-
Notifications
You must be signed in to change notification settings - Fork 36
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NVD_API_TOKEN
environment variable does not work
#173
Comments
Thanks! Yes, I noticed that the Tools setup had drifted. I'm sorry I didn't have the time to attend that - very busy January. setting |
Indeed that does work, but I am using nvd-clojure in a context where having a static config file is not very practical. |
Furthermore, I realize that there is a related issue: when you execute nvd-clojure without any NVD API key whatsoever, i.e. not set in the config file nor set as an env var, it should terminate after throwing the "No NVD API key supplied as config settings or env var." exception. However, instead, just like with the first example, nvd-clojure thinks there is a env var, so that exception is not thrown, and the error is only noticed at the DependencyCheck level. |
Yes, I had noticed, sorry about that as well. You might want to generate the .edn file dynamically for now. The fix should be small anyway and can land soon. |
Indeed, you might've already found the bug, but it's a one line fix. Specifically this line (since the |
If you are willing to go through a local install process and verify it works, extending the integration test as well, PR welcome But the hint is appreciated anyway! |
I seem to be hitting this as well, but putting the into my nvd-clojure.edn doesn't help, I get the same errors. I've verified that my token is correct, following the instruction. |
Hi @hlship , I've used successfully nvd-clojure with an api key in Lein and deps.edn projects alike. May you share your config file redacted? |
Actually, the code is public: |
|
This is a file that I've verified to work: https://github.com/akvo/unep-gpml/blob/3a9782e9e7e7cc1154219f6a3f78d64deb578a63/backend/.nvd/nvd.edn I don't consider the API keys incredibly secret btw, they are more akin to a username. Cheap to obtain with no PII associated. But one could still build them dynamically if that felt more adequate. |
Description
I am using the
NVD_API_TOKEN
environment variable to provide nvd-clojure with my NVD API key, and it does not work. Using the Clojure Tools method, I should have either expected the scan to proceed, or nvd-clojure to throw an "No NVD API key supplied as config settings or env var." exception. Instead, it seems that nvd-clojure recognizes that the env var was set, but that var is not passed to DependencyCheck. Thus, I get this result (note the first and last lines):followed by the NVD download failing due to the lack of an NVD API key.
Version
4.0.0
Java version
Installation compliance
The text was updated successfully, but these errors were encountered: