Warning: "An NVD API Key was not provided..." #6561

Open
aliyevakhalida opened this issue Apr 2, 2024 · 2 comments

@aliyevakhalida

We've integrated dependency check into our pipeline. In one of the steps, we're using the following command:

```yaml
run: |
  gradle dependencyCheckAggregate \
    -PdependencyCheck.apiKey=${{ inputs.nvd-api-key }}
```

Despite this configuration, we're, most of the time, receiving the warning: "An NVD API Key was not provided - it is highly recommended to use an NVD API key as the update can take a VERY long time without an API Key." Are we missing something in our setup that's causing this warning to persist? We'd appreciate any insights or guidance on resolving this issue. Thank you.

Note: Despite receiving this warning, there were instances where the check completed successfully and did not take a significant amount of time.

@aikebah
Collaborator

aikebah commented Apr 7, 2024

Fairly certain you should read the documentation on the tools you use more closely.

http://jeremylong.github.io/DependencyCheck/dependency-check-gradle/configuration-update.html

Not a gradler myself, but I expect you would see no issue if your project-property included the config group in addition to the plugin and the property name.

So try `dependencyCheck.nvd.apiKey` instead of `dependencyCheck.apiKey` in your command.

@jeremylong
Owner

ATM - I'm not sure if you can pass gradle configs for ODC via the CLI. You can configure the plugin using an init script. Several security tools use this approach.
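
The init-script approach mentioned in the last comment, sketched as an added example that is not part of the thread or the project's own code. The file name `nvd-init.gradle` and the environment variable `NVD_API_KEY` are assumptions; the key is read from the environment rather than passed as a `-P` argument, so it does not appear on the Gradle command line.

```groovy
// nvd-init.gradle (hypothetical file name; added example)
// Assumed invocation:
//   NVD_API_KEY=<key> gradle --init-script nvd-init.gradle dependencyCheckAggregate

// Assumed variable name; in CI this would be populated from a stored secret.
def nvdKey = System.getenv('NVD_API_KEY')

allprojects { project ->
    // Only touch projects that actually apply the dependency-check plugin.
    project.plugins.withId('org.owasp.dependencycheck') {
        // Fail early instead of silently falling back to a slow,
        // unauthenticated NVD update.
        if (!nvdKey?.trim()) {
            throw new org.gradle.api.GradleException(
                'NVD_API_KEY is not set; refusing to run without an NVD API key')
        }
        // Same nesting as the plugin's documented build.gradle configuration:
        // the key lives in the "nvd" group of the dependencyCheck extension.
        project.dependencyCheck {
            nvd {
                apiKey = nvdKey
            }
        }
    }
}
```

If the "An NVD API Key was not provided" warning still appears with this script in place, the environment variable is reaching Gradle empty, which points at the pipeline's secret wiring rather than the plugin configuration.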
