A customer requires that we scan our clojure projects with this tool:

http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/


They must get some meaningful report from this.

So I thought, well, why don't I compile and then decompile the class files 
and then scan those to at least give them something.

However, when I do that I get a TON of high security issues in multiple 
dependencies (ring, clojure.core).

Here is the most prevalent:

https://cwe.mitre.org/data/definitions/476.html

    package nio;

    import clojure.lang.AFunction;
    import clojure.lang.IFn;
    import clojure.lang.RT;
    import clojure.lang.Var;
    import java.nio.Buffer;
    import java.nio.ByteBuffer;

    public final class core$fn__1869 extends AFunction
    {
      public static final Var const__0 = (Var)RT.var("clojure.core", "make-array");

      public Object invoke(Object x)
      {
        x = null; Object x = ((ByteBuffer)x).duplicate();
        Object array = ((IFn)const__0.getRawRoot()).invoke(Byte.TYPE, Integer.valueOf(((Buffer)x).remaining()));
        x = null; ((ByteBuffer)x).get((byte[])array); array = null; return array;
      }
    }


Decompiler:

http://jd.benow.ca/

Is the decompiler somehow generating code with these security issues and 
the actual bytecode does not have them maybe?


I have no idea how to move forward with this.  We have to "check a box" for 
them in corporate speak yet there is no clear path to run a dependable 
security scan against the codebase.


Yes I realize this is silly to demand running this tool.

Any other tools out there that might be able to scan Clojure code like this?



-- 
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your 
first post.
To unsubscribe from this group, send email to
clojure+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en
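Added illustration, not part of the original post: the Clojure that plausibly compiled to the decompiled core$fn__1869 above (reconstructed from the decompiled output, so the namespace and function name are assumptions), with the compiler setting that keeps the decompiler from emitting the `x = null` pattern the scanner flags as CWE-476.

```clojure
(ns nio.core
  (:import [java.nio ByteBuffer]))

;; Reconstructed from the decompiled core$fn__1869 (assumption: the real
;; source may differ in naming). Copies a ByteBuffer's remaining bytes into
;; a fresh byte array without moving the caller's position.
(defn buffer->bytes ^bytes [^ByteBuffer x]
  (let [x     (.duplicate x)
        array (make-array Byte/TYPE (.remaining x))]
    (.get x ^bytes array)
    array))

;; Why the decompiler shows "x = null; ... ((ByteBuffer)x).duplicate()":
;; the Clojure compiler clears each local right after its last use
;; (aload x, aconst_null, astore x, then the call on the already loaded
;; value) so the reference becomes GC-eligible. JD renders that store as
;; happening before the load, which reads as a null dereference even
;; though the bytecode never dereferences null.
;;
;; For class files whose decompilation is readable by a source scanner,
;; compile with locals clearing disabled (a real Clojure compiler option):
;;   java -Dclojure.compiler.disable-locals-clearing=true -cp <classpath> clojure.main
;; or per compilation from a REPL:
(comment
  (binding [*compiler-options* {:disable-locals-clearing true}]
    (compile 'nio.core)))
```

Disabling locals clearing only changes the emitted bytecode's GC behaviour, so it is appropriate for producing scan input but worth leaving enabled for the release build.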