
Security of Clojure libraries

Open practicalli-johnny opened this issue 4 years ago • 0 comments

Create a section on understanding how security concerns are addressed in the Clojure world

To review:

  • https://github.com/nubank/clj-owasp
  • https://github.com/bpringe/auth-template
  • https://purelyfunctional.tv/article/clojure-web-security/
  • https://jemurai.com/2019/11/27/clojure-signal/
  • https://clojureverse.org/t/a-template-for-web-apps-with-user-auth-using-owasp-best-practices-and-pedestal/6104
  • https://owasp.org/www-chapter-vancouver/assets/presentations/2020-05_Exploiting_and_Preventing_Deserialization_Vulnerabilities.pdf

Tools

  • https://github.com/BareSquare/deps-nvd
  • https://github.com/bpringe/auth-template
  • https://dependencytrack.org/ - CI tool

A "software bill of materials" can be generated for Clojure projects; see for example https://cyclonedx.org/tool-center/.

GitHub / Leiningen-specific tool: https://go.atomist.com/catalog/skills/atomist/owasp-dependency-check-skill?stability=unstable, an OWASP dependency track scanner for Leiningen projects on GitHub. It is free to use; enable it by installing a GitHub app in your org. After that, it creates GitHub CheckRuns with the results of the scan (only on pushes to Leiningen repos, of course).

Add this as an alias to practicalli/clojure-deps-edn

https://github.com/rm-hull/lein-nvd#clojure-cli

practicalli-johnny, Jul 03 '21 07:07