diff --git a/ant/src/site/markdown/config-update.md b/ant/src/site/markdown/config-update.md index c3b776a0ec3..5f70375753b 100644 --- a/ant/src/site/markdown/config-update.md +++ b/ant/src/site/markdown/config-update.md 
@@ -30,15 +30,16 @@ failOnError | Whether the build should fail if there is an error execu Advanced Configuration ==================== -The following properties can be configured in the plugin. However, they are less frequently changed. One exception -may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment. +The following properties can be configured in the plugin. However, they are less frequently changed. Property | Description | Default Value ---------------------|----------------------------------------------------------------------------------------------------------------------|------------------ -cveUrlModified | URL for the modified CVE JSON data feed. When mirroring the NVD you must mirror the *.json.gz and the *.meta files. Optional if your custom cveUrlBase is just a domain name change. | https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz -cveUrlBase | Base URL for each year's CVE JSON data feed, the %d will be replaced with the year. | https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-%d.json.gz -cveWaitTime | The time in milliseconds to wait between downloads from the NVD. | 4000 -cveStartYear | The first year of NVD CVE data to download from the NVD. | 2002 +nvdApiKey | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key |   +nvdApiDelay | The number of milliseconds to wait between calls to the NVD API. |   +nvdDatafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data |   +nvdUser | Credentials used for basic authentication for the NVD API Data feed. |   +nvdPassword | Credentials used for basic authentication for the NVD API Data feed. |   +nvdValidForHours | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours. 
| 4 dataDirectory | Data directory that is used to store the local copy of the NVD. This should generally not be changed. | data databaseDriverName | The name of the database driver. Example: org.h2.Driver. |   databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. |   diff --git a/ant/src/site/markdown/configuration.md b/ant/src/site/markdown/configuration.md index 590ba015646..ac5e81ab55c 100644 --- a/ant/src/site/markdown/configuration.md +++ b/ant/src/site/markdown/configuration.md @@ -33,7 +33,6 @@ The following properties can be set on the dependency-check task. Property | Description | Default Value ----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------- autoUpdate | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true -cveValidForHours | Sets the number of hours to wait before checking for new updates from the NVD | 4 failOnError | Whether the build should fail if there is an error executing the dependency-check analysis | true failBuildOnCVSS | Specifies if the build should be failed if a CVSS score equal to or above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. More information on CVSS scores can be found at the [NVD](https://nvd.nist.gov/vuln-metrics/cvss)| 11 junitFailOnCVSS | If using the JUNIT report format the junitFailOnCVSS sets the CVSS score threshold that is considered a failure. | 0 
@@ -140,15 +139,16 @@ pathToGo | The path to `go`. Advanced Configuration ==================== -The following properties can be configured in the plugin. However, they are less frequently changed. One exception -may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment. +The following properties can be configured in the plugin. However, they are less frequently changed. -Property | Description | Default Value ----------------------|--------------------------------------------------------------------------|------------------ -cveUrlModified | URL for the modified CVE JSON data feed. When mirroring the NVD you must mirror the *.json.gz and the *.meta files. Optional if your custom cveUrlBase is just a domain name change. | https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz -cveUrlBase | Base URL for each year's CVE JSON data feed, the %d will be replaced with the year. | https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-%d.json.gz -cveWaitTime | The time in milliseconds to wait between downloads from the NVD. | 4000 -cveStartYear | The first year of NVD CVE data to download from the NVD. | 2002 +Property | Description | Default Value +---------------------|--------------------------------------------------------------------------------------------------------------|------------------ +nvdApiKey | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key |   +nvdApiDelay | The number of milliseconds to wait between calls to the NVD API. |   +nvdDatafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data |   +nvdUser | Credentials used for basic authentication for the NVD API Data feed. |   +nvdPassword | Credentials used for basic authentication for the NVD API Data feed. 
|   +nvdValidForHours | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours. | 4 dataDirectory | Data directory that is used to store the local copy of the NVD. This should generally not be changed. | data databaseDriverName | The name of the database driver. Example: org.h2.Driver. |   databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. |   diff --git a/cli/src/main/resources/completion-for-dependency-check.sh b/cli/src/main/resources/completion-for-dependency-check.sh index f2a4c0d903a..1f94fd5d0a3 100755 --- a/cli/src/main/resources/completion-for-dependency-check.sh +++ b/cli/src/main/resources/completion-for-dependency-check.sh @@ -87,7 +87,7 @@ _odc_completions() --nodeAuditSkipDevDependencies --nodePackageSkipDevDependencies --nonProxyHosts - --nvdApiKey + --nvdApiKey --nvdDatafeed --nvdUser --nvdPassword diff --git a/cli/src/site/markdown/arguments.md b/cli/src/site/markdown/arguments.md index b91953e1f4c..602138e32a9 100644 --- a/cli/src/site/markdown/arguments.md +++ b/cli/src/site/markdown/arguments.md @@ -20,7 +20,6 @@ The following table lists the command line arguments: | \-h | \-\-help | | Print the help message. | Optional | | | \-\-advancedHelp | | Print the advanced help message. | Optional | | \-v | \-\-version | | Print the version information. | Optional | -| | \-\-cveValidForHours | \ | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours. | Optional | | | \-\-enableExperimental | | Enable the [experimental analyzers](../analyzers/index.html). If not set the analyzers marked as experimental below will not be loaded or used. | Optional | | | \-\-enableRetired | | Enable the [retired analyzers](../analyzers/index.html). If not set the analyzers marked as retired below will not be loaded or used. | Optional | 
@@ -28,12 +27,12 @@ Advanced Options ================ | Short | Argument Name | Parameter | Description | Default Value | |-------|---------------------------------------|-----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------| -| | \-\-cveUrlModified | \ | URL for the modified CVE JSON data feed. When mirroring the NVD you must mirror the *.json.gz and the *.meta files. Optional if your custom cveUrlBase is just a domain name change. | https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz | -| | \-\-cveUrlBase | \ | Base URL for each year's CVE JSON data feed, the %d will be replaced with the year. | https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-%d.json.gz | -| | \-\-cveUser | \ | Credentials used for basic authentication for the CVE data. |   | -| | \-\-cvePassword | \ | Credentials used for basic authentication for the CVE data. |   | -| | \-\-cveStartYear | \ | The first year of NVD CVE data to retrieve. | 2002 | -| | \-\-cveDownloadWait | \| The number of milliseconds to wait between NVD CVE download. | 4000 | +| | \-\-nvdApiKey | \ | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key |   | +| | \-\-nvdApiDelay | \| The number of milliseconds to wait between calls to the NVD API. |   | +| | \-\-nvdDatafeed | \ | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data |   | +| | \-\-nvdUser | \ | Credentials used for basic authentication for the NVD API Data feed. |   | +| | \-\-nvdPassword | \ | Credentials used for basic authentication for the NVD API Data feed. |   | +| | \-\-nvdValidForHours | \ | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours. 
| 4 | | | \-\-hints | \ | The file path to the XML hints file \- used to resolve [false negatives](../general/hints.html) |   | | \-P | \-\-propertyfile | \ | Specifies a file that contains properties to use instead of application defaults. The key values used in the properties file are not the same as the arguments listed on this page; use the keys here: https://github.com/jeremylong/DependencyCheck/blob/main/core/src/main/resources/dependencycheck.properties |   | | | \-\-updateonly | | If set only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated. |   | diff --git a/maven/src/site/markdown/configuration.md b/maven/src/site/markdown/configuration.md index 0b27980812f..822914f7612 100644 --- a/maven/src/site/markdown/configuration.md +++ b/maven/src/site/markdown/configuration.md 
@@ -15,7 +15,6 @@ The following properties can be set on the dependency-check-maven plugin. Property | Description | Default Value ----------------------------|------------------------------------|------------------ autoUpdate | Sets whether auto-updating of the NVD CVE/CPE, retireJS and hosted suppressions data is enabled. It is not recommended that this be turned to false. | true -cveValidForHours | Sets the number of hours to wait before checking for new updates from the NVD. | 4 format | The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, ALL). This configuration is ignored if `formats` is defined. This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML formats | A list of report formats to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, ALL). This configuration overrides the value from `format`. This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. |   junitFailOnCVSS | If using the JUNIT report format the junitFailOnCVSS sets the CVSS score threshold that is considered a failure. | 0 
@@ -139,23 +138,23 @@ filterNonVulnerable | A boolean controlling whether or not the Retire JS Analyze Advanced Configuration ==================== -The following properties can be configured in the plugin. However, they are less frequently changed. One exception -may be the cveUrl properties, which can be used to host a mirror of the NVD within an enterprise environment. +The following properties can be configured in the plugin. However, they are less frequently changed. Property | Description | Default Value | -------------------------|--------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------| -cveUrlModified | URL for the modified CVE JSON data feed. When mirroring the NVD you must mirror the *.json.gz and the *.meta files. Optional if your custom cveUrlBase is just a domain name change. | https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz | -cveUrlBase | Base URL for each year's CVE JSON data feed, the %d will be replaced with the year. | https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-%d.json.gz | -cveServerId | The id of a server defined in the settings.xml that configures the credentials (username and password) for accessing the cveUrl. |   | -cveUser | The username used when connecting to the cveUrl. Must be empty if cveServerId is specified and should be used. |   | -cvePassword | The password used when connecting to the cveUrl. Must be empty if cveServerId is specified and should be used. |   | -cveWaitTime | The time in milliseconds to wait between downloads from the NVD. | 4000 | -cveStartYear | The first year of NVD CVE data to download from the NVD. 
| 2002 +nvdApiKey | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key |   | +nvdApiServerId | The id of a server defined in the settings.xml that configures the credentials (password is used as ApiKey) for accessing the NVD API. |   | +nvdApiDelay | The number of milliseconds to wait between calls to the NVD API. |   | +nvdDatafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data |   | +nvdDatafeedServerId | The id of a server defined in the settings.xml that configures the credentials (username and password) for accessing the NVD API Data feed.|   | +nvdUser | Credentials used for basic authentication for the NVD API Data feed. |   | +nvdPassword | Credentials used for basic authentication for the NVD API Data feed. |   | +nvdValidForHours | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours. | 4 | suppressionFileServerId | The id of a server defined in the settings.xml that configures the credentials (username and password) for accessing the suppressionFiles. |   | suppressionFileUser | The username used when connecting to the suppressionFiles. Must be empty if suppressionFileServerId is specified and should be used. |   | suppressionFilePassword | The password used when connecting to the suppressionFiles. Must be empty if suppressionFileServerId is specified and should be used. |   | -connectionTimeout | Sets the URL Connection Timeout (in milliseconds) used when downloading external data. | 10000 | -readTimeout | Sets the URL Read Timeout (in milliseconds) used when downloading external data. | 60000 | +connectionTimeout | Sets the URL Connection Timeout (in milliseconds) used when downloading external data. | 10000 | +readTimeout | Sets the URL Read Timeout (in milliseconds) used when downloading external data. 
| 60000 | dataDirectory | Sets the data directory to hold SQL CVEs contents. This should generally not be changed. | ~/.m2/repository/org/owasp/dependency-check-data/ | databaseDriverName | The name of the database driver. Example: org.h2.Driver. |   | databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. |   | diff --git a/src/site/markdown/dependency-check-gradle/configuration-aggregate.md b/src/site/markdown/dependency-check-gradle/configuration-aggregate.md index 2166f33014a..600a2740bc0 100644 --- a/src/site/markdown/dependency-check-gradle/configuration-aggregate.md +++ b/src/site/markdown/dependency-check-gradle/configuration-aggregate.md @@ -29,7 +29,6 @@ Property | Description ---------------------|----------------------------------------------------------------------------------------------------------------------|------------------ autoUpdate | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true analyzedTypes | The default artifact types that will be analyzed. | ['jar', 'aar', 'js', 'war', 'ear', 'zip'] -cveValidForHours | Sets the number of hours to wait before checking for new updates from the NVD. | 4 format | The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, ALL). | HTML formats | A list of report formats to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, ALL). |   junitFailOnCVSS | If using the JUNIT report format the junitFailOnCVSS sets the CVSS score threshold that is considered a failure. | 0 
@@ -86,10 +85,12 @@ Note, if ANY of the cve configuration group are set - they should all be set to Config Group | Property | Description | Default Value | -------------|-------------------|--------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------| -cve | urlModified | URL for the modified CVE JSON data feed. | https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz | -cve | urlBase | Base URL for each year's CVE JSON data feed, the %d will be replaced with the year. | https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-%d.json.gz | -cve | waitTime | The time in milliseconds to wait between downloads from the NVD. | 4000 | -cve | startYear | The first year of NVD CVE data to download from the NVD. | 2002 | +nvd | apiKey | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key |   | +nvd | delay | The number of milliseconds to wait between calls to the NVD API. |   | +nvd | datafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data |   | +nvd | datafeedUser | Credentials used for basic authentication for the NVD API Data feed. |   | +nvd | datafeedPassword | Credentials used for basic authentication for the NVD API Data feed. |   | +nvd | validForHours | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours. | 4 | data | directory | Sets the data directory to hold SQL CVEs contents. This should generally not be changed. |   | data | driver | The name of the database driver. Example: org.h2.Driver. |   | data | driverPath | The path to the database driver JAR file; only used if the driver is not in the class path. |   | 
diff --git a/src/site/markdown/dependency-check-gradle/configuration-update.md b/src/site/markdown/dependency-check-gradle/configuration-update.md index 868d5d3f2e8..2d88f314a15 100644 --- a/src/site/markdown/dependency-check-gradle/configuration-update.md +++ b/src/site/markdown/dependency-check-gradle/configuration-update.md @@ -27,13 +27,12 @@ check.dependsOn dependencyCheckUpdate Property | Description | Default Value ---------------------|------------------------------------|------------------ -cveValidForHours | Sets the number of hours to wait before checking for new updates from the NVD. | 4 failOnError | Fails the build if an error occurs during the dependency-check analysis. | true #### Example ```groovy dependencyCheck { - cveValidForHours=1 + failOnError=true } ``` 
@@ -59,26 +58,26 @@ dependencyCheck { ### Advanced Configuration -The following properties can be configured in the dependencyCheck task. However, they are less frequently changed. One exception -may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment. -Note, if ANY of the cve configuration group are set - they should all be set to ensure things work as expected. +The following properties can be configured in the dependencyCheck task. However, they are less frequently changed. Config Group | Property | Description | Default Value | -------------|-------------------|--------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------| -cve | urlModified | URL for the modified CVE JSON data feed. | https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz | -cve | urlBase | Base URL for each year's CVE JSON data feed, the %d will be replaced with the year. | https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-%d.json.gz | -cve | waitTime | The time in milliseconds to wait between downloads from the NVD. | 4000 | -cve | startYear | The first year of NVD CVE data to download from the NVD. | 2002 | +nvd | apiKey | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key |   | +nvd | delay | The number of milliseconds to wait between calls to the NVD API. |   | +nvd | datafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data |   | +nvd | datafeedUser | Credentials used for basic authentication for the NVD API Data feed. |   | +nvd | datafeedPassword | Credentials used for basic authentication for the NVD API Data feed. |   | +nvd | validForHours | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours. 
| 4 | data | directory | Sets the data directory to hold SQL CVEs contents. This should generally not be changed. |   | data | driver | The name of the database driver. Example: org.h2.Driver. |   | data | driverPath | The path to the database driver JAR file; only used if the driver is not in the class path. |   | data | connectionString | The connection string used to connect to the database. See using a [database server](../data/database.html). |   | data | username | The username used when connecting to the database. |   | data | password | The password used when connecting to the database. |   | -hostedSuppressions | enabled | Whether the hosted suppressions file will be used. | true -hostedSuppressions | forceupdate | Sets whether hosted suppressions file will update regardless of the `autoupdate` setting. | false -hostedSuppressions | url | The URL to the Retire JS repository. | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml -hostedSuppressions | validForHours | The number of hours to wait before checking for new updates of the hosted suppressions file . | 2 +hostedSuppressions | enabled | Whether the hosted suppressions file will be used. | true | +hostedSuppressions | forceupdate | Sets whether hosted suppressions file will update regardless of the `autoupdate` setting. | false | +hostedSuppressions | url | The URL to the Retire JS repository. | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml | +hostedSuppressions | validForHours | The number of hours to wait before checking for new updates of the hosted suppressions file . | 2 | #### Example ```groovy diff --git a/src/site/markdown/dependency-check-gradle/configuration.md b/src/site/markdown/dependency-check-gradle/configuration.md index 22215f35595..3652e407232 100644 --- a/src/site/markdown/dependency-check-gradle/configuration.md +++ b/src/site/markdown/dependency-check-gradle/configuration.md 
@@ -29,7 +29,6 @@ Property | Description ---------------------|----------------------------------------------------------------------------------------------------------------------|------------------ autoUpdate | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true analyzedTypes | The default artifact types that will be analyzed. | ['jar', 'aar', 'js', 'war', 'ear', 'zip'] -cveValidForHours | Sets the number of hours to wait before checking for new updates from the NVD. | 4 format | The report format to be generated (HTML, XML, CSV, JSON, JUNIT, ALL). | HTML formats | A list of report formats to be generated (HTML, XML, CSV, JSON, JUNIT, ALL). |   junitFailOnCVSS | If using the JUNIT report format the junitFailOnCVSS sets the CVSS score threshold that is considered a failure. | 0 
@@ -64,18 +63,16 @@ Please see https://docs.gradle.org/current/userguide/build_environment.html#sec: ### Advanced Configuration -The following properties can be configured in the dependencyCheck task. However, they are less frequently changed. One exception -may be the cve Url properties, which can be used to host a mirror of the NVD within an enterprise environment. When mirroring the -NVD you must mirror the *.json.gz and the *.meta files. Note, if ANY of the cve Url configurations are set - they should both be set to ensure things work as expected. +The following properties can be configured in the dependencyCheck task. However, they are less frequently changed. Config Group | Property | Description | Default Value -------------|-------------------|----------------------------------------------------------------------------------------------------------------------|------------------ -cve | urlModified | URL for the modified CVE JSON data feed. When mirroring the NVD you must mirror the *.json.gz and the *.meta files. | https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz | -cve | urlBase | Base URL for each year's CVE JSON data feed, the %d will be replaced with the year. | https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-%d.json.gz | -cve | waitTime | The time in milliseconds to wait between downloads from the NVD. | 4000 | -cve | startYear | The first year of NVD CVE data to download from the NVD. | 2002 | -cve | user | The user to authenticate (to a proxy/mirror) for download of CVE datastreams. |   | -cve | password | The password to authenticate (to a proxy/mirror) for download of CVE datastreams. |   | +nvd | apiKey | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key |   | +nvd | delay | The number of milliseconds to wait between calls to the NVD API. 
|   | +nvd | datafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data |   | +nvd | datafeedUser | Credentials used for basic authentication for the NVD API Data feed. |   | +nvd | datafeedPassword | Credentials used for basic authentication for the NVD API Data feed. |   | +nvd | validForHours | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours. | 4 | data | directory | Sets the data directory to hold SQL CVEs contents. This should generally not be changed. |   | data | driver | The name of the database driver. Example: org.h2.Driver. |   | data | driverPath | The path to the database driver JAR file; only used if the driver is not in the class path. |   |
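Review bot: in the ant/src/site/markdown/config-update.md Advanced Configuration hunk, dropping the sentence about hosting an NVD mirror inside an enterprise removes the only pointer to how an air-gapped or proxied build is still supported, while the new nvdDatafeedUrl/nvdUser/nvdPassword rows are exactly that replacement. Keep one sentence in the intro, e.g. `One exception may be the nvdDatafeedUrl properties, which can point at a locally cached copy of the NVD API data.` Separately, the nvdApiDelay row has an empty Default Value cell where the replaced cveWaitTime row stated 4000; state the delay applied when the property is unset, or say explicitly that none is applied, so operators hitting NVD rate limits know what to tune.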
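Review bot: the ant/src/site/markdown/configuration.md hunk that deletes `cveValidForHours` from the main property table (and the matching deletions of the cve* rows in every other file of this patch) removes the old names without any migration note, so an existing build file that still sets cveValidForHours, cveUrlModified or cveStartYear will either fail or be silently ignored with no hint in the docs. Add a short "renamed properties" note (cveValidForHours is now nvdValidForHours, cveUrlModified/cveUrlBase are replaced by nvdDatafeedUrl, cveWaitTime by nvdApiDelay, cveUser/cvePassword by nvdUser/nvdPassword) near the first table, or at least flag the rename in the intro of the Advanced Configuration section.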
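Review bot: in the ant/src/site/markdown/configuration.md Advanced Configuration hunk, nvdUser and nvdPassword carry the identical description "Credentials used for basic authentication for the NVD API Data feed", so the table never says which one is the username; use `The username used for basic authentication to the NVD API data feed.` and `The password used for basic authentication to the NVD API data feed.` The nvdDatafeedUrl description "The URL for the NVD API Data feed that can be generated using …" also reads as if the URL itself is generated; what the linked vulnz page generates is the cached data, so reword to `URL of a locally cached copy of the NVD API data; see … for how to generate the cache.` The same two wording fixes apply to the identical rows in config-update.md, the maven configuration.md and the three gradle pages.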
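Review bot: in cli/src/main/resources/completion-for-dependency-check.sh, the changed line now carries two flags, `--nvdApiKey --nvdDatafeed`, while every other entry in the surrounding list is one flag per line; split it. The completion list is also missing `--nvdApiDelay` and `--nvdValidForHours`, both of which cli/src/site/markdown/arguments.md adds in this same patch, so tab completion will not offer them; add both next to the other --nvd* flags.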
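Review bot: in the cli/src/site/markdown/arguments.md Advanced Options hunk, the `--nvdApiDelay` row fuses the Parameter cell with the description (`\| The number of milliseconds`), a defect copied from the old `--cveDownloadWait` row, so that row renders with one cell fewer than its neighbours; put a space before the pipe like the rows around it. The flag is named `--nvdDatafeed` here while ant and maven call the same setting `nvdDatafeedUrl` and gradle `datafeedUrl`; either align the CLI name or state the mapping, since this page already warns that property-file keys differ from argument names. Finally, `--nvdApiKey` is a credential: the row should advise supplying it through the `--propertyfile` mechanism documented two rows below rather than on the command line, where it lands in shell history and is visible in process listings on a shared CI runner.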
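Review bot: in the maven/src/site/markdown/configuration.md Advanced Configuration hunk, the new nvdUser and nvdPassword rows drop the "Must be empty if …ServerId is specified and should be used" caveat that the replaced cveUser/cvePassword rows had and that suppressionFileUser/suppressionFilePassword still carry two rows below; restore it against nvdDatafeedServerId so the precedence between inline credentials and settings.xml is documented consistently. nvdApiServerId says the server entry's password is used as the API key but not what the username field should contain; say so, and point out that settings.xml is the right place for the key precisely because it keeps it out of the pom. The connectionTimeout and readTimeout lines change only in whitespace; drop that churn from the patch.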
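Review bot: in the src/site/markdown/dependency-check-gradle/configuration-aggregate.md Advanced Configuration hunk, the hunk header context shows the file still contains "Note, if ANY of the cve configuration group are set - they should all be set to …", which now refers to a group this patch deletes; the configuration-update.md hunk in the same patch removes that sentence and rewrites the intro, so do the same here. Also note that this page names the feed credentials `datafeedUser`/`datafeedPassword` while ant and maven use `nvdUser`/`nvdPassword`; if the difference is intentional, the descriptions should at least match word for word so readers can map them.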
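Review bot: in the src/site/markdown/dependency-check-gradle/configuration-update.md Example hunk, replacing `cveValidForHours=1` with `failOnError=true` turns the example into one that sets the documented default, which teaches nothing. If the intent was to keep an example of shortening the update interval, show the replacement setting, `validForHours` under the nvd group that this same file documents in its Advanced Configuration section; otherwise use `failOnError=false`, the non-default value a user would actually set.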
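Review bot: in the src/site/markdown/dependency-check-gradle/configuration-update.md Advanced Configuration hunk, the hostedSuppressions rows are touched only to add trailing pipes, yet the `url` row still reads "The URL to the Retire JS repository" while its default is `https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml`; fix the description to `The URL of the hosted suppressions file.` while the row is being edited. The same wrong description almost certainly exists in the sibling gradle pages; check them in the same pass.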