Warning: "An NVD API Key was not provided..."

jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.

https://owasp.org/www-project-dependency-check/

Apache License 2.0

6.42k stars 1.28k forks source link

Warning: "An NVD API Key was not provided..." #6561

Open aliyevakhalida opened 7 months ago

aliyevakhalida commented 7 months ago

We've integrated dependency check into our pipeline. In one of the steps, we're using the following command:

run: |
  gradle dependencyCheckAggregate \
    -PdependencyCheck.nvd.apiKey=${{ inputs.nvd-api-key }}

Despite this configuration, we're, most of the time, receiving the warning: "An NVD API Key was not provided - it is highly recommended to use an NVD API key as the update can take a VERY long time without an API Key." Are we missing something in our setup that's causing this warning to persist? We'd appreciate any insights or guidance on resolving this issue. Thank you.

Note: Despite receiving this warning, there were instances where the check completed successfully and did not take a significant amount of time

aikebah commented 7 months ago

Fairly certain you should closer read documentation on the tools you use.

http://jeremylong.github.io/DependencyCheck/dependency-check-gradle/configuration-update.html

Not a gradler myself, but I expect you would see no issue if your project-property included the config group in addition to the plugin and the propertyname.

So try dependencyCheck.nvd.apiKey instead of dependencyCheck.apiKey in your command.

jeremylong commented 7 months ago

ATM - I'm not sure if you can pass gradle configs for ODC via the CLI. You can configure the plugin using an init script. Several security tools use this approach.

3vmartinet commented 2 months ago

As mentioned above, dependencyCheck.nvd.apiKey seems to do it

./gradlew dependencyCheckAggregate -PdependencyCheck.nvd.apiKey=<API_KEY>

aliyevakhalida commented 2 months ago

Fairly certain you should closer read documentation on the tools you use.

http://jeremylong.github.io/DependencyCheck/dependency-check-gradle/configuration-update.html

Not a gradler myself, but I expect you would see no issue if your project-property included the config group in addition to the plugin and the propertyname.

So try dependencyCheck.nvd.apiKey instead of dependencyCheck.apiKey in your command.

@aikebah, @3vmartinet, @jeremylong this didn't work. We are still getting failures most of the time, but sometimes (very randomly) the check succeeds. I am going to update the description and add the config group for future readers of the thread

jeremylong commented 2 months ago

You can always use an init script to configure the task. Example can be found here: https://github.com/jeremylong/DependencyCheck/issues/4044#issuecomment-1030828651

loicmathieu commented 2 weeks ago

I confirm that ./gradlew dependencyCheckAggregate -PdependencyCheck.nvd.apiKey=<API_KEY> didn't work.

What I ended up is to add the NVD API KEY in an environment variable and configure the task to use this env variable.

dependencyCheck {
    nvd.apiKey = System.getenv("NVD_API_KEY")
}

jeremylong commented 1 week ago

If you can't modify the build.gradle - you can use an init script to configure the API key.