SQL-147 Add suppression for core.async nvd FP (#222)

* SQL-147 #in-progress add suppression for nvd gh action * SQL-147 update local nvd to use suppression file * SQL-147 latest nvd scan shas * SQL-147 move nvd stuff to .nvd dir and update references * SQL-147 use release tags for nvd
yetanalytics · Apr 25, 2022 · ab44971 · ab44971
1 parent d020338
commit ab44971
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 6 deletions.
diff --git a/.github/workflows/nvd.yml b/.github/workflows/nvd.yml
@@ -6,7 +6,8 @@ on:
 
 jobs:
   nvd_scan:
-    uses: yetanalytics/actions/.github/workflows/nvd-scan.yml@v0.0.2
+    uses: yetanalytics/actions/.github/workflows/nvd-scan.yml@v0.0.3
     with:
       nvd-clojure-version: '2.0.0'
       classpath-command: 'clojure -Spath -A:db-h2:db-sqlite:db-postgres'
+      nvd-config-filename: '.nvd/config.json'
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -4,11 +4,12 @@ on: push
 
 jobs:
   nvd_scan:
-    uses: yetanalytics/actions/.github/workflows/nvd-scan.yml@v0.0.2
+    uses: yetanalytics/actions/.github/workflows/nvd-scan.yml@v0.0.3
     with:
       nvd-clojure-version: '2.0.0'
       classpath-command: 'clojure -Spath -A:db-h2:db-sqlite:db-postgres'
-
+      nvd-config-filename: '.nvd/config.json'
+
   lint:
     runs-on: ubuntu-latest
 

diff --git a/.nvd/config.json b/.nvd/config.json
@@ -0,0 +1,3 @@
+{
+  "nvd": {"suppression-file": ".nvd/suppression.xml"}
+}
diff --git a/.nvd/suppression.xml b/.nvd/suppression.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+   <suppress>
+      <notes><![CDATA[
+      file name: core.async-1.5.648.jar
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.clojure/core\.async@.*$</packageUrl>
+      <cpe>cpe:/a:async_project:async</cpe>
+   </suppress>
+
+</suppressions>
diff --git a/Makefile b/Makefile
@@ -76,7 +76,7 @@ bench-async:
 # Vulnerability check
 
 target/nvd:
-	clojure -Xnvd check :classpath '"'"$$(clojure -Spath -A:db-h2:db-sqlite:db-postgres)"'"'
+	clojure -Xnvd check :classpath '"'"$$(clojure -Spath -A:db-h2:db-sqlite:db-postgres)"'"' :config-filename '".nvd/config.json"'
 
 check-vuln: target/nvd
 

diff --git a/deps.edn b/deps.edn
@@ -118,9 +118,9 @@
   ;; Note the :extra-deps instead of :replace-deps
   :build-dev
   {:extra-deps  {com.github.seancorfield/depstar {:mvn/version "2.1.267"}}
-   :extra-paths ["src/build"]} 
+   :extra-paths ["src/build"]}
   :nvd
-  {:replace-deps {nvd-clojure/nvd-clojure {:mvn/version "2.0.0"}}
+  {:replace-deps {nvd-clojure/nvd-clojure {:mvn/version "2.5.0"}}
    :ns-default   nvd.task}
   :doc
   {:replace-deps {com.yetanalytics/markdoc {:git/url "https://github.com/yetanalytics/markdoc"