feat: utilize nvd api (#363)

README.md

@@ -5,6 +5,11 @@
 The dependency-check gradle plugin allows projects to monitor dependent libraries for
 known, published vulnerabilities.
 
+## 9.0.0 Upgrade Notice
+
+**Breaking Changes** are included in the 9.0.0 release. Please see the [9.0.0 Upgrade Notice](https://github.com/jeremylong/DependencyCheck#900-upgrade-notice)
+on the primary dependency-check site for more information.
+
 ## Current Release
 
 The latest version is 
@@ -25,7 +30,7 @@ buildscript {
         mavenCentral()
     }
     dependencies {
-        classpath 'org.owasp:dependency-check-gradle:8.4.3'
+        classpath 'org.owasp:dependency-check-gradle:9.0.0'
     }
 }
 
@@ -62,7 +67,7 @@ buildscript {
     mavenCentral()
   }
   dependencies {
-    classpath 'org.owasp:dependency-check-gradle:8.4.3'
+    classpath 'org.owasp:dependency-check-gradle:9.0.0'
   }
 }
 
@@ -79,7 +84,7 @@ buildscript {
     mavenCentral()
   }
   dependencies {
-    classpath 'org.owasp:dependency-check-gradle:8.4.3'
+    classpath 'org.owasp:dependency-check-gradle:9.0.0'
   }
 }
 
@@ -108,7 +113,7 @@ subprojects {
 
 ```kotlin
 plugins {
-    id("org.owasp.dependencycheck") version "8.4.3" apply false 
+    id("org.owasp.dependencycheck") version "9.0.0" apply false 
 }
 
 allprojects {

build.gradle

@@ -17,7 +17,8 @@
  */
 
 ext {
-    odcVersion = '8.4.3'
+    odcVersion = '9.0.0'
+    openVulnClientVersion = '5.0.1'
     slackWebhookVersion = '1.4.0'
     spockCoreVersion = '2.3-groovy-3.0'
 }
@@ -58,13 +59,14 @@ repositories {
 
 dependencies {
     implementation(
-            localGroovy(),
-            gradleApi()
+        localGroovy(),
+        gradleApi()
     )
     api(
-            "org.owasp:dependency-check-core:$odcVersion",
-            "org.owasp:dependency-check-utils:$odcVersion",
-            "net.gpedro.integrations.slack:slack-webhook:$slackWebhookVersion"
+        "org.owasp:dependency-check-core:$odcVersion",
+        "org.owasp:dependency-check-utils:$odcVersion",
+        "io.github.jeremylong:open-vulnerability-clients:$openVulnClientVersion",
+        "net.gpedro.integrations.slack:slack-webhook:$slackWebhookVersion"
     )
 
     testImplementation gradleTestKit()

src/main/groovy/org/owasp/dependencycheck/gradle/extension/DependencyCheckExtension.groovy

@@ -61,7 +61,7 @@ class DependencyCheckExtension {
     /**
      * The configuration extension that defines the location of the NVD CVE data.
      */
-    CveExtension cve = new CveExtension()
+    NvdExtension nvd = new NvdExtension()
 
     /**
      * The configuration extension that configures the hosted suppressions file.
@@ -81,10 +81,6 @@ class DependencyCheckExtension {
      * Set to false if the proxy does not support HEAD requests. The default is true.
      */
     Boolean quickQueryTimestamp
-    /**
-     * The number of hours to wait before checking for additional updates from the NVD.
-     */
-    Integer cveValidForHours
     /**
      * The directory where the reports will be written. Defaults to 'build/reports'.
      */
@@ -235,12 +231,12 @@ class DependencyCheckExtension {
     }
 
     /**
-     * Allows programmatic configuration of the cve extension
-     * @param configClosure the closure to configure the cve extension
-     * @return the cve extension
+     * Allows programmatic configuration of the nvd extension
+     * @param configClosure the closure to configure the nvd extension
+     * @return the nvd extension
      */
-    def cve(Closure configClosure) {
-        return project.configure(cve, configClosure)
+    def nvd(Closure configClosure) {
+        return project.configure(nvd, configClosure)
     }
 
     /**

src/main/groovy/org/owasp/dependencycheck/gradle/extension/NvdExtension.groovy

@@ -0,0 +1,47 @@
+/*
+ * This file is part of dependency-check-gradle.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2023 Jeremy Long. All Rights Reserved.
+ */
+
+package org.owasp.dependencycheck.gradle.extension;
+
+@groovy.transform.CompileStatic
+class NvdExtension {
+    /**
+     * The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key.
+     */
+    String apiKey
+    /**
+     * The number of milliseconds to wait between calls to the NVD API.
+     */
+    Integer delay
+    /**
+     * The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data.
+     */
+    String datafeedUrl
+    /**
+     * Credentials used for basic authentication for the NVD API Data feed.
+     */
+    String datafeedUser
+    /**
+     * Credentials used for basic authentication for the NVD API Data feed.
+     */
+    String datafeedPassword
+    /**
+     * The number of hours to wait before checking for new updates from the NVD. The default is 4 hours.
+     */
+    Integer validForHours
+}

src/main/groovy/org/owasp/dependencycheck/gradle/tasks/AbstractAnalyze.groovy

@@ -246,8 +246,8 @@ abstract class AbstractAnalyze extends ConfiguredTask {
         Set<String> vulnerabilities = new HashSet<>();
         for (Dependency d : engine.getDependencies()) {
             for (Vulnerability v : d.getVulnerabilities()) {
-                if ((v.getCvssV2() != null && v.getCvssV2().getScore() >= config.failBuildOnCVSS)
-                        || (v.getCvssV3() != null && v.getCvssV3().getBaseScore() >= config.failBuildOnCVSS)
+                if ((v.getCvssV2() != null && v.getCvssV2().getCvssData() != null && v.getCvssV2().getCvssData().getBaseScore() >= config.failBuildOnCVSS)
+                        || (v.getCvssV3() != null && v.getCvssV3().getCvssData() != null && v.getCvssV3().getCvssData().getBaseScore() >= config.failBuildOnCVSS)
                         || (v.getUnscoredSeverity() != null && SeverityUtil.estimateCvssV2(v.getUnscoredSeverity()) >= config.failBuildOnCVSS)
                         //safety net to fail on any if for some reason the above misses on 0
                         || (config.failBuildOnCVSS <= 0.0f)) {

src/main/groovy/org/owasp/dependencycheck/gradle/tasks/ConfiguredTask.groovy

@@ -86,30 +86,20 @@ abstract class ConfiguredTask extends DefaultTask {
         settings.setStringIfNotEmpty(DB_CONNECTION_STRING, config.data.connectionString)
         settings.setStringIfNotEmpty(DB_USER, config.data.username)
         settings.setStringIfNotEmpty(DB_PASSWORD, config.data.password)
-        settings.setStringIfNotEmpty(CVE_MODIFIED_JSON, config.cve.urlModified)
-        settings.setStringIfNotEmpty(CVE_BASE_JSON, config.cve.urlBase)
-        settings.setIntIfNotNull(CVE_DOWNLOAD_WAIT_TIME, config.cve.waitTime)
-        if (config.cve.startYear != null) {
-            if (config.cve.startYear >= 2002) {
-                settings.setInt(CVE_START_YEAR, config.cve.startYear)
-            } else {
-                throw new InvalidUserDataException('Invalid setting: `cve.startYear` must be 2002 or greater')
-            }
-        }
-        if (config.cve.user && config.cve.password) {
-            settings.setStringIfNotEmpty(CVE_USER, config.cve.user)
-            settings.setStringIfNotEmpty(CVE_PASSWORD, config.cve.password)
+
+
+        settings.setStringIfNotEmpty(NVD_API_KEY, config.nvd.apiKey)
+        settings.setIntIfNotNull(NVD_API_DELAY, config.nvd.delay)
+        settings.setIntIfNotNull(NVD_API_VALID_FOR_HOURS, config.nvd.validForHours);
+
+        settings.setStringIfNotEmpty(NVD_API_DATAFEED_URL, config.nvd.datafeedUrl)
+        if (config.nvd.datafeedUser && config.nvd.datafeedPassword) {
+            settings.setStringIfNotEmpty(NVD_API_DATAFEED_USER, config.nvd.datafeedUser)
+            settings.setStringIfNotEmpty(NVD_API_DATAFEED_PASSWORD, config.nvd.datafeedPassword)
         }
 
         settings.setBooleanIfNotNull(DOWNLOADER_QUICK_QUERY_TIMESTAMP, config.quickQueryTimestamp)
         settings.setFloat(JUNIT_FAIL_ON_CVSS, config.junitFailOnCVSS)
-        if (config.cveValidForHours != null) {
-            if (config.cveValidForHours >= 0) {
-                settings.setInt(CVE_CHECK_VALID_FOR_HOURS, config.cveValidForHours)
-            } else {
-                throw new InvalidUserDataException('Invalid setting: `validForHours` must be 0 or greater')
-            }
-        }
         settings.setBooleanIfNotNull(HOSTED_SUPPRESSIONS_ENABLED, config.hostedSuppressions.enabled)
         settings.setBooleanIfNotNull(HOSTED_SUPPRESSIONS_FORCEUPDATE, config.hostedSuppressions.forceupdate)
         settings.setStringIfNotNull(HOSTED_SUPPRESSIONS_URL, config.hostedSuppressions.url)