Reviving an old topic here, does anyone know of a Clojure 1.10 compatible security analysis tool? I too thought of just decompiling the .class to Java. It also appears Fortify can run on bytecode only, so I might give that a try if I can't find anything else.

Regards

On Wednesday, 21 October 2015 15:14:31 UTC-7, Alex Miller wrote:
>
> In general, Clojure code cannot be decompiled from .class to .java as the Clojure generated bytecode does things that cannot be represented in Java. The particular issue below looks like the local-clearing code. It is possible to turn that off during compilation, however there are likely other things as well that cannot be decompiled satisfactorily.
>
> FindBugs works directly from bytecode (not source code) so might be more amenable for this kind of analysis. There is a sonar plugin (https://github.com/zmsp/sonar-clojure) which uses Eastwood and Kibit that might also be useful.
>
> FYI, Clojure is registered in CVE with id CVE-2015-4653 (although there are no reports registered yet). I gather that it is useful to create at least one such thing to make it searchable and I have that on my todo list (although it's not a high priority).
>
> Alex
>
>
> On Wednesday, October 21, 2015 at 3:41:21 PM UTC-5, ryan medlin wrote:
>>
>> A customer requires that we scan our Clojure projects with this tool:
>>
>> http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/
>>
>> They must get some meaningful report from this.
>>
>> So I thought, well why don't I compile and then decompile the class files and then scan those to at least give them something.
>>
>> However when I do that I get a TON of high security issues in multiple dependencies (ring, clojure.core)
>>
>> Here is the most prevalent:
>>
>> https://cwe.mitre.org/data/definitions/476.html
>>
>> /* */ package nio;
>> /* */
>> /* */ import clojure.lang.AFunction;
>> /* */ import clojure.lang.IFn;
>> /* */ import clojure.lang.RT;
>> /* */ import clojure.lang.Var;
>> /* */ import java.nio.Buffer;
>> /* */ import java.nio.ByteBuffer;
>> /* */
>> /* */ public final class core$fn__1869 extends AFunction
>> /* */ {
>> /* 284 */   public static final Var const__0 = (Var)RT.var("clojure.core", "make-array");
>> /* */
>> /* */   public Object invoke(Object x)
>> /* */   {
>> /* 297 */     x = null; Object x = ((ByteBuffer)x).duplicate();
>> /* 298 */     Object array = ((IFn)const__0.getRawRoot()).invoke(Byte.TYPE, Integer.valueOf(((Buffer)x).remaining()));
>> /* 299 */     x = null; ((ByteBuffer)x).get((byte[])array); array = null; return array;
>> /* */   }
>> /* */ }
>>
>>
>> Decompiler:
>>
>> http://jd.benow.ca/
>>
>> Is the decompiler somehow generating code with these security issues and the actual bytecode does not have them maybe?
>>
>>
>> I have no idea how to move forward with this. We have to "check a box" for them in corporate speak yet there is no clear path to run a dependable security scan against the codebase.
>>
>>
>> Yes I realize this is silly to demand running this tool.
>>
>> Any other tools out there that might be able to scan Clojure code like this?
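The decompiled `core$fn__1869` above has the shape of a small buffer-copying function. The following is an added example, not code from the thread or from the `nio` library (the real source of that function is an assumption here); it shows what such a function looks like in Clojure, how to compile it with locals clearing turned off as Alex suggests, and how to check with `javap` whether a null-dereference finding is really just the compiler's `aconst_null`/`astore` clearing of a local after its last use:

```clojure
;; Added example (not from the thread). Namespace and function names are
;; made up for illustration; the real nio library source may differ.
(ns locals-clearing-demo
  (:import [java.nio ByteBuffer]))

(defn buffer->bytes
  "Copy the remaining bytes of a ByteBuffer into a fresh byte array.
   Compiled normally, the Clojure compiler clears each local (stores null
   into its slot) right after its last use so the JVM can collect it.
   A Java decompiler renders that as `x = null;` placed before the use,
   which a source scanner reports as CWE-476 even though the bytecode
   never dereferences null."
  [^ByteBuffer x]
  (let [x     (.duplicate x)
        array (make-array Byte/TYPE (.remaining x))]
    (.get x array)
    array))

(defn compile-without-locals-clearing
  "AOT-compile this namespace with locals clearing disabled, for inspection
   only. *compile-path* (default \"classes\") must exist and be on the
   classpath. Do not ship code built this way: locals clearing is what lets
   long lazy sequences be garbage-collected while they are consumed."
  []
  (binding [*compiler-options* {:disable-locals-clearing true}]
    (compile 'locals-clearing-demo)))

(comment
  ;; The same switch as a JVM system property, for build scripts:
  ;;   java -Dclojure.compiler.disable-locals-clearing=true \
  ;;        -cp src:classes:clojure.jar clojure.main \
  ;;        -e "(compile 'locals-clearing-demo)"
  ;;
  ;; To confirm a scanner finding is a locals-clearing artifact, compare
  ;; the bytecode of the normal and the disabled build. The munged class
  ;; name for buffer->bytes is locals_clearing_demo$buffer__GT_bytes:
  ;;   javap -c -p classes/locals_clearing_demo\$buffer__GT_bytes.class
  ;; The normal build shows `aconst_null` / `astore_1` after the last use
  ;; of x; the disabled build does not. A finding that disappears with the
  ;; switch is a decompiler artifact, not a defect in the code.
  (compile-without-locals-clearing))
```

Running a bytecode-level tool (FindBugs/SpotBugs or Fortify in bytecode mode) on the normally compiled classes avoids the round trip through a decompiler altogether, which is the cleaner way to get a defensible report for this kind of request.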