Luca Varini

Reputation: 31

OWASP Dependency Check Maven Plugin

I'm trying to use the dependency-check-maven plugin, but I always get stuck in the update of the NVD database. This is my easy setup:

<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>12.0.2</version>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>

I'm running it in a gitlab pipeline and the output is this:

    22047 [INFO] Checking for updates
    22057 [WARNING] An NVD API Key was not provided - it is highly recommended to use an NVD API key as the update can take a VERY long time without an API Key
    60332 [INFO] NVD API has 280,241 records in this update

And the update takes forever. I cannot wait 3-4 hours, also because it is running on a docker container.

I tried to provide the NVD API Key by getting it from https://nvd.nist.gov/developers/request-an-api-key and by modifying my pom.xml. I added this, and I also added a bit of delay because the API cannot be called remotely too often:

<configuration>
   <nvdApiKey>1230b944-xxxx-xxxx-xxxx-c51993ff5a17</nvdApiKey>
   <nvdApiDelay>3000</nvdApiDelay>
</configuration>

But the output was always the same. I tried with <autoupdate>false</autoupdate> but same result.

I really don't know what to do. Can anyone help me?

Upvotes: 1

Views: 216

Answers (1)

KMZ

Reputation: 606

We use OWASP DepCheck plugin as well, together with standalone SonarQube server.

Basically, you'll need to solve 2 issues to use OWASP DepCheck plugin effectively:

  1. Avoid throttling during NVD DB updates by making sure the plugin uses the NVD API key. Hardcode it in pom.xml, provide it via CLI option, or via environment variable -- doesn't matter, choose whatever is easier to maintain. We chose Gitlab CI variables to avoid exposing the key in logs and/or repos.

  2. Avoid unnecessary DB updates by caching NVD DB downloaded by the plugin. You can use Gitlab CI/CD caching, Docker volumes or bind mounts if you use Docker-based Gitlab runners. We chose Docker bind mounts since we only have one mighty build server, and don't need to share the cache between hosts.

This is how it all comes together, giving you both a nice HTML report as a Gitlab artifact, and also the same info as part of the SonarQube scan report:

pom.xml

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>${dependency-check-maven.version}</version>
    <configuration>
        <dataDirectory>/tmp/owasp</dataDirectory>
        <formats>
            <!-- we need both HTML (for humans) and JSON (for machines) to make the report useful in Sonar -->
            <format>html</format>
            <format>json</format>
        </formats>
    </configuration>
</plugin>

/etc/gitlab-runner/config.toml:

[[runners]]
  ...
  executor = "docker"
  [runners.docker]
    disable_cache = false
    volumes = [..., "/usr/share/owasp:/tmp/owasp:rw", ...]
    ...

.gitlab-ci.yml:

sonar:
  stage: test
  image: node:${NODE_IMAGE_VERSION}
  needs:
    - job: generate-version
      artifacts: true
    - job: build
      artifacts: true
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
    GIT_STRATEGY: clone
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    # run dependency check here before sonar task is executed
    - mvn ${MAVEN_CLI_OPTS} -Drevision=${VERSION} -DnvdApiKey=${NVD_API_KEY} -DassemblyAnalyzerEnabled=false -Dsonar.qualitygate.wait=true verify dependency-check:aggregate sonar:sonar
  allow_failure: true
  artifacts:
    when: always
    name: "${CI_PROJECT_NAME}-v${VERSION}-owasp-depcheck-report"
    expose_as: "OWASP Dependency Check report"
    expire_in: 7 days
    paths:
      - 'target/dependency-check-report.html'

Upvotes: 1
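Once the JSON format is enabled as in the answer above, the report can gate the pipeline itself instead of the job running with `allow_failure: true` and nobody reading the HTML. The following is an added example, not code from the answer or from the plugin: a small Python script that flattens `target/dependency-check-report.json` and returns a failing verdict when any finding reaches a CVSS threshold. The field names it reads (`dependencies`, `vulnerabilities`, `cvssv3.baseScore`, `cvssv2.score`) are an assumption about the plugin's JSON report layout, the sample report is constructed inline, and the CVE ids in it are placeholders.

```python
import json

# Constructed sample shaped like target/dependency-check-report.json.
# Field names are an assumption about the plugin's JSON report; the CVE
# ids are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "example-lib-1.0.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-0001", "severity": "CRITICAL",
              "cvssv3": {"baseScore": 9.8}},
             {"name": "CVE-0000-0002", "severity": "MEDIUM",
              "cvssv2": {"score": 5.0}}]},      # older entry: v2 score only
        {"fileName": "another-lib-2.3.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-0003", "severity": "LOW",
              "cvssv3": {"baseScore": 3.1}}]},
        {"fileName": "clean-lib-0.9.jar"},      # no "vulnerabilities" key
    ]
})


def vuln_score(vuln):
    """Best available CVSS base score: v3 if present, else v2, else 0.0."""
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    return float(v2.get("score", 0.0))


def findings(report_text):
    """Flatten the report into (jar, cve, severity, score) tuples."""
    report = json.loads(report_text)
    rows = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            rows.append((dep.get("fileName", "?"), vuln.get("name", "?"),
                         vuln.get("severity", "UNKNOWN").upper(),
                         vuln_score(vuln)))
    return rows


def gate(report_text, fail_on_cvss=7.0):
    """Return (passed, offenders): fail when any score >= the threshold."""
    bad = [r for r in findings(report_text) if r[3] >= fail_on_cvss]
    return (len(bad) == 0, sorted(bad, key=lambda r: -r[3]))


if __name__ == "__main__":
    ok, offenders = gate(SAMPLE_REPORT)
    for jar, cve, sev, score in offenders:
        print(f"{jar}: {cve} {sev} CVSS {score}")
    raise SystemExit(0 if ok else 1)
```

The plugin's own `failBuildOnCVSS` parameter enforces the same threshold inside Maven; a separate gate like this is useful when the job is kept at `allow_failure: true` so that SonarQube and the artifact are still produced, but you want an explicit pass/fail step afterwards.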
