jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Setting nvdApiKey in plugin configuration is ignored despite it being supposed to take priority #6836

Closed SingingBush closed 3 weeks ago

SingingBush commented 1 month ago

I am aware the recommended way to configure the API key for NVD is via the maven settings.xml. However nvdApiKey is a documented configuration property (related code) that should work if the key is set directly in the pom:

            <plugin>
                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <version>10.0.2</version>
                <executions>
                    <execution>
                        <goals>
                            <goal>check</goal>
                        </goals>
                        <configuration>
                            <nvdApiKey>***************************</nvdApiKey>
                        </configuration>
                    </execution>
                </executions>
            </plugin>

Initially I'd been using ${env.NVD_API_KEY} for the nvdApiKey value and noticed that despite having a valid value set for NVD_API_KEY in my environment, when running mvn dependency-check:check I'd still get the [WARNING] An NVD API Key was not provided message. So I pasted the key directly into the pom and tried again and still got the same message.

I also tried using <nvdApiKeyEnvironmentVariable>NVD_API_KEY</nvdApiKeyEnvironmentVariable> as per https://github.com/jeremylong/DependencyCheck/blob/b44770a045302e8d701e67f69759e5fa9b061748/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java#L942-L949, but unfortunately this still resulted in the [WARNING] An NVD API Key was not provided message.

It seems like a bug, which makes sense considering how many related issues have been raised: NVD API Key was not provided.

jeremylong commented 1 month ago

Using:

<build>
        <plugins>
            <plugin>
                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <version>${plugins.odc.version}</version>
                <inherited>false</inherited>
                <configuration>
                    <nvdApiKeyEnvironmentVariable>NVD_API_KEY</nvdApiKeyEnvironmentVariable>
                </configuration>
            </plugin>
        </plugins>
</build>

Running mvn org.owasp:dependency-check-maven:update-only I get:

[INFO] Checking for updates
[INFO] NVD API has 8,500 records in this update
[INFO] Recoverable I/O exception (javax.net.ssl.SSLException) caught when processing request to {s}->https://services.nvd.nist.gov:443
[INFO] Recoverable I/O exception (javax.net.ssl.SSLPeerUnverifiedException) caught when processing request to {s}->https://services.nvd.nist.gov:443
[INFO] Downloaded 10,000/8,500 (118%)
[INFO] Downloaded 8,500/8,500 (100%)
[INFO] Completed processing batch 1/5 (20%) in 3,765ms
[INFO] Completed processing batch 2/5 (40%) in 779ms
[INFO] Completed processing batch 3/5 (60%) in 222ms
[INFO] Completed processing batch 4/5 (80%) in 396ms
[INFO] Completed processing batch 5/5 (100%) in 432ms

jeremylong commented 1 month ago

You would have to share your complete pom.xml and the command executed for us to have any idea why the API key is not being picked up.

SingingBush commented 1 month ago

I'm running mvn dependency-check:check. Interestingly, I've been able to get it working by moving the config of the API key to the pluginManagement section:

<build>
        <pluginManagement>
            <plugins>
                <plugin>
                    <groupId>org.owasp</groupId>
                    <artifactId>dependency-check-maven</artifactId>
                    <version>10.0.2</version>
                    <configuration>
                        <nvdApiKeyEnvironmentVariable>NVD_API_KEY</nvdApiKeyEnvironmentVariable>
                    </configuration>
                </plugin>
            </plugins>
        </pluginManagement>

        <plugins>
            <plugin>
                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <executions>
                    <execution>
                        <goals>
                            <goal>check</goal>
                        </goals>
                        <configuration>
                            <failBuildOnCVSS>9</failBuildOnCVSS>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
        </plugins>
</build>

aikebah commented 1 month ago

Run mvn help:effective-pom to make Maven output the effective pom.xml it uses for your project if you want to dive deeper into what's going wrong in your case when you configure it as part of the plugins section. My suspicion is that something in your pom inheritance structure and/or settings.xml might be interfering in some unknown way.

For those cases, the goals of the Maven help plugin typically come to the rescue for investigating what the active profiles, effective settings and effective pom are in your build.

https://maven.apache.org/plugins/maven-help-plugin/
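Added example (the editor's, not code from this thread or from dependency-check): a script that takes the XML written by `mvn help:effective-pom -Doutput=effective-pom.xml` and reports every place the NVD key is configured for dependency-check-maven, together with whether a direct `mvn dependency-check:check` would honour it. The Maven rule it encodes: a plugin-level `<configuration>` (including one inherited from `<pluginManagement>`) applies to every invocation of the plugin, whereas a `<configuration>` nested inside an `<execution>` applies only when that execution runs, that is in its bound lifecycle phase, via `mvn dependency-check:check@<id>`, or when the execution id is `default-cli`. It also flags a literal `<nvdApiKey>` value as a secret committed to the pom. The function names and the embedded effective-pom sample are constructed for this example; the placeholder key is not a real credential.

```python
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"
# dependency-check-maven parameters that select the NVD API key (names as used in the thread)
KEY_TAGS = ("nvdApiKey", "nvdApiKeyEnvironmentVariable", "nvdApiServerId")
PROPERTY_REF = re.compile(r"^\$\{[^}]+\}$")  # ${env.NVD_API_KEY}: resolved at build time, not a literal

# Constructed stand-in for what `mvn help:effective-pom` writes for a pom like the ones in the
# thread; not real output from this project. The placeholder key below is not a real credential.
SAMPLE_EFFECTIVE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <build>
    <pluginManagement><plugins><plugin>
      <groupId>org.owasp</groupId><artifactId>dependency-check-maven</artifactId><version>10.0.2</version>
      <configuration><nvdApiKeyEnvironmentVariable>NVD_API_KEY</nvdApiKeyEnvironmentVariable></configuration>
    </plugin></plugins></pluginManagement>
    <plugins><plugin>
      <groupId>org.owasp</groupId><artifactId>dependency-check-maven</artifactId><version>10.0.2</version>
      <executions>
        <execution>
          <goals><goal>check</goal></goals>
          <configuration><nvdApiKey>0123456789abcdef-placeholder-not-a-real-key</nvdApiKey></configuration>
        </execution>
        <execution>
          <id>default-cli</id>
          <configuration><nvdApiKey>${env.NVD_API_KEY}</nvdApiKey></configuration>
        </execution>
      </executions>
    </plugin></plugins>
  </build>
</project>"""


def _strip_ns(root):
    """Drop the POM namespace so paths below work on namespaced and plain XML alike."""
    for node in root.iter():
        if isinstance(node.tag, str) and node.tag.startswith(POM_NS):
            node.tag = node.tag[len(POM_NS):]
    return root


def _finding(section, scope, execution_id, tag, value):
    return {
        "section": section,            # "pluginManagement" or "plugins"
        "scope": scope,                # "plugin" (top-level <configuration>) or "execution"
        "execution_id": execution_id,  # None for plugin scope
        "setting": tag,
        # `mvn dependency-check:check` uses the plugin-level configuration plus the execution whose
        # id is default-cli; any other execution's <configuration> only applies when it runs.
        "applies_to_cli": scope == "plugin" or execution_id == "default-cli",
        # A literal nvdApiKey (not a ${...} reference) is a secret committed to the repository.
        "hardcoded_secret": tag == "nvdApiKey" and bool(value) and not PROPERTY_REF.match(value),
    }


def _settings_in(cfg):
    if cfg is None:
        return []
    return [(tag, (cfg.findtext(tag) or "").strip()) for tag in KEY_TAGS if cfg.find(tag) is not None]


def audit_nvd_key_config(pom_xml):
    """Return one finding per nvd* setting of dependency-check-maven, in document order."""
    root = _strip_ns(ET.fromstring(pom_xml))
    projects = root.findall("project") if root.tag == "projects" else [root]  # multi-module output
    findings = []
    for project in projects:
        for section, path in (("pluginManagement", "build/pluginManagement/plugins/plugin"),
                              ("plugins", "build/plugins/plugin")):
            for plugin in project.findall(path):
                if plugin.findtext("artifactId") != "dependency-check-maven":
                    continue
                for tag, value in _settings_in(plugin.find("configuration")):
                    findings.append(_finding(section, "plugin", None, tag, value))
                for execution in plugin.findall("executions/execution"):
                    ex_id = (execution.findtext("id") or "default").strip()
                    for tag, value in _settings_in(execution.find("configuration")):
                        findings.append(_finding(section, "execution", ex_id, tag, value))
    return findings


def report(findings):
    """Human-readable lines; key values are deliberately never echoed."""
    lines = []
    for f in findings:
        where = f["section"] + "/" + (
            "execution id=" + f["execution_id"] if f["scope"] == "execution" else "plugin <configuration>")
        status = ("used by `mvn dependency-check:check`" if f["applies_to_cli"]
                  else "IGNORED by direct `mvn dependency-check:check` (execution-scoped)")
        if f["hardcoded_secret"]:
            status += "; literal key committed to pom.xml, move it to settings.xml or an env var"
        lines.append(where + ": " + f["setting"] + " -> " + status)
    return lines


if __name__ == "__main__":
    import sys
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_EFFECTIVE_POM
    print("\n".join(report(audit_nvd_key_config(xml_text))))
```

Run it with the path to the effective pom as the first argument; with no argument it audits the embedded sample, where the execution-scoped literal key is reported as ignored by a direct goal invocation and as a committed secret, while the pluginManagement setting and the default-cli execution are reported as applied. Moving the setting to the plugin-level `<configuration>` (or to settings.xml, as the plugin documentation recommends) is what makes it reach the CLI invocation.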