A Leiningen plugin for detecting vulnerable project dependencies. Basic Clojure wrapper for OWASP Dependency Check.
To run dependency-check without having to add it to every Leiningen project as a project-level plugin, add dependency-check to the :plugins vector of your :user profile. E.g., a ~/.lein/profiles.clj with dependency-check as a plugin:

{:user {:plugins [[com.livingsocial/lein-dependency-check "1.4.0"]]}}
If you are on Leiningen 1.x, run lein plugin install lein-dependency-check 1.4.0 instead.
For a single project, add [com.livingsocial/lein-dependency-check "1.4.0"] to the :plugins vector of your project.clj.
Project-level configuration may be provided under a :dependency-check key in your project.clj. Currently supported options are:

log - log each vulnerability found to stdout
throw - throw an exception after analysis and reporting if vulnerabilities are found, e.g. to fail a build
min-cvss-v3 - minimum CVSSv3 score required to :throw (number from 0.0 to 10.0), defaults to 0.0
properties-file - specifies a file that contains properties to merge with the default values
output-format - vector of desired output formats: xml, csv, json, html, vuln, all
output-directory - directory to output results to
suppression-file - path to the suppression XML file
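The following project.clj is an added example of a CI-oriented configuration using every option listed above; it is not taken from the lein-dependency-check repository. The project name, version, dependency and file paths are placeholders, and the option keys are assumed to be read from project.clj as keywords (:log, :throw, ...) matching the option names the plugin documents.

```clojure
;; Added example, not the plugin's own code. Project coordinates and
;; dependencies are placeholders; the keys under :dependency-check are the
;; documented options, assumed to be written as keywords in project.clj.
(defproject example/my-service "0.1.0-SNAPSHOT"
  :description "Placeholder project showing :dependency-check configuration"
  :dependencies [[org.clojure/clojure "1.10.3"]]
  ;; the plugin itself, at the version the README installs
  :plugins [[com.livingsocial/lein-dependency-check "1.4.0"]]
  :dependency-check {;; print every finding so the CI log carries the CVE list
                     :log true
                     ;; make `lein dependency-check` exit non-zero on findings,
                     ;; so the build stage fails instead of silently passing
                     :throw true
                     ;; only findings scored CVSSv3 7.0 or higher fail the build
                     :min-cvss-v3 7.0
                     ;; html for reviewers, json/xml for downstream tooling
                     :output-format [:xml :json :html]
                     ;; keep reports under target/ so `lein clean` removes them
                     :output-directory "target/dependency-check"
                     ;; reviewed false positives, versioned next to project.clj
                     :suppression-file "suppression.xml"
                     ;; extra DependencyCheck properties (e.g. proxy settings)
                     :properties-file "dependencycheck.properties"})
```

With this in place a plain lein dependency-check in the build pipeline produces the reports and fails the job only on high or critical findings, while lower-scored findings still show up in the logged output and reports for triage.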
To generate a dependency-check-report.html report file in the current project's target directory, run:
$ lein dependency-check
To generate the report in XML format, run:
$ lein dependency-check --output-format :xml
To generate the report in multiple formats, run:
$ lein dependency-check --output-format :xml,:json,:html,:csv
To write the report to a different directory (e.g., /tmp), run:
$ lein dependency-check --output-directory /tmp
To set logging to stdout:
$ lein dependency-check --log
To throw an error when vulnerabilities are found:
$ lein dependency-check --throw
To throw only if there are vulnerabilities with a CVSSv3 score at or above a given value:
$ lein dependency-check --throw --min-cvss-v3 5
To set a suppression file:
$ lein dependency-check --suppression-file /suppression.xml
To set a properties file:
$ lein dependency-check --properties-file /dependencycheck.properties
False positives can be suppressed by creating suppression.xml in your project's root directory. Suppression snippets can be copied from the HTML report file directly into suppression.xml. On the next run of lein-dependency-check the suppression file is applied and the suppressed warnings no longer appear in the report.

For more information about the dependency-check suppression system, see https://jeremylong.github.io/DependencyCheck/general/suppression.html
Copyright © 2016 LivingSocial
Distributed as open source under the terms of the MIT License.