Merge branch 'master' into java-17-upgrade

Michael1142 · Michael1142 · commit 2f754569c414 · 2026-03-03T16:27:16.000Z
diff --git a/README.md b/README.md
@@ -53,17 +53,29 @@ It only scans runtime configurations by default.  This can be overridden in proj
 
 ### Usage
 
-`./gradlew dependencyCheckAggregate`
+You can request a [NVD API key](https://nvd.nist.gov/developers/request-an-api-key) to improve Dependency Check performance and avoid NVD rate limiting.
+
+It can be provided via an environment variable:
+
+```bash
+export NVD_API_KEY=YOUR_KEY
+```
+
+Or via a Gradle property:
+
+```bash
+./gradlew dependencyCheckAggregate -PPdependencyCheck.nvd.apiKey=YOUR_KEY
+```
 
 ### Suppressions
 
-Due to the way the dependency checker works, false positives are an [expected occurence.](https://jeremylong.github.io/DependencyCheck/general/suppression.html)
+Due to the way the dependency checker works, false positives are an [expected occurrence.](https://jeremylong.github.io/DependencyCheck/general/suppression.html)
 
 Provide the dependency checker with the path to your [suppression file](https://jeremylong.github.io/DependencyCheck/general/suppression.html):
 
 ```groovy
 dependencyCheck {
-  suppressionFile = 'path/to/supression.xml'
+  suppressionFile = 'path/to/suppressions.xml'
 }
 ```
 
diff --git a/build.gradle b/build.gradle
@@ -2,15 +2,16 @@ plugins {
     id 'java-gradle-plugin'
     id 'groovy'
     id 'com.gradle.plugin-publish' version '1.3.1'
-    id "uk.gov.hmcts.java" version "0.12.66"
+    id "uk.gov.hmcts.java" version "0.12.67"
 }
 
 repositories {
     mavenCentral()
+    maven { url "https://plugins.gradle.org/m2/" }
 }
 
 dependencies {
-    implementation 'org.owasp:dependency-check-gradle:10.0.3'
+    implementation 'org.owasp:dependency-check-gradle:12.2.0'
     implementation 'org.apache.maven:maven-artifact:3.9.10'
     compileOnly 'org.projectlombok:lombok:1.18.38'
     annotationProcessor 'org.projectlombok:lombok:1.18.38'
@@ -30,10 +31,8 @@ compileJava {
     options.compilerArgs += ["-Werror"]
 }
 
-def version = System.getenv("RELEASE_VERSION")?.replace("refs/tags/", "") ?: "DEV-SNAPSHOT"
-
 group = 'uk.gov.hmcts.reform'
-project.version = version
+project.version = System.getenv("RELEASE_VERSION")?.replace("refs/tags/", "") ?: "DEV-SNAPSHOT"
 
 gradlePlugin {
     // Define the plugin
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.14-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.14.4-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
diff --git a/src/main/java/uk/gov/hmcts/tools/DependencyCheckSetup.java b/src/main/java/uk/gov/hmcts/tools/DependencyCheckSetup.java
@@ -36,6 +36,26 @@ public static void apply(Project project) {
         project.getPlugins().apply(DependencyCheckPlugin.class);
 
         DependencyCheckExtension extension = project.getExtensions().getByType(DependencyCheckExtension.class);
+
+        Project root = project.getRootProject();
+
+        // Gradle property: -PdependencyCheck.nvd.apiKey=...
+        String apiKey = (String) root.findProperty("dependencyCheck.nvd.apiKey");
+
+        // JVM system property: -DdependencyCheck.nvd.apiKey=...
+        if (apiKey == null || apiKey.isBlank()) {
+            apiKey = System.getProperty("dependencyCheck.nvd.apiKey");
+        }
+
+        // Environment variable
+        if (apiKey == null || apiKey.isBlank()) {
+            apiKey = System.getenv("NVD_API_KEY");
+        }
+
+        if (apiKey != null && !apiKey.isBlank()) {
+            extension.getNvd().setApiKey(apiKey);
+        }
+
         extension.setFailBuildOnCVSS(0f);
 
         // Match the CNP pipeline which disables these checks
