> On Jul 3, 2024, at 6:06 AM, Lari Hotari <lhot...@apache.org> wrote:
>
> Hi,
>
> In Apache Pulsar, we use the OWASP Dependency-Check maven plugin to report
> vulnerabilities in dependencies in apache/pulsar GitHub Actions workflows.
>
> The Dependency Check maven plugin will download the NVD database which takes
> a long time. In Apache Pulsar GitHub Actions workflows, we cache the
> Dependency Check database to speed up the process. However, recently the
> download has been so slow that it doesn't complete in time to be cached.
> Workflow runs:
> https://github.com/apache/pulsar/actions/workflows/ci-owasp-dependency-check.yaml
I did not see exactly where the download happens in the workflow. Is there a
separate action or workflow?
>
> There's a warning in the logs that suggests getting an API key.
> "Warning: An NVD API Key was not provided - it is highly recommended to use
> an NVD API key as the update can take a VERY long time without an API Key"
>
> On ASF Slack, I have asked the ASF Infra team for recommendations for
> addressing this problem.
Seems to me that you need Infra’s help as the Apache org’s GitHub admin to add
this secret. They will probably suggest that you create an INFRA JIRA and tell
you where to send the API Key.
Alternatively this is something that is ASF wide and
security-disc...@apache.org might be the place to discuss.
Best,
Dave
>
> -Lari
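As an added illustration (not code from this thread or from the apache/pulsar repository) of what the workflow could look like once the key has been stored as a GitHub secret: the secret name `NVD_API_KEY`, the cache path, the cron schedule and the Java setup are assumptions; `nvdApiKey` is the dependency-check-maven plugin's configuration parameter for the NVD API key.

```yaml
name: CI - OWASP Dependency Check   # assumed workflow name

on:
  schedule:
    - cron: '0 3 * * *'   # assumed: a nightly run
  workflow_dispatch:

jobs:
  dependency-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'

      # Cache the NVD data the plugin downloads. The path below is assumed to be
      # the maven plugin's default data directory; if the project overrides
      # dataDirectory, cache that location instead. Saving under a per-run key
      # with a prefix restore-key means every run restores the newest cache and
      # saves a refreshed one, so a completed update is never thrown away.
      - name: Cache NVD database
        uses: actions/cache@v4
        with:
          path: ~/.m2/repository/org/owasp/dependency-check-data
          key: dependency-check-data-${{ github.run_id }}
          restore-keys: |
            dependency-check-data-

      # NVD_API_KEY is an assumed secret name (to be created by ASF Infra at the
      # org or repository level). The key is passed through an environment
      # variable rather than written into the command line. Note that GitHub does
      # not expose secrets to workflows triggered by pull_request from forks, so
      # this job is intended for scheduled or manually dispatched runs.
      - name: Run OWASP Dependency-Check
        env:
          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
        run: |
          if [ -z "$NVD_API_KEY" ]; then
            echo "NVD_API_KEY secret is not set; the NVD update will be slow" >&2
          fi
          mvn -B org.owasp:dependency-check-maven:check \
            -DnvdApiKey="$NVD_API_KEY"
```

Once the secret exists, the "An NVD API Key was not provided" warning quoted above should disappear from the logs; if it still appears, the step is not receiving the secret (for example because the run was triggered from a fork).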