From 85965a583a9cc488a98a64c55e3d9fb1d3a6b12d Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Tue, 12 Dec 2023 18:12:59 -0500
Subject: [PATCH] fix: make nvd api endpoint configurable resolves #6277
---
 .../owasp/dependencycheck/taskdefs/Purge.java | 4 ----
 .../dependencycheck/taskdefs/Update.java | 23 +++++++++++++++++++
 ant/src/site/markdown/config-update.md | 1 +
 ant/src/site/markdown/configuration.md | 1 +
 .../java/org/owasp/dependencycheck/App.java | 2 ++
 .../org/owasp/dependencycheck/CliParser.java | 8 ++++++-
 cli/src/site/markdown/arguments.md | 1 +
 .../data/update/NvdApiDataSource.java | 4 ++++
 .../maven/BaseDependencyCheckMojo.java | 13 ++++++-----
 maven/src/site/markdown/configuration.md | 1 +
 .../configuration-aggregate.md | 1 +
 .../configuration-update.md | 1 +
 .../dependency-check-gradle/configuration.md | 1 +
 .../owasp/dependencycheck/utils/Settings.java | 5 +++-
 14 files changed, 54 insertions(+), 12 deletions(-)
diff --git a/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Purge.java b/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Purge.java
index 72d47e7fca3..8b215d06f55 100644
--- a/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Purge.java
+++ b/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Purge.java
@@ -21,17 +21,13 @@
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
-import java.lang.reflect.Field;
 import org.apache.tools.ant.BuildException;
 import org.apache.tools.ant.Project;
 import org.apache.tools.ant.Task;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.utils.Settings;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import org.slf4j.impl.StaticLoggerBinder;
-import org.slf4j.spi.LocationAwareLogger;
 /**
 * An Ant task definition to execute dependency-check during an Ant build.
diff --git a/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Update.java b/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Update.java
index 0d998b545ad..b26bb7e16fb 100644
--- a/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Update.java
+++ b/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Update.java
@@ -37,6 +37,10 @@
 @SuppressWarnings("common-java:DuplicatedBlocks")
 public class Update extends Purge {
+ /**
+ * The NVD API endpoint.
+ */
+ private String nvdApiEndpoint;
 /**
 * The NVD API Key.
 */
@@ -139,6 +143,24 @@ public Update() {
 StaticLoggerBinder.getSingleton().setTask(this);
 }
+ /**
+ * Get the value of nvdApiEndpoint.
+ *
+ * @return the value of nvdApiEndpoint
+ */
+ public String getNvdApiEndpoint() {
+ return nvdApiEndpoint;
+ }
+
+ /**
+ * Set the value of nvdApiEndpoint.
+ *
+ * @param nvdApiEndpoint new value of nvdApiEndpoint
+ */
+ public void setNvdApiEndpoint(String nvdApiEndpoint) {
+ this.nvdApiEndpoint = nvdApiEndpoint;
+ }
+
 /**
 * Get the value of nvdApiKey.
 *
@@ -596,6 +618,7 @@ protected void populateSettings() throws BuildException {
 getSettings().setBooleanIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_ENABLED, hostedSuppressionsEnabled);
 getSettings().setStringIfNotEmpty(Settings.KEYS.NVD_API_KEY, nvdApiKey);
+ getSettings().setStringIfNotEmpty(Settings.KEYS.NVD_API_ENDPOINT, nvdApiEndpoint);
 getSettings().setIntIfNotNull(Settings.KEYS.NVD_API_DELAY, nvdApiDelay);
 getSettings().setStringIfNotEmpty(Settings.KEYS.NVD_API_DATAFEED_URL, nvdDatafeedUrl);
 getSettings().setStringIfNotEmpty(Settings.KEYS.NVD_API_DATAFEED_USER, nvdUser);
diff --git a/ant/src/site/markdown/config-update.md b/ant/src/site/markdown/config-update.md
index 6bc83c61d4b..67d63add8d8 100644
--- a/ant/src/site/markdown/config-update.md
+++ b/ant/src/site/markdown/config-update.md
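Review bot: The new `nvdApiEndpoint` field and its setter carry only the boilerplate "Get/Set the value of" Javadoc, which tells a build author nothing about what is accepted or what setting it implies, and the setter stores the string as-is without any parsing. Since `nvdApiKey` is configured right beside it and presumably travels to whatever host this value points at, the field comment should say so, e.g. `The NVD API endpoint URL (https). Leave unset to use the public NVD API; if set, the configured nvdApiKey is sent to this host, so it must be a trusted server.` A malformed or non-https value will only surface later when the client is built, so the docs are the first line of defence here. `populateSettings` starts and ends outside the last hunk.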
@@ -35,6 +35,7 @@ The following properties can be configured in the plugin. However, they are less Property | Description | Default Value ---------------------|----------------------------------------------------------------------------------------------------------------------|------------------ nvdApiKey | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key |   +nvdApiEndpoint | The NVD API endpoint URL; setting this is uncommon. | https://services.nvd.nist.gov/rest/json/cves/2.0 nvdMaxRetryCount | The maximum number of retry requests for a single call to the NVD API. | 10 nvdApiDelay | The number of milliseconds to wait between calls to the NVD API. | 2000 with an NVD API Key or 8000 without an API Key nvdDatafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data - example value `https://internal.server/cache/nvdcve-{0}.json.gz` |   diff --git a/ant/src/site/markdown/configuration.md b/ant/src/site/markdown/configuration.md index b108f7bff26..4c10ea5afd3 100644 --- a/ant/src/site/markdown/configuration.md +++ b/ant/src/site/markdown/configuration.md 
@@ -144,6 +144,7 @@ The following properties can be configured in the plugin. However, they are less Property | Description | Default Value ---------------------|--------------------------------------------------------------------------------------------------------------|------------------ nvdApiKey | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key |   +nvdApiEndpoint | The NVD API endpoint URL; setting this is uncommon. | https://services.nvd.nist.gov/rest/json/cves/2.0 nvdMaxRetryCount | The maximum number of retry requests for a single call to the NVD API. | 10 nvdApiDelay | The number of milliseconds to wait between calls to the NVD API. | 2000 with an NVD API Key or 8000 without an API Key nvdDatafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data - example value `https://internal.server/cache/nvdcve-{0}.json.gz` |   diff --git a/cli/src/main/java/org/owasp/dependencycheck/App.java b/cli/src/main/java/org/owasp/dependencycheck/App.java index 12ed6ab6db1..dafed884840 100644 --- a/cli/src/main/java/org/owasp/dependencycheck/App.java +++ b/cli/src/main/java/org/owasp/dependencycheck/App.java @@ -656,6 +656,8 @@ protected void populateSettings(CliParser cli) throws InvalidSettingException { } settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_KEY, key); } + settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_ENDPOINT, + cli.getStringArgument(CliParser.ARGUMENT.NVD_API_ENDPOINT)); settings.setIntIfNotNull(Settings.KEYS.NVD_API_DELAY, cli.getIntegerValue(CliParser.ARGUMENT.NVD_API_DELAY)); settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_DATAFEED_URL, cli.getStringArgument(CliParser.ARGUMENT.NVD_API_DATAFEED_URL)); settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_DATAFEED_USER, cli.getStringArgument(CliParser.ARGUMENT.NVD_API_DATAFEED_USER)); 
diff --git a/cli/src/main/java/org/owasp/dependencycheck/CliParser.java b/cli/src/main/java/org/owasp/dependencycheck/CliParser.java
index ff4acef2b0c..d6bd6596104 100644
--- a/cli/src/main/java/org/owasp/dependencycheck/CliParser.java
+++ b/cli/src/main/java/org/owasp/dependencycheck/CliParser.java
@@ -353,6 +353,8 @@ private void addAdvancedOptions(final Options options) {
 "Only update the local NVD data cache; no scan will be executed."))
 .addOption(newOptionWithArg(ARGUMENT.NVD_API_DELAY, "milliseconds",
 "Time in milliseconds to wait between downloading from the NVD."))
+.addOption(newOptionWithArg(ARGUMENT.NVD_API_ENDPOINT, "endpoint",
+ "The NVD API Endpoint - setting this is rare."))
 .addOption(newOptionWithArg(ARGUMENT.NVD_API_DATAFEED_URL, "url",
 "The URL to the NVD API Datafeed."))
 .addOption(newOptionWithArg(ARGUMENT.NVD_API_DATAFEED_USER, "user",
@@ -1128,7 +1130,11 @@ public static class ARGUMENT {
 */
 public static final String DATA_DIRECTORY = "data";
 /**
- * The CLI argument name for setting the URL for the CVE Data Files.
+ * The CLI argument name for setting the URL for the NVD API Endpoint
+ */
+ public static final String NVD_API_ENDPOINT = "nvdApiEndpoint";
+ /**
+ * The CLI argument name for setting the URL for the NVD API Key.
 */
 public static final String NVD_API_KEY = "nvdApiKey";
 /**
diff --git a/cli/src/site/markdown/arguments.md b/cli/src/site/markdown/arguments.md
index 0c9df36429d..da8ab2a8c44 100644
--- a/cli/src/site/markdown/arguments.md
+++ b/cli/src/site/markdown/arguments.md
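Review bot: The Javadoc the second hunk attaches to `NVD_API_KEY`, `The CLI argument name for setting the URL for the NVD API Key.`, is wrong — the API key is a secret token, not a URL — and should read `* The CLI argument name for setting the NVD API Key.`; the new `NVD_API_ENDPOINT` comment also lacks the terminating period its neighbours have. The option help text in the first hunk, `The NVD API Endpoint - setting this is rare.`, says nothing about what the value is or why it matters; since it sits next to `nvdApiKey` and the key is presumably sent to whatever host is configured, I would write `The NVD API endpoint URL (https); the API key is sent to this host. Setting this is rare.` `addAdvancedOptions` begins before the first hunk.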
@@ -28,6 +28,7 @@ Advanced Options | Short | Argument Name | Parameter | Description | Default Value | |-------|---------------------------------------|-----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------| | | \-\-nvdApiKey | \ | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key |   | +| | \-\-nvdApiEndpoint | \ | The NVD API endpoint URL; setting this is uncommon. | https://services.nvd.nist.gov/rest/json/cves/2.0 | | | \-\-nvdMaxRetryCount | \ | The maximum number of retry requests for a single call to the NVD API. | 10 | | | \-\-nvdApiDelay | \| The number of milliseconds to wait between calls to the NVD API. | 2000 with an NVD API Key or 8000 without an API Key | | | \-\-nvdDatafeed | \ | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data - example value `https://internal.server/cache/nvdcve-{0}.json.gz` |   | diff --git a/core/src/main/java/org/owasp/dependencycheck/data/update/NvdApiDataSource.java b/core/src/main/java/org/owasp/dependencycheck/data/update/NvdApiDataSource.java index 0e3a67fa4a7..2eb49a00116 100644 --- a/core/src/main/java/org/owasp/dependencycheck/data/update/NvdApiDataSource.java +++ b/core/src/main/java/org/owasp/dependencycheck/data/update/NvdApiDataSource.java 
@@ -297,6 +297,10 @@ private boolean processApi() throws UpdateException {
 ZonedDateTime lastModifiedRequest = dbProperties.getTimestamp(DatabaseProperties.NVD_API_LAST_MODIFIED);
 final NvdCveClientBuilder builder = NvdCveClientBuilder.aNvdCveApi();
+ final String endpoint = settings.getString(Settings.KEYS.NVD_API_ENDPOINT);
+ if (endpoint != null) {
+ builder.withEndpoint(endpoint);
+ }
 if (lastModifiedRequest != null) {
 final ZonedDateTime end = lastModifiedRequest.minusDays(-120);
 builder.withLastModifiedFilter(lastModifiedRequest, end);
diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index 0ce6cac2bf8..9acc3d70f2a 100644
--- a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -77,7 +77,6 @@
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
-import java.lang.reflect.Field;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
@@ -88,7 +87,6 @@
 import java.util.Objects;
 import java.util.Optional;
 import java.util.Set;
-import java.util.logging.Level;
 import org.apache.maven.artifact.repository.ArtifactRepository;
 import org.apache.maven.artifact.resolver.filter.ExcludesArtifactFilter;
@@ -109,9 +107,6 @@
 import org.owasp.dependencycheck.utils.SeverityUtil;
 import org.owasp.dependencycheck.xml.pom.Model;
 import org.owasp.dependencycheck.xml.pom.PomUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.slf4j.spi.LocationAwareLogger;
 //CSOFF: FileLength
 /**
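Review bot: The added `if (endpoint != null)` is the only gate between configuration and `builder.withEndpoint(endpoint)`, and it lets an empty string, a malformed value or a plain `http://` URL through; the Maven mojo in this same patch stores the value with `setStringIfNotNull`, so an empty `-DnvdApiEndpoint=` arrives here as `""`. Because this endpoint presumably receives the configured NVD API key along with the request, a stray or tampered build property can silently redirect both the key and the vulnerability feed to an arbitrary host, which is exactly the kind of supply-chain pivot a scanner should not make easy. I would treat blank as unset, parse the value with `java.net.URI` (a malformed value then fails fast with IllegalArgumentException instead of deep inside the client), require `https` — or at minimum warn loudly when it is not — and log the override so it is visible in build output; the class's logger, if any, is outside the hunk. `processApi` starts and ends outside the hunk.
```java
final String endpoint = settings.getString(Settings.KEYS.NVD_API_ENDPOINT);
if (endpoint != null && !endpoint.trim().isEmpty()) {
    // Fail fast on a malformed override rather than inside the HTTP client.
    final java.net.URI endpointUri = java.net.URI.create(endpoint.trim());
    // The API key is sent to this host; refuse to leak it over plaintext.
    if (!"https".equalsIgnoreCase(endpointUri.getScheme())) {
        throw new UpdateException("NVD API endpoint must use https: " + endpoint);
    }
    builder.withEndpoint(endpointUri.toString());
}
// … unchanged: last-modified filter and the rest of processApi …
```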
@@ -941,7 +936,12 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
 @SuppressWarnings("CanBeFinal")
 @Parameter(property = "nvdValidForHours")
 private Integer nvdValidForHours;
-
+ /**
+ * The NVD API Endpoint; setting this is uncommon.
+ */
+ @SuppressWarnings("CanBeFinal")
+ @Parameter(property = "nvdApiEndpoint")
+ private String nvdApiEndpoint;
 /**
 * The NVD API Data Feed URL.
 */
@@ -2334,6 +2334,7 @@ protected void populateSettings() {
 }
 settings.setStringIfNotEmpty(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
 settings.setStringIfNotEmpty(Settings.KEYS.DB_FILE_NAME, dbFilename);
+ settings.setStringIfNotNull(Settings.KEYS.NVD_API_ENDPOINT, nvdApiEndpoint);
 settings.setIntIfNotNull(Settings.KEYS.NVD_API_DELAY, nvdApiDelay);
 settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_DATAFEED_URL, nvdDatafeedUrl);
 settings.setIntIfNotNull(Settings.KEYS.NVD_API_VALID_FOR_HOURS, nvdValidForHours);
diff --git a/maven/src/site/markdown/configuration.md b/maven/src/site/markdown/configuration.md
index d429c11607c..2e7ba72e3e6 100644
--- a/maven/src/site/markdown/configuration.md
+++ b/maven/src/site/markdown/configuration.md
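Review bot: `settings.setStringIfNotNull(Settings.KEYS.NVD_API_ENDPOINT, nvdApiEndpoint)` in the second hunk is inconsistent with the Ant task and the CLI in this same patch, which both use `setStringIfNotEmpty`; with the Maven form an empty `<nvdApiEndpoint/>` or `-DnvdApiEndpoint=` stores `""`, which passes the `endpoint != null` check in NvdApiDataSource and is handed to the client as the endpoint. Change it to `settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_ENDPOINT, nvdApiEndpoint);` so all three front ends agree. The field Javadoc `The NVD API Endpoint; setting this is uncommon.` would also benefit from stating that the value must be an https URL and that the configured API key is sent to it — the latter inferred from the adjacent nvdApiKey handling rather than shown here. `populateSettings` starts before the hunk and continues after it.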
@@ -143,6 +143,7 @@ The following properties can be configured in the plugin. However, they are less Property | Description | Default Value | -------------------------|--------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------| nvdApiKey | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key |   | +nvdApiEndpoint | The NVD API endpoint URL; setting this is uncommon. | https://services.nvd.nist.gov/rest/json/cves/2.0 | nvdApiServerId | The id of a server defined in the settings.xml that configures the credentials (password is used as ApiKey) for accessing the NVD API. |   | nvdMaxRetryCount | The maximum number of retry requests for a single call to the NVD API. | 10 | nvdApiDelay | The number of milliseconds to wait between calls to the NVD API. | 2000 with an NVD API Key or 8000 without an API Key . | diff --git a/src/site/markdown/dependency-check-gradle/configuration-aggregate.md b/src/site/markdown/dependency-check-gradle/configuration-aggregate.md index 88af812a5b3..69d1f3fd77c 100644 --- a/src/site/markdown/dependency-check-gradle/configuration-aggregate.md +++ b/src/site/markdown/dependency-check-gradle/configuration-aggregate.md 
@@ -86,6 +86,7 @@ Note, if ANY of the cve configuration group are set - they should all be set to Config Group | Property | Description | Default Value | -------------|-------------------|--------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------| nvd | apiKey | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key |   | +nvd | endpoint | The NVD API endpoint URL; setting this is uncommon. | https://services.nvd.nist.gov/rest/json/cves/2.0 | nvd | maxRetryCount | The maximum number of retry requests for a single call to the NVD API. | 10 | nvd | delay | The number of milliseconds to wait between calls to the NVD API. | 2000 with an NVD API Key or 8000 without an API Key | nvd | datafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data |   | diff --git a/src/site/markdown/dependency-check-gradle/configuration-update.md b/src/site/markdown/dependency-check-gradle/configuration-update.md index 6df0c67e554..301adc90d8a 100644 --- a/src/site/markdown/dependency-check-gradle/configuration-update.md +++ b/src/site/markdown/dependency-check-gradle/configuration-update.md 
@@ -63,6 +63,7 @@ The following properties can be configured in the dependencyCheck task. However, Config Group | Property | Description | Default Value | -------------|-------------------|--------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------| nvd | apiKey | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key |   | +nvd | endpoint | The NVD API endpoint URL; setting this is uncommon. | https://services.nvd.nist.gov/rest/json/cves/2.0 | nvd | maxRetryCount | The maximum number of retry requests for a single call to the NVD API. | 10 | nvd | delay | The number of milliseconds to wait between calls to the NVD API. | 2000 with an NVD API Key or 8000 without an API Key . | nvd | datafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data |   | diff --git a/src/site/markdown/dependency-check-gradle/configuration.md b/src/site/markdown/dependency-check-gradle/configuration.md index eafb42ec431..8115828ebee 100644 --- a/src/site/markdown/dependency-check-gradle/configuration.md +++ b/src/site/markdown/dependency-check-gradle/configuration.md 
@@ -68,6 +68,7 @@ The following properties can be configured in the dependencyCheck task. However, Config Group | Property | Description | Default Value -------------|-------------------|----------------------------------------------------------------------------------------------------------------------|------------------ nvd | apiKey | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key |   | +nvd | endpoint | The NVD API endpoint URL; setting this is uncommon. | https://services.nvd.nist.gov/rest/json/cves/2.0 | nvd | maxRetryCount | The maximum number of retry requests for a single call to the NVD API. | 10 | nvd | delay | The number of milliseconds to wait between calls to the NVD API. | 2000 with an NVD API Key or 8000 without an API Key | nvd | datafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data |   | diff --git a/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java index 7141acf6d8f..7fda5772208 100644 --- a/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java +++ b/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java @@ -161,7 +161,10 @@ public static final class KEYS { * be imported. */ public static final String CVE_CPE_STARTS_WITH_FILTER = "cve.cpe.startswith.filter"; - + /** + * The NVD API Endpoint. + */ + public static final String NVD_API_ENDPOINT = "nvd.api.endpoint"; /** * API Key for the NVD API. */
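Review bot: The Javadoc `The NVD API Endpoint.` on the new `NVD_API_ENDPOINT` key merely restates the constant's name; this patch adds no default for `nvd.api.endpoint` to the properties file, so the documented default `https://services.nvd.nist.gov/rest/json/cves/2.0` is apparently supplied by the client library whenever the key is absent, and that is worth recording where the key is declared. I would write `The NVD API endpoint URL (https). Optional: when absent the client library's default public NVD endpoint is used; when set, the NVD API key is sent to this host.` — the last clause being an inference from the neighbouring NVD_API_KEY setting rather than something this hunk shows.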