fix: make nvd api endpoint configurable (#6287)
jeremylong committed Dec 13, 2023
1 parent f14e0f9 commit 0b56fb3
Showing 14 changed files with 54 additions and 12 deletions.
Expand Up @@ -21,17 +21,13 @@
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Field;

import org.apache.tools.ant.BuildException;
import org.apache.tools.ant.Project;
import org.apache.tools.ant.Task;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.impl.StaticLoggerBinder;
import org.slf4j.spi.LocationAwareLogger;

/**
* An Ant task definition to execute dependency-check during an Ant build.
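--- a/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Update.java
+++ b/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Update.java
@@ -37,6 +37,10 @@
 @SuppressWarnings("common-java:DuplicatedBlocks")
 public class Update extends Purge {
 
+/**
+* The NVD API endpoint.
+*/
+private String nvdApiEndpoint;
 /**
 * The NVD API Key.
 */
@@ -139,6 +143,24 @@ public Update() {
 StaticLoggerBinder.getSingleton().setTask(this);
 }
 
+/**
+* Get the value of nvdApiEndpoint.
+*
+* @return the value of nvdApiEndpoint
+*/
+public String getNvdApiEndpoint() {
+return nvdApiEndpoint;
+}
+
+/**
+* Set the value of nvdApiEndpoint.
+*
+* @param nvdApiEndpoint new value of nvdApiEndpoint
+*/
+public void setNvdApiEndpoint(String nvdApiEndpoint) {
+this.nvdApiEndpoint = nvdApiEndpoint;
+}
+
 /**
 * Get the value of nvdApiKey.
 *
@@ -596,6 +618,7 @@ protected void populateSettings() throws BuildException {
 getSettings().setBooleanIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_ENABLED, hostedSuppressionsEnabled);
 
 getSettings().setStringIfNotEmpty(Settings.KEYS.NVD_API_KEY, nvdApiKey);
+getSettings().setStringIfNotEmpty(Settings.KEYS.NVD_API_ENDPOINT, nvdApiEndpoint);
 getSettings().setIntIfNotNull(Settings.KEYS.NVD_API_DELAY, nvdApiDelay);
 getSettings().setStringIfNotEmpty(Settings.KEYS.NVD_API_DATAFEED_URL, nvdDatafeedUrl);
 getSettings().setStringIfNotEmpty(Settings.KEYS.NVD_API_DATAFEED_USER, nvdUser);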
1 change: 1 addition & 0 deletions ant/src/site/markdown/config-update.md
Expand Up @@ -35,6 +35,7 @@ The following properties can be configured in the plugin. However, they are less
Property | Description | Default Value
---------------------|----------------------------------------------------------------------------------------------------------------------|------------------
nvdApiKey | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key |  
nvdApiEndpoint | The NVD API endpoint URL; setting this is uncommon. | https://services.nvd.nist.gov/rest/json/cves/2.0
nvdMaxRetryCount | The maximum number of retry requests for a single call to the NVD API. | 10
nvdApiDelay | The number of milliseconds to wait between calls to the NVD API. | 2000 with an NVD API Key or 8000 without an API Key
nvdDatafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data - example value `https://internal.server/cache/nvdcve-{0}.json.gz` |  
1 change: 1 addition & 0 deletions ant/src/site/markdown/configuration.md
Expand Up @@ -144,6 +144,7 @@ The following properties can be configured in the plugin. However, they are less
Property | Description | Default Value
---------------------|--------------------------------------------------------------------------------------------------------------|------------------
nvdApiKey | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key |  
nvdApiEndpoint | The NVD API endpoint URL; setting this is uncommon. | https://services.nvd.nist.gov/rest/json/cves/2.0
nvdMaxRetryCount | The maximum number of retry requests for a single call to the NVD API. | 10
nvdApiDelay | The number of milliseconds to wait between calls to the NVD API. | 2000 with an NVD API Key or 8000 without an API Key
nvdDatafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data - example value `https://internal.server/cache/nvdcve-{0}.json.gz` |  
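--- a/cli/src/main/java/org/owasp/dependencycheck/App.java
+++ b/cli/src/main/java/org/owasp/dependencycheck/App.java
@@ -656,6 +656,8 @@ protected void populateSettings(CliParser cli) throws InvalidSettingException {
 }
 settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_KEY, key);
 }
+settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_ENDPOINT,
+cli.getStringArgument(CliParser.ARGUMENT.NVD_API_ENDPOINT));
 settings.setIntIfNotNull(Settings.KEYS.NVD_API_DELAY, cli.getIntegerValue(CliParser.ARGUMENT.NVD_API_DELAY));
 settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_DATAFEED_URL, cli.getStringArgument(CliParser.ARGUMENT.NVD_API_DATAFEED_URL));
 settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_DATAFEED_USER, cli.getStringArgument(CliParser.ARGUMENT.NVD_API_DATAFEED_USER));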
8 changes: 7 additions & 1 deletion cli/src/main/java/org/owasp/dependencycheck/CliParser.java
Expand Up @@ -353,6 +353,8 @@ private void addAdvancedOptions(final Options options) {
"Only update the local NVD data cache; no scan will be executed."))
.addOption(newOptionWithArg(ARGUMENT.NVD_API_DELAY, "milliseconds",
"Time in milliseconds to wait between downloading from the NVD."))
.addOption(newOptionWithArg(ARGUMENT.NVD_API_ENDPOINT, "endpoint",
"The NVD API Endpoint - setting this is rare."))
.addOption(newOptionWithArg(ARGUMENT.NVD_API_DATAFEED_URL, "url",
"The URL to the NVD API Datafeed."))
.addOption(newOptionWithArg(ARGUMENT.NVD_API_DATAFEED_USER, "user",
Expand Down Expand Up @@ -1128,7 +1130,11 @@ public static class ARGUMENT {
*/
public static final String DATA_DIRECTORY = "data";
/**
* The CLI argument name for setting the URL for the CVE Data Files.
* The CLI argument name for setting the URL for the NVD API Endpoint
*/
public static final String NVD_API_ENDPOINT = "nvdApiEndpoint";
/**
* The CLI argument name for setting the URL for the NVD API Key.
*/
public static final String NVD_API_KEY = "nvdApiKey";
/**
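Review bot: The help text added for `--nvdApiEndpoint`, `"The NVD API Endpoint - setting this is rare."`, tells the user neither the default nor what changing it implies, and its wording differs from the site docs added in this same commit ("setting this is uncommon", with the default URL shown). I would use `"The NVD API endpoint URL (default: https://services.nvd.nist.gov/rest/json/cves/2.0); setting this is uncommon."` so the CLI and the docs agree, and if, as I assume, a configured NVD API key is sent to this host, the help should also say to point it only at a trusted mirror. The new Javadoc on the `NVD_API_ENDPOINT` constant reads awkwardly and lacks a terminating period; `* The CLI argument name for setting the NVD API endpoint URL.` is clearer. The enclosing `ARGUMENT` class starts and ends outside the hunk.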
1 change: 1 addition & 0 deletions cli/src/site/markdown/arguments.md
Expand Up @@ -28,6 +28,7 @@ Advanced Options
| Short | Argument Name | Parameter | Description | Default Value |
|-------|---------------------------------------|-----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|
| | \-\-nvdApiKey | \<apiKey\> | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key | &nbsp; |
| | \-\-nvdApiEndpoint | \<endpoint\> | The NVD API endpoint URL; setting this is uncommon. | https://services.nvd.nist.gov/rest/json/cves/2.0 |
| | \-\-nvdMaxRetryCount | \<count\> | The maximum number of retry requests for a single call to the NVD API. | 10 |
| | \-\-nvdApiDelay | \<milliseconds\>| The number of milliseconds to wait between calls to the NVD API. | 2000 with an NVD API Key or 8000 without an API Key |
| | \-\-nvdDatafeed | \<url\> | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data - example value `https://internal.server/cache/nvdcve-{0}.json.gz` | &nbsp; |
Expand Up @@ -297,6 +297,10 @@ private boolean processApi() throws UpdateException {

ZonedDateTime lastModifiedRequest = dbProperties.getTimestamp(DatabaseProperties.NVD_API_LAST_MODIFIED);
final NvdCveClientBuilder builder = NvdCveClientBuilder.aNvdCveApi();
final String endpoint = settings.getString(Settings.KEYS.NVD_API_ENDPOINT);
if (endpoint != null) {
builder.withEndpoint(endpoint);
}
if (lastModifiedRequest != null) {
final ZonedDateTime end = lastModifiedRequest.minusDays(-120);
builder.withLastModifiedFilter(lastModifiedRequest, end);
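Review bot: The new guard `if (endpoint != null)` only excludes an unset property, so an empty string or a value that is not an absolute http(s) URL is passed straight to `builder.withEndpoint` and is rejected, if at all, only when the client issues its first request; the Maven mojo in this same commit stores the property with `setStringIfNotNull`, so an empty value is a realistic input here. Because the configured NVD API key is presumably sent with every request to whatever host this resolves to, a mis-pointed endpoint would also hand the key to a third party, which deserves an explicit warning in the docs and an early failure here. I would reject blank values and parse the URL up front, as below (assuming `UpdateException` has the usual message and message/cause constructors); `processApi` starts and ends outside the hunk.
```java
final String endpoint = settings.getString(Settings.KEYS.NVD_API_ENDPOINT);
if (endpoint != null && !endpoint.trim().isEmpty()) {
    // Fail early on a malformed or non-http(s) endpoint rather than letting the
    // client discover it (and send the API key) on the first request.
    final java.net.URI uri;
    try {
        uri = new java.net.URI(endpoint.trim());
    } catch (java.net.URISyntaxException ex) {
        throw new UpdateException("Invalid NVD API endpoint: " + endpoint, ex);
    }
    final String scheme = uri.getScheme();
    if (uri.getHost() == null
            || !("https".equalsIgnoreCase(scheme) || "http".equalsIgnoreCase(scheme))) {
        throw new UpdateException("NVD API endpoint must be an absolute http(s) URL: " + endpoint);
    }
    builder.withEndpoint(endpoint.trim());
}
// … unchanged: last-modified filter and remaining builder setup …
```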
Expand Up @@ -77,7 +77,6 @@
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Field;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
Expand All @@ -88,7 +87,6 @@
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.logging.Level;
import org.apache.maven.artifact.repository.ArtifactRepository;

import org.apache.maven.artifact.resolver.filter.ExcludesArtifactFilter;
Expand All @@ -109,9 +107,6 @@
import org.owasp.dependencycheck.utils.SeverityUtil;
import org.owasp.dependencycheck.xml.pom.Model;
import org.owasp.dependencycheck.xml.pom.PomUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.spi.LocationAwareLogger;

//CSOFF: FileLength
/**
Expand Down Expand Up @@ -941,7 +936,12 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
@SuppressWarnings("CanBeFinal")
@Parameter(property = "nvdValidForHours")
private Integer nvdValidForHours;

/**
* The NVD API Endpoint; setting this is uncommon.
*/
@SuppressWarnings("CanBeFinal")
@Parameter(property = "nvdApiEndpoint")
private String nvdApiEndpoint;
/**
* The NVD API Data Feed URL.
*/
Expand Down Expand Up @@ -2334,6 +2334,7 @@ protected void populateSettings() {
}
settings.setStringIfNotEmpty(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
settings.setStringIfNotEmpty(Settings.KEYS.DB_FILE_NAME, dbFilename);
settings.setStringIfNotNull(Settings.KEYS.NVD_API_ENDPOINT, nvdApiEndpoint);
settings.setIntIfNotNull(Settings.KEYS.NVD_API_DELAY, nvdApiDelay);
settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_DATAFEED_URL, nvdDatafeedUrl);
settings.setIntIfNotNull(Settings.KEYS.NVD_API_VALID_FOR_HOURS, nvdValidForHours);
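Review bot: The new `settings.setStringIfNotNull(Settings.KEYS.NVD_API_ENDPOINT, nvdApiEndpoint)` is the only entry point in this commit that uses `setStringIfNotNull`; the Ant task and the CLI both use `setStringIfNotEmpty`, as does the adjacent `NVD_API_DATAFEED_URL` line here. A blank property (for example `-DnvdApiEndpoint=` on the command line) would presumably be injected as an empty string, which this line stores and which then passes the `endpoint != null` check in the updater. Change it to `settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_ENDPOINT, nvdApiEndpoint);` so all three front ends behave the same. `populateSettings` starts and ends outside the hunk.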
1 change: 1 addition & 0 deletions maven/src/site/markdown/configuration.md
Expand Up @@ -143,6 +143,7 @@ The following properties can be configured in the plugin. However, they are less
Property | Description | Default Value |
-------------------------|--------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------|
nvdApiKey | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key | &nbsp; |
nvdApiEndpoint | The NVD API endpoint URL; setting this is uncommon. | https://services.nvd.nist.gov/rest/json/cves/2.0 |
nvdApiServerId | The id of a server defined in the settings.xml that configures the credentials (password is used as ApiKey) for accessing the NVD API. | &nbsp; |
nvdMaxRetryCount | The maximum number of retry requests for a single call to the NVD API. | 10 |
nvdApiDelay | The number of milliseconds to wait between calls to the NVD API. | 2000 with an NVD API Key or 8000 without an API Key . |
Expand Up @@ -86,6 +86,7 @@ Note, if ANY of the cve configuration group are set - they should all be set to
Config Group | Property | Description | Default Value |
-------------|-------------------|--------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------|
nvd | apiKey | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key | &nbsp; |
nvd | endpoint | The NVD API endpoint URL; setting this is uncommon. | https://services.nvd.nist.gov/rest/json/cves/2.0 |
nvd | maxRetryCount | The maximum number of retry requests for a single call to the NVD API. | 10 |
nvd | delay | The number of milliseconds to wait between calls to the NVD API. | 2000 with an NVD API Key or 8000 without an API Key |
nvd | datafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data | &nbsp; |
Expand Up @@ -63,6 +63,7 @@ The following properties can be configured in the dependencyCheck task. However,
Config Group | Property | Description | Default Value |
-------------|-------------------|--------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------|
nvd | apiKey | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key | &nbsp; |
nvd | endpoint | The NVD API endpoint URL; setting this is uncommon. | https://services.nvd.nist.gov/rest/json/cves/2.0 |
nvd | maxRetryCount | The maximum number of retry requests for a single call to the NVD API. | 10 |
nvd | delay | The number of milliseconds to wait between calls to the NVD API. | 2000 with an NVD API Key or 8000 without an API Key . |
nvd | datafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data | &nbsp; |
1 change: 1 addition & 0 deletions src/site/markdown/dependency-check-gradle/configuration.md
Expand Up @@ -68,6 +68,7 @@ The following properties can be configured in the dependencyCheck task. However,
Config Group | Property | Description | Default Value
-------------|-------------------|----------------------------------------------------------------------------------------------------------------------|------------------
nvd | apiKey | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key | &nbsp; |
nvd | endpoint | The NVD API endpoint URL; setting this is uncommon. | https://services.nvd.nist.gov/rest/json/cves/2.0 |
nvd | maxRetryCount | The maximum number of retry requests for a single call to the NVD API. | 10 |
nvd | delay | The number of milliseconds to wait between calls to the NVD API. | 2000 with an NVD API Key or 8000 without an API Key |
nvd | datafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data | &nbsp; |
Expand Up @@ -161,7 +161,10 @@ public static final class KEYS {
* be imported.
*/
public static final String CVE_CPE_STARTS_WITH_FILTER = "cve.cpe.startswith.filter";

/**
* The NVD API Endpoint.
*/
public static final String NVD_API_ENDPOINT = "nvd.api.endpoint";
/**
* API Key for the NVD API.
*/
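Review bot: The Javadoc on the new `NVD_API_ENDPOINT` key, `The NVD API Endpoint.`, says nothing about the expected value, yet this is the one place every front end shares, and the updater in this commit reads the property and passes it verbatim to the NVD client builder. I would document the contract here: `/** Optional override for the NVD CVE API base URL; when set it must be an absolute http(s) URL, e.g. the default https://services.nvd.nist.gov/rest/json/cves/2.0. Setting this is uncommon. */`. The enclosing `KEYS` class starts and ends outside the hunk.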
