dependency-check / azuredevops

Dependency Check Azure DevOps Extension
Apache License 2.0

Expose the NVD API Key as a Task parameter #146

Closed bm-fez closed 2 months ago

bm-fez commented 7 months ago

With 9.0.0 of the Dependency Checker Tool it is recommended that an NVD API key is used, otherwise the performance is very poor.

This can be done using a custom argument with the current version:

```yaml
- task: dependency-check-build-task@6
  displayName: 'Vunerability Scan'
  inputs:
    projectName: '$(projectname)'
    scanPath: '$(Build.SourcesDirectory)/**'
    format: HTML, XML
    reportsDirectory: '$(Build.ArtifactStagingDirectory)/vunerabilityscan'
    reportFilename: 'vunerabilityscan.html'
    additionalArguments: '--nvdApiKey $(nvdapikey)'
```

However, it would be nicer to have a dedicated parameter, as this is becoming a core parameter.

Saturate commented 7 months ago

I agree, and I can take a look at it.

bm-fez commented 7 months ago

> I agree, and I can take a look at it.

I am already on it (#147); I had just created the issue as a marker.

Saturate commented 7 months ago

Haha, I'll not commit mine then :) I have a small change on it, as noted in the PR.

pippolino commented 3 months ago

Hi @bm-fez, can you check the new functionality, including parameter masking in the log?

bm-fez commented 2 months ago

@pippolino I am confused, what am I meant to be looking at? Is the NVDAPIKEY as a named parameter not shipped and working now with key obfuscation in the logs?

If I check the logs on one of my pipelines I see:

```text
==============================================================================
Task         : OWASP Dependency Check
Description  : Dependency Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies.
Version      : 6.1.3
Author       : Dependency Check
Help         : [More Information](https://jeremylong.github.io/DependencyCheck/index.html)
==============================================================================
Starting Dependency Check...
Setting report directory to D:\a\1\TestResults\dependency-check
Creating report directory at D:\a\1\TestResults\dependency-check
Downloading Dependency Check latest installer from GitHub..
Downloading ZIP from "https://github.com/jeremylong/DependencyCheck/releases/download/v9.0.9/dependency-check-9.0.9-release.zip"...
Dependency Check script set to D:\a\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\6.1.3\dependency-check\bin\dependency-check.bat
Invoking Dependency Check...
Path: D:\a\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\6.1.3\dependency-check\bin\dependency-check.bat
Arguments: --project "A Server" --out "D:\a\1\TestResults\dependency-check" --scan "D:\a\1\s\A-Server" --format HTML --format XML --nvdApiKey ***
C:\Windows\system32\cmd.exe /D /S /C "D:\a\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\6.1.3\dependency-check\bin\dependency-check.bat --version"
Dependency-Check Core version 9.0.9

Searching for left over lock files...
found no left over lock files, continuing...
C:\Windows\system32\cmd.exe /D /S /C "D:\a\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\6.1.3\dependency-check\bin\dependency-check.bat --project "A Server" --out D:\a\1\TestResults\dependency-check --scan D:\a\1\s\A-Server --format HTML --format XML --nvdApiKey ***"
```
pippolino commented 2 months ago

Hi @bm-fez, with the new version v6.2.0 the nvdApiKey parameter has been added and sensitive parameters are masked in the log. The log you showed me is from version 6.1.3.
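The masking the thread is about (the real key never appearing in the "Arguments:" line, only `***`) is easy to get wrong when a command line is assembled from strings. The following is an added illustration, not the extension's own code: a small TypeScript helper that masks the value of sensitive flags before an argument list is logged. It also handles the `--flag=value` form and flag-name case, which the thread does not discuss; the flag list and sample key are assumptions.

```typescript
// Added example (not code from the dependency-check Azure DevOps extension):
// mask sensitive CLI values before an argument list is written to the build log.

// Flags whose value must be hidden. Assumed list; the thread only names --nvdApiKey.
const SENSITIVE_FLAGS: readonly string[] = ["--nvdApiKey"];
const MASK = "***";

/** Returns a copy of argv with every sensitive value replaced by MASK.
 *  Handles both "--flag value" and "--flag=value"; flag names compare case-insensitively. */
function maskSensitiveArgs(
  argv: readonly string[],
  sensitiveFlags: readonly string[] = SENSITIVE_FLAGS
): string[] {
  const flags = new Set(sensitiveFlags.map((f) => f.toLowerCase()));
  const out: string[] = [];
  let maskNext = false;
  for (const arg of argv) {
    if (maskNext) {            // previous element was a sensitive flag: hide this value
      out.push(MASK);
      maskNext = false;
      continue;
    }
    const eq = arg.indexOf("=");
    const name = (eq === -1 ? arg : arg.slice(0, eq)).toLowerCase();
    if (flags.has(name)) {
      if (eq === -1) {
        out.push(arg);
        maskNext = true;       // value is the next argv element
      } else {
        out.push(`${arg.slice(0, eq)}=${MASK}`); // inline --flag=value form
      }
      continue;
    }
    out.push(arg);
  }
  return out;
}

/** Renders the masked list the way the "Arguments:" log line above does:
 *  arguments containing whitespace are double-quoted. */
function formatForLog(argv: readonly string[]): string {
  return maskSensitiveArgs(argv)
    .map((a) => (/\s/.test(a) ? `"${a}"` : a))
    .join(" ");
}

// Constructed sample: the argument list from the log above with a fake key.
const sampleArgs: string[] = ["--project", "A Server", "--out", "D:\\a\\1\\TestResults\\dependency-check",
  "--scan", "D:\\a\\1\\s\\A-Server", "--format", "HTML", "--format", "XML",
  "--nvdApiKey", "0000-FAKE-KEY-0000"];
console.log("Arguments: " + formatForLog(sampleArgs));
```

Masking only the logged copy is the point: the unmasked list is still what gets passed to the child process, and the pipeline's own secret-variable masking is a second, independent layer.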