Merge pull request #10 from solita/add-nvd-check

Add NVD check
solita · Jun 11, 2024 · cd5cd2f · cd5cd2f
2 parents e6963e9 + 4443112
commit cd5cd2f
Show file tree

Hide file tree

Showing 7 changed files with 89 additions and 4 deletions.
diff --git a/.github/workflows/nvd.yml b/.github/workflows/nvd.yml
@@ -0,0 +1,51 @@
+name: nvd-clojure
+
+on:
+  # Run every Monday at 2:00.
+  # The repository might not have much activity for long periods of time, so good to run the nvd on schedule as well
+  # Run on pull requests and on master as well to encourage fixing vulnerabilities before merging
+  schedule:
+    - cron: '0 2 * * 1'
+  pull_request:
+  push:
+    branches:
+      - master
+
+jobs:
+  nvd:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: '17'
+      - name: Install clojure tools
+        uses: DeLaGuardo/[email protected]
+        with:
+          lein: 2.9.1
+      - name: Restore Maven cache # Caching NVD database can speed up the build a lot
+        uses: actions/cache/restore@v4
+        with:
+          path: ~/.m2/repository
+          key: ${{ runner.os }}-maven-${{ hashFiles('**/project.clj') }}
+          restore-keys: |
+            ${{ runner.os }}-maven-
+      - name: Run nvd
+        working-directory: nvd
+        env:
+          NVD_API_TOKEN: ${{ secrets.NVD_API_TOKEN }}
+        run: lein with-profile -user run -m nvd.task.check "nvd-clojure.edn" "$(cd .. && lein with-profile -user,-dev classpath)"
+      - name: Save Maven cache # cache@v4 has save-always, but it's broken. Save manually until it's fixed
+        if: always()
+        uses: actions/cache/save@v4
+        with:
+          path: ~/.m2/repository
+          key: ${{ runner.os }}-maven-${{ hashFiles('**/project.clj') }}
+      - name: Publish Test Report
+        uses: mikepenz/action-junit-report@v4
+        if: success() || failure()
+        with:
+          report_paths: 'nvd/target/nvd/dependency-check-junit.xml'
+          check_name: 'Vulnerability report'
diff --git a/.gitignore b/.gitignore
@@ -11,3 +11,5 @@ node_modules
 .clj-kondo
 .lsp
 .shadow-cljs
+.idea
+puumerkki.iml
diff --git a/README.md b/README.md
@@ -1,4 +1,5 @@
 # Puumerkki
+![NVD status](https://github.com/solita/puumerkki/actions/workflows/nvd.yml/badge.svg)
 
 A library for communicating with DVV certificate card reader software
 

diff --git a/nvd/nvd-clojure.edn b/nvd/nvd-clojure.edn
@@ -0,0 +1,20 @@
+;; This is an automatically generated config file by nvd-clojure.
+
+;; It is only generated if you specify either the blank string "" or "nvd-clojure.edn"
+;; as the config filename in your CLI invocation,
+;; and nvd-clojure.edn didn't exist already.
+
+;; Feel free to tweak it, version-control it and remove any comment.
+
+;; Configuration reference: https://github.com/rm-hull/nvd-clojure/tree/v4.0.0#configuration-options
+
+{;; You can use the `:suppression-file` in order to silence false positives.
+ ;; This file will be automatically created, with whatever filename is specified here, if it didn't exist already.
+ :suppression-file "nvd_suppressions.xml"
+
+ #_:analyzer ;; Analyzer options, which are mostly advanced/internal
+ #_{:ossindex-warn-only-on-remote-errors
+    ;; Occasionally necessary for not making HTTP 500 errors from OSS Index (one of the multiple analyzers internally used)
+    ;; a reason for execution to fail.
+    ;; Please only enable this carefully since it can mean false negatives.
+    true}}
diff --git a/nvd/nvd_suppressions.xml b/nvd/nvd_suppressions.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+  <!-- This is an automatically generated config file by nvd-clojure. -->
+  <!-- Feel free to tweak it, version-control it and remove any comment. -->
+  <!-- You can find suppression examples in https://jeremylong.github.io/DependencyCheck/general/suppression.html -->
+</suppressions>
diff --git a/nvd/project.clj b/nvd/project.clj
@@ -0,0 +1,5 @@
+(defproject nvd-helper "local"
+            :description "nvd-clojure helper project"
+            :dependencies [[nvd-clojure "4.0.0"]
+                           [org.clojure/clojure "1.11.1"]]
+            :jvm-opts ["-Dclojure.main.report=stderr"])
diff --git a/project.clj b/project.clj
@@ -4,10 +4,10 @@
   :dependencies [[org.clojure/clojure "1.11.3"]
                  [pandect "0.6.1"] ;; SHA
                  ;[org.apache.pdfbox/pdfbox "1.8.16"] ;; no longer supported due to api changes required for 2.x
-                 [org.apache.pdfbox/pdfbox "2.0.19"]
-                 [org.bouncycastle/bcprov-jdk15on "1.65"]
-                 [org.bouncycastle/bcmail-jdk15on "1.65"]
-                 [commons-io "2.5"]
+                 [org.apache.pdfbox/pdfbox "2.0.31"]
+                 [org.bouncycastle/bcprov-jdk18on "1.78.1"]
+                 [org.bouncycastle/bcmail-jdk18on "1.78.1"]
+                 [commons-io "2.16.1"]
                  [commons-codec "1.8"]]
 
   :source-paths ["src/clj" "src/cljc"]