Closed SingingBush closed 3 weeks ago
Using:
    <build>
      <plugins>
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <version>${plugins.odc.version}</version>
          <inherited>false</inherited>
          <configuration>
            <nvdApiKeyEnvironmentVariable>NVD_API_KEY</nvdApiKeyEnvironmentVariable>
          </configuration>
        </plugin>
      </plugins>
    </build>
Running mvn org.owasp:dependency-check-maven:update-only I get:
[INFO] Checking for updates
[INFO] NVD API has 8,500 records in this update
[INFO] Recoverable I/O exception (javax.net.ssl.SSLException) caught when processing request to {s}->https://services.nvd.nist.gov:443
[INFO] Recoverable I/O exception (javax.net.ssl.SSLPeerUnverifiedException) caught when processing request to {s}->https://services.nvd.nist.gov:443
[INFO] Downloaded 10,000/8,500 (118%)
[INFO] Downloaded 8,500/8,500 (100%)
[INFO] Completed processing batch 1/5 (20%) in 3,765ms
[INFO] Completed processing batch 2/5 (40%) in 779ms
[INFO] Completed processing batch 3/5 (60%) in 222ms
[INFO] Completed processing batch 4/5 (80%) in 396ms
[INFO] Completed processing batch 5/5 (100%) in 432ms
You would have to share your complete pom.xml and the command executed for us to have any idea why the API key is not being picked up.
I'm running mvn dependency-check:check. Interestingly I've been able to get it working by moving the config of the API key to the pluginManagement section:
    <build>
      <pluginManagement>
        <plugins>
          <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <version>10.0.2</version>
            <configuration>
              <nvdApiKeyEnvironmentVariable>NVD_API_KEY</nvdApiKeyEnvironmentVariable>
            </configuration>
          </plugin>
        </plugins>
      </pluginManagement>
      <plugins>
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <executions>
            <execution>
              <goals>
                <goal>check</goal>
              </goals>
              <configuration>
                <failBuildOnCVSS>9</failBuildOnCVSS>
              </configuration>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
Run mvn help:effective-pom to make Maven output the effective pom.xml it uses for your project if you want to dive deeper into what's going wrong in your case when you configure it as part of the plugins section.
My suspicion is that something in your pom inheritance structure and/or settings.xml might be interfering in some unknown way.
For those cases typically the goals of the Maven help plugin come to the rescue for investigating what the active profiles, effective settings and effective pom are in your build.
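A pre-flight check for that effective-pom inspection, added here as an example (not code from this thread or from the DependencyCheck project): it parses the output of mvn help:effective-pom and reports, for each dependency-check-maven declaration, whether the key is wired through pluginManagement or a plain plugins entry, whether inherited=false is set, whether the named environment variable is actually present, and whether a literal key has been committed to the pom. The function name and the sample POM are constructed for the demo.

```python
import os
import xml.etree.ElementTree as ET

PLUGIN = ("org.owasp", "dependency-check-maven")

# Constructed sample of what help:effective-pom prints for the first pom in the thread.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <build><plugins><plugin>
    <groupId>org.owasp</groupId><artifactId>dependency-check-maven</artifactId>
    <inherited>false</inherited>
    <configuration><nvdApiKeyEnvironmentVariable>NVD_API_KEY</nvdApiKeyEnvironmentVariable></configuration>
  </plugin></plugins></build></project>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the {namespace} prefix Maven adds

def _child_text(elem, name):
    for child in elem if elem is not None else ():
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def audit_nvd_key_config(pom_xml, env=None):
    """One finding per dependency-check-maven <plugin> element in the POM."""
    env = os.environ if env is None else env
    root = ET.fromstring(pom_xml)
    parents = {c: p for p in root.iter() for c in p}
    findings = []
    for plugin in root.iter():
        ident = (_child_text(plugin, "groupId"), _child_text(plugin, "artifactId"))
        if _local(plugin.tag) != "plugin" or ident != PLUGIN:
            continue
        # pluginManagement config applies wherever the plugin is used (child modules too).
        node, managed = plugin, False
        while node in parents:
            node = parents[node]
            managed |= _local(node.tag) == "pluginManagement"
        conf = next((c for c in plugin if _local(c.tag) == "configuration"), None)
        env_var = _child_text(conf, "nvdApiKeyEnvironmentVariable")
        literal = _child_text(conf, "nvdApiKey")
        findings.append({
            "section": "pluginManagement" if managed else "plugins",
            "inherited": _child_text(plugin, "inherited"),  # "false" blocks child modules
            "env_var": env_var,
            "env_var_set": bool(env_var and env.get(env_var)),
            # A value that is not a ${...} property reference is a secret committed to VCS.
            "hardcoded_key": bool(literal and not literal.startswith("${")),
        })
    return findings
```

Run it with `audit_nvd_key_config(open("effective-pom.xml").read())` after `mvn help:effective-pom -Doutput=effective-pom.xml`; an empty list means no dependency-check-maven declaration survived inheritance at all.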
I am aware the recommended way to configure the API key for NVD is via the maven settings.xml. However nvdApiKey is a documented configuration property (related code) that should work if the key is set directly in the pom:
Initially I'd been using ${env.NVD_API_KEY} for the nvdApiKey value and noticed that despite having a valid value set for NVD_API_KEY in my environment, when running mvn dependency-check:check I'd still get the [WARNING] An NVD API Key was not provided message. So I pasted the key directly into the pom and tried again and still got the same message. I also tried using
    <nvdApiKeyEnvironmentVariable>NVD_API_KEY</nvdApiKeyEnvironmentVariable>
as per https://github.com/jeremylong/DependencyCheck/blob/b44770a045302e8d701e67f69759e5fa9b061748/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java#L942-L949; unfortunately this still resulted in the [WARNING] An NVD API Key was not provided message. It seems like a bug, which makes sense considering how many related issues have been raised: NVD API Key was not provided.