Warning: "An NVD API Key was not provided..." #7377

Open
bendolaccio opened this issue Feb 6, 2025 · 1 comment
I'm trying to use the dependency-check-maven plugin, but I always get stuck in the update of the NVD database. This is my easy setup:

<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>12.0.2</version>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>

I'm running it in a gitlab pipeline and the output is this:

    22047 [INFO] Checking for updates
    22057 [WARNING] An NVD API Key was not provided - it is highly recommended to use an NVD API key as the update can take a VERY long time without an API Key
    60332 [INFO] NVD API has 280,241 records in this update

And the update takes forever. I cannot wait 3-4 hours, also because it is running on a docker container.

I tried to provide the NVD API Key by getting it from https://nvd.nist.gov/developers/request-an-api-key and by modifying my pom.xml. I added this, and I also added a bit of delay because the API cannot be called remotely too often:

<configuration>
  <nvdApiKey>1230b944-xxxx-xxxx-xxxx-c51993ff5a17</nvdApiKey>
  <nvdApiDelay>3000</nvdApiDelay>
</configuration>

But the output was always the same. I tried with <autoupdate>false</autoupdate>, but same result.

The key is okay, I think; the cmd test with curl is giving me this output:

>curl -H "Accept: application/json" -H "apiKey: 1230b944-xxxx-xxxx-xxxx-c51993ff5a17" -v https://services.nvd.nist.gov/rest/json/cves/2.0\?cpeName\=cpe:2.3:o:microsoft:windows_10:1607:\*:\*:\*:\*:\*:\*:\*
* Host services.nvd.nist.gov:443 was resolved.
* IPv6: (none)
* IPv4: 54.85.30.225
*   Trying 54.85.30.225:443...
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* ALPN: server accepted http/1.1
* Connected to services.nvd.nist.gov (54.85.30.225) port 443
* using HTTP/1.x
> GET /rest/json/cves/2.0\?cpeName\=cpe:2.3:o:microsoft:windows_10:1607:\*:\*:\*:\*:\*:\*:\* HTTP/1.1
> Host: services.nvd.nist.gov
> User-Agent: curl/8.10.1
> Accept: application/json
> apiKey: 1230b944-xxxx-xxxx-xxxx-c51993ff5a17
>
* Request completely sent off
< HTTP/1.1 400 Bad Request
< x-frame-options: SAMEORIGIN
< access-control-allow-origin: *
< access-control-allow-headers: accept, apiKey, content-type, origin, x-requested-with
< access-control-allow-methods: GET, HEAD, OPTIONS
< access-control-allow-credentials: false
< date: Thu, 06 Feb 2025 13:26:09 GMT
< content-length: 0
< apikey: Yes
< strict-transport-security: max-age=31536000
<
* Connection #0 to host services.nvd.nist.gov left intact

I really don't know what to do. Can anyone help me?

Collaborator

aikebah commented Feb 8, 2025

First of all: make sure that you use some shared cache location in your gitlab pipeline, or else each build will have to re-download the entire 280k+ entries over and over.
If your CI/CD environment has a shared local repository for maven mounted, that would work, as by default (with no further configuration settings) the dependency-check maven plugin will use a folder in the maven localRepo as its caching folder.
However, if your CI/CD runs with a freshly created empty maven localRepo, you should find a way to put some persistent storage caching into play.

Regarding the NVD API Key: if you still get that error after adding the configuration in your maven pom, there is likely an error regarding where you've put that configuration.

The initial run will take some time. How much will depend on the load towards NVD (the number of retries it needs to download the whole set). Subsequent runs, when you cache the data, would typically only retrieve 0-5k entries (the entries updated / added since your last build).

The NvdApiDelay would not need an override; DependencyCheck itself defaults to different timeouts for unauthenticated (no NvdApiKey, hence the warning; that delay is much larger, meaning the initial download will take a significant amount of extra time) and authenticated (with an API key, a higher rate is allowed, so smaller delays) usage of the NVD API.

http://jeremylong.github.io/DependencyCheck/data/index.html has some hints for you on how to deal with NVD data in CI/CD environments
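The two points of the reply above (persist the Maven local repository between pipeline runs so the NVD data is reused, and get the API key to the plugin without committing it) as a GitLab CI job. This is an added example, not code from the issue or from the DependencyCheck project. It assumes the pom.xml carries the plugin execution shown in the issue (so `mvn verify` runs the `check` goal), that a masked CI/CD variable named `NVD_API_KEY` holds the key, and that the plugin's `<nvdApiKey>` in the pom is set to `${env.NVD_API_KEY}` so Maven resolves it from the job environment; the image name is an assumption, any Maven+JDK image works.

```yaml
# Added example (not from the issue or the project).
# Assumptions: pom.xml binds dependency-check-maven's `check` goal as in the
# issue, the plugin configuration contains <nvdApiKey>${env.NVD_API_KEY}</nvdApiKey>,
# and NVD_API_KEY is a masked, protected CI/CD variable.

variables:
  # Put the Maven local repository inside the project dir so GitLab can cache it.
  # By default dependency-check-maven stores its NVD data under this repository,
  # so caching it keeps the 280k+ records between runs; later runs only fetch
  # the entries changed since the last build.
  MAVEN_OPTS: "-Dmaven.repo.local=$CI_PROJECT_DIR/.m2/repository"

dependency-check:
  image: maven:3.9-eclipse-temurin-17   # assumed image
  cache:
    # One fixed key so every branch shares the same NVD cache instead of each
    # branch downloading the full data set once.
    key: nvd-data
    paths:
      - .m2/repository/
  script:
    # Fail early rather than silently falling back to the slow unauthenticated
    # rate (the "An NVD API Key was not provided" warning in the issue).
    - test -n "$NVD_API_KEY" || { echo "NVD_API_KEY is not set"; exit 1; }
    # `verify` triggers the plugin's check goal bound in pom.xml; the key is
    # read from the environment, so nothing secret lives in the repository.
    - mvn -B verify
  artifacts:
    when: always
    paths:
      - target/dependency-check-report.html
```

Keep the key out of pom.xml: a committed key is visible to anyone with read access to the repository and its history, and a masked CI/CD variable is also hidden from job logs. One caveat on the curl test in the original post: the request line in that output reads `GET /rest/json/cves/2.0\?cpeName\=cpe:2.3:...`, so the backslashes typed for a POSIX shell were sent literally by cmd.exe, and the server saw a malformed path. A 400 from that request says nothing about the key; rerun the check with the URL quoted (`"https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*"`) before concluding anything.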
