fix: mask nvd.api.key in logs#6307
GHSA-qqhq-8r2c-c3f5 isn't resolved; 9.0.6 still logs nvdApiKey; see the advisory for more details.
@hott-box the documentation is being updated indicating that if specific configuration options are used maven debug logging could expose them. See jeremylong/DependencyCheck#6315. This is how maven works - the configuration is presented in the debug output.
@hott-box if you have put the credential clear text in the build file - it is already exposed. Allowing maven to write this back to the debug logging is not making it any less exposed.
@jeremylong, FYI, while I don't really see this as a huge issue myself, I am passing in the API credential through environment variables, so it is possible for it to be exposed only through the debug logs.
@zodac it all depends on how you are passing it in via env variable - and whether or not you are using a CI env that will mask the secrets printed to the console. GH Secrets as an ENV variable would likely mask the possible exposure; the same with Jenkins withCredential.
and I 100% agree - this is not a very impactful issue if the secret exposure occurs. |
resolves GHSA-qqhq-8r2c-c3f5
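An added example, not code from DependencyCheck or Maven, of the two masking strategies the thread discusses: redacting the value bound to `nvdApiKey` / `apiKey` in constructed Maven `-X` output, and, as a CI runner does, redacting every other occurrence of a value once it is known to be a secret. The log lines and the key value are constructed for the example; `lines_exposing` is a check you can run over a log before it is archived.

```python
import re

# Constructed sample of Maven debug (-X) output from a dependency-check run.
# The API key value is invented; the layout mirrors how Maven echoes mojo config.
SAMPLE_LOG = """\
[DEBUG] Configuring mojo 'org.owasp:dependency-check-maven:9.0.6:check'
[DEBUG]   (f) nvdApiKey = 0123abcd-4567-89ef-0123-456789abcdef
[DEBUG]   (f) nvdApiDelay = 4000
[DEBUG] Request header apiKey: 0123abcd-4567-89ef-0123-456789abcdef
[INFO] Checking for updates
"""

# Configuration names whose values must never reach the log in clear text.
SECRET_KEYS = ("nvdApiKey", "nvd.api.key", "apiKey")

# Matches "key = value" or "key: value"; the value runs to the next whitespace.
_KV_RE = re.compile(
    r"(?P<key>" + "|".join(re.escape(k) for k in SECRET_KEYS) + r")"
    r"(?P<sep>\s*[=:]\s*)(?P<val>\S+)"
)


def collect_secret_values(text):
    """Return the set of values bound to a known secret key anywhere in the log."""
    return {m.group("val") for m in _KV_RE.finditer(text)}


def _mask(val, keep=4):
    # Keep a short tail so an operator can still tell which key was in use.
    return "***" + val[-keep:] if len(val) > keep else "***"


def mask_log(text):
    """Redact secret key=value pairs, then every other occurrence of a learned value
    (a key printed again on an unrelated line, e.g. a request header, is caught too)."""
    values = collect_secret_values(text)
    masked = _KV_RE.sub(lambda m: m.group("key") + m.group("sep") + _mask(m.group("val")), text)
    for val in sorted(values, key=len, reverse=True):  # longest first avoids partial hits
        masked = masked.replace(val, _mask(val))
    return masked


def lines_exposing(text, known_secrets):
    """1-based line numbers on which any known secret value still appears in clear text."""
    return [i for i, line in enumerate(text.splitlines(), 1)
            if any(s in line for s in known_secrets)]
```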