chore: [DevOps] Switch to Mirror for CVE Downloads (#202)

MatKuhr · CharlesDuboisSAP · web-flow · commit c9443a213701 · 2024-12-03T10:27:12.000+01:00
* Switch to cvebin mirror

* temporary cchange checkout action

* Update .github/workflows/fosstars-report.yml

* Update pom.xml

Co-authored-by: Charles Dubois &lt;103174266+CharlesDuboisSAP@users.noreply.github.com&gt;

---------

Co-authored-by: Charles Dubois &lt;103174266+CharlesDuboisSAP@users.noreply.github.com&gt;
diff --git a/.github/workflows/fosstars-report.yml b/.github/workflows/fosstars-report.yml
@@ -26,12 +26,12 @@ jobs:
           java-version: ${{ env.JAVA_VERSION }}
           cache: 'maven'
 
-      - name: Restore CVE Database
+      - name: "Restore CVE Database"
         uses: actions/cache/restore@v4
         with:
           path: ${{ env.CVE_CACHE_DIR }}
           key: ${{ env.CVE_CACHE_KEY }}
-#          fail-on-cache-miss: true
+          fail-on-cache-miss: true
 
       - name: "Build SDK"
         run: |
@@ -48,9 +48,16 @@ jobs:
         env:
           NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
         run: |
-          mvn -T1 --no-transfer-progress dependency-check:check
+          mvn -T1 --no-transfer-progress --batch-mode org.owasp:dependency-check-maven:check org.owasp:dependency-check-maven:aggregate
 
-      - name: Delete Old CVE Cache
+      - name: "Archive CVE Report"
+        uses: actions/upload-artifact@v4
+        with:
+          name: cve-report
+          path: target/dependency-check-report.html
+          retention-days: 7
+
+      - name: "Delete Old CVE Cache"
         run: |
           CACHE_IDS=$(gh cache list --key "${{ env.CVE_CACHE_KEY }}" --ref "${{ env.CVE_CACHE_REF }}" --json id | jq -r '.[] | .id')
           for CACHE_ID in $CACHE_IDS; do
@@ -60,7 +67,7 @@ jobs:
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Create Updated CVE Cache
+      - name: "Create Updated CVE Cache"
         uses: actions/cache/save@v4
         with:
           path: ${{ env.CVE_CACHE_DIR }}
diff --git a/pom.xml b/pom.xml
@@ -593,9 +593,11 @@ https://gitbox.apache.org/repos/asf?p=maven-pmd-plugin.git;a=blob_plain;f=src/ma
         <version>11.1.0</version>
         <configuration>
           <connectionTimeout>60000</connectionTimeout>
-          <nvdMaxRetryCount>10</nvdMaxRetryCount>
+          <nvdMaxRetryCount>20</nvdMaxRetryCount>
           <failBuildOnCVSS>7</failBuildOnCVSS>
-          <nvdApiKeyEnvironmentVariable>NVD_API_KEY</nvdApiKeyEnvironmentVariable>
+          <!-- Using the https://mirror.cveb.in mirror because NVD is too slow.
+           For more information see this discussion: https://github.com/jeremylong/DependencyCheck/issues/7180#issuecomment-2500914164 -->
+          <nvdDatafeedUrl>https://mirror.cveb.in/nvd/json/cve/1.1/nvdcve-1.1-{0}.json.gz</nvdDatafeedUrl>
           <suppressionFile>${project.rootdir}/.pipeline/dependency-check-suppression.xml</suppressionFile>
           <nvdValidForHours>46</nvdValidForHours>
           <skipProvidedScope>true</skipProvidedScope>
