Commit 5ad9d479 authored by Pierre Smeyers's avatar Pierre Smeyers Committed by Girija Saint Ange

Apply 1 suggestion(s) to 1 file(s)

parent 90117c72
+35 −32
@@ -156,15 +156,17 @@ dependencyCheck {
  }
}
```
Dependency-Check fetches its vulnerbility database from the NVD API which has rate limiting. There are two choices

1. Use NVD API key, the rate limit is higher which reduces the execution time of Dependency-Check
2. Use your local NVD Data feed cache url, you need it, if your Gitlab runners cannot contact the NVD API (e.g. if they are not allowed to connect to the Internet), you can maintain a local data feed cache with the [vulnz](https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz) tool. It fetches the vulnerabilities and store them as data feeds (the data feeds will be stored as JSON files with the NVD Vulnerability Data API version 2.0 schema). This data feed URL should be reachable by your Gitlab runners.
#### Managing NVD API requests limit

In order to configure a NVD API key, you need to:
Dependency-Check fetches its vulnerabilities database from the _National vulnerability Database_ (NVD) API, that has [requests limit](https://nvd.nist.gov/general/news/API-Key-Announcement). If nothing is done, fetching the database will be very slow.

* Set the `NVD_API_KEY` variable with your NVD API key. :warning: This is a sensitive value, so we recommend you add it as a **masked** Gitlab variable
There are two options to solve this:

1. Use an NVD API key (this will increase the rate limit and therefore reduce the execution time of Dependency-Check)
    * [Request an NVD API key](https://nvd.nist.gov/developers/request-an-api-key),
    * Set the :lock: `NVD_API_KEY` variable as a (masked) GitLab variable,
    * Configure the API key in your Gradle file:
        ```groovy
        // ...
        dependencyCheck {
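Review bot: the rewritten step 1 drops the explicit warning that was in the removed line ("This is a sensitive value, so we recommend you add it as a **masked** Gitlab variable") and replaces it with just "(masked)" in parentheses; keep the sentence stating that `NVD_API_KEY` is a secret, since a reader skimming the list will otherwise paste it into the `.gitlab-ci.yml` or the Gradle file in clear text. Two wording fixes in the new intro paragraph: the official name is "National Vulnerability Database" (capital V), and "that has requests limit" should read "which enforces a request rate limit". "If nothing is done, fetching the database will be very slow" would be more useful as "Without an API key, the initial database download can take a very long time and may fail on rate-limit errors".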
@@ -176,9 +178,10 @@ dependencyCheck {
          // ...
        }
        ```

In order to configure a NVD data feed URL, you need to:

2. Setup a [local mirror of NVD Data files](https://jeremylong.github.io/DependencyCheck/data/mirrornvd.html) (this solution might be required if your GitLab runners cannot reach the NVD API).
    * You can use the [vulnz](https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz) tool to automate the sync of Data files from the NVD API. It fetches the vulnerabilities and store them as data feeds (the data feeds will be stored as JSON files with the NVD Vulnerability Data API version 2.0 schema).<br/>
    :information_source: You should store those files in a place reachable by your GitLab runners.
    * Then simply configure this URL as a `datafeedUrl` in your Gradle file:
        ```groovy
        // ...
        dependencyCheck {
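Review bot: grammar in the new vulnz bullet: "It fetches the vulnerabilities and store them" should be "stores them", and the trailing `<br/>` before the :information_source: line can be replaced by a separate bullet or a blank line, consistent with the rest of the list. On the content: the mirror bullet should say that the data feed must be served over HTTPS from a host only the runners need to reach, and that the vulnz sync must run on a schedule; a mirror that stops syncing keeps scans passing while silently missing newly published CVEs, which is the opposite of the "runners cannot reach the NVD API" problem this option solves. Also use one spelling, "data files" or "Data files", across the two new bullets.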