cveUser and cvePass for dependency-check.sh CLI #3028
Comments
|
Sorry about the missing arguments. You can create a properties file with: cve.user=user
cve.password=passThen include the properties using the |
|
While the CLI argument is being added in the next release - I would recommend continuing to use the properties file to avoid storing credentials in the history... |
|
Awesome thank you @jeremylong do you have a link I can use to buy you a coffee/beer? |
|
@rjpearce only thing I have setup is GH sponsors: https://github.com/sponsors/jeremylong |
|
Thanks. @jeremylong I haven't been able to get it working using the properties file. I can see from the log output that cve.username and cve.password is being correctly picked up: cve.password='********' However it looks like when the request is made to the server no basic auth is added to request. User-Agent: Java/14.0.1 if I use curl the basic auth is present: Authorization: Basic dXNlcjpwdw== I have tried to follow the NvdCve updates through the code by I'm getting rather lost and confused. Let me know if there is more debugging I can do additional things to try. |
|
The CVE creds are used in two places: From there you can trace into the Downloader and eventually end up at: Which then calls: |
|
@rjpearce with the recent release - are you still having issues with the basic auth? |
|
Hi Jeremy, Thank you, Sorry for the slow response. We ended up not using Artifactory for our solution. We switched to a very simple solution by building a Docker container based on owasp/dependency-check that has runs dependency-check with --updateonly. This leverages depedency-checks existing ability to cache NVD data to build a daily docker image. We then tag the docker image and consume it in other CI/CD jobs. Below is the code I used to ascertain auth sanity: Source info: https://hub.docker.com/r/owasp/dependency-checkdocker pull owasp/dependency-check:$DC_VERSION
docker run --rm \
-e user=$USER \
-u $(id -u ${USER}):$(id -g ${USER}) \
--volume $(pwd):/src:z \
--volume "$DATA_DIRECTORY":/usr/share/dependency-check/data:z \
--volume $(pwd)/odc-reports:/report:z \
owasp/dependency-check:$DC_VERSION \
--scan /src \
--format "ALL" \
--project "$DC_PROJECT" \
--cveUser 'foo' \
--cvePassword 'secret' \
--cveUrlBase http://host.docker.internal:8000/nvdcve-1.1-%d.json.gz \
--cveUrlModified http://host.docker.internal:8000/nvdcve-1.1-modified.json.gz \
--out /reportA simple web serverimport http.server
import socketserver
import base64
class GetHandler(http.server.SimpleHTTPRequestHandler):
def do_GET(self):
expected_auth = b'Basic ' + base64.b64encode('{}:{}'.format('foo', 'secret').encode('ascii'))
actual_auth = self.headers.get('Authorization', '').encode('ascii')
if expected_auth == actual_auth:
print('Credentials valid')
else:
print('Credentials invalid')
print('Headers -------')
print(self.headers)
print('--------')
http.server.SimpleHTTPRequestHandler.do_GET(self)
PORT = 8000
Handler = GetHandler
with socketserver.TCPServer(("", PORT), Handler) as httpd:
print("Listening on port", PORT)
httpd.serve_forever()OutputListening on port 8000
**Credentials valid**
Headers -------
Authorization: Basic Zm9vOnNlY3JldA==
Accept-Encoding: gzip, deflate
User-Agent: Java/14.0.2
Host: host.docker.internal:8000
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive |
Hello,
I'm working on a mirror of NVD database in a JFrog/Artifactory artifactory repo which requires authorisation.
I have set the --cveUrlBase and --cveUrlModified correctly but there seems to be no way to set the username and password when using the CLI client.
In the Maven dependency check there is and setting.
Is there any way of setting these for the CLI client?
Thank you and Merry Christmas.
The text was updated successfully, but these errors were encountered: