feat: Allow to pass NVD API key via environment variable

[kwin]

Clarify precedence of API key plugin parameters in javadoc This closes #6443

Fixes Issue #6443

Have test cases been added to cover the new functionality?

no

[jeremylong]

It would likely be good to include a default env variable name - and if it exists use it.

[kwin]

@jeremylong Do you have a good idea for a default environment variable name?

The problem is eclipse-sisu/sisu.plexus#29 here, i.e. it is not easy to invalidate the default value. In order to deliberately not use the environment variable name with the default value one would need to provide an invalid environment name (as empty strings do not overwrite the default value). Also with the default value it is no longer clear what the intention of the user is (i.e. when to emit warnings/error in case of unassigned environment variables).

Given all that I would rather not give a default value.

[jeremylong]

Regarding the default environment variable name - why would it be a problem if there was a default? Do you think random machines using ODC would have an environment variable: NVD_API_KEY setup that isn't an NVD API KEY?

[kwin]

Do you think random machines using ODC would have an environment variable: NVD_API_KEY setup that isn't an NVD API KEY?

Unlikely but may happen. My concern is more that it becomes impossible to emit a proper warning in case something is not setup as it should be. With this PR the following sources are considered

1. explicit API key
2. API key from environment variable
3. API key in settings.xml in configured server id

Each option is only considered if the accoding plugin parameter is set.
Once you give 2 a default, that would always need to be considered and it is unclear under which circumstances a warning should be emitted if the API key cannot be found somewhere and what message it should contain...