Describe the bug
Dependency Check 11 now depends on a version of Apache HttpClient 5, which forbids the use of a userinfo component in URLs for basic authentication.
An exception is thrown with the following error message:
Request URI authority contains deprecated userinfo component
Unfortunately, as far as I could find in the documentation, the Gradle plugin only allows authentication credentials to be set for the NVD mirror. But there is currently no way to configure basic authentication to mirror the following additional files:
analyzers.retirejs.retireJsUrl (jsrepository.json)
analyzers.knownExploitedURL (known_exploited_vulnerabilities.json)
hostedSuppressions.url (publishedSuppressions.xml)
We're trying to be good netizens and so we're caching all downloadable vulnerability data in a private repository, but we don't want that repository to be publicly accessible without authentication credentials. This works for NVD data, but not with the non-NVD data above.
Dependency Check version 11 (at least the Gradle plugin) is basically forcing us to regularly download these files from upstream from all our development environments, as well as our CI/CD pipelines.
I tried a workaround by configuring a task that would configure a HttpClientContext, but I couldn't get that to work, at least not with the few minutes that I wanted to spend on that. Also, a workaround like this would tightly couple our Gradle build configurations with the implementation layer of the Dependency Check plugin. What if the plugin switches from Apache HttpClient to some other library for HTTP downloads at some point?
Version of dependency-check used
The problem occurs using version 11.1.0 of the gradle plugin
To Reproduce
Steps to reproduce the behavior:
Configure mirror URLs in analyzers.retirejs.retireJsUrl, analyzers.knownExploitedURL and/or hostedSuppressions.url in the plugin in build.gradle(.kts)
Use HTTP(S) URLs with a so-called userinfo component, for instance https://username:[email protected]
Run ./gradlew dependencyCheckUpdate
See error
Expected behavior
Mirror URLs that require authentication should somehow be supported. Embedding the username and password in the URL through use of a userinfo component is indeed not ideal from a security perspective, but until now, this was the only way to get the plugin to download the non-NVD data from mirrors that require authentication. As of version 11 of the Dependencycheck Gradle plugin, there apparently is no way to configure this at all.
Additional context
This does not apply to the NVD mirror, since the plugin already allows authentication to be explicitly configured for that, using the nvd.datafeedUser and nvd.datafeedPassword properties. It would be nice to be able to do the same for the other downloads.
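For readers who want to see the two situations side by side, the following build.gradle.kts fragment is an added example written for this page, not configuration taken from the issue or from the dependency-check-gradle project. It uses the property names the report mentions (nvd.datafeedUser, nvd.datafeedPassword, analyzers.retirejs.retireJsUrl, analyzers.knownExploitedURL, hostedSuppressions.url); nvd.datafeedUrl is the plugin's documented property for the NVD feed mirror but is not named in the report, and mirror.example.internal together with the DC_MIRROR_* environment variables are placeholders.

```kotlin
// build.gradle.kts (added example; hostnames and variable names are placeholders)
plugins {
    id("org.owasp.dependencycheck") version "11.1.0"
}

dependencyCheck {
    nvd {
        // The NVD mirror has explicit credential properties, so the secret never
        // lands in the URL (and therefore not in logs or the build cache either).
        // Credentials come from the environment, not from the checked-in build file.
        datafeedUrl = "https://mirror.example.internal/nvd/"
        datafeedUser = System.getenv("DC_MIRROR_USER")
        datafeedPassword = System.getenv("DC_MIRROR_PASSWORD")
    }

    analyzers {
        retirejs {
            // No user/password properties exist for this download as of 11.1.0.
            // Writing "https://user:secret@mirror.example.internal/..." here would
            // trigger the HttpClient 5 error quoted in the report:
            //   Request URI authority contains deprecated userinfo component
            retireJsUrl = "https://mirror.example.internal/jsrepository.json"
        }
        knownExploitedURL = "https://mirror.example.internal/known_exploited_vulnerabilities.json"
    }

    hostedSuppressions {
        url = "https://mirror.example.internal/publishedSuppressions.xml"
    }
}
```

With this layout the NVD download authenticates through the dedicated properties, while the three other URLs must point at a location the build can reach without embedded credentials (for example an allow-listed internal host) until the plugin offers equivalent user/password properties for them; keeping every secret in environment variables also keeps it out of the repository's build history.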
@jeremylong Any update on this? I guess we could remove the mirror links for jsrepository.json, known_exploited_vulnerabilities.json and publishedSuppressions.xml, but then GitHub would be getting a lot more traffic on each DependencyCheck update (both local and in CI/CD) again.
I guess it's just a matter of adding extra configuration fields for usernames and passwords for these mirror links to the plugin settings, right? I guess I could try creating an MR for it, if that helps. Thanks.