowest rated\n  vulnerability.\n  - Set to `11` if you never want the build to fail.\n* `:data-directory` default value is the data dir of `DependencyCheck`, e.g. 
`~/.m2/repository/org/owasp/dependency-check-utils/3.2.1/data/`\n  - It shouldn't normally be necessary to change this\n* `:suppression-file` default unset\n  - Allows for CVEs to be permanently or temporarily suppressed.\n  - See [DependencyCheck documentation](https://jeremylong.github.io/DependencyCheck/general/suppression.html) for the XML file format.\n  - If a nvd-clojure.edn file was automatically generated for you, then this file will also be automatically generated (and enabled) for you.\n* `:verbose-summary` default false\n  - When set to true, the summary table includes a severity determination for all dependencies.\n  - When set to false, the summary table includes only packages that have either low or high severity determination.\n* `:output-dir` default value `target/nvd/`: the directory to save reports into\n* `:throw-if-check-unsuccessful` - makes the program exit by throwing an exception instead of by invoking `System/exit`.\n  - This can ease certain usages.\n\n## Logging\n\nYou can override the default logging behaviour by providing a `simplelogger.properties` file on the nvd-clojure classpath. \nNote that this is not the classpath of your project. 
See `resources/simplelogger.properties` for the default\nconfig.\n\nYou can also set logging properties directly through Java system properties (the `-D` flags), for example:\n\n```\nclojure -J-Dclojure.main.report=stderr -J-Dorg.slf4j.simpleLogger.log.org.apache.commons=error -Tnvd nvd.task/check # ...\n```\n\n## [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v5.0.0/FAQ.md)\n\n## Attribution\n\n`nvd-clojure` uses Jeremy Long's [DependencyCheck](https://github.com/jeremylong/DependencyCheck)\nlibrary to do the heavy lifting.\n\n## References\n\n* https://nvd.nist.gov/\n* https://www.owasp.org/index.php/OWASP_Dependency_Check\n* https://github.com/jeremylong/DependencyCheck\n* https://github.com/liquidz/antq\n\n## License\n\nThe MIT License (MIT)\n\nCopyright (c) 2016-23 Richard Hull\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of\nthis software and associated documentation files (the \"Software\"), to deal in\nthe Software without restriction, including without limitation the rights to\nuse, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of\nthe Software, and to permit persons to whom the Software is furnished to do so,\nsubject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS\nFOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR\nCOPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER\nIN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN\nCONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frm-hull%2Fnvd-clojure","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frm-hull%2Fnvd-clojure","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frm-hull%2Fnvd-clojure/lists"}