Migrate from nvd-clojure to clj-watson

remvee · remvee · commit 8d4f96f0fa85 · 2025-06-02T10:31:54.000+02:00
More robust and less false positives.
diff --git a/.github/workflows/dependency-vulnerabilities.yml b/.github/workflows/dependency-vulnerabilities.yml
@@ -12,7 +12,7 @@ on:
 
 jobs:
   "NVD-check":
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
 
     steps:
 
@@ -32,15 +32,17 @@ jobs:
         # the most recent cache for nvd-clojure
         # and update that
         restore-keys: "nvd-clojure-"
-        
+
+    - uses: actions/setup-java@v4
+      with:
+        distribution: 'temurin'
+        java-version: '21'
+
     - name: Install clj runtime
       run: |
         .github/workflows/install-binaries.sh
         echo "${PWD}/bin" >> $GITHUB_PATH
 
-    - name: Install NVD clojure
-      run: .github/workflows/install-nvd-clojure-tool.sh
-
     - name: Check that NVD Secret is set
       env:
         NVD_API_TOKEN: ${{ secrets.NVD_API_TOKEN }}
@@ -49,5 +51,6 @@ jobs:
 
     - name: Check clojure dependencies with NVD
       env:
-        NVD_API_TOKEN: ${{ secrets.NVD_API_TOKEN }}
-      run: clojure -J-Dclojure.main.report=stderr -Tnvd nvd.task/check :config-filename '".nvd-config.json"' :classpath "\"$(clojure -Spath)\""
+        CLJ_WATSON_NVD_API_KEY: "${{ secrets.NVD_API_TOKEN }}"
+      run: |
+        clojure -M:clj-watson scan -p deps.edn -f -w .watson.properties
diff --git a/.github/workflows/install-nvd-clojure-tool.sh b/.github/workflows/install-nvd-clojure-tool.sh
diff --git a/.nvd-suppressions.xml b/.nvd-suppressions.xml
@@ -4,11 +4,4 @@
     SPDX-FileContributor: Joost Diepenmaat
 -->
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-  <!-- This is an automatically generated config file by nvd-clojure. -->
-  <!-- Feel free to tweak it, version-control it and remove any comment. -->
-  <!-- You can find suppression examples in https://jeremylong.github.io/DependencyCheck/general/suppression.html -->
-      <suppress>
-        <notes>This is a vulnerability in clojure before 1.9.0, which we are not using</notes>
-        <cve>CVE-2017-20189</cve>
-    </suppress>
 </suppressions>
diff --git a/.watson.properties b/.watson.properties
@@ -0,0 +1,4 @@
+# SPDX-FileCopyrightText: 2024, 2025 SURF B.V.
+# SPDX-License-Identifier: EPL-2.0 WITH Classpath-exception-2.0
+
+suppression.file=.nvd-suppressions.xml
diff --git a/deps.edn b/deps.edn
@@ -15,7 +15,14 @@
            nl.jomco/spider                {:mvn/version "0.2.1"}}
  :aliases {:test      {:extra-deps {lambdaisland/kaocha {:mvn/version "RELEASE"}}
                        :main-opts  ["-m" "kaocha.runner"]}
+
            :clj-kondo {:replace-deps {clj-kondo/clj-kondo {:mvn/version "RELEASE"}}
                        :main-opts    ["-m" "clj-kondo.main"]}
+
            :outdated  {:replace-deps {com.github.liquidz/antq {:mvn/version "RELEASE"}}
-                       :main-opts    ["-m" "antq.core"]}}}
+                       :main-opts    ["-m" "antq.core"]}
+
+           :clj-watson {:replace-deps
+                        {io.github.clj-holmes/clj-watson
+                         {:git/tag "v6.0.1" :git/sha "b520351"}}
+                        :main-opts ["-m" "clj-watson.cli"]}}}
