- New Feature
- Resolution: Fixed
- Major
- None
- 5.5.0
The DependencyCheck library (https://github.com/jeremylong/DependencyCheck) has, since version 9.0.0, moved from using the NVD data feed to the NVD API. Users of dependency-check are highly encouraged to obtain an NVD API key.
If we set the "dependency-check" version on the dependency-check-jenkins-plugin to anything >= 9.0.0, any local vulnerability update shows the following warning and leads to a very slow download process taking ~20 minutes.
[DependencyCheck] [WARN] An NVD API Key was not provided - it is highly recommended to use an NVD API key as the update can take a VERY long time without an API Key
[DependencyCheck] [INFO] NVD API has 235,780 records in this update
Moreover, in case more than one thread of it is running, it fails with the following:
[DependencyCheck] [ERROR] Error updating the NVD Data; the NVD returned a 403 or 404 error
[DependencyCheck]
[DependencyCheck] Consider using an NVD API Key; see https://github.com/jeremylong/DependencyCheck?tab=readme-ov-file#nvd-api-key-highly-recommended
[DependencyCheck] org.owasp.dependencycheck.data.update.exception.UpdateException: Error updating the NVD Data; the NVD returned a 403 or 404 error
[DependencyCheck]
[DependencyCheck] Consider using an NVD API Key; see https://github.com/jeremylong/DependencyCheck?tab=readme-ov-file#nvd-api-key-highly-recommended
[DependencyCheck] 	at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi(NvdApiDataSource.java:387)
[DependencyCheck] 	at org.owasp.dependencycheck.data.update.NvdApiDataSource.update(NvdApiDataSource.java:116)
[DependencyCheck] 	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:906)
[DependencyCheck] 	at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:711)
[DependencyCheck] 	at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:637)
[DependencyCheck] 	at org.owasp.dependencycheck.App.runScan(App.java:262)
[DependencyCheck] 	at org.owasp.dependencycheck.App.run(App.java:194)
[DependencyCheck] 	at org.owasp.dependencycheck.App.main(App.java:89)
[DependencyCheck] [ERROR] Failed to process CVE-2000-0240
We would like to have the ability to configure an NVD API Key for dependency-check-jenkins-plugin so that any interaction with the NVD via API call (while running scans) uses this API key.
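As an added example (not part of this issue and not the plugin's own code), the following declarative pipeline shows one way to get an NVD API key into a scan today by calling the Dependency-Check CLI directly: the key is stored as a Jenkins Secret Text credential and bound to an environment variable, and the update is serialized across jobs to avoid the concurrent-update failure described above. Assumptions: the Credentials Binding plugin (`withCredentials`/`string`) and the Lockable Resources plugin (`lock`) are installed, a credential with the constructed id `nvd-api-key` exists, and `dependency-check.sh` (CLI 9.0.0 or later) is on the agent's PATH. `--nvdApiKey` and `--nvdApiDelay` are the CLI's own options; the 4000 ms delay is an arbitrary value chosen here, not a recommended setting.

```groovy
// Added example (not from the issue or the plugin): run the Dependency-Check CLI
// with the NVD API key supplied through a Jenkins Secret Text credential, so the
// key never appears in the Jenkinsfile or in the build log.
// Assumptions: Credentials Binding plugin (withCredentials/string), Lockable
// Resources plugin (lock), a credential with id 'nvd-api-key' (constructed name),
// and dependency-check.sh (CLI >= 9.0.0) on the agent's PATH.
pipeline {
    agent any
    stages {
        stage('Dependency-Check') {
            steps {
                // Serialize NVD updates on this controller: the issue reports
                // 403/404 errors when more than one update runs at the same time.
                lock('nvd-update') {
                    withCredentials([string(credentialsId: 'nvd-api-key', variable: 'NVD_API_KEY')]) {
                        // Single-quoted Groovy string: the shell expands $NVD_API_KEY,
                        // so the secret is never interpolated into the command text.
                        sh '''
                          dependency-check.sh \
                            --project "${JOB_NAME}" \
                            --scan . \
                            --format HTML --format XML \
                            --out dependency-check-report \
                            --nvdApiKey "${NVD_API_KEY}" \
                            --nvdApiDelay 4000
                        '''
                    }
                }
            }
            post {
                always {
                    // Keep the reports even when the scan itself fails.
                    archiveArtifacts artifacts: 'dependency-check-report/*', allowEmptyArchive: true
                }
            }
        }
    }
}
```

The `lock` step is what addresses the second symptom in the report: the rate-limit errors appear when several NVD updates run concurrently, so giving every job that updates the NVD data the same lock name makes them run one at a time, while the API key makes each update itself fast enough that the serialization costs little.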