
Upgrade to OWASP DependencyCheck v9.0.1 #314

Open
costas80 opened this issue Nov 27, 2023 · 6 comments

Comments

@costas80

Would it be possible to foresee an upgrade to OWASP DependencyCheck v9.0.1? The main driver for this is the update for the new NVD API which now requires an API key. Using the previous API will be deprecated on December 15th 2023 (see here for details).

@costas80
Author

costas80 commented Dec 4, 2023

Note that version 9.0.1 had stability issues. The wrapped OWASP DependencyCheck should be v9.0.2 (the latest at the time of writing this).

@mims-github

Or would contribution PRs be welcome for this upgrade?

@costas80
Author

Following up on @mims-github, I made a PR for the update (see above) that works for me locally. This works by passing an NVD API key as a direct string or as a system property. For example:

lazy val root = (project in file(".")).enablePlugins(PlayScala, SbtWeb)
  .settings(dependencyCheckNvdApiKey := sys.props.get("nvdApiKey"))
  .settings(dependencyCheckOSSIndexWarnOnlyOnRemoteErrors := Some(true))
  .settings(dependencyCheckFailBuildOnCVSS := 0.0F)
  .settings(dependencyCheckSuppressionFile := Some(file("project/owasp-suppressions.xml")))

In my view however this needs a bit more work to be complete. Specifically:

  • I added a scripted test to set an NVD API key I passed locally as a system property. If the other tests are to be corrected, however, and actually work, they would similarly need an NVD API key. I could have just set this everywhere, but then for automation purposes this would need a specific API key that is generated for this project.
  • In initial testing the plugin was extremely slow, possibly because it was busy updating the local NVD database or because the provided NVD API key was not valid. I couldn't get any logging to show some sort of progress or error (like you get from using the ODC via CLI or maven - I'm no SBT expert however), and the tests would just seemingly hang until they failed due to a timeout raised by scripted. In general, it would be great to have some progress logging introduced and better error handling.

Although testing with a valid NVD API key now works and completes quite fast, I changed our project's vulnerability checking that would use this to use the ODC CLI version (after doing a dist and extracting the collected libraries). I would however like to switch back to this plugin if the issues I note are addressed.
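The key-sourcing pattern from the comment above, written out as an added example that is not part of this thread or of the PR: it assumes the dependencyCheckNvdApiKey setting takes an Option[String] (as the snippet shows) and that the plugin's scan task is named dependencyCheck; the NVD_API_KEY variable and the requireNvdApiKey task are names chosen here. It keeps the key out of the build file and fails fast with a clear message when no key is configured, instead of letting the scan hang on the NVD update.

```scala
// build.sbt (added example; assumes dependencyCheckNvdApiKey: Option[String]
// and a scan task named dependencyCheck, as in sbt-dependency-check)

// Weak form: a direct string that ends up in version control.
// dependencyCheckNvdApiKey := Some("<nvd-api-key-placeholder>")   // avoid

// Preferred form: resolve the key at load time from a system property
// (-DnvdApiKey=...) or an environment variable, never from the build file.
lazy val nvdApiKey: Option[String] =
  sys.props.get("nvdApiKey")
    .orElse(sys.env.get("NVD_API_KEY"))   // NVD_API_KEY is an assumed name
    .map(_.trim)
    .filter(_.nonEmpty)

// Hypothetical gate task: verify a key is present before the scan starts.
lazy val requireNvdApiKey =
  taskKey[Unit]("Verify that an NVD API key is configured")

lazy val root = (project in file("."))
  .enablePlugins(PlayScala, SbtWeb)
  .settings(
    dependencyCheckNvdApiKey := nvdApiKey,
    dependencyCheckOSSIndexWarnOnlyOnRemoteErrors := Some(true),
    dependencyCheckFailBuildOnCVSS := 0.0F,
    dependencyCheckSuppressionFile := Some(file("project/owasp-suppressions.xml")),
    requireNvdApiKey := {
      val log = streams.value.log
      dependencyCheckNvdApiKey.value match {
        case Some(_) =>
          // Log only the fact that a key exists; never echo the value itself.
          log.info("NVD API key configured (system property or NVD_API_KEY)")
        case None =>
          sys.error("No NVD API key: pass -DnvdApiKey=<key> or set NVD_API_KEY")
      }
    },
    // Run the gate first so a missing key fails fast rather than timing out.
    dependencyCheck := (dependencyCheck dependsOn requireNvdApiKey).value
  )
```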

@mims-github

@albuch
Thanks for sharing this plugin with us and all the work you put in it. 👏

May you clarify how you welcome contributions to make that awesome plugin ready for the future?
Thanks in advance.

@hagerf

hagerf commented Feb 16, 2024

@albuch
Hi.
Looking at this repo, it seems a bit suspiciously like it has been abandoned. Is this the case?
Thanks

@dkichler-improving

@albuch Bump on the above requests/comments ☝️. I'm sure the community would be happy to take on maintenance of this plugin - I wonder if you might be willing to help transition it to the sbt organization if you are unable to or have no interest in continued maintenance?
