Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

NVD_API_TOKEN environment variable does not work #173

Open
2 tasks done
kelvinqian00 opened this issue Jan 31, 2024 · 13 comments
Open
2 tasks done

NVD_API_TOKEN environment variable does not work #173

kelvinqian00 opened this issue Jan 31, 2024 · 13 comments

Comments

@kelvinqian00
Copy link

kelvinqian00 commented Jan 31, 2024

Description

I am using the NVD_API_TOKEN environment variable to provide nvd-clojure with my NVD API key, and it does not work. Using the Clojure Tools method, I should have either expected the scan to proceed, or nvd-clojure to throw an "No NVD API key supplied as config settings or env var." exception. Instead, it seems that nvd-clojure recognizes that the env var was set, but that var is not passed to DependencyCheck. Thus, I get this result (note the first and last lines):

% NVD_API_TOKEN=[REDACTED] clojure -J-Dclojure.main.report=stderr -Tnvd nvd.task/check :classpath \""$(clojure -Spath)\""
[2024-01-31 14:37:19.398] INFO nvd-clojure - User-provided config: {:nvd {:suppression-file "nvd_suppressions.xml", :nvd-api {:key nil}}, :delete-config? false}
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.engine.control.CompositeCacheManager
INFO: Instance is null, returning unconfigured instance
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.engine.control.CompositeCacheManager
INFO: Setting default auxiliaries to "ODC"
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.engine.control.CompositeCacheManager
INFO: setting defaultCompositeCacheAttributes to [ useLateral = true, useRemote = true, useDisk = true, maxObjs = 0, maxSpoolPerRun = -1, diskUsagePattern = UPDATE, spoolChunkSize = 2 ]
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.engine.control.CompositeCacheManager
INFO: setting defaultElementAttributes to [ IS_LATERAL = false, IS_SPOOL = true, IS_REMOTE = false, IS_ETERNAL = false, MaxLifeSeconds = 86400, IdleTime = 1800, CreateTime = 1706729839698, LastAccessTime = 1706729839698, getTimeToLiveSeconds() = 86399, createTime = 1706729839698 ]
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.engine.memory.AbstractDoubleLinkedListMemoryCache
INFO: initialized MemoryCache for CENTRAL
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.engine.control.CompositeCache
INFO: Constructed cache with name [CENTRAL] and cache attributes [ useLateral = true, useRemote = true, useDisk = true, maxObjs = 0, maxSpoolPerRun = -1, diskUsagePattern = UPDATE, spoolChunkSize = 2 ]
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.auxiliary.AuxiliaryCacheConfigurator
INFO: No cache event logger defined for auxiliary [jcs.auxiliary.ODC]
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.auxiliary.AuxiliaryCacheConfigurator
INFO: Using standard serializer [org.apache.commons.jcs3.utils.serialization.StandardSerializer@476fde05] for auxiliary [jcs.auxiliary.ODC]
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.auxiliary.disk.indexed.IndexedDiskCache
INFO: Region [CENTRAL] : Set maxKeySize to: "1,000,000"
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.auxiliary.disk.indexed.IndexedDiskCache
INFO: Region [CENTRAL] : Cache file root directory: ~/.m2/repository/org/owasp/dependency-check-utils/9.0.8/data/9.0/cache
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.auxiliary.disk.indexed.IndexedDiskCache
INFO: Region [CENTRAL] : Indexed Disk Cache is alive.
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.engine.memory.AbstractDoubleLinkedListMemoryCache
INFO: initialized MemoryCache for POM
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.engine.control.CompositeCache
INFO: Constructed cache with name [POM] and cache attributes [ useLateral = true, useRemote = true, useDisk = true, maxObjs = 0, maxSpoolPerRun = -1, diskUsagePattern = UPDATE, spoolChunkSize = 2 ]
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.auxiliary.AuxiliaryCacheConfigurator
INFO: No cache event logger defined for auxiliary [jcs.auxiliary.ODC]
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.auxiliary.AuxiliaryCacheConfigurator
INFO: Using standard serializer [org.apache.commons.jcs3.utils.serialization.StandardSerializer@1df9186f] for auxiliary [jcs.auxiliary.ODC]
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.auxiliary.disk.indexed.IndexedDiskCache
INFO: Region [POM] : Set maxKeySize to: "1,000,000"
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.auxiliary.disk.indexed.IndexedDiskCache
INFO: Region [POM] : Cache file root directory: ~/.m2/repository/org/owasp/dependency-check-utils/9.0.8/data/9.0/cache
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.auxiliary.disk.indexed.IndexedDiskCache
INFO: Region [POM] : Indexed Disk Cache is alive.
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.engine.memory.AbstractDoubleLinkedListMemoryCache
INFO: initialized MemoryCache for NODEAUDIT
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.engine.control.CompositeCache
INFO: Constructed cache with name [NODEAUDIT] and cache attributes [ useLateral = true, useRemote = true, useDisk = true, maxObjs = 0, maxSpoolPerRun = -1, diskUsagePattern = UPDATE, spoolChunkSize = 2 ]
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.auxiliary.AuxiliaryCacheConfigurator
INFO: No cache event logger defined for auxiliary [jcs.auxiliary.ODC]
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.auxiliary.AuxiliaryCacheConfigurator
INFO: Using standard serializer [org.apache.commons.jcs3.utils.serialization.StandardSerializer@682e422c] for auxiliary [jcs.auxiliary.ODC]
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.auxiliary.disk.indexed.IndexedDiskCache
INFO: Region [NODEAUDIT] : Set maxKeySize to: "1,000,000"
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.auxiliary.disk.indexed.IndexedDiskCache
INFO: Region [NODEAUDIT] : Cache file root directory: ~/.m2/repository/org/owasp/dependency-check-utils/9.0.8/data/9.0/cache
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.auxiliary.disk.indexed.IndexedDiskCache
INFO: Region [NODEAUDIT] : Indexed Disk Cache is alive.
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.engine.control.CompositeCacheConfigurator
INFO: Parsed regions [CENTRAL, POM, NODEAUDIT]
Jan 31, 2024 2:37:19 PM org.apache.commons.jcs3.engine.control.CompositeCacheManager
INFO: Finished configuration in 72 ms.
[2024-01-31 14:37:19.761] WARN NexusAnalyzer - Disabling Nexus analyzer - please specify the URL to a Nexus Server
Checking dependencies for stdin...
  using nvd-clojure: 4.0.0 and dependency-check: 9.0.8
[2024-01-31 14:37:40.641] INFO Engine - Checking for updates
[2024-01-31 14:37:40.648] WARN NvdApiDataSource - An NVD API Key was not provided - it is highly recommended to use an NVD API key as the update can take a VERY long time without an API Key

followed by the NVD download failing due to the lack of an NVD API key.

Version

4.0.0

Java version

11.0.10

Installation compliance

@vemv
Copy link
Collaborator

vemv commented Jan 31, 2024

Thanks! Yes, I noticed that the Tools setup had drifted.

I'm sorry I didn't have the time to attend that - very busy January.

setting :nvd-api {:key "87be13d2-blah-blah"} in nvd-clojure.edn does work with Tools.

@kelvinqian00
Copy link
Author

Indeed that does work, but I am using nvd-clojure in a context where having a static config file is not very practical.

@kelvinqian00
Copy link
Author

Furthermore, I realize that there is a related issue: when you execute nvd-clojure without any NVD API key whatsoever, i.e. not set in the config file nor set as an env var, it should terminate after throwing the "No NVD API key supplied as config settings or env var." exception. However, instead, just like with the first example, nvd-clojure thinks there is a env var, so that exception is not thrown, and the error is only noticed at the DependencyCheck level.

@vemv
Copy link
Collaborator

vemv commented Jan 31, 2024

Yes, I had noticed, sorry about that as well.

You might want to generate the .edn file dynamically for now.

The fix should be small anyway and can land soon.

@kelvinqian00
Copy link
Author

Indeed, you might've already found the bug, but it's a one line fix. Specifically this line (since the ::not-found does not apply when the value is nil instead of nonexistent).

@vemv
Copy link
Collaborator

vemv commented Jan 31, 2024

If you are willing to go through a local install process and verify it works, extending the integration test as well, PR welcome

But the hint is appreciated anyway!

@hlship
Copy link

hlship commented Mar 22, 2024

I seem to be hitting this as well, but putting the into my nvd-clojure.edn doesn't help, I get the same errors. I've verified that my token is correct, following the instruction.

@vemv
Copy link
Collaborator

vemv commented Mar 22, 2024

Hi @hlship , I've used successfully nvd-clojure with an api key in Lein and deps.edn projects alike.

May you share your config file redacted?

@hlship
Copy link

hlship commented Mar 22, 2024

Actually, the code is public:

@hlship
Copy link

hlship commented Mar 22, 2024

@hlship
Copy link

hlship commented Mar 22, 2024

clj -T:build cve-check builds the classpath, then invokes NVD to do the work.

@vemv
Copy link
Collaborator

vemv commented Mar 23, 2024

This is a file that I've verified to work:

https://github.com/akvo/unep-gpml/blob/3a9782e9e7e7cc1154219f6a3f78d64deb578a63/backend/.nvd/nvd.edn

I don't consider the API keys incredibly secret btw, they are more akin to a username. Cheap to obtain with no PII associated. But one could still build them dynamically if that felt more adequate.

@RolT
Copy link

RolT commented Oct 9, 2024

@hlship are you sure it's an issue with the API token ? If you verified it and it's not present in the config file it should work. It could be this problem instead: #179

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants