Prep for 5.2.0 release

.github/integration_test.sh

@@ -32,197 +32,204 @@ if ! clojure -Ttools install nvd-clojure/nvd-clojure '{:mvn/version "RELEASE"}'
   exit 1
 fi
 
-# 1.- Exercise `main` program (EDN)
+# 1.- Exercise check via lein
 
 cd "$PROJECT_DIR/example" || exit 1
 
-example_classpath="$(lein with-profile -user,-dev,-test classpath)"
+lein_example_classpath="$(lein with-profile -user,-dev,-test classpath)"
 
 # cd to the root dir, so that one runs `defproject nvd-clojure` which is the most clean and realistic way to run `main`:
 cd "$PROJECT_DIR" || exit 1
 
-if lein with-profile -user,-dev,+ci run -m nvd.task.check "$CONFIG_FILE" "$example_classpath" > example-lein-output; then
-  echo "Should have failed with non-zero code!"
+# 1.1 - lein w/EDN config
+step_name=">>> [Step 1.1 - lein & EDN]"
+
+echo "$step_name starting..."
+
+if lein with-profile -user,-dev,+ci run -m nvd.task.check "$CONFIG_FILE" "$lein_example_classpath" > test-output; then
+  echo "$step_name Should have failed with non-zero code!"
   exit 1
 fi
 
-if ! grep --silent "$SUCCESS_REGEX" example-lein-output; then
-  echo "Should have found vulnerabilities! (Step 1 - EDN)"
+if ! grep --silent "$SUCCESS_REGEX" test-output; then
+  echo "$step_name Should have found vulnerabilities!"
   exit 1
 fi
 
-if grep --silent "$A_CUSTOM_CHANGE" example-lein-output; then
-  echo "$CONFIG_FILE and $CONFIG_FILE_USING_DEFAULT_FILENAME should have different contents!"
+if grep --silent "$A_CUSTOM_CHANGE" test-output; then
+  echo "$step_name $CONFIG_FILE and $CONFIG_FILE_USING_DEFAULT_FILENAME should have different contents!"
   exit 1
 fi
 
 if grep --silent "$A_CUSTOM_CHANGE" "$CONFIG_FILE"; then
-  echo "$CONFIG_FILE and $CONFIG_FILE_USING_DEFAULT_FILENAME should have different contents!"
+  echo "$step_name $CONFIG_FILE and $CONFIG_FILE_USING_DEFAULT_FILENAME should have different contents!"
   exit 1
 fi
 
-# 1.- Exercise `main` program (EDN; implicitly using the default filename by specifying the empty string)
+# 1.2 - Exercise `main` program (EDN; implicitly using the default filename by specifying the empty string)
 
-cd "$PROJECT_DIR/example" || exit 1
+step_name=">>> [Step 1.2 lein & EDN - default filename]"
 
-example_classpath="$(lein with-profile -user,-dev,-test classpath)"
+echo "$step_name starting..."
 
-# cd to the root dir, so that one runs `defproject nvd-clojure` which is the most clean and realistic way to run `main`:
-cd "$PROJECT_DIR" || exit 1
-
-if lein with-profile -user,-dev,+ci run -m nvd.task.check "" "$example_classpath" > example-lein-output 2>&1; then
-  echo "Should have failed with non-zero code!"
+if lein with-profile -user,-dev,+ci run -m nvd.task.check "" "$lein_example_classpath" > test-output 2>&1; then
+  echo "$step_name Should have failed with non-zero code!"
   exit 1
 fi
 
-if ! grep --silent "$SUCCESS_REGEX" example-lein-output; then
-  echo "Should have found vulnerabilities! (Step 1 - EDN - default filename)"
+if ! grep --silent "$SUCCESS_REGEX" test-output; then
+  echo "$step_name Should have found vulnerabilities!"
   exit 1
 fi
 
-if ! grep --silent "$A_CUSTOM_CHANGE" example-lein-output; then
-  echo "Passing an empty string as the config name should result in the config having the default filename being used!"
+if ! grep --silent "$A_CUSTOM_CHANGE" test-output; then
+  echo "$step_name Passing an empty string as the config name should result in the config having the default filename being used!"
   exit 1
 fi
 
 if ! grep --silent "$A_CUSTOM_CHANGE" "$CONFIG_FILE_USING_DEFAULT_FILENAME"; then
-  echo "Passing an empty string as the config name should not result in the config file being overriden!"
+  echo "$step_name Passing an empty string as the config name should not result in the config file being overriden!"
   exit 1
 fi
 
-# 1.- Exercise `main` program (EDN) with a datafeed
-
-cd "$PROJECT_DIR/example" || exit 1
-
-example_classpath="$(lein with-profile -user,-dev,-test classpath)"
+# 1.3 - Exercise `main` program (EDN) with a datafeed
+step_name=">>> [Step 1.3 lein & EDN - w/datafeed]"
 
-# cd to the root dir, so that one runs `defproject nvd-clojure` which is the most clean and realistic way to run `main`:
-cd "$PROJECT_DIR" || exit 1
+echo "$step_name starting..."
 
-if lein with-profile -user,-dev,+ci run -m nvd.task.check "$DATAFEED_CONFIG_FILE" "$example_classpath" > example-lein-output; then
-  echo "Should have failed with non-zero code!"
+if lein with-profile -user,-dev,+ci run -m nvd.task.check "$DATAFEED_CONFIG_FILE" "$lein_example_classpath" > test-output; then
+  echo "$step_name Should have failed with non-zero code!"
   exit 1
 fi
 
-if ! grep --silent "$SUCCESS_REGEX" example-lein-output; then
-  echo "Should have found vulnerabilities! (Step 1 - EDN)"
+if ! grep --silent "$SUCCESS_REGEX" test-output; then
+  echo "$step_name Should have found vulnerabilities!"
   exit 1
 fi
 
-# 1.- Exercise `main` program (JSON)
+# 1.4 - Exercise `main` program (JSON)
 
-cd "$PROJECT_DIR/example" || exit 1
+step_name=">>> [Step 1.4 lein & JSON]"
 
-example_classpath="$(lein with-profile -user,-dev,-test classpath)"
+echo "$step_name starting..."
 
-# cd to the root dir, so that one runs `defproject nvd-clojure` which is the most clean and realistic way to run `main`:
-cd "$PROJECT_DIR" || exit 1
-
-if lein with-profile -user,-dev,+ci run -m nvd.task.check "$JSON_CONFIG_FILE" "$example_classpath" > example-lein-output; then
-  echo "Should have failed with non-zero code!"
+if lein with-profile -user,-dev,+ci run -m nvd.task.check "$JSON_CONFIG_FILE" "$lein_example_classpath" > test-output; then
+  echo "$step_name Should have failed with non-zero code!"
   exit 1
 fi
 
-if ! grep --silent "$SUCCESS_REGEX" example-lein-output; then
-  echo "Should have found vulnerabilities! (Step 1 - JSON)"
+if ! grep --silent "$SUCCESS_REGEX" test-output; then
+  echo "$step_name Should have found vulnerabilities!"
   exit 1
 fi
 
-# 2.- Exercise `tools.deps` integration (EDN)
+# cd to the root dir, so that one runs `defproject nvd-clojure` which is the most clean and realistic way to run `main`:
+cd "$PROJECT_DIR" || exit 1
+
+# 2.- Exercise `tools.deps` integration
 
 cd "$PROJECT_DIR/example" || exit 1
 
-example_classpath="$(clojure -Spath)"
+clojure_example_classpath="$(clojure -Spath)"
 
 # cd to the root dir, so that one runs `defproject nvd-clojure` which is the most clean and realistic way to run `main`:
 cd "$PROJECT_DIR" || exit 1
 
-if clojure -J-Dclojure.main.report=stderr -M -m nvd.task.check "$CONFIG_FILE" "$example_classpath" > example-lein-output; then
-  echo "Should have failed with non-zero code!"
+# 2.1 Exercise `tools.deps` integration (EDN)
+step_name=">>> [Step 2.1 deps & EDN]"
+
+echo "$step_name starting..."
+
+if clojure -J-Dclojure.main.report=stderr -M -m nvd.task.check "$CONFIG_FILE" "$clojure_example_classpath" > test-output; then
+  echo "$step_name Should have failed with non-zero code!"
   exit 1
 fi
 
-if ! grep --silent "$SUCCESS_REGEX" example-lein-output; then
-  echo "Should have found vulnerabilities! (Step 2 - EDN)"
+if ! grep --silent "$SUCCESS_REGEX" test-output; then
+  echo "$step_name Should have found vulnerabilities!"
   exit 1
 fi
 
-# 2.- Exercise `tools.deps` integration (JSON)
+# 2.2 - Exercise `tools.deps` integration (JSON)
+step_name=">>> [Step 2.2 deps & JSON]"
 
-cd "$PROJECT_DIR/example" || exit 1
+echo "$step_name starting..."
 
-example_classpath="$(clojure -Spath)"
-
-# cd to the root dir, so that one runs `defproject nvd-clojure` which is the most clean and realistic way to run `main`:
-cd "$PROJECT_DIR" || exit 1
-
-if clojure -J-Dclojure.main.report=stderr -M -m nvd.task.check "$JSON_CONFIG_FILE" "$example_classpath" > example-lein-output; then
-  echo "Should have failed with non-zero code!"
+if clojure -J-Dclojure.main.report=stderr -M -m nvd.task.check "$JSON_CONFIG_FILE" "$clojure_example_classpath" > test-output; then
+  echo "$step_name Should have failed with non-zero code!"
   exit 1
 fi
 
-if ! grep --silent "$SUCCESS_REGEX" example-lein-output; then
-  echo "Should have found vulnerabilities! (Step 2 - JSON)"
+if ! grep --silent "$SUCCESS_REGEX" test-output; then
+  echo "$step_name Should have found vulnerabilities!"
   exit 1
 fi
 
-# 3.- Exercise Clojure CLI Tools integration (EDN)
+# 3. - Exercise Clojure CLI Tools integration
 
 cd "$PROJECT_DIR/example" || exit 1
 
-example_classpath="$(clojure -Spath)"
+clojure_example_classpath="$(clojure -Spath)"
 
 # cd to $HOME, to demonstrate that the Tool does not depend on a deps.edn file:
 cd || exit 1
 
-if clojure -J-Dclojure.main.report=stderr -Tnvd nvd.task/check :classpath \""$example_classpath\"" :config-filename \""$TOOLS_CONFIG_FILE\"" > example-lein-output; then
-  echo "Should have failed with non-zero code!"
+# 3.1 - Exercise Clojure CLI Tools integration (EDN)
+step_name=">>> [Step 3.1 clojure tool & EDN]"
+
+echo "$step_name starting..."
+
+if clojure -J-Dclojure.main.report=stderr -Tnvd nvd.task/check :classpath \""$clojure_example_classpath\"" :config-filename \""$TOOLS_CONFIG_FILE\"" > test-output; then
+  echo "$step_name Should have failed with non-zero code!"
   exit 1
 fi
 
-if ! grep --silent "$SUCCESS_REGEX" example-lein-output; then
-  echo "Should have found vulnerabilities! (Step 3 - EDN)"
+if ! grep --silent "$SUCCESS_REGEX" test-output; then
+  echo "$step_name Should have found vulnerabilities!"
   exit 1
 fi
 
-# 3.- Exercise Clojure CLI Tools integration (JSON)
+# 3.2 - Exercise Clojure CLI Tools integration (JSON)
 
-cd "$PROJECT_DIR/example" || exit 1
-
-example_classpath="$(clojure -Spath)"
+step_name=">>> [Step 3.2 clojure tool & JSON]"
 
-# cd to $HOME, to demonstrate that the Tool does not depend on a deps.edn file:
-cd || exit 1
+echo "$step_name starting..."
 
-if clojure -J-Dclojure.main.report=stderr -Tnvd nvd.task/check :classpath \""$example_classpath\"" :config-filename \""$JSON_TOOLS_CONFIG_FILE\"" > example-lein-output; then
-  echo "Should have failed with non-zero code!"
+if clojure -J-Dclojure.main.report=stderr -Tnvd nvd.task/check :classpath \""$clojure_example_classpath\"" :config-filename \""$JSON_TOOLS_CONFIG_FILE\"" > test-output; then
+  echo "$step_name Should have failed with non-zero code!"
   exit 1
 fi
 
-if ! grep --silent "$SUCCESS_REGEX" example-lein-output; then
-  echo "Should have found vulnerabilities! (Step 3 - JSON)"
+if ! grep --silent "$SUCCESS_REGEX" test-output; then
+  echo "$step_name Should have found vulnerabilities!"
   exit 1
 fi
 
-# 4.- Dogfood the `nvd-clojure` project (EDN)
+# 4.- Dogfood the `nvd-clojure` project
 
 cd "$PROJECT_DIR" || exit 1
 
 own_classpath="$(lein with-profile -user,-dev,-test classpath)"
 
+# 4.1 - Dogfood the `nvd-clojure` project (EDN)
+#
+step_name=">>> [Step 4.1 lein dogfooding & EDN]"
+
+echo "$step_name starting..."
+
 if ! lein with-profile -user,-dev,+ci,+skip-self-check run -m nvd.task.check "$DOGFOODING_CONFIG_FILE" "$own_classpath"; then
-  echo "nvd-clojure did not pass dogfooding! (EDN)"
+  echo "$step_name nvd-clojure did not pass dogfooding! (EDN)"
   exit 1
 fi
 
-# 4.- Dogfood the `nvd-clojure` project (JSON)
+# 4.2. - Dogfood the `nvd-clojure` project (JSON)
 
-cd "$PROJECT_DIR" || exit 1
+step_name=">>> [Step 4.2 lein dogfooding & JSON]"
 
-own_classpath="$(lein with-profile -user,-dev,-test classpath)"
+echo "$step_name starting..."
 
 if ! lein with-profile -user,-dev,+ci,+skip-self-check run -m nvd.task.check "$JSON_DOGFOODING_CONFIG_FILE" "$own_classpath"; then
-  echo "nvd-clojure did not pass dogfooding! (JSON)"
+  echo "$step_name nvd-clojure did not pass dogfooding! (JSON)"
   exit 1
 fi
 

.github/workflows/ci.yaml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        java-version: ["11", "17", "21", "24"]
+        java-version: ["11", "17", "21", "25"]
     steps:
       - uses: actions/setup-java@v1
         with:
@@ -46,7 +46,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        java-version: ["11", "17", "21", "24"]
+        java-version: ["11", "17", "21", "25"]
     steps:
       - uses: actions/setup-java@v1
         with:

.gitignore

@@ -12,8 +12,8 @@
 .portal/vs-code.edn
 /checkouts/
 /classes/
-/example-lein-output
-/example/example-lein-output
+/test-output
+/example/test-output
 /example/target/
 /lib/
 /plugin/target/

CHANGELOG.md

@@ -1,3 +1,8 @@
+# Changes from 5.1.0 to 5.2.0
+
+* Update `dependency-check-core` from 12.1.3 to [12.1.6](https://github.com/dependency-check/DependencyCheck/blob/main/CHANGELOG.md#version-1216-2025-09-24).
+* Support [setting user & password for OSS Index analyzer](https://github.com/rm-hull/nvd-clojure/tree/v5.2.0#configuration-options), as OSS Index [now requires authentication](https://ossindex.sonatype.org/doc/auth-required) 
+
 # Changes from 5.0.0 to 5.1.0
 
 * Update `dependency-check-core` from 12.1.0 to [12.1.3](https://github.com/dependency-check/DependencyCheck/blob/main/CHANGELOG.md#version-1213-2025-06-10).

Makefile

@@ -2,7 +2,7 @@
 
 # Example usage:
 # copy a one-off Clojars token to your clipboard
-# GIT_TAG=v5.1.0 CLOJARS_USERNAME=$USER CLOJARS_PASSWORD=$(pbpaste) make deploy
+# GIT_TAG=v5.2.0 CLOJARS_USERNAME=$USER CLOJARS_PASSWORD=$(pbpaste) make deploy
 
 deploy: check-env
 	lein clean

README.md

@@ -18,19 +18,19 @@ will be checked for known security vulnerabilities. `nvd-clojure` passes them to
 
 ### Installation and basic usage
 
-> _Please see also:_ [Avoiding classpath interference](https://github.com/rm-hull/nvd-clojure/blob/v5.1.0/FAQ.md#what-is-classpath-interference)
+> _Please see also:_ [Avoiding classpath interference](https://github.com/rm-hull/nvd-clojure/blob/v5.2.0/FAQ.md#what-is-classpath-interference)
 
 #### Leiningen
 
 <details>
 
-Please create a separate project consisting of `[nvd-clojure/nvd-clojure "5.1.0"]`. Said project can be located inside the targeted repo's Git repository.
+Please create a separate project consisting of `[nvd-clojure/nvd-clojure "5.2.0"]`. Said project can be located inside the targeted repo's Git repository.
 
 ```clj
 (defproject nvd-helper "local"
   :description "nvd-clojure helper project"
-  :dependencies [[nvd-clojure "5.1.0"]
-                 [org.clojure/clojure "1.12.0"]]
+  :dependencies [[nvd-clojure "5.2.0"]
+                 [org.clojure/clojure "1.12.3"]]
   :jvm-opts ["-Dclojure.main.report=stderr"])
 ```
 
@@ -54,7 +54,7 @@ If you are using a multi-modules solution (e.g. `lein-monolith`), you should ens
 
 <details>
 
-Please create a separate project consisting exclusively of `nvd-clojure/nvd-clojure {:mvn/version "5.1.0"}`. Said project can be located inside the targeted repo's Git repository.
+Please create a separate project consisting exclusively of `nvd-clojure/nvd-clojure {:mvn/version "5.2.0"}`. Said project can be located inside the targeted repo's Git repository.
 
 Please do not add nvd-clojure as a dependency in the deps.edn of the project to be analysed.
 
@@ -155,7 +155,7 @@ dependency relationships are:
 dependencies, and suggest upgraded versions, and can optionally be configured
 to update the project file.
 
-(Note that that is only one of the multiple ways of remediating a given vulnerability, please see [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v5.1.0/FAQ.md#how-to-remediate-a-cve-is-it-a-good-idea-to-automate-remediation))
+(Note that that is only one of the multiple ways of remediating a given vulnerability, please see [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v5.2.0/FAQ.md#how-to-remediate-a-cve-is-it-a-good-idea-to-automate-remediation))
 
 ## Configuration
 
@@ -199,6 +199,8 @@ There are some specific settings below which are worthy of a few comments:
 * `:output-dir` default value `target/nvd/`: the directory to save reports into
 * `:throw-if-check-unsuccessful` - makes the program exit by throwing an exception instead of by invoking `System/exit`.
   - This can ease certain usages.
+* `:ossindex-user` & `:ossindex-password` (within the `:analyzer` map): These are **MANDATORY** if you want to use the OSS Index analyzer. Without
+  them set, the OSS Index analyzer will be disabled (see https://ossindex.sonatype.org/doc/auth-required) Note that you can alternatively set the `ANALYZER_OSSINDEX_USER` and `ANALYZER_OSSINDEX_PASSWORD` environment variables.
 
 ## Logging
 
@@ -212,7 +214,7 @@ You can also set logging properties directly through Java system properties (the
 clojure -J-Dclojure.main.report=stderr -J-Dorg.slf4j.simpleLogger.log.org.apache.commons=error -Tnvd nvd.task/check # ...
 ```
 
-## [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v5.1.0/FAQ.md)
+## [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v5.2.0/FAQ.md)
 
 ## Attribution