diff --git a/.github/ISSUE_TEMPLATE/bug.yml b/.github/ISSUE_TEMPLATE/bug.yml
index d95eacd..e35f99b 100644
--- a/.github/ISSUE_TEMPLATE/bug.yml
+++ b/.github/ISSUE_TEMPLATE/bug.yml
@@ -48,8 +48,8 @@ body:
 label: Installation compliance
 description:
 options:
- - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v3.5.0#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v3.5.0#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v3.5.0#clojure-cli-tool)).
+ - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v3.6.0#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v3.6.0#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v3.6.0#clojure-cli-tool)).
 required: true
- - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v3.5.0#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck).
+ - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v3.6.0#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck).
 required: false
diff --git a/.github/ISSUE_TEMPLATE/issue.yml b/.github/ISSUE_TEMPLATE/issue.yml
index e108855..b5d4977 100644
--- a/.github/ISSUE_TEMPLATE/issue.yml
+++ b/.github/ISSUE_TEMPLATE/issue.yml
@@ -32,8 +32,8 @@ body:
 label: Installation compliance
 description:
 options:
- - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v3.5.0#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v3.5.0#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v3.5.0#clojure-cli-tool)).
+ - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v3.6.0#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v3.6.0#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v3.6.0#clojure-cli-tool)).
 required: true
- - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v3.5.0#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck).
+ - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v3.6.0#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck).
 required: false
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2b1f2d6..3281aba 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## Changes from 3.5.0 to 3.6.0
+
+* Update `dependency-check-core`.
+
 ## Changes from 3.4.0 to 3.5.0
 * Update `dependency-check-core`.
diff --git a/Makefile b/Makefile
index 47199c8..0096d04 100644
--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,7 @@
 # Example usage:
 # copy a one-off Clojars token to your clipboard
-# GIT_TAG=v3.3.0 CLOJARS_USERNAME=$USER CLOJARS_PASSWORD=$(pbpaste) make deploy
+# GIT_TAG=v3.6.0 CLOJARS_USERNAME=$USER CLOJARS_PASSWORD=$(pbpaste) make deploy
 deploy: check-env
 lein clean
diff --git a/README.md b/README.md
index 142d616..d6871b8 100644
--- a/README.md
+++ b/README.md
@@ -18,18 +18,18 @@ will be checked for known security vulnerabilities. `nvd-clojure` passes them to
 ### Installation and basic usage
-> _Please see also:_ [Avoiding classpath interference](https://github.com/rm-hull/nvd-clojure/blob/v3.5.0/FAQ.md#what-is-classpath-interference)
+> _Please see also:_ [Avoiding classpath interference](https://github.com/rm-hull/nvd-clojure/blob/v3.6.0/FAQ.md#what-is-classpath-interference)
 #### Leiningen
-Please create a separate project consisting of `[nvd-clojure/nvd-clojure "3.5.0"]`. Said project can be located inside the targeted repo's Git repository.
+Please create a separate project consisting of `[nvd-clojure/nvd-clojure "3.6.0"]`. Said project can be located inside the targeted repo's Git repository.
 ```clj
 (defproject nvd-helper "local" :description "nvd-clojure helper project"
- :dependencies [[nvd-clojure "3.5.0"]
+ :dependencies [[nvd-clojure "3.6.0"]
 [org.clojure/clojure "1.11.1"]] :jvm-opts ["-Dclojure.main.report=stderr"])
 ```
@@ -54,7 +54,7 @@ If you are using a multi-modules solution (e.g. `lein-monolith`), you should ens
-Please create a separate project consisting exclusively of `nvd-clojure/nvd-clojure {:mvn/version "3.5.0"}`. Said project can be located inside the targeted repo's Git repository.
+Please create a separate project consisting exclusively of `nvd-clojure/nvd-clojure {:mvn/version "3.6.0"}`. Said project can be located inside the targeted repo's Git repository.
 Please do not add nvd-clojure as a dependency in the deps.edn of the project to be analysed.
@@ -155,7 +155,7 @@ dependency relationships are: dependencies, and suggest upgraded versions, and can optionally be configured to update the project file.
-(Note that that is only one of the multiple ways of remediating a given vulnerability, please see [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v3.5.0/FAQ.md#how-to-remediate-a-cve-is-it-a-good-idea-to-automate-remediation))
+(Note that that is only one of the multiple ways of remediating a given vulnerability, please see [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v3.6.0/FAQ.md#how-to-remediate-a-cve-is-it-a-good-idea-to-automate-remediation))
 ## Configuration
@@ -209,7 +209,7 @@ You can also set logging properties directly through Java system properties (the clojure -J-Dclojure.main.report=stderr -J-Dorg.slf4j.simpleLogger.log.org.apache.commons=error -Tnvd nvd.task/check # ... ```
-## [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v3.5.0/FAQ.md)
+## [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v3.6.0/FAQ.md)
 ## Attribution
diff --git a/deps.edn b/deps.edn
index 067ef1e..c486d52 100644
--- a/deps.edn
+++ b/deps.edn
@@ -4,7 +4,7 @@
 clansi/clansi {:mvn/version "1.0.0"}
 org.clojure/data.json {:mvn/version "2.4.0"}
 org.slf4j/slf4j-simple {:mvn/version "2.0.9"}
- org.owasp/dependency-check-core {:mvn/version "8.4.2"}
+ org.owasp/dependency-check-core {:mvn/version "8.4.3"}
 rm-hull/table {:mvn/version "0.7.1"}
 trptcolin/versioneer {:mvn/version "0.2.0"}}
 :mvn/repos {"central" {:url "https://repo1.maven.org/maven2/"}
diff --git a/project.clj b/project.clj
index b938279..fc09a44 100644
--- a/project.clj
+++ b/project.clj
@@ -1,4 +1,4 @@
-(defproject nvd-clojure "3.5.0"
+(defproject nvd-clojure "3.6.0"
 :description "National Vulnerability Database dependency checker"
 :url "https://github.com/rm-hull/nvd-clojure"
 :license {:name "The MIT License (MIT)"
@@ -7,19 +7,19 @@
 [clansi "1.0.0"]
 [org.clojure/data.json "2.4.0"]
 [org.slf4j/slf4j-simple "2.0.9"]
- [org.owasp/dependency-check-core "8.4.2"]
+ [org.owasp/dependency-check-core "8.4.3"]
 [rm-hull/table "0.7.1"]
 [trptcolin/versioneer "0.2.0"]
 ;; Explicitly depend on a certain Jackson, consistently.
 ;; (See also: https://github.com/jeremylong/DependencyCheck/issues/3441)
- [com.fasterxml.jackson.core/jackson-databind "2.15.3"]
- [com.fasterxml.jackson.core/jackson-annotations "2.15.3"]
- [com.fasterxml.jackson.core/jackson-core "2.15.3"]
- [com.fasterxml.jackson.module/jackson-module-afterburner "2.15.3"]
+ [com.fasterxml.jackson.core/jackson-databind "2.16.0"]
+ [com.fasterxml.jackson.core/jackson-annotations "2.16.0"]
+ [com.fasterxml.jackson.core/jackson-core "2.16.0"]
+ [com.fasterxml.jackson.module/jackson-module-afterburner "2.16.0"]
 [org.apache.maven.resolver/maven-resolver-transport-http "1.9.16" #_"Fixes a CVE"]
 [org.yaml/snakeyaml "2.2" #_"Fixes a CVE"]
 [org.apache.maven/maven-core "3.9.5" #_"Fixes a CVE"]
- [org.eclipse.jetty/jetty-client "12.0.2" #_"Fixes a CVE" :exclusions [org.slf4j/slf4j-api]]
+ [org.eclipse.jetty/jetty-client "12.0.3" #_"Fixes a CVE" :exclusions [org.slf4j/slf4j-api]]
 [org.apache.maven.resolver/maven-resolver-spi "1.9.16" #_"Satisfies :pedantic?"]
 [org.apache.maven.resolver/maven-resolver-api "1.9.16" #_"Satisfies :pedantic?"]
 [org.apache.maven.resolver/maven-resolver-util "1.9.16" #_"Satisfies :pedantic?"]
diff --git a/resources/nvd_clojure/default_config_content.edn b/resources/nvd_clojure/default_config_content.edn
index 7c2e3c2..0887e2b 100644
--- a/resources/nvd_clojure/default_config_content.edn
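Review bot: The Jackson and jetty-client pins bumped in this hunk (the `#_"Fixes a CVE"` entries) live only in project.clj; the deps.edn hunk in this same commit shows its `:deps` map closing right after `trptcolin/versioneer` with no Jackson, snakeyaml, maven-core or jetty-client entries, so unless they are pinned in the deps.edn lines above that hunk, users on the Clojure CLI path resolve whatever transitive versions `dependency-check-core` 8.4.3 brings and do not receive these fixes. Consider carrying the same overrides into deps.edn's `:deps` (e.g. `org.eclipse.jetty/jetty-client {:mvn/version "12.0.3" :exclusions [org.slf4j/slf4j-api]}`), or extending the `;; Explicitly depend on a certain Jackson, consistently.` comment to state that these pins are only enforced for the Leiningen artifact. The CHANGELOG entry added in this commit lists only `dependency-check-core`; since the jetty-client 12.0.3 and Jackson 2.16.0 bumps sit under CVE-fix annotations, naming them there would help downstream users decide whether to upgrade.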
+++ b/resources/nvd_clojure/default_config_content.edn
@@ -6,7 +6,7 @@
 ;; Feel free to tweak it, version-control it and remove any comment.
-;; Configuration reference: https://github.com/rm-hull/nvd-clojure/tree/v3.5.0#configuration-options
+;; Configuration reference: https://github.com/rm-hull/nvd-clojure/tree/v3.6.0#configuration-options
 {;; You can use the `:suppression-file` in order to silence false positives.
 ;; This file will be automatically created, with whatever filename is specified here, if it didn't exist already.