- Update
dependency-check-coreto the 9.x series (9.0.8)- This requires nvd-clojure users to request a NVD API key and configure it correctly.
- You can obtain an API key in a few minutes - it's an automated process.
- Then, you can configure it in nvd-clojure by setting it in the
:nvd-api :keypath, or as aNVD_API_TOKENenvironment variable.
- This requires nvd-clojure users to request a NVD API key and configure it correctly.
- Update
dependency-check-core.
- Update
dependency-check-core.
- Update
dependency-check-core.
- Update
dependency-check-core.
- Update
dependency-check-core.
- Update
dependency-check-core.
- Parse classpaths in a cross-platform manner.
- Closes #158
- Introduce .edn configuration format.
- .json files will remain working as-is indefinitely.
- If you wish to migrate to the .edn format, doing so is easy - please see FAQ.
- If you specify the blank string as the config file to be used, a useful, sample .edn file will be generated.
- Automatically create a .xml suppression file when a
:suppression-fileis specified and no such file exists- In practice, this means that on the first run, if you specify the blank string as the config file to be used, two files will be created for you:
nvd-clojure.ednnvd_suppressions.xml
- After this automatic creation, you are free to tweak and version-control these files as desired.
- In practice, this means that on the first run, if you specify the blank string as the config file to be used, two files will be created for you:
- Update
dependency-check-core.
- Update
dependency-check-core. - Introduce new
[:analyzer :ossindex-warn-only-on-remote-errors]configuration option.- You can set this option to
truein order to not hard-fail if OSS Index fails with HTTP 500 errors.- This is at the risk of false negatives; but currently, while OSS Index keeps facing issues, might be the only feasible choice.
- You can set this option to
- Update
dependency-check-core.- Fixes #154
- Update
dependency-check-core.
- Update
dependency-check-core.
- Update
dependency-check-core.
- Update
dependency-check-core.
- Update
dependency-check-core.
- Update
dependency-check-core.
- Update
dependency-check-core.
- #123: Explicitly only analyze dependencies/artifacts that are relevant to JVM projects.
- i.e. the internal analyzers that are specialized in other ecosystems e.g. .NET, Ruby, Node.js, etc will not be run at all, improving performance and accuracy.
- The nvd-clojure implementation never allowed non-jar files to be analyzed, so in practice no behavior has possibly been changed.
- Update
dependency-check-core. - Misc cosmetic improvements for what is printed during execution.
- Update
dependency-check-core.
- Update
dependency-check-core.
- Update
dependency-check-core.
- #113: Remove all unsafe APIs.
- Please refer to the README for the recommended installation/usage patterns.
- #117: Detect when
nvd-clojureis being used in a likely-incorrect way, and fail the program when that happens. - Remove deprecated tasks, related to DB management.
- Offer a new API oriented for Clojure CLI Tools users.
- Skip analyzing source directories (as opposed to .jar files), which are irrelevant (as analyzing sources is beyond the scope of
dependency-check-core) and can hinder Clojure CLI usage patterns.
- Update
dependency-check-core.
- Update
dependency-check-core.
- Implement
:throw-if-check-unsuccessful?option.- Fixes rm-hull#50
- Upgrade
dependency-check-coredependency.
From now on, the program will only show a summary table of packages that
are demarcated as having a CVSS score greater than zero (i.e any that are
rated OK, are now not shown by default). Any that are rated low or high severity
continue to be shown. To revert to pre-1.0 behavior, add :verbose-summary true
to your project configuration.