The dependency-check-update task downloads and updates the local copy of the NVD.
There are several reasons that one may want to use this task; primarily, creating
an update that will be run only once a day or once every few days (but not greater
than 7 days) and then use the autoUpdate="false" setting on individual
dependency-check scans. See Internet Access Required
for more information on why this task would be used.
<target name="dependency-check-update" description="Dependency-Check Update">
<dependency-check-update />
</target>
The following properties can be set on the dependency-check-update task.
| Property | Description | Default Value |
|---|---|---|
| proxyServer | The Proxy Server; see the proxy configuration page for more information. | |
| proxyPort | The Proxy Port. | |
| proxyUsername | Defines the proxy user name. | |
| proxyPassword | Defines the proxy password. | |
| nonProxyHosts | Defines the hosts that will not be proxied. | |
| connectionTimeout | The URL Connection Timeout (in milliseconds). | 10000 |
| readtimeout | The URL Read Timeout (in milliseconds). | 60000 |
| failOnError | Whether the build should fail if there is an error executing the update | true |
The following properties can be configured in the plugin. However, they are less frequently changed.
| Property | Description | Default Value |
|---|---|---|
| nvdApiKey | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key | |
| nvdApiEndpoint | The NVD API endpoint URL; setting this is uncommon. | https://services.nvd.nist.gov/rest/json/cves/2.0 |
| nvdMaxRetryCount | The maximum number of retry requests for a single call to the NVD API. | 10 |
| nvdApiDelay | The number of milliseconds to wait between calls to the NVD API. | 3500 with an NVD API Key or 8000 without an API Key |
| nvdDatafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data - example value https://internal.server/cache/nvdcve-{0}.json.gz |
|
| nvdUser | Credentials used for basic authentication for the NVD API Data feed. | |
| nvdPassword | Credentials used for basic authentication for the NVD API Data feed. | |
| nvdValidForHours | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours. | 4 |
| dataDirectory | Data directory that is used to store the local copy of the NVD. This should generally not be changed. | data |
| databaseDriverName | The name of the database driver. Example: org.h2.Driver. | |
| databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | |
| connectionString | The connection string used to connect to the database. See using a database server. | |
| databaseUser | The username used when connecting to the database. | |
| databasePassword | The password used when connecting to the database. | |
| hostedSuppressionsEnabled | Whether the hosted suppression file will be used. | true |
| hostedSuppressionsUrl | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml |
| hostedSuppressionsValidForHours | Sets the number of hours to wait before checking for new updates of the hosted suppressions file | 2 |
| hostedSuppressionsForceUpdate | Sets whether the hosted suppressions file should update regardless of the autoupdate and validForHours settings |
false |