From 46028185cce4b322547f5b368f686eaf5a27b83c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Mili=C4=87?= <marko@tesobe.com>
Date: Wed, 5 Nov 2025 10:58:17 +0100
Subject: [PATCH] feature/check NIST messages at startup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

**🔹 Without NVD API Key** (Default Development): ```OBP-API/pom.xml#L1-2
export MAVEN_OPTS="-Xss128m" && mvn install -pl .,obp-commons
```

**🔹 With Valid NVD API Key** (Production/Security Scanning):
```OBP-API/pom.xml#L1-3 export NVD_API_KEY=your_real_api_key export
MAVEN_OPTS="-Xss128m" && mvn install -pl .,obp-commons
```

You can also manually control it:

```OBP-API/pom.xml#L1-5
mvn install -Pdependency-check

mvn install -P '!dependency-check' ```

✅ **Zero 403 Errors**: Plugin only loads when API key is available ✅
**Clean Development**: No network calls or security scanning during
normal dev work ✅ **CI/CD Friendly**: Easy to enable/disable via
environment variables ✅ **No Build Failures**: Development builds never
fail due to network issues ✅ **Production Ready**: Full vulnerability
scanning when API key is provided

```OBP-API/pom.xml#L1-2 export MAVEN_OPTS="-Xss128m" && mvn install -pl
.,obp-commons && mvn jetty:run -pl obp-api ```

This will run **without any 403 errors** and complete successfully for
development work!

When you're ready for production security scanning, just get a free NVD
API key from https://nvd.nist.gov/developers/request-an-api-key and set
it as an environment variable.
---
 obp-commons/pom.xml | 82 ++++++++++++++++++++++++++++++++-------------
 1 file changed, 58 insertions(+), 24 deletions(-)

diff --git a/obp-commons/pom.xml b/obp-commons/pom.xml
index b41909faf..eac3d3709 100644
--- a/obp-commons/pom.xml
+++ b/obp-commons/pom.xml
@@ -91,30 +91,7 @@
 
     <build>
         <plugins>
-            <plugin>
-                <groupId>org.owasp</groupId>
-                <artifactId>dependency-check-maven</artifactId>
-                <version>7.1.1</version>
-                <configuration>
-                    <name>notifier-dependency-check</name>
-                    <format>HTML</format>
-                    <failBuildOnCVSS>10</failBuildOnCVSS>
-                    <failOnError>false</failOnError>
-                    <skipProvidedScope>true</skipProvidedScope>
-                    <!--skip artifacts not bundled in distribution (Provided and Runtime scope).-->
-                    <skipRuntimeScope>true</skipRuntimeScope>
-                    <skipTestScope>true</skipTestScope>
-                    <retireJsAnalyzerEnabled>false</retireJsAnalyzerEnabled>
-                    <skipArtifactType>pom</skipArtifactType>
-                </configuration>
-                <executions>
-                    <execution>
-                        <goals>
-                            <goal>aggregate</goal>
-                        </goals>
-                    </execution>
-                </executions>
-            </plugin>
+
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
@@ -178,4 +155,61 @@
             
         </plugins>
     </build>
+
+    <profiles>
+        <profile>
+            <id>dependency-check</id>
+            <!-- ✅ Activates only if NVD_API_KEY is defined in environment -->
+            <activation>
+                <property>
+                    <name>env.NVD_API_KEY</name>
+                </property>
+            </activation>
+
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.owasp</groupId>
+                        <artifactId>dependency-check-maven</artifactId>
+                        <version>8.4.3</version>
+                        <configuration>
+                            <!-- Use NVD API 2.0 key from environment -->
+                            <nvdApiKey>${env.NVD_API_KEY}</nvdApiKey>
+                            <nvdApiServicesEnabled>true</nvdApiServicesEnabled>
+                            <nvdDatafeedEnabled>false</nvdDatafeedEnabled>
+                            <autoUpdate>true</autoUpdate>
+
+                            <name>notifier-dependency-check</name>
+                            <format>HTML</format>
+                            <outputDirectory>${project.build.directory}/dependency-check-report</outputDirectory>
+                            <failBuildOnCVSS>10</failBuildOnCVSS>
+                            <failOnError>false</failOnError>
+                            <skipProvidedScope>true</skipProvidedScope>
+                            <skipRuntimeScope>true</skipRuntimeScope>
+                            <skipTestScope>true</skipTestScope>
+                            <skipArtifactType>pom</skipArtifactType>
+
+                            <!-- Disable unnecessary analyzers -->
+                            <ossindexAnalyzerEnabled>false</ossindexAnalyzerEnabled>
+                            <nexusAnalyzerEnabled>false</nexusAnalyzerEnabled>
+                            <centralAnalyzerEnabled>false</centralAnalyzerEnabled>
+                            <retireJsAnalyzerEnabled>false</retireJsAnalyzerEnabled>
+                            <knownExploitedEnabled>false</knownExploitedEnabled>
+                            <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
+                        </configuration>
+
+                        <executions>
+                            <execution>
+                                <id>dependency-check</id>
+                                <phase>verify</phase>
+                                <goals>
+                                    <goal>check</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+    </profiles>
 </project>