feat: Utilize NVD API

.github/workflows/build.yml

@@ -63,6 +63,7 @@ jobs:
         env:
           MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }}
           MAVEN_PASSWORD: ${{ secrets.OSSRH_TOKEN }}
+          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
         run: mvn -s settings.xml -Prelease clean package verify source:jar javadoc:jar gpg:sign deploy -DreleaseTesting --no-transfer-progress --batch-mode -Dgpg.passphrase=${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}
       - name: SARIF Multitool
         uses: microsoft/sarif-actions@v0.1

.github/workflows/pull_requests.yml

@@ -73,6 +73,8 @@ jobs:
           version: 6.0.2
       - name: Regression Test Maven Plugin
         id: build
+        env:
+          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
         run: |
             mvn -s settings.xml -pl utils,core,maven -am compile verify -DtestMavenPlugin -DreleaseTesting --no-transfer-progress --batch-mode
       - name: Archive IT test logs

.github/workflows/release.yml

@@ -74,6 +74,7 @@ jobs:
         env:
           MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }}
           MAVEN_PASSWORD: ${{ secrets.OSSRH_TOKEN }}
+          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
         run: |
           mvn -s settings.xml -Prelease "-DnexusUrl=https://oss.sonatype.org/" clean package source:jar javadoc:jar gpg:sign deploy site site:stage -DreleaseTesting --no-transfer-progress --batch-mode -Dgpg.passphrase=${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }} 
       - name: Archive code coverage results

README.md

@@ -8,15 +8,25 @@ Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to
 
 Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/). Additionally, more information about the architecture and ways to extend dependency-check can be found on the [wiki].
 
-## 8.0.0 Upgrade Notice
+## 9.0.0 Upgrade Notice
 
-8.0.0 contains breaking changes which requires updates to the database. If using
+### NVD API Key Highly Recommended
+
+With 9.0.0 dependency-check has moved from using the NVD data-feed to the NVD API.
+Users of dependency-check are **highly** encouraged to obtain an NVD API Key; see https://nvd.nist.gov/developers/request-an-api-key
+Without an NVD API Key dependency-check's updates will be **extremely slow**.
+Please see the documentation for the cli, maven, gradle, or ant integrations on
+how to set the NVD API key.
+
+### Breaking Changes
+
+9.0.0 contains breaking changes which requires updates to the database. If using
 an externally hosted database the schema will need to be updated. When using the
-embedded H2 database the schema should be upgraded automatically. However, if
+embedded H2 database, the schema should be upgraded automatically. However, if
 issues arise you may need to purge the database:
 
 - gradle: `./gradlew dependencyCheckPurge`
-- maven: `mvn org.owasp:dependency-check-maven:8.0.0:purge`
+- maven: `mvn org.owasp:dependency-check-maven:9.0.0:purge`
 - cli: `dependency-check.sh --purge`
 
 ## Requirements

ant/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>8.4.4-SNAPSHOT</version>
+        <version>9.0.0-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>

ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java

@@ -41,8 +41,8 @@
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.utils.SeverityUtil;
 import org.slf4j.impl.StaticLoggerBinder;
-//CSOFF: MethodCount
 
+//CSOFF: MethodCount
 /**
  * An Ant task definition to execute dependency-check during an Ant build.
  *
@@ -882,7 +882,7 @@ public Boolean isNuspecAnalyzerEnabled() {
      */
     public Boolean isNugetconfAnalyzerEnabled() {
         return nugetconfAnalyzerEnabled;
-    }    
+    }
 
     /**
      * Sets whether or not the analyzer is enabled.
@@ -2217,8 +2217,8 @@ private void checkForFailure(Dependency[] dependencies) throws BuildException {
         for (Dependency d : dependencies) {
             boolean addName = true;
             for (Vulnerability v : d.getVulnerabilities()) {
-                if ((v.getCvssV2() != null && v.getCvssV2().getScore() >= failBuildOnCVSS)
-                        || (v.getCvssV3() != null && v.getCvssV3().getBaseScore() >= failBuildOnCVSS)
+                if ((v.getCvssV2() != null && v.getCvssV2().getCvssData().getBaseScore() >= failBuildOnCVSS)
+                        || (v.getCvssV3() != null && v.getCvssV3().getCvssData().getBaseScore() >= failBuildOnCVSS)
                         || (v.getUnscoredSeverity() != null && SeverityUtil.estimateCvssV2(v.getUnscoredSeverity()) >= failBuildOnCVSS)
                         //safety net to fail on any if for some reason the above misses on 0
                         || (failBuildOnCVSS <= 0.0f)) {

ant/src/main/java/org/owasp/dependencycheck/taskdefs/Purge.java

@@ -133,10 +133,13 @@ public void setHostedSuppressionsUrl(final String hostedSuppressionsUrl) {
     }
 
     /**
-     * Sets the {@link Thread#getContextClassLoader() Thread Context Class Loader} to the one for this class,
-     * and then calls {@link #executeWithContextClassloader()}. This is done because the JCS cache needs to have
-     * the Thread Context Class Loader set to something that can resolve it's classes. Other build tools do this
-     * by default but Ant does not.
+     * Sets the
+     * {@link Thread#getContextClassLoader() Thread Context Class Loader} to the
+     * one for this class, and then calls
+     * {@link #executeWithContextClassloader()}. This is done because the JCS
+     * cache needs to have the Thread Context Class Loader set to something that
+     * can resolve it's classes. Other build tools do this by default but Ant
+     * does not.
      *
      * @throws BuildException throws if there is a problem. See
      * {@link #executeWithContextClassloader()} for details