build(deps): bump io.github.jeremylong:open-vulnerability-clients from 7.3.2 to 9.0.2 (#7630)

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Chad Wilson <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Nicolas Humblot <[email protected]>
Co-authored-by: Chad Wilson <[email protected]>
Co-authored-by: Jeremy Long <[email protected]>

Author: 4 people

core/src/main/java/org/owasp/dependencycheck/data/update/NvdApiDataSource.java

@@ -315,12 +315,11 @@ private boolean processApi() throws UpdateException {
         if (key != null) {
             //using a higher delay as the system may not be able to process these faster.
             builder.withApiKey(key)
-                    .withDelay(5000)
-                    .withThreadCount(4);
+                    .withrequestsPerThirtySeconds(settings.getInt(Settings.KEYS.NVD_API_REQUESTS_PER_30_SECONDS_WITH_API_KEY, 50));
         } else {
             LOGGER.warn("An NVD API Key was not provided - it is highly recommended to use "
                     + "an NVD API key as the update can take a VERY long time without an API Key");
-            builder.withDelay(10000);
+            builder.withrequestsPerThirtySeconds(settings.getInt(Settings.KEYS.NVD_API_REQUESTS_PER_30_SECONDS_WITHOUT_API_KEY, 5));
         }
 
         final int resultsPerPage = Math.min(settings.getInt(Settings.KEYS.NVD_API_RESULTS_PER_PAGE, RESULTS_PER_PAGE), RESULTS_PER_PAGE);

core/src/main/resources/dependencycheck.properties

@@ -56,6 +56,12 @@ nvd.api.check.validforhours=4
 nvd.api.datafeed.validfordays=7
 nvd.api.max.retry.count=30
 nvd.api.delay=0
+
+# these are the default NVD API request limits - these can be set lower,
+# but the client used will not let you exceed these values
+nvd.api.requestsperthirtysecondswithoutapikey=5
+nvd.api.requestsperthirtysecondswithapikey=50
+
 #nvd.api.datafeed.url=https://example.com/nvd-cache/
 #nvd.api.datafeed.user=
 #nvd.api.datafeed.password=

core/src/test/resources/dependencycheck.properties

@@ -52,6 +52,8 @@ nvd.api.check.validforhours=4
 nvd.api.datafeed.validfordays=7
 nvd.api.max.retry.count=30
 nvd.api.delay=0
+nvd.api.requestsperthirtysecondswithoutapikey=5
+nvd.api.requestsperthirtysecondswithapikey=50
 #nvd.api.datafeed.url=https://example.com/nvd-cache/
 #nvd.api.datafeed.user=
 #nvd.api.datafeed.password=

pom.xml

@@ -924,7 +924,7 @@ Copyright (c) 2012 - Jeremy Long
             <dependency>
                 <groupId>io.github.jeremylong</groupId>
                 <artifactId>open-vulnerability-clients</artifactId>
-                <version>7.3.2</version>
+                <version>9.0.2</version>
             </dependency>
             <dependency>
                 <groupId>org.anarres.jdiagnostics</groupId>

utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java

@@ -173,6 +173,14 @@ public static final class KEYS {
          * The delay between requests for the NVD API.
          */
         public static final String NVD_API_DELAY = "nvd.api.delay";
+        /**
+         * The number of requests made to the NVD API per 30 seconds when no API KEY is provided.
+         */
+        public static final String NVD_API_REQUESTS_PER_30_SECONDS_WITHOUT_API_KEY = "nvd.api.requestsperthirtysecondswithoutapikey";
+        /**
+         * The number of requests made to the NVD API per 30 seconds when an API KEY is provided.
+         */
+        public static final String NVD_API_REQUESTS_PER_30_SECONDS_WITH_API_KEY = "nvd.api.requestsperthirtysecondswithapikey";
         /**
          * The maximum number of retry requests for a single call to the NVD
          * API.

utils/src/test/resources/dependencycheck.properties

@@ -52,6 +52,8 @@ nvd.api.check.validforhours=4
 nvd.api.datafeed.validfordays=7
 nvd.api.max.retry.count=30
 nvd.api.delay=0
+nvd.api.requestsperthirtysecondswithoutapikey=5
+nvd.api.requestsperthirtysecondswithapikey=50
 #nvd.api.datafeed.url=https://example.com/nvd-cache/
 #nvd.api.datafeed.user=
 #nvd.api.datafeed.password=