6.0.0

@seancorfield seancorfield released this 20 Aug 17:28
cb02879

Major release with some important workflow changes!

This release focuses on making clj-watson more CI-friendly, so a lot of work has gone into how the command-line options work, how the properties that control the underlying DependencyCheck system work, and adding the ability to specify properties as environment variables so, for example, the NIST NVD API key can be provided as a "secret" to your CI system instead of being part of a property file or a command-line argument.

The default properties in clj-watson have been streamlined, and also aligned with the overrides that nvd-clojure applies to the core DependencyCheck settings.

You are strongly encouraged to use a NIST NVD API key! By default, clj-watson will refuse to run if a key is not provided, although you can use a new command-line option to force it to run without a key (not recommended, of course).

The default location of the local database has changed from /tmp/db/ to DependencyCheck's default within your local Maven ~/.m2 cache! This is more CI-friendly (the Maven directory is usually cached in CI already), but this means the first time you run clj-watson 6.0.0, it will download the entire NIST NVD locally which will take a few minutes. After that, it will only download updates, unless you clear out your local Maven cache.

Massive shoutout to Lee Read for the huge amount of work he has contributed to this release -- and he has been an absolute joy to work with as an open-source contributor! Thank you!

Details:

  • Fix: show score and severity in dependency-check findings #58
  • Bump deps #75
  • Improve command line experience #77
  • Deprecate --dependency-check-properties command line option #107
  • Encourage use of NVD API key #67
  • Explicitly close the dependency-check engine when we are done with it #86
  • Respect dependency-check odc.autoupdate property #88
  • Replace deprecated clj-time dep with JDK8 java.time interop #83
  • Allow properties to be specified via environment variables #104 to make it easier to use clj-watson in CI/CD pipelines.
  • Streamline dependency-check.properties file #103 so that it only includes properties which need to be different from the defaults in the core DependencyCheck configuration.
    • This changes the default location of the local database used for analysis from /tmp/db to a directory within your local Maven cache (DependencyCheck's default location), which makes clj-watson more CI-friendly since ~/.m2 is typically cached in CI. The first time you run clj-watson 6.0.0, it will download the entire NIST NVD database!
  • Improve feedback during scan
    • Stop suppressing all logging #68
    • Suppress noisy INFO level logging from Apache Commons JCS #69
    • Suppress specific irrelevant ERROR level logging from Apache Commons JCS #78