docs: update documentation for the NVD API
jeremylong committed Oct 16, 2023
1 parent 8283c81 commit e79480f
Showing 8 changed files with 59 additions and 63 deletions.
13 changes: 7 additions & 6 deletions ant/src/site/markdown/config-update.md
@@ -30,15 +30,16 @@ failOnError | Whether the build should fail if there is an error execu

Advanced Configuration
====================
The following properties can be configured in the plugin. However, they are less frequently changed. One exception
may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment.
The following properties can be configured in the plugin. However, they are less frequently changed.

Property | Description | Default Value
---------------------|----------------------------------------------------------------------------------------------------------------------|------------------
cveUrlModified | URL for the modified CVE JSON data feed. When mirroring the NVD you must mirror the *.json.gz and the *.meta files. Optional if your custom cveUrlBase is just a domain name change. | https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz
cveUrlBase | Base URL for each year's CVE JSON data feed, the %d will be replaced with the year. | https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-%d.json.gz
cveWaitTime | The time in milliseconds to wait between downloads from the NVD. | 4000
cveStartYear | The first year of NVD CVE data to download from the NVD. | 2002
nvdApiKey | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key |  
nvdApiDelay | The number of milliseconds to wait between calls to the NVD API. |  
nvdDatafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data |  
nvdUser | Credentials used for basic authentication for the NVD API Data feed. |  
nvdPassword | Credentials used for basic authentication for the NVD API Data feed. |  
nvdValidForHours | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours. | 4
dataDirectory | Data directory that is used to store the local copy of the NVD. This should generally not be changed. | data
databaseDriverName | The name of the database driver. Example: org.h2.Driver. |  
databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. |  
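Review bot: the nvdApiDelay row in this hunk ships with an empty Default Value, while the cveWaitTime row it replaces stated 4000, so a reader can no longer tell what delay applies when the property is unset; state the effective default. Two smaller points: the nvdValidForHours description repeats "The default is 4 hours." even though the Default Value column already says 4 (drop the sentence, as the cveWaitTime and cveStartYear rows did), and the intro sentence lost its mention of hosting a mirror inside an enterprise, which is precisely what nvdDatafeedUrl is for; keep that pointer, with the old "cvedUrl" typo fixed.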
18 changes: 9 additions & 9 deletions ant/src/site/markdown/configuration.md
@@ -33,7 +33,6 @@ The following properties can be set on the dependency-check task.
Property | Description | Default Value
----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------
autoUpdate | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true
cveValidForHours | Sets the number of hours to wait before checking for new updates from the NVD | 4
failOnError | Whether the build should fail if there is an error executing the dependency-check analysis | true
failBuildOnCVSS | Specifies if the build should be failed if a CVSS score equal to or above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. More information on CVSS scores can be found at the [NVD](https://nvd.nist.gov/vuln-metrics/cvss)| 11
junitFailOnCVSS | If using the JUNIT report format the junitFailOnCVSS sets the CVSS score threshold that is considered a failure. | 0
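Review bot: cveValidForHours is deleted from the basic-properties table without a forward pointer, so a user whose build.xml still sets it gets no hint from this page that the setting now lives under Advanced Configuration as nvdValidForHours; add a one-line renamed-property note here, and check that the task warns on the old name rather than ignoring it, since a silently ignored value would make the update interval fall back to the default without anyone noticing.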
@@ -140,15 +139,16 @@ pathToGo | The path to `go`.

Advanced Configuration
====================
The following properties can be configured in the plugin. However, they are less frequently changed. One exception
may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment.
The following properties can be configured in the plugin. However, they are less frequently changed.

Property | Description | Default Value
---------------------|--------------------------------------------------------------------------|------------------
cveUrlModified | URL for the modified CVE JSON data feed. When mirroring the NVD you must mirror the *.json.gz and the *.meta files. Optional if your custom cveUrlBase is just a domain name change. | https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz
cveUrlBase | Base URL for each year's CVE JSON data feed, the %d will be replaced with the year. | https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-%d.json.gz
cveWaitTime | The time in milliseconds to wait between downloads from the NVD. | 4000
cveStartYear | The first year of NVD CVE data to download from the NVD. | 2002
Property | Description | Default Value
---------------------|--------------------------------------------------------------------------------------------------------------|------------------
nvdApiKey | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key |  
nvdApiDelay | The number of milliseconds to wait between calls to the NVD API. |  
nvdDatafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data |  
nvdUser | Credentials used for basic authentication for the NVD API Data feed. |  
nvdPassword | Credentials used for basic authentication for the NVD API Data feed. |  
nvdValidForHours | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours. | 4
dataDirectory | Data directory that is used to store the local copy of the NVD. This should generally not be changed. | data
databaseDriverName | The name of the database driver. Example: org.h2.Driver. |  
databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. |  
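Review bot: the deleted cveUrlModified row carried an operational caveat ("When mirroring the NVD you must mirror the *.json.gz and the *.meta files") and the deleted intro sentence named the enterprise-mirror use case, but the replacement nvdDatafeedUrl row says only that the feed "can be generated using" the linked vulnz tool; document which files a self-hosted feed must serve and how dependency-check finds them, otherwise the mirroring guidance removed here has no equivalent. Also, this table now duplicates the one added to config-update.md in the same commit, and the two separator rows already differ in width; consider keeping a single copy and linking to it so the two do not drift.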
2 changes: 1 addition & 1 deletion cli/src/main/resources/completion-for-dependency-check.sh
@@ -87,7 +87,7 @@ _odc_completions()
--nodeAuditSkipDevDependencies
--nodePackageSkipDevDependencies
--nonProxyHosts <list>
--nvdApiKey
--nvdApiKey <apiKey>
--nvdDatafeed <url>
--nvdUser <user>
--nvdPassword <password>
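Review bot: the placeholder fix is correct (--nvdApiKey takes a value, matching the \<apiKey\> parameter documented in arguments.md), but the visible window lists --nvdApiKey, --nvdDatafeed, --nvdUser and --nvdPassword and not --nvdApiDelay or --nvdValidForHours, both of which arguments.md documents in this same commit; check that those two appear elsewhere in _odc_completions, and that --nvdDatafeed is the flag name the CLI actually parses, given that the Ant property is spelled nvdDatafeedUrl.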
13 changes: 6 additions & 7 deletions cli/src/site/markdown/arguments.md
@@ -20,20 +20,19 @@ The following table lists the command line arguments:
| \-h | \-\-help | | Print the help message. | Optional |
| | \-\-advancedHelp | | Print the advanced help message. | Optional |
| \-v | \-\-version | | Print the version information. | Optional |
| | \-\-cveValidForHours | \<hours\> | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours. | Optional |
| | \-\-enableExperimental | | Enable the [experimental analyzers](../analyzers/index.html). If not set the analyzers marked as experimental below will not be loaded or used. | Optional |
| | \-\-enableRetired | | Enable the [retired analyzers](../analyzers/index.html). If not set the analyzers marked as retired below will not be loaded or used. | Optional |

Advanced Options
================
| Short | Argument Name | Parameter | Description | Default Value |
|-------|---------------------------------------|-----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|
| | \-\-cveUrlModified | \<url\> | URL for the modified CVE JSON data feed. When mirroring the NVD you must mirror the *.json.gz and the *.meta files. Optional if your custom cveUrlBase is just a domain name change. | https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz |
| | \-\-cveUrlBase | \<url\> | Base URL for each year's CVE JSON data feed, the %d will be replaced with the year. | https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-%d.json.gz |
| | \-\-cveUser | \<username\> | Credentials used for basic authentication for the CVE data. | &nbsp; |
| | \-\-cvePassword | \<password\> | Credentials used for basic authentication for the CVE data. | &nbsp; |
| | \-\-cveStartYear | \<year\> | The first year of NVD CVE data to retrieve. | 2002 |
| | \-\-cveDownloadWait | \<milliseconds\>| The number of milliseconds to wait between NVD CVE download. | 4000 |
| | \-\-nvdApiKey | \<apiKey\> | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key | &nbsp; |
| | \-\-nvdApiDelay | \<milliseconds\>| The number of milliseconds to wait between calls to the NVD API. | &nbsp; |
| | \-\-nvdDatafeed | \<url\> | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data | &nbsp; |
| | \-\-nvdUser | \<username\> | Credentials used for basic authentication for the NVD API Data feed. | &nbsp; |
| | \-\-nvdPassword | \<password\> | Credentials used for basic authentication for the NVD API Data feed. | &nbsp; |
| | \-\-nvdValidForHours | \<hours\> | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours. | 4 |
| | \-\-hints | \<file\> | The file path to the XML hints file \- used to resolve [false negatives](../general/hints.html) | &nbsp; |
| \-P | \-\-propertyfile | \<file\> | Specifies a file that contains properties to use instead of application defaults. The key values used in the properties file are not the same as the arguments listed on this page; use the keys here: https://github.com/jeremylong/DependencyCheck/blob/main/core/src/main/resources/dependencycheck.properties | &nbsp; |
| | \-\-updateonly | | If set only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated. | &nbsp; |
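Review bot: \-\-nvdApiKey \<apiKey\>, \-\-nvdUser and \-\-nvdPassword are documented here as plain command-line values, which end up in shell history and in process listings on a shared CI runner; since this same table documents \-P / \-\-propertyfile, the three rows should point readers there (or to an environment variable, if the CLI supports one) for the secret values. The removed \-\-cveValidForHours row also leaves no pointer to \-\-nvdValidForHours in the Advanced Options table, so a one-line rename note would save users with existing scripts a search.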