sbt-dependency-check
Upgrade to OWASP DependencyCheck v9.0.1
Would it be possible to foresee an upgrade to OWASP DependencyCheck v9.0.1? The main driver for this is the update for the new NVD API which now requires an API key. Using the previous API will be deprecated on December 15th 2023 (see here for details).
Note that version 9.0.1 had stability issues. The wrapped OWASP DependencyCheck should be v9.0.2 (the latest at the time of writing this).
Or would contribution PRs be welcome for this upgrade?
Following up on @mims-github, I made a PR for the update (see above) that works for me locally. This works by passing an NVD API key as a direct string or as a system property. For example:
```scala
// build.sbt: the NVD API key is read from the "nvdApiKey" system property
// (pass it as -DnvdApiKey=... on the sbt command line) instead of being hard-coded
lazy val root = (project in file(".")).enablePlugins(PlayScala, SbtWeb)
  .settings(dependencyCheckNvdApiKey := sys.props.get("nvdApiKey"))
  // only warn, rather than fail, when the OSS Index service cannot be reached
  .settings(dependencyCheckOSSIndexWarnOnlyOnRemoteErrors := Some(true))
  // fail the build on any finding (CVSS threshold 0.0)
  .settings(dependencyCheckFailBuildOnCVSS := 0.0F)
  // reviewed false positives live in a suppression file under version control
  .settings(dependencyCheckSuppressionFile := Some(file("project/owasp-suppressions.xml")))
```
In my view however this needs a bit more work to be complete. Specifically:
- I added a scripted test to set an NVD API key I passed locally as a system property. If the other tests are to be corrected, however, and actually work, they would similarly need an NVD API key. I could have just set this everywhere, but then for automation purposes this would need a specific API key that is generated for this project.
- In initial testing the plugin was extremely slow, possibly because it was busy updating the local NVD database or because the provided NVD API key was not valid. I couldn't get any logging to show some sort of progress or error (like you get from using the ODC via CLI or maven - I'm no SBT expert however), and the tests would just seemingly hang until they failed due to a timeout raised by scripted. In general, it would be great to have some progress logging introduced and better error handling.
Although testing with a valid NVD API key now works and completes quite fast, I changed our project's vulnerability checking that would use this to use the ODC CLI version (after doing a dist and extracting the collected libraries). I would however like to switch back to this plugin if the issues I note are addressed.
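An added example, not from this thread or the plugin's own documentation, of how the key can be resolved so it never ends up in a committed build file; it assumes the setting names from the PR discussed above and that `dependencyCheckNvdApiKey` takes an `Option[String]`. The property name `nvdApiKey` is the one used above; the `NVD_API_KEY` environment variable is this example's own convention for CI secrets.

```scala
// build.sbt (added example)
// Resolve the NVD API key at load time without hard-coding it:
// the -DnvdApiKey=... system property wins, then the NVD_API_KEY
// environment variable (the usual place for a CI secret).
// Blank values are treated as "not set" so a misconfigured pipeline is noticed.
val resolvedNvdApiKey: Option[String] =
  sys.props.get("nvdApiKey")
    .orElse(sys.env.get("NVD_API_KEY"))
    .map(_.trim)
    .filter(_.nonEmpty)

lazy val root = (project in file("."))
  .enablePlugins(PlayScala, SbtWeb)
  .settings(
    // Log whether a key was found, but never log the key itself.
    dependencyCheckNvdApiKey := {
      val log = sLog.value
      if (resolvedNvdApiKey.isEmpty)
        log.warn(
          "No NVD API key found (set -DnvdApiKey=... or NVD_API_KEY); " +
            "NVD database updates may be slow or fail"
        )
      else
        log.info("NVD API key supplied via property/environment")
      resolvedNvdApiKey
    },
    dependencyCheckOSSIndexWarnOnlyOnRemoteErrors := Some(true),
    dependencyCheckFailBuildOnCVSS := 0.0F,
    dependencyCheckSuppressionFile := Some(file("project/owasp-suppressions.xml"))
  )
```

Because the value is resolved once at load time, a change to the environment variable requires an sbt `reload`.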
@albuch Thanks for sharing this plugin with us and all the work you put in it. :clap:
May you clarify how you welcome contributions to make that awesome plugin ready for the future? Thanks in advance.
@albuch Hi. Looking at this repo, it seems a bit suspiciously like it has been abandoned. Is this the case? Thanks