Most Clojure classes cannot be decompiled to Java (locals clearing is all 
over it and has no Java equivalent; that's just one problem, there are others).

Some people have tried this with Fortify and other bytecode-oriented 
scanners, but I don't know of anyone who's gotten any results that were 
useful.

On Thursday, April 2, 2020 at 5:33:50 PM UTC-5, Didier wrote:
>
> Reviving an old topic here, does anyone know of a Clojure 1.10 compatible 
> security analysis tool? I too thought of just decompiling the .class to 
> Java. It also appears Fortify can run on bytecode only, so I might give 
> that a try if I can't find anything else.
>
> Regards
>
> On Wednesday, 21 October 2015 15:14:31 UTC-7, Alex Miller wrote:
>>
>> In general, Clojure code cannot be decompiled from .class to .java as the 
>> Clojure generated bytecode does things that cannot be represented in Java. 
>> The particular issue below looks like the local-clearing code. It is 
>> possible to turn that off during compilation, however there are likely 
>> other things as well that cannot be decompiled satisfactorily.
>>
>> FindBugs works directly from bytecode (not source code) so might be more 
>> amenable for this kind of analysis. There is a sonar plugin (
>> https://github.com/zmsp/sonar-clojure) which uses Eastwood and Kibit 
>> that might also be useful.
>>
>> FYI, Clojure is registered in CVE with id CVE-2015-4653 (although there 
>> are no reports registered yet). I gather that it is useful to create at 
>> least one such thing to make it searchable and I have that on my todo list 
>> (although it's not a high priority). 
>>
>> Alex
>>
>>
>> On Wednesday, October 21, 2015 at 3:41:21 PM UTC-5, ryan medlin wrote:
>>>
>>> A customer requires that we scan our clojure projects with this tool:
>>>
>>> http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/
>>>
>>>
>>> They must get some meaningful report from this.
>>>
>>> So I thought, well why don't I compile and then decompile the class 
>>> files and then scan those to at least give them something.
>>>
>>> However when I do that I get a TON of high security issues in multiple 
>>> dependencies (ring, clojure.core)
>>>
>>> Here is the most prevalent:
>>>
>>> https://cwe.mitre.org/data/definitions/476.html
>>>
>>> /*     */ package nio;
>>> /*     */ 
>>> /*     */ import clojure.lang.AFunction;
>>> /*     */ import clojure.lang.IFn;
>>> /*     */ import clojure.lang.RT;
>>> /*     */ import clojure.lang.Var;
>>> /*     */ import java.nio.Buffer;
>>> /*     */ import java.nio.ByteBuffer;
>>> /*     */ 
>>> /*     */ public final class core$fn__1869 extends AFunction
>>> /*     */ {
>>> /* 284 */   public static final Var const__0 = 
>>> (Var)RT.var("clojure.core", "make-array");
>>> /*     */ 
>>> /*     */   public Object invoke(Object x)
>>> /*     */   {
>>> /* 297 */     x = null; Object x = ((ByteBuffer)x).duplicate();
>>> /* 298 */     Object array = 
>>> ((IFn)const__0.getRawRoot()).invoke(Byte.TYPE, 
>>> Integer.valueOf(((Buffer)x).remaining()));
>>> /* 299 */     x = null; ((ByteBuffer)x).get((byte[])array); array = 
>>> null; return array;
>>> /*     */   }
>>> /*     */ }
>>>
>>>
>>> Decompiler:
>>>
>>> http://jd.benow.ca/
>>>
>>> Is the decompiler somehow generating code with these security issues and 
>>> the actual bytecode does not have them, maybe?
>>>
>>>
>>> I have no idea how to move forward with this.  We have to "check a box" 
>>> for them in corporate speak yet there is no clear path to run a dependable 
>>> security scan against the codebase.
>>>
>>>
>>> Yes I realize this is silly to demand running this tool.
>>>
>>> Any other tools out there that might be able to scan Clojure code like 
>>> this?
>>>
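For anyone triaging a finding like the CWE-476 hit above, here is an added Java illustration (not code from any post in this thread, nor from Clojure itself) of why the decompiled text reads as a null dereference that the bytecode never performs. The `ByteBuffer` input is constructed for the demo.

```java
import java.nio.ByteBuffer;

public final class LocalsClearingDemo {

    // Shape of the JD output quoted in the thread, adjusted only so it compiles
    // (the original "x = null; Object x = ..." redeclares the parameter and is not
    // legal Java). Read literally, this really does dereference null, which is
    // exactly what a source-level scanner reports as CWE-476.
    static byte[] asDecompiled(Object x) {
        x = null;
        Object dup = ((ByteBuffer) x).duplicate();   // NullPointerException here
        byte[] array = new byte[((ByteBuffer) dup).remaining()];
        ((ByteBuffer) dup).get(array);
        return array;
    }

    // What Clojure's locals clearing actually emits for the last use of a local:
    //   aload x            push the current value onto the operand stack
    //   aconst_null        ...
    //   astore x           ...then null out the local slot
    //   invokevirtual      the call consumes the value already on the stack
    // The "pushed" temporaries stand in for the operand stack, which Java
    // source cannot express, so decompilers fold the sequence into "x = null".
    static byte[] asBytecode(Object x) {
        Object pushed = x;                           // aload
        x = null;                                    // aconst_null; astore
        ByteBuffer dup = ((ByteBuffer) pushed).duplicate();
        byte[] array = new byte[dup.remaining()];
        ByteBuffer pushedDup = dup;                  // aload
        dup = null;                                  // aconst_null; astore
        pushedDup.get(array);
        byte[] pushedArray = array;                  // aload
        array = null;                                // aconst_null; astore
        return pushedArray;                          // areturn
    }

    public static void main(String[] args) {
        ByteBuffer buf = ByteBuffer.wrap("constructed input".getBytes()); // constructed
        System.out.println("bytecode order:   " + new String(asBytecode(buf.duplicate())));
        try {
            asDecompiled(buf.duplicate());
        } catch (NullPointerException e) {
            System.out.println("decompiled order: NullPointerException (decompiler artifact)");
        }
    }
}
```

Comparing `javap -c` output for the real class against the decompiler's text is the quickest way to confirm that the reported dereference is an artifact of the source reconstruction rather than of the program.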
