Releases: clj-holmes/clj-watson

6.0.0

20 Aug 17:28
cb02879

Major release with some important workflow changes!

This release focuses on making clj-watson more CI-friendly. A lot of work has gone into how the command-line options work and how the properties that control the underlying DependencyCheck system work. Properties can now also be specified as environment variables so that, for example, the NIST NVD API key can be provided as a "secret" to your CI system instead of being part of a property file or a command-line argument.

The default properties in clj-watson have been streamlined, and also aligned with the overrides that nvd-clojure applies to the core DependencyCheck settings.

You are strongly encouraged to use a NIST NVD API key! By default, clj-watson will refuse to run if a key is not provided, although you can use a new command-line option to force it to run without a key (not recommended, of course).

The default location of the local database has changed from /tmp/db/ to DependencyCheck's default within your local Maven ~/.m2 cache! This is more CI-friendly (the Maven directory is usually cached in CI already), but it means that the first time you run clj-watson 6.0.0, it will download the entire NIST NVD locally, which will take a few minutes. After that, it will only download updates, unless you clear out your local Maven cache.

Massive shoutout to Lee Read for the huge amount of work he has contributed to this release -- and he has been an absolute joy to work with as an open-source contributor! Thank you!

Details:

  • Fix: show score and severity in dependency-check findings #58
  • Bump deps #75
  • Improve command line experience #77
  • Deprecate --dependency-check-properties command line option #107
  • Encourage use of NVD API key #67
  • Explicitly close the dependency-check engine when we are done with it #86
  • Respect dependency-check odc.autoupdate property #88
  • Replace deprecated clj-time dep with JDK8 java.time interop #83
  • Allow properties to be specified via environment variables #104 to make it easier to use clj-watson in CI/CD pipelines.
  • Streamline dependency-check.properties file #103 so that it only includes properties which need to be different from the defaults in the core DependencyCheck configuration.
    • This changes the default location of the local database used for analysis from /tmp/db to a directory within your local Maven cache (DependencyCheck's default location), which makes clj-watson more CI-friendly since ~/.m2 is typically cached in CI. The first time you run clj-watson 6.0.0, it will download the entire NIST NVD database!
  • Improve feedback during scan
    • Stop suppressing all logging #68
    • Suppress noisy INFO level logging from Apache Commons JCS #69
    • Suppress specific irrelevant ERROR level logging from Apache Commons JCS #78

5.1.3

31 Jul 21:01
5812615

What's Changed

Full Changelog: v5.1.2...v5.1.3

5.1.1

15 Jan 19:18
ad5fe07

What's Changed

Full Changelog: v5.0.1...v5.1.1

5.0.1

09 Jan 17:41
d1ec6e5

Bug fix: #43 -- clj-watson.properties was not correctly found.

5.0.0

24 Dec 19:04
c2349f5

Update clj-watson to use DependencyCheck 9.0.x and the new NIST NVD API (instead of the old, deprecated data feeds).

v4.1.3

24 Jan 16:08
56dfd3e

What's Changed

  • Update org.owasp/dependency-check-core to 7.4.4 by @wtfleming in #31

Full Changelog: v4.1.2...v4.1.3

v4.1.2

15 Dec 13:26
eb15492

Full Changelog: v4.1.1...v4.1.2

v4.1.1

14 Dec 18:19
efa3420

What's Changed

Full Changelog: v4.1.0...v4.1.1

v4.1.0

22 Sep 22:24
e3da1b6

What's Changed

Full Changelog: v4.0.1...v4.1.0

v4.0.1

08 Apr 15:51
65d928c

What's Changed

Full Changelog: v4.0.0...v4.0.1