Try fix CVE scan (#225)

* Try fix CVE scan

* Revert temporary changes

Author: MatKuhr

.github/workflows/fosstars-report.yml

@@ -38,12 +38,6 @@ jobs:
           MVN_ARGS="${{ env.MVN_MULTI_THREADED_ARGS }} clean install -DskipTests -DskipFormatting"
           mvn $MVN_ARGS
 
-      - name: "Fosstars Rating"
-        uses: SAP/[email protected]
-        with:
-          report-branch: fosstars-report
-          token: ${{ secrets.GITHUB_TOKEN }}
-
       - name: "CVE Scan"
         env:
           NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
@@ -73,6 +67,13 @@ jobs:
           path: ${{ env.CVE_CACHE_DIR }}
           key: ${{ env.CVE_CACHE_KEY }}
 
+      # This action changes the active branch!
+      - name: "Fosstars Rating"
+        uses: SAP/[email protected]
+        with:
+          report-branch: fosstars-report
+          token: ${{ secrets.GITHUB_TOKEN }}
+
       - name: "Slack Notification"
         if: failure()
         uses: slackapi/[email protected]

pom.xml

@@ -594,9 +594,7 @@ https://gitbox.apache.org/repos/asf?p=maven-pmd-plugin.git;a=blob_plain;f=src/ma
           <connectionTimeout>60000</connectionTimeout>
           <nvdMaxRetryCount>20</nvdMaxRetryCount>
           <failBuildOnCVSS>7</failBuildOnCVSS>
-          <!-- Using the https://mirror.cveb.in mirror because NVD is too slow.
-           For more information see this discussion: https://github.com/jeremylong/DependencyCheck/issues/7180#issuecomment-2500914164 -->
-          <nvdDatafeedUrl>https://mirror.cveb.in/nvd/json/cve/1.1/nvdcve-1.1-{0}.json.gz</nvdDatafeedUrl>
+          <nvdApiKeyEnvironmentVariable>NVD_API_KEY</nvdApiKeyEnvironmentVariable>
           <suppressionFile>${project.rootdir}/.pipeline/dependency-check-suppression.xml</suppressionFile>
           <nvdValidForHours>46</nvdValidForHours>
           <skipProvidedScope>true</skipProvidedScope>