@@ -151,6 +151,21 @@ A Dependency Check is a quite long operation and therefore the job is configured
However, if you want to enable an automatic Dependency-Check scan, you will have to override the `rules` keyword for the `mvn-dependency-check` job.
Dependency-Check fetches its vulnerbility database from the NVD API which has rate limiting. Using an NVD API key, the rate limit is higher which reduces the execution time of Dependency-Check.
In order to configure an NVD API key you need to:
* Set the `NVD_API_KEY` variable with your NVD API key. :warning: This is a sensitive value, so we recommend you add it as a **masked** Gitlab variable
* Add `-DnvdApiKey=$NVD_API_KEY` to `MAVEN_DEPENDENCY_CHECK_ARGS`
In case your Gitlab runners cannot contact the NVD API (e.g. if they are not allowed to connect to the Internet), you can maintain a local data feed cache with the [vulnz](https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz) tool.
In order to configure Dependency-Check to fetch the vulnerabilities from your cache you need to:
* Run the [vulnz](https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz) tool in order to fetch the vulnerabilities and store them as data feeds (the data feeds will be stored as JSON files with the NVD Vulnerability Data API version 2.0 schema)
* Make these data feeds accessible via a URL reachable by your Gitlab runners
* Add `-DnvdDatafeedUrl=https://URL-OF-LOCAL-CACHE` to `MAVEN_DEPENDENCY_CHECK_ARGS`
Furthermore, if you want to upload Dependency-Check reports to SonarQube, you have to:
* Move `mvn-dependency-check` to the `build` stage
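Review bot: The NVD API key bullet recommends a masked variable but then interpolates it into `MAVEN_DEPENDENCY_CHECK_ARGS` as `-DnvdApiKey=$NVD_API_KEY`, so the key ends up on the Maven command line of the job; it would be worth stating that masking only redacts the value from job logs and that the variable should also be marked protected so the key is not available to pipelines on unprotected branches or merge requests. Two wording nits in the same text: "vulnerbility" in the sentence about the NVD API should read "vulnerability", and "Gitlab" (NVD API key bullet, vulnz paragraph, data-feed bullet) should be "GitLab" to match the product name. The sentence "you will have to override the `rules` keyword for the `mvn-dependency-check` job" would be more actionable with a short `rules:` snippet, since the reader is otherwise left to guess what value triggers the automatic scan. The closing list under "upload Dependency-Check reports to SonarQube" ends after the first bullet in this hunk; if further steps exist, confirm they are included in the patch.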