https://github.com/clj-holmes/clj-holmes
A CLI SAST (Static application security testing) tool which was built with the intent of finding vulnerable Clojure code via rules that use a simple pattern language.
https://github.com/clj-holmes/clj-holmes
clojure sast security
Last synced: 7 days ago
JSON representation
A CLI SAST (Static application security testing) tool which was built with the intent of finding vulnerable Clojure code via rules that use a simple pattern language.
- Host: GitHub
- URL: https://github.com/clj-holmes/clj-holmes
- Owner: clj-holmes
- License: mit
- Created: 2021-09-25T16:56:14.000Z (almost 5 years ago)
- Default Branch: main
- Last Pushed: 2023-07-11T18:31:59.000Z (almost 3 years ago)
- Last Synced: 2024-05-02T01:54:12.711Z (about 2 years ago)
- Topics: clojure, sast, security
- Language: Clojure
- Homepage:
- Size: 155 KB
- Stars: 102
- Watchers: 2
- Forks: 11
- Open Issues: 9
-
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
- License: LICENSE
Awesome Lists containing this project
- awesome-rainmana - clj-holmes/clj-holmes - A CLI SAST (Static application security testing) tool which was built with the intent of finding vulnerable Clojure code via rules that use a simple pattern language. (Clojure)
README
# clj-holmes
A CLI SAST (Static application security testing) tool which was built with the intent of finding vulnerable Clojure code via rules that use a simple [pattern language](https://github.com/clj-holmes/shape-shifter). Although finding vulnerabilities is its main purpose, `clj-holmes` can also be used to find any kind of code pattern.
# Installation
Download the release for your OS (mac or linux), copy it to a directory in your `$PATH` and add executable permission to the binary.
## Linux example
```
curl -L https://github.com/clj-holmes/clj-holmes/releases/latest/download/clj-holmes-ubuntu-latest -o /tmp/clj-holmes
sudo install -m 755 /tmp/clj-holmes /usr/local/bin/clj-holmes
rm /tmp/clj-holmes
```
# Rules
All public rules can be found [here](https://github.com/clj-holmes/clj-holmes-rules). It is also possible to maintain your own set of rules.
`clj-holmes` currently supports the following rules sources:
## GitHub
The [GitHub](https://github.com/clj-holmes/clj-holmes/blob/main/src/clj_holmes/rules/wagon/github.clj) wagon supports public and private repositories. In order to fetch rules from a private repository the environment `GITHUB_TOKEN` variable needs to be set.
To fetch a rule set `clj-holmes` expects a GitHub repository URL following the specification below:
`git://username/project-name#branch-name`
## Fetching Rules
```
NAME:
clj-holmes fetch-rules - Fetch rules from an external server
USAGE:
clj-holmes fetch-rules [command options] [arguments...]
OPTIONS:
-r, --repository S git://clj-holmes/clj-holmes-rules#main Repository to download rules
-o, --output-directory S /tmp/clj-holmes-rules/ Directory to save rules
-?, --help
```
In order to execute a scan it is necessary to fetch the rules first. This can be achieve with the following command.
`clj-holmes fetch-rules`
It's also possible to provide another source for a rule set by adding the `-r` or `--repository` parameter followed by the GitHub repository URL.
`clj-holmes fetch-rules -r git://clj-holmes/clj-holmes-private-rules#main`
# Scanning a Project
```
NAME:
clj-holmes scan - Performs a scan for a path
USAGE:
clj-holmes scan [command options] [arguments...]
OPTIONS:
-p, --scan-path S* Path to scan
-d, --rules-directory S /tmp/clj-holmes-rules/ Directory to read rules
-o, --output-file S clj_holmes_scan_results.txt Output file
-t, --output-type json|sarif|stdout stdout Output type
-T, --rule-tags S Only use rules with specified tags to perform the scan
-S, --rule-severity S Only use rules with specified severity to perform the scan
-P, --rule-precision S Only use rules with specified precision to perform the scan
-i, --ignored-paths S Regex for paths and files that shouldn't be scanned
-f, --[no-]fail-on-result Enable or disable fail if results were found (useful for CI/CD)
-v, --[no-]verbose Enable or disable scan process feedback.
-?, --help
```
After fetching the rules, it is possible to execute a scan by providing the `-p` or `--scan-path` parameter followed by the path of the Clojure project to be scanned.
`clj-holmes scan -p /tmp/clojure-project`
# Who uses it
- [180˚ Seguros](https://www.180s.com.br/)
- [Nubank](https://nubank.com.br/)
# Build
Steps necessary to build `clj-holmes`.
### Dependencies
- [graalvm](https://www.graalvm.org/java/quickstart/)
- [lein](https://leiningen.org/)
### Install native image
`gu install native-image`
### Download project dependencies
`lein deps`
### Clean target directory
`lein clean`
### Generate clj-holmes uberjar
`lein uberjar`
## Generate clj-holmes native binary
`lein native -H:Name=clj-holmes`