stevespringett / nist-data-mirror

A simple Java command-line utility to mirror the CVE JSON data from NIST.
Apache License 2.0

Usage with Dependency Check #13

Closed quentinkhoo closed 5 years ago

quentinkhoo commented 6 years ago

Hi Steve,

I would like to enquire, with regards to nist-data-mirror, how can one make use of the downloaded xml/json files with OWASP Dependency Check? From what I understand, Dependency Check makes use of a h2.db file to run the scan but this project (nist-data-mirror) gets a local copy of NIST vulnerability data in the form of xml/json files. How are the 2 projects tied together and what steps must I take in order to integrate the downloaded xml/json files via this project into Dependency Check?

I hope to hear from you soon.

stevespringett commented 6 years ago

The process is actually really simple.

  1. Dependency-Check downloads the NIST XML files from a HTTP server
  2. Dependency-Check creates a local H2 database and Lucene index
  3. Dependency-Check uses the index/database during analysis

In step 1, the default is to download the XML files directly from the NVD. This has a number of disadvantages. This project simply mirrors the XML from the NVD to a web server (or file system) that your organization controls (typically on the local network). Dependency-Check can then be configured to download the XML files from the mirror rather than the NVD.

There are four properties that tell Dependency-Check where to download the files from. Refer to https://jeremylong.github.io/DependencyCheck/data/mirrornvd.html. The actual configuration will vary slightly depending on if you're using the CLI, Jenkins, Maven, Gradle, or Ant plugin but the result is the same.

When using a mirror, the properties will resemble something like:

cveUrl12Modified=http://hostname/mirror/nvd/nvdcve-modified.xml.gz
cveUrl20Modified=http://hostname/mirror/nvd/nvdcve-2.0-modified.xml.gz
cveUrl12Base=http://hostname/mirror/nvd/nvdcve-%d.xml.gz
cveUrl20Base=http://hostname/mirror/nvd/nvdcve-2.0-%d.xml.gz

If you're using Dependency-Track v3.1 (releasing this month), the mirroring functionality is built-in so you don't need this project. Just point Dependency-Check to the above URLs.
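As an added example (not code from this issue, nist-data-mirror or Dependency-Check), the script below expands the four properties above the way Dependency-Check does, substituting each year into `%d`, and checks a file-system mirror for feeds that are absent or were left truncated by an interrupted mirror run, so the problem surfaces before a scan fails. The 2002 start year and the `hostname` placeholder are assumptions.

```python
import datetime
import gzip
import os
import tempfile
import zlib
from urllib.parse import urlsplit

# The four properties from the reply above ("hostname" is a placeholder).
PROPERTIES = {
    "cveUrl12Modified": "http://hostname/mirror/nvd/nvdcve-modified.xml.gz",
    "cveUrl20Modified": "http://hostname/mirror/nvd/nvdcve-2.0-modified.xml.gz",
    "cveUrl12Base": "http://hostname/mirror/nvd/nvdcve-%d.xml.gz",
    "cveUrl20Base": "http://hostname/mirror/nvd/nvdcve-2.0-%d.xml.gz",
}

def expected_files(props, start_year=2002, end_year=None):
    """File names Dependency-Check will request: the two modified feeds as-is,
    plus the base patterns with %d replaced by each year (2002 as first year is assumed)."""
    end_year = end_year or datetime.date.today().year
    names = [os.path.basename(urlsplit(props[k]).path)
             for k in ("cveUrl12Modified", "cveUrl20Modified")]
    for key in ("cveUrl12Base", "cveUrl20Base"):
        pattern = os.path.basename(urlsplit(props[key]).path)
        names.extend(pattern % year for year in range(start_year, end_year + 1))
    return names

def check_mirror_dir(mirror_dir, props, start_year=2002, end_year=None):
    """Report expected files that are absent, or present but not a complete gzip stream."""
    missing, corrupt = [], []
    for name in expected_files(props, start_year, end_year):
        path = os.path.join(mirror_dir, name)
        if not os.path.isfile(path):
            missing.append(name)
            continue
        try:
            with gzip.open(path, "rb") as fh:
                while fh.read(1 << 16):  # decompress fully; a truncated download fails here
                    pass
        except (OSError, EOFError, zlib.error):
            corrupt.append(name)
    return {"missing": missing, "corrupt": corrupt}

def build_demo_mirror():
    """Constructed sample tree: one complete feed, one truncated download, the rest absent."""
    d = tempfile.mkdtemp(prefix="nvd-mirror-")
    good = gzip.compress(b"<nvd/>")
    with open(os.path.join(d, "nvdcve-modified.xml.gz"), "wb") as fh:
        fh.write(good)
    with open(os.path.join(d, "nvdcve-2002.xml.gz"), "wb") as fh:
        fh.write(good[:-8])  # CRC/size trailer cut off, as an interrupted mirror run leaves it
    return d
```

Run `check_mirror_dir("/var/www/mirror/nvd", PROPERTIES)` against the directory your web server publishes; an empty `missing` and `corrupt` means every feed Dependency-Check will ask for is in place.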