Merge pull request #6 from clj-holmes/support-alises-deps

support aliases dependencies

README.md

@@ -1,27 +1,40 @@
 # clj-watson
 Clojure's software composition analysis (SCA).
 
-# Available options
+# Usage
+It's possible to install clj-watson as clojure tool and invoke it. 
+```bash
+$ clojure -Ttools install io.github.clj-holmes/clj-watson '{:git/tag "v2.0.1"}'
+$ clojure -Tclj-watson clj-watson.entrypoint/-main '{:output "stdout" :dependency-check-properties nil :fail-on-result true :deps-edn-path "deps.edn" :suggest-fix true :aliases ["*"]}'
+```
+or it can be called directly.
+```bash
+$ clojure -Sdeps '{:deps {io.github.clj-holmes/clj-watson {:git/tag "v2.0.1"}}}' -M -m clj-watson.cli scan -p deps.edn
 ```
+# Usage
+```bash
+$ clojure -Sdeps '{:deps {io.github.clj-holmes/clj-watson {:git/tag "v2.0.1"}}}' -M -m clj-watson.cli scan -\? 
 NAME:
-clj-watson scan - Performs a scan on a deps.edn file
+ clj-watson scan - Performs a scan on a deps.edn file
 
 USAGE:
-clj-watson scan [command options] [arguments...]
+ clj-watson scan [command options] [arguments...]
 
 OPTIONS:
--p, --deps-edn-path S*                       path of deps.edn to scan.
--d, --dependency-check-properties S          path of a dependency-check properties file.
--o, --output edn|json|stdout         stdout  Output type.
--s, --[no-]suggest-fix                       Suggest a new deps.edn file fixing all vulnerabilities found.
--f, --[no-]fail-on-result                    Enable or disable fail if results were found (useful for CI/CD).
--?, --help
+   -p, --deps-edn-path S*                       path of deps.edn to scan.
+   -d, --dependency-check-properties S          path of a dependency-check properties file. If not provided uses resources/dependency-check.properties.
+   -o, --output edn|json|stdout         stdout  Output type.
+   -a, --aliases S                              Specify a alias that will have the dependencies analysed alongside with the project deps.It's possible to provide multiple aliases. If a * is provided all the aliases are going to be analysed.
+   -s, --[no-]suggest-fix                       Suggest a new deps.edn file fixing all vulnerabilities found.
+   -f, --[no-]fail-on-result                    Enable or disable fail if results were found (useful for CI/CD).
+   -?, --help
 ```
+
 # Execution
 clj-watson scans a clojure deps project using [dependency-check](https://github.com/jeremylong/DependencyCheck) seeking for vulnerable direct/transitive dependencies and add all the dependency tree information to help understading how the vulnerability manifest.
 
 ```bash
-$ java -jar target/clj-watson.jar scan -p path/to/deps.edn -d path/to/dependency-check.properties -s
+$ clojure -Sdeps '{:deps {io.github.clj-holmes/clj-watson {:git/tag"v2.0.1"}}}' -M -m clj-watson.cli scan -p deps.edn -s
 Downloading/Updating database.
 Download/Update completed.
 Dependency Information

deps.edn

@@ -4,6 +4,7 @@
              org.clojure/data.json                                   {:mvn/version "2.4.0"}
              cli-matic/cli-matic                                     {:mvn/version "0.4.3"}
              version-clj/version-clj                                 {:mvn/version "2.0.2"}
+             org.slf4j/slf4j-nop                                     {:mvn/version "2.0.0-alpha6"}
              io.github.clojure/tools.build                           {:git/tag    "v0.7.5"
                                                                       :git/sha    "34727f7"
                                                                       :exclusions [org.apache.maven.resolver/maven-resolver-transport-http]}

resources/vulnerable-deps.edn

@@ -1,4 +1,4 @@
-{:deps {clj-http/clj-http           {:mvn/version "3.9.1"}
-        org.clojure/clojure         {:mvn/version "1.11.0-alpha1"}
+{:deps {org.clojure/clojure         {:mvn/version "1.11.0-alpha1"}
         com.auth0/java-jwt          {:mvn/version "3.5.0"}
-        image-resizer/image-resizer {:mvn/version "0.1.10"}}}
+        image-resizer/image-resizer {:mvn/version "0.1.10"}}
+ :aliases {:banana {:extra-deps {clj-http/clj-http {:mvn/version "3.9.1"}}}}}

src/clj_watson/cli.clj

@@ -17,11 +17,15 @@
                              {:option  "dependency-check-properties" :short "d"
                               :type    :string
                               :default nil
-                              :as      "path of a dependency-check properties file."}
+                              :as      "path of a dependency-check properties file. If not provided uses resources/dependency-check.properties."}
                              {:option  "output" :short "o"
                               :type    #{"stdout" "json" "edn"}
                               :default "stdout"
                               :as      "Output type."}
+                             {:option "aliases" :short "a"
+                              :type :string
+                              :multiple true
+                              :as "Specify a alias that will have the dependencies analysed alongside with the project deps.It's possible to provide multiple aliases. If a * is provided all the aliases are going to be analysed."}
                              {:option "suggest-fix" :short "s"
                               :type    :with-flag
                               :default false

src/clj_watson/controller/dependency_check.clj

@@ -2,9 +2,10 @@
   (:require
    [clj-watson.diplomat.dependency-check :as diplomat.dependency-check]
    [clj-watson.diplomat.deps :as diplomat.deps]
-   [clj-watson.logic.utils :as logic.utils])
+   [clj-watson.logic.utils :as logic.utils]
+   [clojure.java.io :as io])
   (:import
-   (java.io File)
+   (java.io File ByteArrayInputStream)
    (java.util Arrays)
    (org.owasp.dependencycheck Engine)
    (org.owasp.dependencycheck.utils Settings)))
@@ -20,22 +21,23 @@
 
 (defn ^:private create-settings [^String properties-file-path]
   (let [settings (Settings.)]
-    (when properties-file-path
-      (->> properties-file-path File. (.mergeProperties settings)))
+    (if properties-file-path
+      (->> properties-file-path File. (.mergeProperties settings))
+      (->> "dependency-check.properties" io/resource slurp .getBytes ByteArrayInputStream. (.mergeProperties settings)))
     settings))
 
 (defn ^:private build-engine [^String properties-file-path]
   (let [settings (create-settings properties-file-path)]
     (Engine. settings)))
 
-(defn ^:private prepare-environment [deps-edn-path dependency-check-properties]
-  (let [{:keys [dependencies project-deps]} (diplomat.deps/read-and-resolve deps-edn-path)
+(defn ^:private prepare-environment [deps-edn-path dependency-check-properties aliases]
+  (let [{:keys [dependencies project-deps]} (diplomat.deps/read-and-resolve deps-edn-path aliases)
         engine (build-engine dependency-check-properties)]
     (diplomat.dependency-check/update-download-database engine)
     {:project/dependencies dependencies :project/deps project-deps :dependency-check/engine engine}))
 
-(defn scan-dependencies [deps-edn-path properties-file-path]
-  (let [environment (prepare-environment deps-edn-path properties-file-path)
+(defn scan-dependencies [deps-edn-path properties-file-path aliases]
+  (let [environment (prepare-environment deps-edn-path properties-file-path aliases)
         engine (scan-jars environment)
         dependency-check-dependencies (->> engine .getDependencies Arrays/asList)]
     (-> environment

src/clj_watson/diplomat/deps.clj

@@ -8,10 +8,19 @@
   {"central" {:url "https://repo1.maven.org/maven2/"}
    "clojars" {:url "https://repo.clojars.org/"}})
 
-(defn read-and-resolve [^String deps-path]
-  (let [project-deps (-> deps-path File. deps/slurp-deps (update :mvn/repos merge default-repositories))]
+(defn build-aliases [deps aliases]
+  (cond
+    (-> aliases set (contains? "*")) (-> deps :aliases keys)
+    (coll? aliases) (map keyword aliases)
+    :else []))
+
+(defn read-and-resolve [^String deps-path aliases]
+  (let [project-deps (-> deps-path File. deps/slurp-deps (update :mvn/repos merge default-repositories))
+        aliases (build-aliases project-deps aliases)
+        aliases-resolver {:resolve-args (deps/combine-aliases project-deps aliases)
+                          :classpath-args (deps/combine-aliases project-deps aliases)}]
     {:project-deps project-deps
-     :dependencies (-> project-deps (deps/resolve-deps {}))}))
+     :dependencies (-> project-deps (deps/calc-basis aliases-resolver) :libs)}))
 
 (comment
-  (read-and-resolve "deps.edn"))
+  (read-and-resolve "deps.edn" nil))

src/clj_watson/entrypoint.clj

@@ -5,8 +5,8 @@
    [clj-watson.controller.vulnerability :as controller.vulnerability]
    [clj-watson.diplomat.remediate :as diplomat.remediate]))
 
-(defn scan [{:keys [deps-edn-path dependency-check-properties suggest-fix]}]
-  (let [environment (controller.dependency-check/scan-dependencies deps-edn-path dependency-check-properties)
+(defn scan [{:keys [deps-edn-path dependency-check-properties suggest-fix aliases]}]
+  (let [environment (controller.dependency-check/scan-dependencies deps-edn-path dependency-check-properties aliases)
         vulnerabilities (controller.vulnerability/extract-from-dependencies environment)]
     (if suggest-fix
       (diplomat.remediate/vulnerabilities-fix-suggestions vulnerabilities deps-edn-path)