
Warning: "An NVD API Key was not provided..."

Open aliyevakhalida opened this issue 1 year ago • 5 comments

We've integrated dependency check into our pipeline. In one of the steps, we're using the following command:

run: |
  gradle dependencyCheckAggregate \
    -PdependencyCheck.nvd.apiKey=${{ inputs.nvd-api-key }}

Despite this configuration, we're, most of the time, receiving the warning: "An NVD API Key was not provided - it is highly recommended to use an NVD API key as the update can take a VERY long time without an API Key." Are we missing something in our setup that's causing this warning to persist? We'd appreciate any insights or guidance on resolving this issue. Thank you.

Note: Despite receiving this warning, there were instances where the check completed successfully and did not take a significant amount of time.

aliyevakhalida, Apr 02 '24 09:04

Fairly certain you should read the documentation on the tools you use more closely.

http://jeremylong.github.io/DependencyCheck/dependency-check-gradle/configuration-update.html

Not a gradler myself, but I expect you would see no issue if your project property included the config group in addition to the plugin and the property name.

So try dependencyCheck.nvd.apiKey instead of dependencyCheck.apiKey in your command.

aikebah, Apr 07 '24 07:04

ATM - I'm not sure if you can pass gradle configs for ODC via the CLI. You can configure the plugin using an init script. Several security tools use this approach.

jeremylong, Apr 07 '24 12:04

As mentioned above, dependencyCheck.nvd.apiKey seems to do it

./gradlew dependencyCheckAggregate -PdependencyCheck.nvd.apiKey=<API_KEY>

3vmartinet, Aug 26 '24 11:08

> Fairly certain you should read the documentation on the tools you use more closely.
>
> http://jeremylong.github.io/DependencyCheck/dependency-check-gradle/configuration-update.html
>
> Not a gradler myself, but I expect you would see no issue if your project property included the config group in addition to the plugin and the property name.
>
> So try dependencyCheck.nvd.apiKey instead of dependencyCheck.apiKey in your command.

@aikebah, @3vmartinet, @jeremylong this didn't work. We are still getting failures most of the time, but sometimes (very randomly) the check succeeds. I am going to update the description and add the config group for future readers of the thread

aliyevakhalida, Sep 04 '24 08:09

You can always use an init script to configure the task. Example can be found here: https://github.com/jeremylong/DependencyCheck/issues/4044#issuecomment-1030828651

jeremylong, Sep 05 '24 10:09
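
A sketch of the init-script approach suggested in the thread, as an added example that is not taken from the linked comment or from the DependencyCheck project. It assumes the project already applies the plugin in its build script, that the key is exported in an environment variable named NVD_API_KEY (a hypothetical name), and that the file is saved as init.gradle. It stops the build when the variable is empty rather than letting the scan run without a key, and it keeps the key out of the Gradle command line.

```groovy
// init.gradle (added example; the file name and NVD_API_KEY are assumptions)
// Run with:
//   NVD_API_KEY=<API_KEY> gradle --init-script init.gradle dependencyCheckAggregate
// Pass this init script only on the scan invocation, because it fails the
// build whenever the plugin is applied and no key is present.

allprojects { project ->
    // Act only on projects whose build script already applies the plugin.
    project.plugins.withId('org.owasp.dependencycheck') {
        // Read the key from the environment instead of a -P argument.
        def key = System.getenv('NVD_API_KEY')?.trim()

        // An empty or unset value is treated as a hard error.
        if (!key) {
            throw new GradleException(
                'NVD_API_KEY is empty or unset; refusing to run the scan without an NVD API key')
        }

        // Same setting as dependencyCheck { nvd { apiKey = ... } } in build.gradle.
        project.extensions.getByName('dependencyCheck').nvd.apiKey = key
    }
}
```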