Try fix CVE scan

Author: MatKuhr

.github/workflows/fosstars-report.yml

@@ -1,6 +1,11 @@
 name: "Fosstars (Security)"
 on:
   workflow_dispatch:
+    inputs:
+      branch:
+        description: "Branch to create the report for"
+        required: true
+        default: "main"
   schedule:
     - cron: '42 03 * * MON-FRI' # 03:42 on weekdays, a somewhat random time to avoid producing load spikes on the GH actions infrastructure
 
@@ -18,6 +23,8 @@ jobs:
     steps:
       - name: "Checkout repository"
         uses: actions/checkout@v4
+        with:
+          ref: refs/heads/${{ github.event.inputs.branch }}
 
       - name: "Setup java"
         uses: actions/setup-java@v4
@@ -38,12 +45,6 @@ jobs:
           MVN_ARGS="${{ env.MVN_MULTI_THREADED_ARGS }} clean install -DskipTests -DskipFormatting"
           mvn $MVN_ARGS
 
-      - name: "Fosstars Rating"
-        uses: SAP/[email protected]
-        with:
-          report-branch: fosstars-report
-          token: ${{ secrets.GITHUB_TOKEN }}
-
       - name: "CVE Scan"
         env:
           NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
@@ -73,13 +74,19 @@ jobs:
           path: ${{ env.CVE_CACHE_DIR }}
           key: ${{ env.CVE_CACHE_KEY }}
 
-      - name: "Slack Notification"
-        if: failure()
-        uses: slackapi/[email protected]
+      - name: "Fosstars Rating"
+        uses: SAP/[email protected]
         with:
-          webhook: ${{ secrets.SLACK_WEBHOOK }}
-          webhook-type: incoming-webhook
-          payload: |
-            {
-              "text": "⚠️ OWASP Dependency check failed! 😬 Please inspect & fix by clicking <https://github.com/SAP/ai-sdk-java/actions/runs/${{ github.run_id }}|here>"
-            }
+          report-branch: fosstars-report
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      # - name: "Slack Notification"
+      #   if: failure()
+      #   uses: slackapi/[email protected]
+      #   with:
+      #     webhook: ${{ secrets.SLACK_WEBHOOK }}
+      #     webhook-type: incoming-webhook
+      #     payload: |
+      #       {
+      #         "text": "⚠️ OWASP Dependency check failed! 😬 Please inspect & fix by clicking <https://github.com/SAP/ai-sdk-java/actions/runs/${{ github.run_id }}|here>"
+      #       }

pom.xml

@@ -594,9 +594,7 @@ https://gitbox.apache.org/repos/asf?p=maven-pmd-plugin.git;a=blob_plain;f=src/ma
           <connectionTimeout>60000</connectionTimeout>
           <nvdMaxRetryCount>20</nvdMaxRetryCount>
           <failBuildOnCVSS>7</failBuildOnCVSS>
-          <!-- Using the https://mirror.cveb.in mirror because NVD is too slow.
-           For more information see this discussion: https://github.com/jeremylong/DependencyCheck/issues/7180#issuecomment-2500914164 -->
-          <nvdDatafeedUrl>https://mirror.cveb.in/nvd/json/cve/1.1/nvdcve-1.1-{0}.json.gz</nvdDatafeedUrl>
+          <nvdApiKeyEnvironmentVariable>NVD_API_KEY</nvdApiKeyEnvironmentVariable>
           <suppressionFile>${project.rootdir}/.pipeline/dependency-check-suppression.xml</suppressionFile>
           <nvdValidForHours>46</nvdValidForHours>
           <skipProvidedScope>true</skipProvidedScope>