Maybe you can find the answer here: http://stackoverflow.com/a/6590437

Regards.
Andrey

On Wed, Oct 21, 2015 at 11:35 PM, ryan medlin <ryan.w.med...@gmail.com>
wrote:

> A customer requires that we scan our Clojure projects with this tool:
>
> http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/
>
>
> They must get some meaningful report from this.
>
> So I thought, well why don't I compile and then decompile the class files
> and then scan those to at least give them something.
>
> However when I do that I get a TON of high security issues in multiple
> dependencies (ring, clojure.core)
>
> Here is the most prevalent:
>
> https://cwe.mitre.org/data/definitions/476.html
>
> /*     */ package nio;
> /*     */
> /*     */ import clojure.lang.AFunction;
> /*     */ import clojure.lang.IFn;
> /*     */ import clojure.lang.RT;
> /*     */ import clojure.lang.Var;
> /*     */ import java.nio.Buffer;
> /*     */ import java.nio.ByteBuffer;
> /*     */
> /*     */ public final class core$fn__1869 extends AFunction
> /*     */ {
> /* 284 */   public static final Var const__0 = (Var)RT.var("clojure.core", "make-array");
> /*     */
> /*     */   public Object invoke(Object x)
> /*     */   {
> /* 297 */     x = null; Object x = ((ByteBuffer)x).duplicate();
> /* 298 */     Object array = ((IFn)const__0.getRawRoot()).invoke(Byte.TYPE, Integer.valueOf(((Buffer)x).remaining()));
> /* 299 */     x = null; ((ByteBuffer)x).get((byte[])array); array = null; return array;
> /*     */   }
> /*     */ }
>
>
> Decompiler:
>
> http://jd.benow.ca/
>
> Is the decompiler somehow generating code with these security issues, and
> maybe the actual bytecode does not have them?
>
>
> I have no idea how to move forward with this.  We have to "check a box"
> for them in corporate speak yet there is no clear path to run a dependable
> security scan against the codebase.
>
>
> Yes I realize this is silly to demand running this tool.
>
> Any other tools out there that might be able to scan Clojure code like
> this?
>
>
>
> --
> You received this message because you are subscribed to the Google
> Groups "Clojure" group.
> To post to this group, send email to clojure@googlegroups.com
> Note that posts from new members are moderated - please be patient with
> your first post.
> To unsubscribe from this group, send email to
> clojure+unsubscr...@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/clojure?hl=en
> ---
> You received this message because you are subscribed to the Google Groups
> "Clojure" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to clojure+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>



-- 
Andrey Antukh - Андрей Антух - <n...@niwi.nz>
http://www.niwi.nz
https://github.com/niwinz
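
For anyone landing here from a search: the `x = null;` lines in the decompiled `core$fn__1869` quoted above are an artifact of the Clojure compiler's locals clearing, not a real null dereference and not code the decompiler invented from nothing. At the last use of a local the compiler emits `aload` (push the value on the operand stack), then `aconst_null; astore` (null the slot so the JVM can collect the object), and only then the method call on the value already on the stack. A decompiler that rebuilds statements from the stores prints the null assignment ahead of the use, and a source-level scanner then reports CWE-476 against Java nobody wrote. The Clojure below is an added example written for this note, not code from the original thread or from Clojure, JD or the HP tool; `buffer-to-bytes` is a hypothetical reconstruction of a function that compiles to something like the quoted class, and the class path in the javap comment assumes a plain `(compile ...)` run.

```clojure
(ns nio.core
  (:import (java.nio ByteBuffer)))

;; Hypothetical reconstruction (not the poster's real source) of a function
;; whose AOT-compiled class decompiles to something like `core$fn__1869`:
;; duplicate the buffer, allocate a byte[] of the remaining size, fill it.
(defn buffer-to-bytes
  "Copy the remaining bytes of buf into a fresh byte array without moving
   the caller's position (duplicate shares content but not position)."
  [^ByteBuffer buf]
  (let [x     (.duplicate buf)                      ; last use of buf
        array (make-array Byte/TYPE (.remaining x))]
    (.get x array)                                  ; last use of x
    array))                                         ; last use of array

;; For each "last use" marked above the Clojure compiler emits, in order:
;;   aload    <slot>   ; push the value on the operand stack
;;   aconst_null
;;   astore   <slot>   ; locals clearing: null the slot so the JVM can GC it
;;   checkcast java/nio/ByteBuffer
;;   invokevirtual java/nio/ByteBuffer.duplicate:()Ljava/nio/ByteBuffer;
;; The value is on the stack before the slot is nulled, so nothing calls a
;; method on null at runtime.  A decompiler that turns stores back into
;; statements prints "x = null; ((ByteBuffer)x).duplicate()" and a scanner
;; reading that text reports CWE-476 on a dereference that never happens.

;; By contrast, this is a genuine null dereference a scanner should flag:
;; the type hint only drives method resolution, it does not reject nil.
(defn remaining-count [^ByteBuffer maybe-buf]
  (.remaining maybe-buf))                           ; NPE when maybe-buf is nil

;; Hardened form: check for nil before touching the object.
(defn remaining-count-safe [^ByteBuffer maybe-buf]
  (if (nil? maybe-buf) 0 (.remaining maybe-buf)))

(comment
  ;; REPL checks: the cleared local is never read after being nulled.
  (let [buf (ByteBuffer/wrap (byte-array [1 2 3 4]))]
    (.get buf)                          ; consume one byte, position is now 1
    [(vec (buffer-to-bytes buf))        ; => [2 3 4]
     (.position buf)])                  ; => 1, the duplicate did the reading

  (remaining-count-safe nil)            ; => 0
  (remaining-count nil)                 ; throws NullPointerException

  ;; Two ways to get a report that reflects the real program:
  ;; 1. Look at the bytecode itself rather than a decompilation, e.g. with
  ;;    javap (assumed path: *compile-path*, default classes/, after
  ;;    (compile 'nio.core) with that directory on the classpath):
  ;;      javap -c -p 'classes/nio/core$buffer_to_bytes.class'
  ;; 2. For a scan-only build, switch locals clearing off so the decompiled
  ;;    Java no longer contains the spurious assignments (do not ship this
  ;;    build; clearing exists so long-held locals can be collected):
  ;;      java -Dclojure.compiler.disable-locals-clearing=true \
  ;;           -cp clojure.jar:src:classes clojure.main -e "(compile 'nio.core)"
  )
```

The vulnerable/hardened pair is there so the scan output can be triaged: a CWE-476 finding that points at a `x = null;` immediately followed by a use of `x` on the same source line is the locals-clearing pattern and can be marked as a false positive in bulk; a finding on a method call whose receiver genuinely comes from a map lookup, an optional argument or a failed I/O call is the kind worth fixing.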
