Merge pull request #442 from yetanalytics/nvd-scan-remove

[SQL-275][SQL-276] Replace nvd-clojure scanning with Dependabot

.github/workflows/test.yml

@@ -3,13 +3,6 @@ name: CI
 on: push
 
 jobs:
-  nvd_scan:
-    uses: yetanalytics/workflow-nvd/.github/workflows/nvd-scan.yml@v2
-    with:
-      nvd-clojure-version: "3.3.0"
-      classpath-command: "clojure -Spath -Adb-sqlite:db-postgres"
-      nvd-config-filename: ".nvd/config.json"
-
   lint:
     uses: yetanalytics/workflow-linter/.github/workflows/linter.yml@v2024.08.01
     with:

Makefile

@@ -23,10 +23,10 @@ resources/public/admin:
 # All other phony targets run lrsql instances that can be used and tested
 # during development. All start up with fixed DB properties and seed creds.
 
-.phony: clean-dev, ci, ephemeral, ephemeral-prod, sqlite, postgres, bench, bench-async, check-vuln, keycloak-demo, ephemeral-oidc, superset-demo, clamav-demo, test-sqlite, test-postgres, test-postgres-11, test-postgres-12, test-postgres-13, test-postgres-14, test-postgres-15
+.phony: clean-dev, ci, ephemeral, ephemeral-prod, sqlite, postgres, bench, bench-async, keycloak-demo, ephemeral-oidc, superset-demo, clamav-demo, test-sqlite, test-postgres, test-postgres-11, test-postgres-12, test-postgres-13, test-postgres-14, test-postgres-15
 
 clean-dev:
-	rm -rf *.db *.log resources/public tmp target/nvd
+	rm -rf *.db *.log resources/public tmp
 
 # Tests
 
@@ -95,13 +95,6 @@ bench-async:
 		-a true \
 		-u username -p password
 
-# Vulnerability check
-
-target/nvd:
-	clojure -Xnvd check :classpath '"'"$$(clojure -Spath -A:db-sqlite:db-postgres)"'"' :config-filename '".nvd/config.json"'
-
-check-vuln: target/nvd
-
 # Demo instance of Keycloak used for interactive development
 
 keycloak-demo:
@@ -298,3 +291,7 @@ run-jar-postgres: target/bundle
 
 pom.xml:
 	clojure -Adb-sqlite:db-postgres -Spom
+
+# TODO: Add a local vulnerability checker.
+# Note that we removed our previous one that used nvd-clojure as that app was
+# becoming too unreliable; perhaps look into clj-watson?

deps.edn

@@ -140,9 +140,6 @@
   {:extra-deps  {io.github.clojure/tools.build {:git/tag "v0.10.0"
                                                 :git/sha "3a2c484"}}
    :extra-paths ["src/build"]}
-  :nvd
-  {:replace-deps {nvd-clojure/nvd-clojure {:mvn/version "2.6.0"}}
-   :ns-default   nvd.task}
   :doc
   {:replace-deps {com.yetanalytics/markdoc {:git/url "https://github.com/yetanalytics/markdoc"
                                             :git/tag "v0.0.1"

doc/dev.md

@@ -23,7 +23,6 @@ The SQL LRS can be built or run with the following Makefile targets. They can be
 | `bundle`           | Build a complete distribution of the SQL LRS including the user interface and native runtimes for multiple operating systems.                                                                                |
 | `bench`            | Run a load test and benchmark performance, returning performance metrics on predefined test data. Requires a running SQL LRS instance to test against. This test sends requests synchronously on one thread. |
 | `bench-async`      | Same as `bench` but it runs with concurrent requests on multiple threads.                                                                                                                                    |
-| `check-vuln`       | Run the [nvd-clojure](https://github.com/rm-hull/nvd-clojure) tool, which checks for vulnerabilities against the [National Vulnerability Database](https://nvd.nist.gov/).                                   |
 
 #### Run Targets
 
@@ -118,4 +117,3 @@ java -cp bench.jar lrsql.bench [arguments]
 Sample insert and query inputs can be found in the distribution at `bench/`
 
 [<- Back to Index](index.md)
-