From 4cad286a988fe1db69fa575553439842c13e8bb3 Mon Sep 17 00:00:00 2001
From: Konrad Windszus
Date: Fri, 15 Mar 2024 15:31:17 +0100
Subject: [PATCH] Update dependency-check to 9.0.10

Leverage NVD Api Key from GH organization secrets
---
 .github/workflows/maven.yml | 9 +++++++--
 pom.xml | 3 +--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index dc69ce4f..5dbb76a4 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -4,6 +4,7 @@ on: [push, pull_request]
 jobs:
   build:
+    name: ${{ matrix.isMainBuildEnv && 'Main Build' || 'Build' }}
     strategy:
       matrix:
         os: [ubuntu-latest, windows-latest, macOS-latest]
@@ -38,19 +39,23 @@ jobs:
       - name: Build and Analyse with Maven
         if: github.ref != 'refs/heads/develop' && matrix.isMainBuildEnv
         env:
+          # NVD API key used by dependency-check
+          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
           # SonarCloud access token should be generated from https://sonarcloud.io/account/security/
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
           # Needed to get some information about the pull request, if any
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: mvn -e -B -V -Pintegration-tests clean verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=Netcentric_accesscontroltool -Dsonar.organization=netcentric -Dsonar.host.url=https://sonarcloud.io -Pdependency-check,coverage-report
+        run: mvn -e -B -V clean verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=Netcentric_accesscontroltool -Dsonar.organization=netcentric -Dsonar.host.url=https://sonarcloud.io -DnvdApiKeyEnvironmentVariable=NVD_API_KEY -Pdependency-check,coverage-report,integration-tests
       - name: Build, Analyse and Deploy with Maven
         if: github.ref == 'refs/heads/develop' && matrix.isMainBuildEnv
         env:
+          # NVD API key used by dependency-check
+          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
           MAVEN_USERNAME: ${{ secrets.OSSRH_TOKEN_USER }}
           MAVEN_PASSWORD: ${{ secrets.OSSRH_TOKEN_PASSWORD }}
           # SonarCloud access token should be generated from https://sonarcloud.io/account/security/
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
           # Needed to get some information about the pull request, if any
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: mvn -e -B -V -Pintegration-tests clean deploy org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=Netcentric_accesscontroltool -Dsonar.organization=netcentric -Dsonar.host.url=https://sonarcloud.io -Pdependency-check,coverage-report
+        run: mvn -e -B -V clean deploy org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=Netcentric_accesscontroltool -Dsonar.organization=netcentric -Dsonar.host.url=https://sonarcloud.io -DnvdApiKeyEnvironmentVariable=NVD_API_KEY -Pdependency-check,coverage-report,integration-tests
diff --git a/pom.xml b/pom.xml
index 75523148..33bc00f8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -420,9 +420,8 @@
 org.owasp
 dependency-check-maven
- 8.1.0
+ 9.0.10
- 24
 11
 true
 true
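Review bot: `NVD_API_KEY: ${{ secrets.NVD_API_KEY }}` in the env block of the "Build and Analyse with Maven" step expands to an empty string whenever the secret is not available to the run, and that step is not limited to pushes: the workflow triggers on `[push, pull_request]` and the step condition only excludes the develop ref, so it also runs for pull requests from forks, which do not receive organization or repository secrets. The new run line then passes `-DnvdApiKeyEnvironmentVariable=NVD_API_KEY` naming an empty variable; whether dependency-check 9.0.10 treats that as "no key" and falls back to unauthenticated, rate-limited NVD access or fails the build is not visible here and should be confirmed. Either way the added comment should state the expectation, e.g. `# NVD API key used by dependency-check; empty on pull requests from forks (secrets are not exposed there), in which case the NVD update runs without a key`, or the `dependency-check` profile should be made conditional on the key being present. Referencing the key through an environment variable rather than as a `-DnvdApiKey=` property on the command line is the right choice, since the run script itself is printed in the job log. The second step's env block in this hunk duplicates the same entry and comment, so the same wording applies there.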