feat: Enable configuration of a lower resultsPerPage on NVD API (#6843)
aikebah committed Jul 16, 2024
1 parent ed0e8cb commit ffbc6d8
Showing 13 changed files with 66 additions and 1 deletion.
24 changes: 24 additions & 0 deletions ant/src/main/java/org/owasp/dependencycheck/taskdefs/Update.java
Expand Up @@ -70,6 +70,11 @@ public class Update extends Purge {
*/
private int nvdApiDelay = 0;

/**
* The number of records per page of NVD API data.
*/
private Integer nvdApiResultsPerPage;

/**
* The Proxy Server.
*/
Expand Down Expand Up @@ -287,6 +292,24 @@ public void setNvdApiDelay(int nvdApiDelay) {
this.nvdApiDelay = nvdApiDelay;
}

/**
* Get the value of nvdApiResultsPerPage.
*
* @return the value of nvdApiResultsPerPage
*/
public int getNvdApiResultsPerPage() {
return nvdApiResultsPerPage;
}

/**
* Set the value of nvdApiResultsPerPage.
*
* @param nvdApiResultsPerPage new value of nvdApiResultsPerPage
*/
public void setApiResultsPerPage(int nvdApiResultsPerPage) {
this.nvdApiResultsPerPage = nvdApiResultsPerPage;
}

/**
* Get the value of proxyServer.
*
Expand Down Expand Up @@ -620,6 +643,7 @@ protected void populateSettings() throws BuildException {
getSettings().setStringIfNotEmpty(Settings.KEYS.NVD_API_KEY, nvdApiKey);
getSettings().setStringIfNotEmpty(Settings.KEYS.NVD_API_ENDPOINT, nvdApiEndpoint);
getSettings().setIntIfNotNull(Settings.KEYS.NVD_API_DELAY, nvdApiDelay);
getSettings().setIntIfNotNull(Settings.KEYS.NVD_API_RESULTS_PER_PAGE, nvdApiResultsPerPage);
getSettings().setStringIfNotEmpty(Settings.KEYS.NVD_API_DATAFEED_URL, nvdDatafeedUrl);
getSettings().setStringIfNotEmpty(Settings.KEYS.NVD_API_DATAFEED_USER, nvdUser);
getSettings().setStringIfNotEmpty(Settings.KEYS.NVD_API_DATAFEED_PASSWORD, nvdPassword);
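Review bot: `getNvdApiResultsPerPage()` declares an `int` return but unboxes the `Integer` field `nvdApiResultsPerPage`, which stays null unless the attribute is set, so calling the getter on an unconfigured task throws a NullPointerException; change it to `public Integer getNvdApiResultsPerPage()` so the absent case stays representable, matching the `setIntIfNotNull` call in populateSettings. The setter is named `setApiResultsPerPage` while the attribute documented in config-update.md is `nvdApiResultsPerPage`; Ant resolves build-file attributes to setters by name, so the documented attribute would presumably not be recognised — rename it to `public void setNvdApiResultsPerPage(int nvdApiResultsPerPage)`. The Javadoc on both accessors should also state the accepted range [1, 2000] that the CLI front end validates, since this task applies no check of its own. populateSettings continues outside the hunk.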
1 change: 1 addition & 0 deletions ant/src/site/markdown/config-update.md
Expand Up @@ -38,6 +38,7 @@ nvdApiKey | The API Key to access the NVD API; obtained from https://
nvdApiEndpoint | The NVD API endpoint URL; setting this is uncommon. | https://services.nvd.nist.gov/rest/json/cves/2.0
nvdMaxRetryCount | The maximum number of retry requests for a single call to the NVD API. | 10
nvdApiDelay | The number of milliseconds to wait between calls to the NVD API. | 3500 with an NVD API Key or 8000 without an API Key
nvdApiResultsPerPage | The number records for a single page from NVD API (must be <=2000). | 2000
nvdDatafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data - example value `https://internal.server/cache/nvdcve-{0}.json.gz` | &nbsp;
nvdUser | Credentials used for basic authentication for the NVD API Data feed. | &nbsp;
nvdPassword | Credentials used for basic authentication for the NVD API Data feed. | &nbsp;
1 change: 1 addition & 0 deletions ant/src/site/markdown/configuration.md
Expand Up @@ -148,6 +148,7 @@ nvdApiKey | The API Key to access the NVD API; obtained from https://
nvdApiEndpoint | The NVD API endpoint URL; setting this is uncommon. | https://services.nvd.nist.gov/rest/json/cves/2.0
nvdMaxRetryCount | The maximum number of retry requests for a single call to the NVD API. | 10
nvdApiDelay | The number of milliseconds to wait between calls to the NVD API. | 3500 with an NVD API Key or 8000 without an API Key
nvdApiResultsPerPage | The number records for a single page from NVD API (must be <=2000). | 2000
nvdDatafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data - example value `https://internal.server/cache/nvdcve-{0}.json.gz` | &nbsp;
nvdUser | Credentials used for basic authentication for the NVD API Data feed. | &nbsp;
nvdPassword | Credentials used for basic authentication for the NVD API Data feed. | &nbsp;
1 change: 1 addition & 0 deletions cli/src/main/java/org/owasp/dependencycheck/App.java
Expand Up @@ -661,6 +661,7 @@ protected void populateSettings(CliParser cli) throws InvalidSettingException {
settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_ENDPOINT,
cli.getStringArgument(CliParser.ARGUMENT.NVD_API_ENDPOINT));
settings.setIntIfNotNull(Settings.KEYS.NVD_API_DELAY, cli.getIntegerValue(CliParser.ARGUMENT.NVD_API_DELAY));
settings.setIntIfNotNull(Settings.KEYS.NVD_API_RESULTS_PER_PAGE, cli.getIntegerValue(CliParser.ARGUMENT.NVD_API_RESULTS_PER_PAGE));
settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_DATAFEED_URL, cli.getStringArgument(CliParser.ARGUMENT.NVD_API_DATAFEED_URL));
settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_DATAFEED_USER, cli.getStringArgument(CliParser.ARGUMENT.NVD_API_DATAFEED_USER));
settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_DATAFEED_PASSWORD, cli.getStringArgument(CliParser.ARGUMENT.NVD_API_DATAFEED_PASSWORD));
17 changes: 17 additions & 0 deletions cli/src/main/java/org/owasp/dependencycheck/CliParser.java
Expand Up @@ -148,6 +148,17 @@ private void validateArgs() throws FileNotFoundException, ParseException {
throw new ParseException("Invalid Setting: nvdApiDelay must be a number greater than or equal to 0.");
}
}
value = line.getOptionValue(ARGUMENT.NVD_API_RESULTS_PER_PAGE);
if (value != null) {
try {
final int i = Integer.parseInt(value);
if (i <= 0 || i > 2000) {
throw new ParseException("Invalid Setting: nvdApiResultsPerPage must be a number in the range [1, 2000].");
}
} catch (NumberFormatException ex) {
throw new ParseException("Invalid Setting: nvdApiResultsPerPage must be a number in the range [1, 2000].");
}
}
}
if (isRunScan()) {
validatePathExists(getScanFiles(), ARGUMENT.SCAN);
Expand Down Expand Up @@ -353,6 +364,8 @@ private void addAdvancedOptions(final Options options) {
"Only update the local NVD data cache; no scan will be executed."))
.addOption(newOptionWithArg(ARGUMENT.NVD_API_DELAY, "milliseconds",
"Time in milliseconds to wait between downloading from the NVD."))
.addOption(newOptionWithArg(ARGUMENT.NVD_API_RESULTS_PER_PAGE, "count",
"The number records for a single page from NVD API (must be <=2000)."))
.addOption(newOptionWithArg(ARGUMENT.NVD_API_ENDPOINT, "endpoint",
"The NVD API Endpoint - setting this is rare."))
.addOption(newOptionWithArg(ARGUMENT.NVD_API_DATAFEED_URL, "url",
Expand Down Expand Up @@ -1163,6 +1176,10 @@ public static class ARGUMENT {
* The time in milliseconds to wait between downloading NVD API data.
*/
public static final String NVD_API_DELAY = "nvdApiDelay";
/**
* The number records for a single page from NVD API.
*/
public static final String NVD_API_RESULTS_PER_PAGE = "nvdApiResultsPerPage";
/**
* The short CLI argument name for setting the location of the data
* directory.
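Review bot: The help text added in addAdvancedOptions says `(must be <=2000)` while validateArgs rejects anything outside [1, 2000], so a user passing 0 gets an error the usage text never announced; align it to `"The number of records for a single page from the NVD API (must be in the range [1, 2000])."`. The bound 2000 is a bare literal in the range check, in the two identical ParseException messages, and again as RESULTS_PER_PAGE in NvdApiDataSource; a `private static final int NVD_API_MAX_RESULTS_PER_PAGE = 2000;` in CliParser, with the message text built from it, keeps the check and the wording from drifting apart. Both validateArgs and addAdvancedOptions continue outside their hunks.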
1 change: 1 addition & 0 deletions cli/src/site/markdown/arguments.md
Expand Up @@ -31,6 +31,7 @@ Advanced Options
| | \-\-nvdApiEndpoint | \<endpoint\> | The NVD API endpoint URL; setting this is uncommon. | https://services.nvd.nist.gov/rest/json/cves/2.0 |
| | \-\-nvdMaxRetryCount | \<count\> | The maximum number of retry requests for a single call to the NVD API. | 10 |
| | \-\-nvdApiDelay | \<milliseconds\>| The number of milliseconds to wait between calls to the NVD API. | 3500 with an NVD API Key or 8000 without an API Key |
| | \-\-nvdApiResultsPerPage | \<number\> | The number records for a single page from NVD API (must be <=2000). | 2000 |
| | \-\-nvdDatafeed | \<url\> | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data - example value `https://internal.server/cache/nvdcve-{0}.json.gz` | &nbsp; |
| | \-\-nvdUser | \<username\> | Credentials used for basic authentication for the NVD API Data feed. | &nbsp; |
| | \-\-nvdPassword | \<password\> | Credentials used for basic authentication for the NVD API Data feed. | &nbsp; |
Expand Up @@ -319,7 +319,10 @@ private boolean processApi() throws UpdateException {
+ "an NVD API key as the update can take a VERY long time without an API Key");
builder.withDelay(10000);
}
builder.withResultsPerPage(RESULTS_PER_PAGE);

final int resultsPerPage = Math.min(settings.getInt(Settings.KEYS.NVD_API_RESULTS_PER_PAGE, RESULTS_PER_PAGE), RESULTS_PER_PAGE);

builder.withResultsPerPage(resultsPerPage);
//removed due to the virtualMatch filter causing overhead with the NVD API
//final String virtualMatch = settings.getString(Settings.KEYS.CVE_CPE_STARTS_WITH_FILTER);
//if (virtualMatch != null) {
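Review bot: The new `Math.min(...)` on the results-per-page value enforces only the upper bound, so a zero or negative `nvd.api.results.per.page` — which the Ant (Update.java) and Maven (BaseDependencyCheckMojo) front ends in this commit pass through via setIntIfNotNull without any range check, unlike the CLI — reaches `builder.withResultsPerPage` unchanged. Clamp both ends, e.g. `final int configured = settings.getInt(Settings.KEYS.NVD_API_RESULTS_PER_PAGE, RESULTS_PER_PAGE);` followed by `final int resultsPerPage = Math.max(1, Math.min(configured, RESULTS_PER_PAGE));`, or reject an out-of-range value with the UpdateException the method already declares. Silently adjusting a configured value is hard to diagnose later, so a warning log when `configured != resultsPerPage` would be worth adding. processApi starts and ends outside the hunk.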
Expand Up @@ -992,6 +992,13 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
@Parameter(property = "nvdApiDelay")
private Integer nvdApiDelay;

/**
* The number records for a single page from NVD API (must be <=2000).
*/
@SuppressWarnings("CanBeFinal")
@Parameter(property = "nvdApiResultsPerPage")
private Integer nvdApiResultsPerPage;

/**
* The path to dotnet core.
*/
Expand Down Expand Up @@ -2354,6 +2361,7 @@ protected void populateSettings() {
settings.setStringIfNotEmpty(Settings.KEYS.DB_FILE_NAME, dbFilename);
settings.setStringIfNotNull(Settings.KEYS.NVD_API_ENDPOINT, nvdApiEndpoint);
settings.setIntIfNotNull(Settings.KEYS.NVD_API_DELAY, nvdApiDelay);
settings.setIntIfNotNull(Settings.KEYS.NVD_API_RESULTS_PER_PAGE, nvdApiResultsPerPage);
settings.setStringIfNotEmpty(Settings.KEYS.NVD_API_DATAFEED_URL, nvdDatafeedUrl);
settings.setIntIfNotNull(Settings.KEYS.NVD_API_VALID_FOR_HOURS, nvdValidForHours);
settings.setIntIfNotNull(Settings.KEYS.NVD_API_MAX_RETRY_COUNT, nvdMaxRetryCount);
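Review bot: The Javadoc on `nvdApiResultsPerPage` documents only the upper bound `(must be <=2000)`, while the CLI in this same commit rejects values below 1 and the Maven value is handed to the settings through `setIntIfNotNull` with no check at all, so the parameter's actual contract is not stated anywhere a plugin user would see it. Suggested wording: `The number of records per page requested from the NVD API (must be in the range [1, 2000]); values above 2000 are reduced to 2000.` The class declaration and populateSettings both continue outside their hunks.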
1 change: 1 addition & 0 deletions maven/src/site/markdown/configuration.md
Expand Up @@ -150,6 +150,7 @@ nvdApiEndpoint | The NVD API endpoint URL; setting this is uncommon.
nvdApiServerId | The id of a server defined in the settings.xml that configures the credentials (password is used as ApiKey) for accessing the NVD API. | &nbsp; |
nvdMaxRetryCount | The maximum number of retry requests for a single call to the NVD API. | 10 |
nvdApiDelay | The number of milliseconds to wait between calls to the NVD API. | 3500 with an NVD API Key or 8000 without an API Key . |
nvdApiResultsPerPage | The number records for a single page from NVD API (must be <=2000). | 2000 |
nvdDatafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data - example value `https://internal.server/cache/nvdcve-{0}.json.gz` | &nbsp; |
nvdDatafeedServerId | The id of a server defined in the settings.xml that configures the credentials (username and password) for accessing the NVD API Data feed.| &nbsp; |
nvdUser | Credentials used for basic authentication for the NVD API Data feed. | &nbsp; |
Expand Up @@ -88,6 +88,7 @@ nvd | apiKey | The API Key to access the NVD API; obtained f
nvd | endpoint | The NVD API endpoint URL; setting this is uncommon. | https://services.nvd.nist.gov/rest/json/cves/2.0 |
nvd | maxRetryCount | The maximum number of retry requests for a single call to the NVD API. | 10 |
nvd | delay | The number of milliseconds to wait between calls to the NVD API. | 3500 with an NVD API Key or 8000 without an API Key |
nvd | resultsPerPage | The number records for a single page from NVD API (must be <=2000). | 2000 |
nvd | datafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data | &nbsp; |
nvd | datafeedUser | Credentials used for basic authentication for the NVD API Data feed. | &nbsp; |
nvd | datafeedPassword | Credentials used for basic authentication for the NVD API Data feed. | &nbsp; |
Expand Up @@ -66,6 +66,7 @@ nvd | apiKey | The API Key to access the NVD API; obtained f
nvd | endpoint | The NVD API endpoint URL; setting this is uncommon. | https://services.nvd.nist.gov/rest/json/cves/2.0 |
nvd | maxRetryCount | The maximum number of retry requests for a single call to the NVD API. | 10 |
nvd | delay | The number of milliseconds to wait between calls to the NVD API. | 3500 with an NVD API Key or 8000 without an API Key . |
nvd | resultsPerPage | The number records for a single page from NVD API (must be <=2000). | 2000 |
nvd | datafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data | &nbsp; |
nvd | datafeedUser | Credentials used for basic authentication for the NVD API Data feed. | &nbsp; |
nvd | datafeedPassword | Credentials used for basic authentication for the NVD API Data feed. | &nbsp; |
1 change: 1 addition & 0 deletions src/site/markdown/dependency-check-gradle/configuration.md
Expand Up @@ -70,6 +70,7 @@ nvd | apiKey | The API Key to access the NVD API; obtained f
nvd | endpoint | The NVD API endpoint URL; setting this is uncommon. | https://services.nvd.nist.gov/rest/json/cves/2.0 |
nvd | maxRetryCount | The maximum number of retry requests for a single call to the NVD API. | 10 |
nvd | delay | The number of milliseconds to wait between calls to the NVD API. | 3500 with an NVD API Key or 8000 without an API Key |
nvd | resultsPerPage | The number records for a single page from NVD API (must be <=2000). | 2000 |
nvd | datafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data | &nbsp; |
nvd | datafeedUser | Credentials used for basic authentication for the NVD API Data feed. | &nbsp; |
nvd | datafeedPassword | Credentials used for basic authentication for the NVD API Data feed. | &nbsp; |
Expand Up @@ -183,6 +183,11 @@ public static final class KEYS {
* updates.
*/
public static final String NVD_API_VALID_FOR_HOURS = "nvd.api.check.validforhours";
/**
* The properties key to control the results per page lower than NVD's default of 2000
* See #6863 for the rationale on allowing lower configurations.
*/
public static final String NVD_API_RESULTS_PER_PAGE = "nvd.api.results.per.page";
/**
* The properties key that indicates how often the NVD API data feed
* needs to be updated before a full refresh is evaluated.
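Review bot: The Javadoc on `NVD_API_RESULTS_PER_PAGE` runs two sentences together with no punctuation after `2000`, and it cites `#6863` while the commit title references `#6843`; if the former is the tracking issue and the latter the pull request that is fine, otherwise one of them is a typo worth correcting. Suggested wording: `The properties key to control the number of results requested per page from the NVD API; values lower than NVD's default of 2000 are permitted. See #6863 for the rationale on allowing lower configurations.` The KEYS class continues outside the hunk.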