Commit 555bd488 authored by Girija Saint Ange's avatar Girija Saint Ange

Merge branch '17-document-how-to-set-an-nvd-api-key' into 'master'

docs: update doc for NVD API key and data feed url

Closes #17

See merge request to-be-continuous/gradle!45
parents ea99db27 5ad9d479
+36 −0
@@ -157,6 +157,42 @@ dependencyCheck {
}
```

#### Managing NVD API requests limit

Dependency-Check fetches its vulnerabilities database from the _National vulnerability Database_ (NVD) API, that has [requests limit](https://nvd.nist.gov/general/news/API-Key-Announcement). If nothing is done, fetching the database will be very slow.

There are two options to solve this:

1. Use an NVD API key (this will increase the rate limit and therefore reduce the execution time of Dependency-Check)
    * [Request an NVD API key](https://nvd.nist.gov/developers/request-an-api-key),
    * Set the :lock: `NVD_API_KEY` variable as a (masked) GitLab variable,
    * Configure the API key in your Gradle file:
        ```groovy
        // ...
        dependencyCheck {
          // ...
          nvd {
            // NVD_API_KEY got from environment (set it in your GitLab CI/CD variables)
            apiKey = System.getenv("NVD_API_KEY")
          }
          // ...
        }
        ```
2. Setup a [local mirror of NVD Data files](https://jeremylong.github.io/DependencyCheck/data/mirrornvd.html) (this solution might be required if your GitLab runners cannot reach the NVD API).
    * You can use the [vulnz](https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz) tool to automate the sync of Data files from the NVD API. It fetches the vulnerabilities and store them as data feeds (the data feeds will be stored as JSON files with the NVD Vulnerability Data API version 2.0 schema).<br/>
    :information_source: You should store those files in a place reachable by your GitLab runners.
    * Then simply configure this URL as a `datafeedUrl` in your Gradle file:
        ```groovy
        // ...
        dependencyCheck {
          // ...
          nvd {
            datafeedUrl="https://URL-OF-LOCAL-CACHE-NVD-DATA-FEED"
          }
          // ...
        }
        ```

If you're using an [Artifactory](https://jfrog.com/artifactory/) as a repository/mirror, you might need to add a `repositories` block and add an `artifactory` block in the job definition.

Here is an example (change the urls accordingly):
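Review bot: the two Groovy snippets in the new "Managing NVD API requests limit" section use different assignment styles (`apiKey = System.getenv("NVD_API_KEY")` with spaces versus `datafeedUrl="https://URL-OF-LOCAL-CACHE-NVD-DATA-FEED"` without), and readers copying both blocks into one `nvd {}` section will get inconsistent code; please write `datafeedUrl = "..."` to match. A few wording fixes in the added prose would also help: "_National vulnerability Database_" should be "_National Vulnerability Database_", "that has [requests limit]" reads better as "which has a [request limit]", "Setup a local mirror" should be "Set up a local mirror", and "It fetches the vulnerabilities and store them" should be "stores them". Since the API key is read with `System.getenv("NVD_API_KEY")`, it would be worth one sentence stating that the variable is simply absent (and the scan falls back to unauthenticated, rate-limited access) when it is not defined in the CI/CD variables, so users understand why the documented "(masked)" GitLab variable is the only place the key should live rather than the Gradle file itself.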