Security: consider clj-watson?
Since you've deprecated :security/nvd due to classpath pollution issues, have you considered using https://github.com/clj-holmes/clj-watson/ instead?
Requested an API key from the NIST National Vulnerability Database, although the form did return a 503 error. If an email containing a link to set up an API key doesn't arrive by the end of the week I will request again.
Created an initial `:security/nvd-scan` alias design

```clojure
;; https://github.com/clj-holmes/clj-watson/
;; Request an API key from: https://nvd.nist.gov/developers/request-an-api-key
;; `CLJ_WATSON_NVD_API_KEY` set to API key value
:security/nvd-scan
{:replace-deps
 {io.github.clj-holmes/clj-watson {:git/tag "v6.0.0" :git/sha "cb02879"}}
 :main-opts ["-m" "clj-watson.cli" "scan"]}
```
If the only command is `scan` then I will incorporate that command into the alias, as was previously done with the `:format/cljstyle` alias.
Incorporating a single command or the most commonly used is an effective way to simplify calling the alias.
Requested an API key again and this time the return page said success 🤞🏽
The `CLJ_WATSON_NVD_API_KEY` environment variable was set to the value of the API key via the `.zshenv` file in my user account.
Tested the `:security/nvd-scan` alias with the Practicalli Project Templates repository.

Running the designed alias was not picking up the `CLJ_WATSON_NVD_API_KEY` environment variable, even though a `source ~/.zshenv` command added the environment variable and `echo $CLJ_WATSON_NVD_API_KEY` returned the API key value.

Fails to find API key:

```shell
clojure -M:security/nvd-scan
```
Failing to pick up the `CLJ_WATSON_NVD_API_KEY` seems like an issue with the library (or something else is preventing the environment variable from being found).

WORKING ASSUMPTION: the `clojure` command explicitly runs as the `bash` shell, so environment variables from `zsh` defined in `.zshenv` or `.zshrc` are not found. Add the environment variables to the shell-aliases file and ensure they are sourced from both shells.
Defining the NIST API key as part of the command successfully downloaded the database and scanned the library dependencies.

Successfully finds key:

```shell
CLJ_WATSON_NVD_API_KEY=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx clojure -M:security/nvd-scan
```
The database takes a significant time (over 10 minutes so far) to download. Perhaps this is only the first time it was run and only updates are downloaded in subsequent runs.
The issue loading the environment variables seems to be specific to the `clojure` bash script. The safest way to make this generic is to define the environment variable and then assign it to itself as part of the command to run `clojure`:

```shell
CLJ_WATSON_NVD_API_KEY=$CLJ_WATSON_NVD_API_KEY clojure -M:security/nvd-scan
```

Although this approach does not leak sensitive data into documenting the command use, it's not a simple command.

Another approach would be to add the `:jvm-opts` config to the alias, although I am fairly sure a shell environment variable would not be expanded to its value.
There was an issue with the zsh configuration on the machine used for testing the alias. After running `setopt allexport` in the terminal and sourcing the `.zshenv` file, the environment variables are working.

The alias is working with Practicalli Project Templates. I will test with more repositories to ensure it's all good and then push the change.
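An added example (not code from this thread, from Practicalli or from clj-watson) showing the mechanism behind the `echo` vs. `clojure` mismatch discussed above: a variable that the interactive shell can `echo` is only copied into a child process such as the `clojure` launcher if it has been exported. The four cases below are plain assignment, `export`, the `allexport` option (`setopt allexport` in zsh, `set -a` in sh/bash), and the one-command `VAR=value command` prefix form. `DEMO_NVD_KEY` is a stand-in name used only for this demonstration; no real API key is involved.

```shell
#!/usr/bin/env bash
# Added example: why a variable visible to `echo $VAR` in the interactive
# shell can still be missing from a child process such as the `clojure`
# launcher script. Only exported variables reach a child's environment.
# DEMO_NVD_KEY is a stand-in name; no real NVD API key is used here.

# Report the value a fresh child process (sh) sees for the named variable.
child_sees() {
  sh -c "printenv $1 || echo '<unset>'"
}

# Plain assignment: the variable exists in this shell only, so the child
# does not see it even though `echo $DEMO_NVD_KEY` here would print it.
demo_plain_assignment() {
  unset DEMO_NVD_KEY            # clear value and any export attribute
  DEMO_NVD_KEY="shell-local-value"
  child_sees DEMO_NVD_KEY
}

# export: the variable is copied into every child process from now on.
demo_export() {
  unset DEMO_NVD_KEY
  export DEMO_NVD_KEY="exported-value"
  child_sees DEMO_NVD_KEY
}

# allexport (zsh `setopt allexport`, sh/bash `set -a`): every assignment
# made while the option is on is exported automatically, which is why
# sourcing .zshenv after `setopt allexport` fixed the lookup.
demo_allexport() {
  unset DEMO_NVD_KEY
  set -a
  DEMO_NVD_KEY="allexport-value"
  set +a
  child_sees DEMO_NVD_KEY
}

# Prefixing the assignment to the command exports it for that one command
# only, which is what `CLJ_WATSON_NVD_API_KEY=... clojure ...` relies on.
demo_command_prefix() {
  unset DEMO_NVD_KEY
  DEMO_NVD_KEY="prefix-value" sh -c 'printenv DEMO_NVD_KEY'
}

# The prefix form leaves the parent shell untouched: afterwards the
# variable is still unset for later child processes.
parent_after_prefix() {
  demo_command_prefix >/dev/null
  child_sees DEMO_NVD_KEY
}

printf 'plain assignment   -> %s\n' "$(demo_plain_assignment)"
printf 'export             -> %s\n' "$(demo_export)"
printf 'allexport (set -a) -> %s\n' "$(demo_allexport)"
printf 'command prefix     -> %s\n' "$(demo_command_prefix)"
printf 'parent afterwards  -> %s\n' "$(parent_after_prefix)"
```

The same check can be applied to the real variable from any shell with `sh -c 'printenv CLJ_WATSON_NVD_API_KEY'`: if that prints nothing while `echo $CLJ_WATSON_NVD_API_KEY` prints the key, the variable is set but not exported, and `clojure` (or any other child process) will not see it regardless of which shell it is implemented in.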