Skip to content
/ clj-nvd Public

Scan your deps.edn dependencies for known vulnerabilities

License

Notifications You must be signed in to change notification settings

miikka/clj-nvd

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

clj-nvd

Check your deps.edn dependencies against known security vulnerabilities in National Vulnerability Database. In other words, like lein-nvd but for deps.edn.

clj-nvd uses lein-nvd as a library. To learn how the checking works, check out lein-nvd's README.

Installation

clj-nvd has not been released yet, so you'll have to use a git dependency.

clojure -Sdeps '{:deps {clj-nvd/clj-nvd {:git/url "https://github.com/miikka/clj-nvd.git" :sha "f2ec98699e057a379baf170cb49cf7ad76874a70"}}}' -m clj-nvd.core check

Alternatively, add clj-nvd as a git dependency to your deps.edn:

{:aliases
 {:clj-nvd {:extra-deps {clj-nvd/clj-nvd {:git/url "https://github.com/miikka/clj-nvd.git"
                                          :sha "f2ec98699e057a379baf170cb49cf7ad76874a70"}}
            :main-opts ["-m" "clj-nvd.core"]}}}
clojure -A:clj-nvd check

Usage

clj-nvd supports the same commands as lein-nvd: check, update, and purge. To specify the :extra-deps aliases to check, use -A:

clojure -A:clj-nvd check -A backend:frontend

More detailed reports are created in the directory target/nvd.

Configuration

The configuration is loaded from the file clj-nvd.edn. See configuration options in lein-nvd's documentation.

Attribution

clj-nvd is just small wrapper on lein-nvd by Richard Hull, which in turns relies on DependencyCheck by Jeremy Long. To understand how to use tools.deps.alpha, I looked at the source code of Pack and Depot.

License

Copyright © Metosin Oy and contributors.

Distributed under the Eclipse Public License 2.0.

About

Scan your deps.edn dependencies for known vulnerabilities

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published