rm-hull / nvd-clojure

National Vulnerability Database dependency checker for Clojure projects
MIT License

Make NVD API key optional #176

Closed DerGuteMoritz closed 5 months ago

DerGuteMoritz commented 5 months ago

Description

According to DependencyCheck's upgrade notice, providing an NVD API key is not required but (only) highly recommended. That is to say, the NVD API can still be used without an API key (albeit with some restrictions). However, nvd-clojure requires providing a key. Since registering for a key incurs some organizational overhead, it would be nice to be able to use the public API in the meantime. In other words: Make the API key optional on nvd-clojure's end, as well.

Version

4.0.0

Java version

openjdk version "17.0.7" 2023-04-18
OpenJDK Runtime Environment (build 17.0.7+7-nixos)
OpenJDK 64-Bit Server VM (build 17.0.7+7-nixos, mixed mode, sharing)

Installation compliance

vemv commented 5 months ago

Thanks for a sensible issue/suggestion.

I don't think it's in the best interest of any involved party to keep fostering a slower, issue-prone code path.

The organizational overhead is minimal as obtaining a key requires providing no PII at all. The key you will instantly receive is more akin to a user ID than to a password - therefore if it's any trouble to keep it secret for CI, I'd consider it safe to check into version control.

DerGuteMoritz commented 5 months ago

By organizational overhead I was mainly referring to the terms of use one has to accept for creating an account. For example, they state:

Services which utilize or access the NVD API are asked to display the following notice prominently within the application: "This product uses the NVD API but is not endorsed or certified by the NVD."

Not 100% sure what is implied by this and since I am not a lawyer, I'd either have to clear this with my legal department or have somebody higher up the chain check this off and accept the risk of not fully grokking the implications.

In any case, it's not important to me anymore since we've since figured it out and registered an account :smile: Feel free to close.

vemv commented 5 months ago

Services which utilize or access the NVD API are asked to display the following notice prominently within the application: "This product uses the NVD API but is not endorsed or certified by the NVD."

Most likely this refers to libraries/services whose sole purpose is performing NVD-based checks.

Note that a production app does not package NVD in any way - its usage is typically limited to a build-time check.

Cheers - V