fix: make nvd api endpoint configurable #6287

Merged
merged 1 commit into from Dec 13, 2023
Expand Up @@ -21,17 +21,13 @@
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Field;

import org.apache.tools.ant.BuildException;
import org.apache.tools.ant.Project;
import org.apache.tools.ant.Task;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.impl.StaticLoggerBinder;
import org.slf4j.spi.LocationAwareLogger;

/**
* An Ant task definition to execute dependency-check during an Ant build.
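Review bot: the import removals in this hunk (the header's 17 to 13 line count implies four imports dropped, by appearance `java.lang.reflect.Field`, `org.slf4j.Logger`, `org.slf4j.LoggerFactory` and `org.slf4j.spi.LocationAwareLogger`) are unused-import cleanup unrelated to making the endpoint configurable, as are the three import hunks in `BaseDependencyCheckMojo` below. Either split them into a separate commit or mention them in the PR description so the scope of the fix stays easy to audit.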
Expand Down
23 changes: 23 additions & 0 deletions ant/src/main/java/org/owasp/dependencycheck/taskdefs/Update.java
Expand Up @@ -37,6 +37,10 @@
@SuppressWarnings("common-java:DuplicatedBlocks")
public class Update extends Purge {

/**
* The NVD API endpoint.
*/
private String nvdApiEndpoint;
/**
* The NVD API Key.
*/
Expand Down Expand Up @@ -139,6 +143,24 @@ public Update() {
StaticLoggerBinder.getSingleton().setTask(this);
}

/**
* Get the value of nvdApiEndpoint.
*
* @return the value of nvdApiEndpoint
*/
public String getNvdApiEndpoint() {
return nvdApiEndpoint;
}

/**
* Set the value of nvdApiEndpoint.
*
* @param nvdApiEndpoint new value of nvdApiEndpoint
*/
public void setNvdApiEndpoint(String nvdApiEndpoint) {
this.nvdApiEndpoint = nvdApiEndpoint;
}

/**
* Get the value of nvdApiKey.
*
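Review bot: `setNvdApiEndpoint` accepts any string and the value is only checked for emptiness later in `populateSettings`, so a malformed URL in the Ant attribute is first noticed when the NVD client fails on its first request. Consider validating it here (for example `java.net.URI.create(nvdApiEndpoint)` in a try/catch that rethrows as `BuildException`) so a typo fails the build early with a clear message. The Javadoc could also mirror the Maven field and say that setting this is uncommon and what the default is.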
Expand Down Expand Up @@ -596,6 +618,7 @@ protected void populateSettings() throws BuildException {
getSettings().setBooleanIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_ENABLED, hostedSuppressionsEnabled);

getSettings().setStringIfNotEmpty(Settings.KEYS.NVD_API_KEY, nvdApiKey);
getSettings().setStringIfNotEmpty(Settings.KEYS.NVD_API_ENDPOINT, nvdApiEndpoint);
getSettings().setIntIfNotNull(Settings.KEYS.NVD_API_DELAY, nvdApiDelay);
getSettings().setStringIfNotEmpty(Settings.KEYS.NVD_API_DATAFEED_URL, nvdDatafeedUrl);
getSettings().setStringIfNotEmpty(Settings.KEYS.NVD_API_DATAFEED_USER, nvdUser);
Expand Down
1 change: 1 addition & 0 deletions ant/src/site/markdown/config-update.md
Expand Up @@ -35,6 +35,7 @@ The following properties can be configured in the plugin. However, they are less
Property | Description | Default Value
---------------------|----------------------------------------------------------------------------------------------------------------------|------------------
nvdApiKey | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key |  
nvdApiEndpoint | The NVD API endpoint URL; setting this is uncommon. | https://services.nvd.nist.gov/rest/json/cves/2.0
nvdMaxRetryCount | The maximum number of retry requests for a single call to the NVD API. | 10
nvdApiDelay | The number of milliseconds to wait between calls to the NVD API. | 2000 with an NVD API Key or 8000 without an API Key
nvdDatafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data - example value `https://internal.server/cache/nvdcve-{0}.json.gz` |  
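Review bot: the new `nvdApiEndpoint` row documents the default URL but not what a non-default value is for or what it implies. Since the endpoint decides where the vulnerability data that drives pass/fail decisions comes from, the description should say the intended use is an internal mirror or proxy of the NVD API, and that the value is expected to be an HTTPS URL reachable from the build host; the same wording can be reused in the other five documentation tables in this PR, which currently repeat only "setting this is uncommon."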
Expand Down
1 change: 1 addition & 0 deletions ant/src/site/markdown/configuration.md
Expand Up @@ -144,6 +144,7 @@ The following properties can be configured in the plugin. However, they are less
Property | Description | Default Value
---------------------|--------------------------------------------------------------------------------------------------------------|------------------
nvdApiKey | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key |  
nvdApiEndpoint | The NVD API endpoint URL; setting this is uncommon. | https://services.nvd.nist.gov/rest/json/cves/2.0
nvdMaxRetryCount | The maximum number of retry requests for a single call to the NVD API. | 10
nvdApiDelay | The number of milliseconds to wait between calls to the NVD API. | 2000 with an NVD API Key or 8000 without an API Key
nvdDatafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data - example value `https://internal.server/cache/nvdcve-{0}.json.gz` |  
Expand Down
2 changes: 2 additions & 0 deletions cli/src/main/java/org/owasp/dependencycheck/App.java
Expand Up @@ -656,6 +656,8 @@ protected void populateSettings(CliParser cli) throws InvalidSettingException {
}
settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_KEY, key);
}
settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_ENDPOINT,
cli.getStringArgument(CliParser.ARGUMENT.NVD_API_ENDPOINT));
settings.setIntIfNotNull(Settings.KEYS.NVD_API_DELAY, cli.getIntegerValue(CliParser.ARGUMENT.NVD_API_DELAY));
settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_DATAFEED_URL, cli.getStringArgument(CliParser.ARGUMENT.NVD_API_DATAFEED_URL));
settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_DATAFEED_USER, cli.getStringArgument(CliParser.ARGUMENT.NVD_API_DATAFEED_USER));
Expand Down
8 changes: 7 additions & 1 deletion cli/src/main/java/org/owasp/dependencycheck/CliParser.java
Expand Up @@ -353,6 +353,8 @@ private void addAdvancedOptions(final Options options) {
"Only update the local NVD data cache; no scan will be executed."))
.addOption(newOptionWithArg(ARGUMENT.NVD_API_DELAY, "milliseconds",
"Time in milliseconds to wait between downloading from the NVD."))
.addOption(newOptionWithArg(ARGUMENT.NVD_API_ENDPOINT, "endpoint",
"The NVD API Endpoint - setting this is rare."))
.addOption(newOptionWithArg(ARGUMENT.NVD_API_DATAFEED_URL, "url",
"The URL to the NVD API Datafeed."))
.addOption(newOptionWithArg(ARGUMENT.NVD_API_DATAFEED_USER, "user",
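Review bot: the help text for `NVD_API_ENDPOINT` ("The NVD API Endpoint - setting this is rare.") uses different wording from every documentation table in this PR ("setting this is uncommon.") and, unlike the `arguments.md` row, does not state the default. Suggest aligning it, e.g. `"The NVD API endpoint URL; setting this is uncommon."`, so `--help` and the site docs match.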
Expand Down Expand Up @@ -1128,7 +1130,11 @@ public static class ARGUMENT {
*/
public static final String DATA_DIRECTORY = "data";
/**
* The CLI argument name for setting the URL for the CVE Data Files.
* The CLI argument name for setting the URL for the NVD API Endpoint
*/
public static final String NVD_API_ENDPOINT = "nvdApiEndpoint";
/**
* The CLI argument name for setting the URL for the NVD API Key.
*/
public static final String NVD_API_KEY = "nvdApiKey";
/**
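Review bot: the new Javadoc line `* The CLI argument name for setting the URL for the NVD API Endpoint` is missing its terminating period, unlike the neighbouring constants. While touching this block it is worth fixing the adjacent, pre-existing copy-paste error as well: `NVD_API_KEY` is documented as "setting the URL for the NVD API Key", but it carries a key, not a URL.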
Expand Down
1 change: 1 addition & 0 deletions cli/src/site/markdown/arguments.md
Expand Up @@ -28,6 +28,7 @@ Advanced Options
| Short | Argument Name | Parameter | Description | Default Value |
|-------|---------------------------------------|-----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|
| | \-\-nvdApiKey | \<apiKey\> | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key | &nbsp; |
| | \-\-nvdApiEndpoint | \<endpoint\> | The NVD API endpoint URL; setting this is uncommon. | https://services.nvd.nist.gov/rest/json/cves/2.0 |
| | \-\-nvdMaxRetryCount | \<count\> | The maximum number of retry requests for a single call to the NVD API. | 10 |
| | \-\-nvdApiDelay | \<milliseconds\>| The number of milliseconds to wait between calls to the NVD API. | 2000 with an NVD API Key or 8000 without an API Key |
| | \-\-nvdDatafeed | \<url\> | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data - example value `https://internal.server/cache/nvdcve-{0}.json.gz` | &nbsp; |
Expand Down
Expand Up @@ -297,6 +297,10 @@ private boolean processApi() throws UpdateException {

ZonedDateTime lastModifiedRequest = dbProperties.getTimestamp(DatabaseProperties.NVD_API_LAST_MODIFIED);
final NvdCveClientBuilder builder = NvdCveClientBuilder.aNvdCveApi();
final String endpoint = settings.getString(Settings.KEYS.NVD_API_ENDPOINT);
if (endpoint != null) {
builder.withEndpoint(endpoint);
}
if (lastModifiedRequest != null) {
final ZonedDateTime end = lastModifiedRequest.minusDays(-120);
builder.withLastModifiedFilter(lastModifiedRequest, end);
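Review bot: the guard `if (endpoint != null)` lets an empty string through to `builder.withEndpoint(endpoint)`, which is reachable because the Maven mojo stores the property with `setStringIfNotNull` rather than `setStringIfNotEmpty`. Use `if (endpoint != null && !endpoint.isEmpty())` (or validate the value as a URI here) so a blank setting falls back to the client's default instead of producing a broken base URL. Because an overridden endpoint changes the source of all vulnerability data for the scan, it would also help operators to log the effective endpoint at INFO level when it is set, so a CI log shows which server was consulted. Unrelated to this change but visible in the context: `lastModifiedRequest.minusDays(-120)` reads more clearly as `plusDays(120)`.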
Expand Down
Expand Up @@ -77,7 +77,6 @@
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Field;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
Expand All @@ -88,7 +87,6 @@
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.logging.Level;
import org.apache.maven.artifact.repository.ArtifactRepository;

import org.apache.maven.artifact.resolver.filter.ExcludesArtifactFilter;
Expand All @@ -109,9 +107,6 @@
import org.owasp.dependencycheck.utils.SeverityUtil;
import org.owasp.dependencycheck.xml.pom.Model;
import org.owasp.dependencycheck.xml.pom.PomUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.spi.LocationAwareLogger;

//CSOFF: FileLength
/**
Expand Down Expand Up @@ -941,7 +936,12 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
@SuppressWarnings("CanBeFinal")
@Parameter(property = "nvdValidForHours")
private Integer nvdValidForHours;

/**
* The NVD API Endpoint; setting this is uncommon.
*/
@SuppressWarnings("CanBeFinal")
@Parameter(property = "nvdApiEndpoint")
private String nvdApiEndpoint;
/**
* The NVD API Data Feed URL.
*/
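Review bot: this hunk removes the blank line that separated `private Integer nvdValidForHours;` from the next Javadoc block (7 old lines, 12 new, 6 added), and adds no blank line after `private String nvdApiEndpoint;`, so the new field runs directly into the `nvdDatafeedUrl` documentation. Restore the blank line before and add one after the new field to match the spacing of the surrounding `@Parameter` fields.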
Expand Down Expand Up @@ -2334,6 +2334,7 @@ protected void populateSettings() {
}
settings.setStringIfNotEmpty(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
settings.setStringIfNotEmpty(Settings.KEYS.DB_FILE_NAME, dbFilename);
settings.setStringIfNotNull(Settings.KEYS.NVD_API_ENDPOINT, nvdApiEndpoint);
settings.setIntIfNotNull(Settings.KEYS.NVD_API_DELAY, nvdApiDelay);
settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_DATAFEED_URL, nvdDatafeedUrl);
settings.setIntIfNotNull(Settings.KEYS.NVD_API_VALID_FOR_HOURS, nvdValidForHours);
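Review bot: `settings.setStringIfNotNull(Settings.KEYS.NVD_API_ENDPOINT, nvdApiEndpoint)` is inconsistent with the Ant task and the CLI, which both use `setStringIfNotEmpty` for the same key. With `setStringIfNotNull`, an empty `<nvdApiEndpoint></nvdApiEndpoint>` in a POM (or `-DnvdApiEndpoint=` on the command line) stores `""`, which then passes the `endpoint != null` check in `NvdApiDataSource.processApi` and is handed to the client builder. Switch to `setStringIfNotEmpty` so all three front ends behave the same way.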
Expand Down
1 change: 1 addition & 0 deletions maven/src/site/markdown/configuration.md
Expand Up @@ -143,6 +143,7 @@ The following properties can be configured in the plugin. However, they are less
Property | Description | Default Value |
-------------------------|--------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------|
nvdApiKey | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key | &nbsp; |
nvdApiEndpoint | The NVD API endpoint URL; setting this is uncommon. | https://services.nvd.nist.gov/rest/json/cves/2.0 |
nvdApiServerId | The id of a server defined in the settings.xml that configures the credentials (password is used as ApiKey) for accessing the NVD API. | &nbsp; |
nvdMaxRetryCount | The maximum number of retry requests for a single call to the NVD API. | 10 |
nvdApiDelay | The number of milliseconds to wait between calls to the NVD API. | 2000 with an NVD API Key or 8000 without an API Key . |
Expand Down
Expand Up @@ -86,6 +86,7 @@ Note, if ANY of the cve configuration group are set - they should all be set to
Config Group | Property | Description | Default Value |
-------------|-------------------|--------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------|
nvd | apiKey | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key | &nbsp; |
nvd | endpoint | The NVD API endpoint URL; setting this is uncommon. | https://services.nvd.nist.gov/rest/json/cves/2.0 |
nvd | maxRetryCount | The maximum number of retry requests for a single call to the NVD API. | 10 |
nvd | delay | The number of milliseconds to wait between calls to the NVD API. | 2000 with an NVD API Key or 8000 without an API Key |
nvd | datafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data | &nbsp; |
Expand Down
Expand Up @@ -63,6 +63,7 @@ The following properties can be configured in the dependencyCheck task. However,
Config Group | Property | Description | Default Value |
-------------|-------------------|--------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------|
nvd | apiKey | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key | &nbsp; |
nvd | endpoint | The NVD API endpoint URL; setting this is uncommon. | https://services.nvd.nist.gov/rest/json/cves/2.0 |
nvd | maxRetryCount | The maximum number of retry requests for a single call to the NVD API. | 10 |
nvd | delay | The number of milliseconds to wait between calls to the NVD API. | 2000 with an NVD API Key or 8000 without an API Key . |
nvd | datafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data | &nbsp; |
Expand Down
1 change: 1 addition & 0 deletions src/site/markdown/dependency-check-gradle/configuration.md
Expand Up @@ -68,6 +68,7 @@ The following properties can be configured in the dependencyCheck task. However,
Config Group | Property | Description | Default Value
-------------|-------------------|----------------------------------------------------------------------------------------------------------------------|------------------
nvd | apiKey | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key | &nbsp; |
nvd | endpoint | The NVD API endpoint URL; setting this is uncommon. | https://services.nvd.nist.gov/rest/json/cves/2.0 |
nvd | maxRetryCount | The maximum number of retry requests for a single call to the NVD API. | 10 |
nvd | delay | The number of milliseconds to wait between calls to the NVD API. | 2000 with an NVD API Key or 8000 without an API Key |
nvd | datafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data | &nbsp; |
Expand Down
Expand Up @@ -161,7 +161,10 @@ public static final class KEYS {
* be imported.
*/
public static final String CVE_CPE_STARTS_WITH_FILTER = "cve.cpe.startswith.filter";

/**
* The NVD API Endpoint.
*/
public static final String NVD_API_ENDPOINT = "nvd.api.endpoint";
/**
* API Key for the NVD API.
*/
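Review bot: the new key `nvd.api.endpoint` has no default in this diff, while every documentation table in the PR lists `https://services.nvd.nist.gov/rest/json/cves/2.0` as the default value. Right now the documented default only holds because `processApi` skips `withEndpoint` when the key is absent and the client falls back to its own built-in URL. Either add the default to the properties file that seeds `Settings` so `settings.getString(KEYS.NVD_API_ENDPOINT)` returns the documented value, or word the docs as "unset (the NVD client's built-in endpoint)" so the behaviour and the documentation agree.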
Expand Down