We work providing software to banks, partly in the cloud but largely on-premise products.
We have been Java-based for many years, but are now looking to move to Clojure as we all love it. While on almost every front it is looking good, our market requires us to clearly demonstrate a high level of security compliance. To that end we have historically used code security scanning, specifically HP Fortify. Even when using it on Java, the cost of such objective 'proof' of security health is a large number of false positives, and given that our customers look to these shared reports for confidence, this means long and expensive work to document and then discuss each false positive.

Now, trying it with Clojure, this is looking like it could be a killer problem for us: we have a very large number of issues, many of them in the core runtime. Analysing a sample, it is pretty clear these are false positives; however, we are concerned about the practicality of fighting through. Explaining your own Java code (given that the majority of enterprise tooling and customer staff familiarity is in Java) is already hard; explaining Clojure internals, which do not decompile to Java, is not a promising prospect.

I am reaching out to see if anyone else has fought this fight and won, or at least not lost? We have done some preliminary analysis and it seems clear that a good portion of these issues could be handled if we could contribute PR changes to core Clojure. However, I know that making changes to working code to avoid this kind of static analysis issue is typically not uniformly popular, and it would anyhow need careful analysis to detect and avoid any potential performance impact from added checks. So on that front I am wondering if anyone has managed to contribute back any minor changes to core?

-- You received this message because you are subscribed to the Google Groups "Clojure" group. To post to this group, send email to [email protected] Note that posts from new members are moderated - please be patient with your first post.
To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/clojure?hl=en
