rm-hull / nvd-clojure

National Vulnerability Database dependency checker for Clojure projects
MIT License

`NVD_API_TOKEN` environment variable does not work #173

Open kelvinqian00 opened 5 months ago

kelvinqian00 commented 5 months ago

Description

I am using the `NVD_API_TOKEN` environment variable to provide nvd-clojure with my NVD API key, and it does not work. Using the Clojure Tools method, I would have expected either the scan to proceed or nvd-clojure to throw a "No NVD API key supplied as config settings or env var." exception. Instead, it seems that nvd-clojure recognizes that the env var was set, but that var is not passed to DependencyCheck. Thus, I get this result (note the first and last lines):

% NVD_API_TOKEN=[REDACTED] clojure -J-Dclojure.main.report=stderr -Tnvd nvd.task/check :classpath \""$(clojure -Spath)\""
[2024-01-31 14:37:19.398] INFO nvd-clojure - User-provided config: {:nvd {:suppression-file "nvd_suppressions.xml", :nvd-api {:key nil}}, :delete-config? false}
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.engine.control.CompositeCacheManager
INFO: Instance is null, returning unconfigured instance
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.engine.control.CompositeCacheManager
INFO: Setting default auxiliaries to "ODC"
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.engine.control.CompositeCacheManager
INFO: setting defaultCompositeCacheAttributes to [ useLateral = true, useRemote = true, useDisk = true, maxObjs = 0, maxSpoolPerRun = -1, diskUsagePattern = UPDATE, spoolChunkSize = 2 ]
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.engine.control.CompositeCacheManager
INFO: setting defaultElementAttributes to [ IS_LATERAL = false, IS_SPOOL = true, IS_REMOTE = false, IS_ETERNAL = false, MaxLifeSeconds = 86400, IdleTime = 1800, CreateTime = 1706729839698, LastAccessTime = 1706729839698, getTimeToLiveSeconds() = 86399, createTime = 1706729839698 ]
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.engine.memory.AbstractDoubleLinkedListMemoryCache
INFO: initialized MemoryCache for CENTRAL
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.engine.control.CompositeCache
INFO: Constructed cache with name [CENTRAL] and cache attributes [ useLateral = true, useRemote = true, useDisk = true, maxObjs = 0, maxSpoolPerRun = -1, diskUsagePattern = UPDATE, spoolChunkSize = 2 ]
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.auxiliary.AuxiliaryCacheConfigurator
INFO: No cache event logger defined for auxiliary [jcs.auxiliary.ODC]
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.auxiliary.AuxiliaryCacheConfigurator
INFO: Using standard serializer [org.apache.commons.jcs3.utils.serialization.StandardSerializer@476fde05] for auxiliary [jcs.auxiliary.ODC]
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.auxiliary.disk.indexed.IndexedDiskCache
INFO: Region [CENTRAL] : Set maxKeySize to: "1,000,000"
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.auxiliary.disk.indexed.IndexedDiskCache
INFO: Region [CENTRAL] : Cache file root directory: ~/.m2/repository/org/owasp/dependency-check-utils/9.0.8/data/9.0/cache
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.auxiliary.disk.indexed.IndexedDiskCache
INFO: Region [CENTRAL] : Indexed Disk Cache is alive.
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.engine.memory.AbstractDoubleLinkedListMemoryCache
INFO: initialized MemoryCache for POM
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.engine.control.CompositeCache
INFO: Constructed cache with name [POM] and cache attributes [ useLateral = true, useRemote = true, useDisk = true, maxObjs = 0, maxSpoolPerRun = -1, diskUsagePattern = UPDATE, spoolChunkSize = 2 ]
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.auxiliary.AuxiliaryCacheConfigurator
INFO: No cache event logger defined for auxiliary [jcs.auxiliary.ODC]
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.auxiliary.AuxiliaryCacheConfigurator
INFO: Using standard serializer [org.apache.commons.jcs3.utils.serialization.StandardSerializer@1df9186f] for auxiliary [jcs.auxiliary.ODC]
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.auxiliary.disk.indexed.IndexedDiskCache
INFO: Region [POM] : Set maxKeySize to: "1,000,000"
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.auxiliary.disk.indexed.IndexedDiskCache
INFO: Region [POM] : Cache file root directory: ~/.m2/repository/org/owasp/dependency-check-utils/9.0.8/data/9.0/cache
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.auxiliary.disk.indexed.IndexedDiskCache
INFO: Region [POM] : Indexed Disk Cache is alive.
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.engine.memory.AbstractDoubleLinkedListMemoryCache
INFO: initialized MemoryCache for NODEAUDIT
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.engine.control.CompositeCache
INFO: Constructed cache with name [NODEAUDIT] and cache attributes [ useLateral = true, useRemote = true, useDisk = true, maxObjs = 0, maxSpoolPerRun = -1, diskUsagePattern = UPDATE, spoolChunkSize = 2 ]
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.auxiliary.AuxiliaryCacheConfigurator
INFO: No cache event logger defined for auxiliary [jcs.auxiliary.ODC]
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.auxiliary.AuxiliaryCacheConfigurator
INFO: Using standard serializer [org.apache.commons.jcs3.utils.serialization.StandardSerializer@682e422c] for auxiliary [jcs.auxiliary.ODC]
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.auxiliary.disk.indexed.IndexedDiskCache
INFO: Region [NODEAUDIT] : Set maxKeySize to: "1,000,000"
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.auxiliary.disk.indexed.IndexedDiskCache
INFO: Region [NODEAUDIT] : Cache file root directory: ~/.m2/repository/org/owasp/dependency-check-utils/9.0.8/data/9.0/cache
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.auxiliary.disk.indexed.IndexedDiskCache
INFO: Region [NODEAUDIT] : Indexed Disk Cache is alive.
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.engine.control.CompositeCacheConfigurator
INFO: Parsed regions [CENTRAL, POM, NODEAUDIT]
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.engine.control.CompositeCacheManager
INFO: Finished configuration in 72 ms.
[2024-01-31 14:37:19.761] WARN NexusAnalyzer - Disabling Nexus analyzer - please specify the URL to a Nexus Server
Checking dependencies for stdin...
  using nvd-clojure: 4.0.0 and dependency-check: 9.0.8
[2024-01-31 14:37:40.641] INFO Engine - Checking for updates
[2024-01-31 14:37:40.648] WARN NvdApiDataSource - An NVD API Key was not provided - it is highly recommended to use an NVD API key as the update can take a VERY long time without an API Key

followed by the NVD download failing due to the lack of an NVD API key.

Version

4.0.0

Java version

11.0.10

Installation compliance

vemv commented 5 months ago

Thanks! Yes, I noticed that the Tools setup had drifted.

I'm sorry I didn't have the time to attend that - very busy January.

Setting `:nvd-api {:key "87be13d2-blah-blah"}` in `nvd-clojure.edn` does work with Tools.

kelvinqian00 commented 5 months ago

Indeed that does work, but I am using nvd-clojure in a context where having a static config file is not very practical.

kelvinqian00 commented 5 months ago

Furthermore, I realize that there is a related issue: when you execute nvd-clojure without any NVD API key whatsoever, i.e. not set in the config file nor set as an env var, it should terminate after throwing the "No NVD API key supplied as config settings or env var." exception. However, instead, just like with the first example, nvd-clojure thinks there is an env var, so that exception is not thrown, and the error is only noticed at the DependencyCheck level.

vemv commented 5 months ago

Yes, I had noticed, sorry about that as well.

You might want to generate the .edn file dynamically for now.

The fix should be small anyway and can land soon.

kelvinqian00 commented 5 months ago

Indeed, you might've already found the bug, but it's a one-line fix. Specifically this line (since the `::not-found` default does not apply when the value is nil instead of nonexistent).
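The two behaviours reported in this thread (a `{:key nil}` entry in the config map shadowing the env var, and no exception being thrown when neither source supplies a key) both come from the same pattern: a `get-in` with a `::not-found` default only fires when the path is absent, not when it is present with a nil value. The following is an added illustration, not nvd-clojure's own code; the config shape `{:nvd {:nvd-api {:key ...}}}`, the env var name and the exception message are taken from the thread, while the function names, the `env` map parameter (passed in instead of calling `System/getenv` so the lookup is testable) and the sample inputs are assumptions:

```clojure
(ns example.nvd-key
  (:require [clojure.string :as str]))

;; Message quoted from the issue above.
(def ^:private no-key-msg
  "No NVD API key supplied as config settings or env var.")

(defn- present?
  "Treat nil and blank strings as 'not supplied'. A config file that literally
   says {:key nil} must not count as a supplied key."
  [v]
  (and (string? v) (not (str/blank? v))))

(defn resolve-api-key-buggy
  "Reconstruction (assumed, not the project's code) of the reported behaviour:
   the ::not-found default only applies when the path is missing entirely.
   With the logged config {:nvd-api {:key nil}} the path exists, so nil is
   returned, the env var is never consulted and nothing is thrown."
  [config env]
  (let [from-config (get-in config [:nvd :nvd-api :key] ::not-found)]
    (if (= from-config ::not-found)
      (or (get env "NVD_API_TOKEN")
          (throw (ex-info no-key-msg {:source :env})))
      from-config)))

(defn resolve-api-key
  "Corrected lookup: the config value wins only when it is a non-blank string,
   otherwise fall back to the env var, and fail loudly when both are missing
   rather than handing a nil key down to DependencyCheck."
  [config env]
  (let [from-config (get-in config [:nvd :nvd-api :key])
        from-env    (get env "NVD_API_TOKEN")]
    (cond
      (present? from-config) from-config
      (present? from-env)    from-env
      :else (throw (ex-info no-key-msg {:config-key from-config
                                        :env-set?   (contains? env "NVD_API_TOKEN")})))))

(defn -main
  "Runs both lookups against constructed inputs that mirror the issue."
  [& _]
  (let [cfg {:nvd {:suppression-file "nvd_suppressions.xml"
                   :nvd-api {:key nil}}}                    ; config from the log line
        env {"NVD_API_TOKEN" "constructed-token-not-real"}] ; constructed env var
    (println "buggy, key nil in config, env var set:"
             (pr-str (resolve-api-key-buggy cfg env)))
    (println "fixed, key nil in config, env var set:"
             (pr-str (resolve-api-key cfg env)))
    (println "fixed, no key anywhere:"
             (try (resolve-api-key cfg {})
                  (catch clojure.lang.ExceptionInfo e (ex-message e))))))
```

Run with `clj -M -m example.nvd-key` from a directory where this namespace is on the classpath. The buggy variant returns the nil it found in the config map; the corrected one returns the env var value for the same inputs and throws the quoted exception when neither source has a key, which is the behaviour the two comments above ask for. The general point for anyone wiring secrets through config files: a "missing" sentinel on `get`/`get-in` is not a presence check, so nil (and blank) values need to be handled explicitly before falling back to the next source.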

vemv commented 5 months ago

If you are willing to go through a local install process and verify it works, extending the integration test as well, PR welcome

But the hint is appreciated anyway!

hlship commented 3 months ago

I seem to be hitting this as well, but putting the into my nvd-clojure.edn doesn't help, I get the same errors. I've verified that my token is correct, following the instructions.

vemv commented 3 months ago

Hi @hlship, I've successfully used nvd-clojure with an API key in Lein and deps.edn projects alike.

Could you share your config file, redacted?

hlship commented 3 months ago

Actually, the code is public:

hlship commented 3 months ago

https://github.com/pedestal/pedestal

hlship commented 3 months ago

`clj -T:build cve-check` builds the classpath, then invokes NVD to do the work.

vemv commented 3 months ago

This is a file that I've verified to work:

https://github.com/akvo/unep-gpml/blob/3a9782e9e7e7cc1154219f6a3f78d64deb578a63/backend/.nvd/nvd.edn

I don't consider the API keys incredibly secret btw, they are more akin to a username. Cheap to obtain with no PII associated. But one could still build them dynamically if that felt more adequate.