fix: Use of NVD api 2.0 (fixes #3541) (#3544)

anthonyharrison · web-flow · commit c656c23ca43f · 2023-11-29T16:44:41.000-08:00
diff --git a/cve_bin_tool/cli.py b/cve_bin_tool/cli.py
@@ -550,7 +550,9 @@ def main(argv=None):
         args["nvd_api_key"] = os.getenv("NVD_API_KEY")
 
     if args["nvd_api_key"]:
-        nvd_type = "api"
+        if nvd_type != "api2":
+            LOGGER.debug(f"{nvd_type} - changing to api. API Key {args['nvd_api_key']}")
+            nvd_type = "api"
 
     # If you're not using an NVD key, let you know how to get one
     if nvd_type == "json-nvd" and not args["nvd_api_key"] and not args["offline"]:
diff --git a/cve_bin_tool/nvd_api.py b/cve_bin_tool/nvd_api.py
@@ -168,9 +168,14 @@ async def get_nvd_params(
         await self.validate_nvd_api()
 
         if self.invalid_api:
-            self.logger.warning(
-                f'Unable to access NVD using provided API key: {self.params["apiKey"]}'
-            )
+            if self.api_version == "1.0":
+                self.logger.warning(
+                    f'Unable to access NVD using provided API key: {self.params["apiKey"]}'
+                )
+            else:
+                self.logger.warning(
+                    f'Unable to access NVD using provided API key: {self.header["apiKey"]}'
+                )
         else:
             if time_of_last_update:
                 # Fetch all the updated CVE entries from the modified date. Subtracting 2-minute offset for updating cve entries
@@ -228,7 +233,11 @@ async def validate_nvd_api(self):
                 data = await response.json()
                 if data.get("error", False):
                     self.logger.error(f"NVD API error: {data['error']}")
-                    raise NVDKeyError(self.params["apiKey"])
+                    if self.api_version == "1.0":
+                        raise NVDKeyError(self.params["apiKey"])
+                    else:
+                        raise NVDKeyError(self.header["apiKey"])
+
         except aiohttp.ClientResponseError as client_err:
             self.logger.debug(f"Response {client_err}")
             self.invalid_api = True
@@ -240,6 +249,9 @@ async def validate_nvd_api(self):
             if self.api_version == "1.0":
                 del self.params["apiKey"]
                 self.api_key = ""
+            else:
+                del self.header["apiKey"]
+                self.api_key = ""
 
     async def load_nvd_request(self, start_index):
         """Get single NVD request and update year_wise_data list which contains list of all CVEs"""
