
Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta #2039

Closed
meselfi opened this issue Jul 2, 2019 · 40 comments

@meselfi

meselfi commented Jul 2, 2019

Added dependency-check to a fresh Maven project and got this error? Can't download the referenced resource from a browser either.

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.1.0:check (default) on project x: Fatal exception(s) analyzing x: One or more exceptions occurred during analysis:
[ERROR] Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta
[ERROR] No documents exist
[ERROR] -> [Help 1]

@AILazerka

AILazerka commented Jul 2, 2019

Same happens for me on Gradle: after some time of using the plugin I started seeing the issue in the logs of the build pipeline. Tried updating to the latest version, but the issue happens permanently with any variant (only the URLs are different).

Checking for updates and analyzing dependencies for vulnerabilities
Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.json.gz
Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
Unable to continue dependency-check analysis.
Generating report for project ...
:dependencyCheckAnalyze FAILED
====== !LONG RUNNING TASK! ======
:dependencyCheckAnalyze took 30292ms

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':dependencyCheckAnalyze'.
> java.lang.NullPointerException (no error message)

...

nvd.nist.gov cannot be even discovered.

@AILazerka

@meselfi, this issue relates to #2002

@meselfi
Author

meselfi commented Jul 2, 2019

Seems nvd.nist.gov is down. https://twitter.com/SorenTPoulsen/status/1145998287322996736

@emansom

emansom commented Jul 2, 2019

Also experiencing this issue. Results in Changez jobs failing.

@rjimgal
Contributor

rjimgal commented Jul 2, 2019

Maybe a good opportunity to set up a Nexus OSS raw proxy repository and start caching ;)

@stepio
Contributor

stepio commented Jul 2, 2019

@rjimgal,

I had exactly the same idea. But is there a simple way to configure the plugin to use an internal proxy instead of the official website?

@OrangeDog

@emansom add <failOnError>false</failOnError> to not fail the build.
@rjimgal how are you going to start caching something that's currently broken?

@Nriver

Nriver commented Jul 2, 2019

nvd.nist.gov has been down for hours today, but it will be up today. It would be nice to have a place for a mirror data server just in case the site is down and you cannot get DependencyCheck working on a new environment.

@emansom

emansom commented Jul 2, 2019

> @emansom add <failOnError>false</failOnError> to not fail the build.

CVE checking is a policy-enforced requirement. Thanks for the tip though!

nvd.nist.gov is back up! 🎉

@rjimgal
Contributor

rjimgal commented Jul 2, 2019

@stepio cveUrlModified and cveUrlBase can be configured (https://jeremylong.github.io/DependencyCheck/dependency-check-maven/configuration.html)

@OrangeDog just to prepare yourselves for next outage ;-)

@jeremylong
Owner

I highly recommend the usage of the nist-data-mirror.

@ddugovic

ddugovic commented Jul 4, 2019

I have a working local nist-data-mirror which I can download from, yet in my project build I cannot figure out where to set cveUrlBase or cveUrlModified (everything I am trying has no effect whatsoever on the build, although I can connect to my mirror in a web browser):

  • my project pom.xml ?
                        <plugin>
                                <groupId>org.owasp</groupId>
                                <artifactId>dependency-check-maven</artifactId>
                                <version>4.0.2</version>
                                <configuration>
                                        <cveUrlBase>http://MYHOST/nvdcve-1.0-%d.json.gz</cveUrlBase>
                                        <cveUrlModified>http://MYHOST/nvdcve-1.0-modified.json.gz</cveUrlModified>
                                </configuration>
                                <executions>
                                        <execution>
                                                <goals>
                                                        <goal>check</goal>
                                                </goals>
                                        </execution>
                                </executions>
                        </plugin>
  • on the Maven command line executed through Jenkins (-DcveUrlBase=... etc.) ?
  • some other configuration store ?

@malejpavouk

If you do not have a highly available centralized DB (or want to work offline), it is also possible to dockerize the NVD database.

For those that are Gradle shops, we have prepared two articles on how to achieve it: https://medium.com/zoom-techblog/dockerized-dependency-check-building-nvd-image-a5af78cc6228

The code is under MIT, feel free to use it.

@albuch
Contributor

albuch commented Jul 4, 2019

@ddugovic JSON feeds were implemented with v5.0.0 of dependency-check-maven. You should upgrade to 5.1.0 so that your configuration works.
Before that (v4.0.2 and earlier) the XML feeds were used, which use different configuration properties.

@ddugovic

@albuch Thanks very much, upgrading to 5.1.0 solves my problem!

@stepio
Contributor

stepio commented Jul 8, 2019

@rjimgal, @jeremylong,

I have a small question about proxying.

Correct me if I'm wrong, but it looks like the plugin supports proxying only *.gz files, but not *.meta files. So this is a nice tip to improve build time, but it won't help with issues like we had in this thread.

Or am I missing anything?

@stepio
Contributor

stepio commented Jul 10, 2019

I was wrong. Received the following results:

[DEBUG] Attempting retrieval of https://my.example.com/artifactory/nvd-nist-gov/nvdcve-1.0-modified.meta
...
[DEBUG] Attempting retrieval of https://my.example.com/artifactory/nvd-nist-gov/nvdcve-1.0-2002.meta
[DEBUG] Attempting retrieval of https://my.example.com/artifactory/nvd-nist-gov/nvdcve-1.0-2003.meta
[DEBUG] Attempting retrieval of https://my.example.com/artifactory/nvd-nist-gov/nvdcve-1.0-2004.meta
[DEBUG] Attempting retrieval of https://my.example.com/artifactory/nvd-nist-gov/nvdcve-1.0-2005.meta
...
[DEBUG] Attempting retrieval of https://my.example.com/artifactory/nvd-nist-gov/nvdcve-1.0-2004.json.gz

With the following configuration properties:

<cveUrlBase>https://my.example.com/artifactory/nvd-nist-gov/nvdcve-1.0-%d.json.gz</cveUrlBase>
<cveUrlModified>https://my.example.com/artifactory/nvd-nist-gov/nvdcve-1.0-modified.json.gz</cveUrlModified>
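
As an added example (not code from this thread or from dependency-check): a Python check a mirror job could run before builds are pointed at an internal copy, so a truncated, altered or stale feed is caught at the mirror rather than in CI. It assumes the NVD .meta layout of `key:value` lines (lastModifiedDate, size, gzSize, and sha256 of the uncompressed JSON); the function names, the two-day threshold and the sample data are constructed for illustration.

```python
import gzip
import hashlib
import zlib
from datetime import datetime, timedelta, timezone

FEED_SUFFIX = ".json.gz"


def meta_url_for(feed_url):
    """Map a feed URL to its .meta URL, the way the debug log above shows
    the plugin doing it (…-modified.json.gz -> …-modified.meta)."""
    if not feed_url.endswith(FEED_SUFFIX):
        raise ValueError("not a .json.gz feed URL: " + feed_url)
    return feed_url[: -len(FEED_SUFFIX)] + ".meta"


def parse_meta(text):
    """Parse key:value lines. Split on the first colon only, because the
    lastModifiedDate value contains colons itself."""
    meta = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep or not value:
            raise ValueError("malformed meta line: %r" % line)
        meta[key] = value
    missing = [k for k in ("lastModifiedDate", "size", "gzSize", "sha256")
               if k not in meta]
    if missing:
        raise ValueError("meta file lacks: " + ", ".join(missing))
    return meta


def check_feed(meta_text, gz_bytes, now, max_age=timedelta(days=2)):
    """Return a list of problems with one mirrored feed; empty means usable.
    max_age is an assumed threshold, tune it to the mirror's schedule."""
    try:
        meta = parse_meta(meta_text)
        size, gz_size = int(meta["size"]), int(meta["gzSize"])
        modified = datetime.fromisoformat(meta["lastModifiedDate"])
    except ValueError as exc:
        return ["meta: %s" % exc]
    if modified.tzinfo is None:
        return ["meta: lastModifiedDate has no UTC offset"]

    problems = []
    if len(gz_bytes) != gz_size:
        problems.append("gzSize: meta says %d, file has %d bytes"
                        % (gz_size, len(gz_bytes)))
    try:
        json_bytes = gzip.decompress(gz_bytes)
    except (OSError, EOFError, zlib.error) as exc:
        # A download cut short by an outage typically ends up here.
        problems.append("gzip: cannot decompress (%s)" % exc)
        json_bytes = None
    if json_bytes is not None:
        if len(json_bytes) != size:
            problems.append("size: meta says %d, JSON has %d bytes"
                            % (size, len(json_bytes)))
        digest = hashlib.sha256(json_bytes).hexdigest()
        if digest.lower() != meta["sha256"].lower():
            problems.append("sha256: JSON does not match the meta digest")
    if now - modified > max_age:
        problems.append("stale: feed last modified %s" % modified.isoformat())
    return problems


def build_sample(modified):
    """Constructed sample: a tiny stand-in feed and a matching .meta text."""
    json_bytes = b'{"CVE_data_type": "CVE", "CVE_Items": []}'
    gz_bytes = gzip.compress(json_bytes)
    meta_text = "lastModifiedDate:%s\r\nsize:%d\r\nzipSize:0\r\ngzSize:%d\r\nsha256:%s\r\n" % (
        modified.isoformat(timespec="seconds"), len(json_bytes),
        len(gz_bytes), hashlib.sha256(json_bytes).hexdigest().upper())
    return meta_text, gz_bytes


if __name__ == "__main__":
    now = datetime(2019, 7, 2, 12, 0, tzinfo=timezone.utc)
    meta_text, gz = build_sample(now - timedelta(hours=3))
    print("intact   :", check_feed(meta_text, gz, now))
    print("truncated:", check_feed(meta_text, gz[:-4], now))
    print("stale    :", check_feed(meta_text, gz, now + timedelta(days=5)))
```

A mirror job that publishes files only when `check_feed` returns an empty list keeps the previous good copy in place during an upstream outage.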

@denniseffing

> @emansom add <failOnError>false</failOnError> to not fail the build.

Adding this does not work. The build fails regardless.
Is there any way to ignore nvd.nist.gov downtimes and let the build pass without introducing a cache? This would allow us to work on caching at a later date.

@jeremylong
Owner

Consider using a local NVD cache like the [nist-data-mirror](https://github.com/stevespringett/nist-data-mirror)

@denniseffing

This requires setting up a nightly job which pulls down the latest NVD files from NIST as stated here. This also requires setting up an infrastructure component that makes these files available in-house.

We would like to postpone infrastructure configuration for NVD file caching but use the dependency-check-maven plugin without failing the build if NIST is not available. However, this does not seem to be possible.

@Nriver

Nriver commented Aug 2, 2019

Is there a way to disable the update? When NIST is not available, I cannot do the scan. But I have scanned before and a previous file has been downloaded; it would be nice to run the scan with the stored database or disable the update when NIST is not available.

@jeremylong
Owner

Disable the autoUpdate property. It varies depending on if you are using the CLI, maven or gradle plugin, etc. See the documentation

@denniseffing

denniseffing commented Aug 3, 2019

Let me rephrase my issue:
The Maven dependency check plugin fails the build if the website is not available, even if the property failOnError is set to false. We want the database to automatically update but don't want to fail the builds if NIST is not available. Which does not seem to be possible at the moment.

@jeremylong
Owner

Yes - as the database must exist.

@2fortunately

I have the same problem, because Jenkins agents have a bug. This bug is fixed in a not yet released version.
https://issues.jenkins-ci.org/browse/JENKINS-57383?page=com.atlassian.streams.streams-jira-plugin%3Aactivity-stream-issue-tab .
So I decided to install nist-data-mirror.
After I fixed the issue by installing nist-data-mirror, I found another problem. My Jenkins can't download https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json , because the proxy is broken in version 2.176.2. @jeremylong have you got any information about mirrors for Retirejs?

[DependencyCheck] [ERROR] Failed to initialize the RetireJS repo
[DependencyCheck] org.owasp.dependencycheck.data.update.exception.UpdateException: Failed to initialize the RetireJS repo
[DependencyCheck] 	at org.owasp.dependencycheck.data.update.RetireJSDataSource.initializeRetireJsRepo(RetireJSDataSource.java:151)
[DependencyCheck] 	at org.owasp.dependencycheck.data.update.RetireJSDataSource.update(RetireJSDataSource.java:97)
[DependencyCheck] 	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:922)
[DependencyCheck] 	at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:723)
[DependencyCheck] 	at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:653)
[DependencyCheck] 	at org.owasp.dependencycheck.App.runScan(App.java:251)
[DependencyCheck] 	at org.owasp.dependencycheck.App.run(App.java:183)
[DependencyCheck] 	at org.owasp.dependencycheck.App.main(App.java:80)
[DependencyCheck] Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Download failed, unable to copy 'https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json' to '/var/jenkins_home/tools/org.jenkinsci.plugins.DependencyCheck.tools.DependencyCheckInstallation/dependency-check-5.2.1/data/jsrepository.json'
[DependencyCheck] 	at org.owasp.dependencycheck.utils.Downloader.fetchFile(Downloader.java:91)
[DependencyCheck] 	at org.owasp.dependencycheck.utils.Downloader.fetchFile(Downloader.java:68)
[DependencyCheck] 	at org.owasp.dependencycheck.data.update.RetireJSDataSource.initializeRetireJsRepo(RetireJSDataSource.java:149)
[DependencyCheck] 	... 7 common frames omitted
[DependencyCheck] Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Error downloading file https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json; unable to connect.
[DependencyCheck] 	at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:238)
[DependencyCheck] 	at org.owasp.dependencycheck.utils.HttpResourceConnection.fetch(HttpResourceConnection.java:138)
[DependencyCheck] 	at org.owasp.dependencycheck.utils.Downloader.fetchFile(Downloader.java:87)
[DependencyCheck] 	... 9 common frames omitted
[DependencyCheck] Caused by: java.net.SocketTimeoutException: connect timed out
[DependencyCheck] 	at java.net.PlainSocketImpl.socketConnect(Native Method)
[DependencyCheck] 	at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
[DependencyCheck] 	at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
[DependencyCheck] 	at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
[DependencyCheck] 	at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
[DependencyCheck] 	at java.net.Socket.connect(Socket.java:589)
[DependencyCheck] 	at sun.net.NetworkClient.doConnect(NetworkClient.java:175)
[DependencyCheck] 	at sun.net.www.http.HttpClient.openServer(HttpClient.java:463)
[DependencyCheck] 	at sun.net.www.http.HttpClient.openServer(HttpClient.java:558)
[DependencyCheck] 	at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264)
[DependencyCheck] 	at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
[DependencyCheck] 	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
[DependencyCheck] 	at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1156)
[DependencyCheck] 	at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1050)
[DependencyCheck] 	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
[DependencyCheck] 	at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:162)
[DependencyCheck] 	at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:178)
[DependencyCheck] 	... 11 common frames omitted

@2fortunately

I found the --retireJsUrl option, so I can just create my mirror with httpd. I think that just adding the jsrepository.json file is enough, is it?
https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html

@jeremylong
Owner

Correct - you just need to mirror one additional file.

@ST-DDT

ST-DDT commented Sep 24, 2019

Server is down again/broken. Test-URL: https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta

Stacktrace:
[INFO] --- dependency-check-maven:5.2.1:check (cve-check) @ test-service ---
[INFO] Checking for updates
[ERROR] Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta
org.owasp.dependencycheck.data.update.exception.UpdateException: Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.getMetaFile (NvdCveUpdater.java:347)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.getUpdatesNeeded (NvdCveUpdater.java:385)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.update (NvdCveUpdater.java:122)
    at org.owasp.dependencycheck.Engine.doUpdates (Engine.java:922)
    at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase (Engine.java:723)
    at org.owasp.dependencycheck.Engine.analyzeDependencies (Engine.java:653)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.runCheck (BaseDependencyCheckMojo.java:1403)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:802)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Download failed, unable to retrieve 'https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta'
    at org.owasp.dependencycheck.utils.Downloader.fetchContent (Downloader.java:115)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.getMetaFile (NvdCveUpdater.java:340)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.getUpdatesNeeded (NvdCveUpdater.java:385)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.update (NvdCveUpdater.java:122)
    at org.owasp.dependencycheck.Engine.doUpdates (Engine.java:922)
    at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase (Engine.java:723)
    at org.owasp.dependencycheck.Engine.analyzeDependencies (Engine.java:653)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.runCheck (BaseDependencyCheckMojo.java:1403)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:802)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Error downloading file https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta; unable to connect.
    at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection (HttpResourceConnection.java:238)
    at org.owasp.dependencycheck.utils.HttpResourceConnection.fetch (HttpResourceConnection.java:138)
    at org.owasp.dependencycheck.utils.Downloader.fetchContent (Downloader.java:110)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.getMetaFile (NvdCveUpdater.java:340)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.getUpdatesNeeded (NvdCveUpdater.java:385)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.update (NvdCveUpdater.java:122)
    at org.owasp.dependencycheck.Engine.doUpdates (Engine.java:922)
    at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase (Engine.java:723)
    at org.owasp.dependencycheck.Engine.analyzeDependencies (Engine.java:653)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.runCheck (BaseDependencyCheckMojo.java:1403)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:802)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
Caused by: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
    at sun.security.ssl.SSLSocketImpl.handleEOF (SSLSocketImpl.java:1321)
    at sun.security.ssl.SSLSocketImpl.decode (SSLSocketImpl.java:1160)
    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord (SSLSocketImpl.java:1063)
    at sun.security.ssl.SSLSocketImpl.startHandshake (SSLSocketImpl.java:402)
    at sun.net.www.protocol.https.HttpsClient.afterConnect (HttpsClient.java:567)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect (AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect (HttpsURLConnectionImpl.java:163)
    at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection (HttpResourceConnection.java:178)
    at org.owasp.dependencycheck.utils.HttpResourceConnection.fetch (HttpResourceConnection.java:138)
    at org.owasp.dependencycheck.utils.Downloader.fetchContent (Downloader.java:110)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.getMetaFile (NvdCveUpdater.java:340)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.getUpdatesNeeded (NvdCveUpdater.java:385)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.update (NvdCveUpdater.java:122)
    at org.owasp.dependencycheck.Engine.doUpdates (Engine.java:922)
    at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase (Engine.java:723)
    at org.owasp.dependencycheck.Engine.analyzeDependencies (Engine.java:653)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.runCheck (BaseDependencyCheckMojo.java:1403)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:802)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
    at sun.security.ssl.SSLSocketInputRecord.decode (SSLSocketInputRecord.java:167)
    at sun.security.ssl.SSLTransport.decode (SSLTransport.java:108)
    at sun.security.ssl.SSLSocketImpl.decode (SSLSocketImpl.java:1152)
    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord (SSLSocketImpl.java:1063)
    at sun.security.ssl.SSLSocketImpl.startHandshake (SSLSocketImpl.java:402)
    at sun.net.www.protocol.https.HttpsClient.afterConnect (HttpsClient.java:567)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect (AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect (HttpsURLConnectionImpl.java:163)
    at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection (HttpResourceConnection.java:178)
    at org.owasp.dependencycheck.utils.HttpResourceConnection.fetch (HttpResourceConnection.java:138)
    at org.owasp.dependencycheck.utils.Downloader.fetchContent (Downloader.java:110)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.getMetaFile (NvdCveUpdater.java:340)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.getUpdatesNeeded (NvdCveUpdater.java:385)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.update (NvdCveUpdater.java:122)
    at org.owasp.dependencycheck.Engine.doUpdates (Engine.java:922)
    at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase (Engine.java:723)
    at org.owasp.dependencycheck.Engine.analyzeDependencies (Engine.java:653)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.runCheck (BaseDependencyCheckMojo.java:1403)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:802)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)

@ghost

ghost commented Sep 24, 2019

> Disable the autoUpdate property. It varies depending on if you are using the CLI, maven or gradle plugin, etc. See the documentation

Of course, autoUpdate can be set to false like this:

<plugin>
  <!-- ... -->
  <configuration>
    <autoUpdate>false</autoUpdate>
  </configuration>
</plugin>

But this is not good advice. We can't enable and disable autoUpdate just because NIST is down. How are we supposed to deal with this behaviour in CI?

@catap

catap commented Sep 24, 2019

@lutzhorn but if someone uses CI that runs on a fresh instance somewhere in the cloud... well... it breaks the CI workflow :)

@jeremylong
Owner

@lutzhorn to ensure availability - I would highly recommend running the nist-data-mirror:

java -jar nist-data-mirror.jar <mirror-directory> json

In the above command you could also mirror the XML - but those data feeds are going away on October 9th, 2019 - I hope everyone has upgraded to ODC 5.x. Also, there is a docker container for the nist-data-mirror - but we could need to modify it as it currently downloads the JSON and XML data feeds by default.

@christian-weiss

nvd.nist.gov should use a highly available CDN (e.g. Amazon) or provide some mirrors for a fallback.
I know you always recommend having a local mirror, but working on this topic at both ends is better I think.

@christian-weiss

christian-weiss commented Sep 24, 2019

Can someone upload their cache to a xdesk.org repo - to let new vuls users get started (for experiments, not for production).
(else we have to wait for nvd.nist.gov to come up again)

@michha

michha commented Sep 24, 2019

it's online again

@Nriver

Nriver commented Sep 29, 2019

Now I use --noupdate during scan tasks, and added a cronjob to execute --updateonly once a day at night.
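
An added example, not part of the comment above or of the project's code: when updates are split from scans this way, a failed nightly update can leave scans running silently against stale data, so this sketch records each successful update and refuses to scan once the data is too old. The stamp path, the age limit, the function names and the `dependency-check.sh` launcher name in the comments are assumptions; only `--updateonly` and `--noupdate` come from the thread.

```shell
#!/bin/sh
# Assumed locations and limits; adjust to your environment.
STAMP="${STAMP:-/var/lib/odc/last-update-ok}"
MAX_AGE_HOURS="${MAX_AGE_HOURS:-48}"

# Cron side: run the updater given as arguments and record the time only
# when it exits 0, so a failed download never makes the data look fresh.
#   update_feeds dependency-check.sh --updateonly
update_feeds() {
    if "$@"; then
        date +%s > "$STAMP.tmp" && mv "$STAMP.tmp" "$STAMP"
    else
        echo "update failed; keeping previous stamp" >&2
        return 1
    fi
}

# Print the age of the last successful update in whole hours.
# Fails when no valid stamp exists.
data_age_hours() {
    [ -s "$STAMP" ] || return 1
    last=$(cat "$STAMP")
    case "$last" in ''|*[!0-9]*) return 1 ;; esac
    now=$(date +%s)
    echo $(( ($now - $last) / 3600 ))
}

# CI side: run the scanner given as arguments only if the data is fresh.
#   gated_scan dependency-check.sh --noupdate --scan .
# Returns 3 when data is missing or stale, otherwise the scanner's exit code.
gated_scan() {
    age=$(data_age_hours) || { echo "no successful update recorded" >&2; return 3; }
    if [ "$age" -gt "$MAX_AGE_HOURS" ]; then
        echo "vulnerability data is ${age}h old (limit ${MAX_AGE_HOURS}h)" >&2
        return 3
    fi
    "$@"
}
```

Treating exit code 3 as a distinct pipeline state lets a build distinguish "data too old to trust" from "vulnerabilities found".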

@kevvvvyp

kevvvvyp commented Sep 30, 2019

Is this down again?
[INFO] --- dependency-check-maven:5.2.1:check (default-cli) @ common ---
[INFO] Checking for updates
[ERROR] Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta
org.owasp.dependencycheck.data.update.exception.UpdateException: Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.getMetaFile(NvdCveUpdater.java:347)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.getUpdatesNeeded(NvdCveUpdater.java:385)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:122)
    at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:922)
    at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:723)
    at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:653)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.runCheck(BaseDependencyCheckMojo.java:1403)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute(BaseDependencyCheckMojo.java:802)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:134)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:208)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:154)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:146)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:309)
    at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:194)
    at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:107)
    at org.apache.maven.cli.MavenCli.execute(MavenCli.java:993)
    at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:345)
    at org.apache.maven.cli.MavenCli.main(MavenCli.java:191)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Download failed, unable to retrieve 'https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta'
    at org.owasp.dependencycheck.utils.Downloader.fetchContent(Downloader.java:115)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.getMetaFile(NvdCveUpdater.java:340)
    ... 29 more
Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Error downloading file https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta; unable to connect.
    at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:238)
    at org.owasp.dependencycheck.utils.HttpResourceConnection.fetch(HttpResourceConnection.java:138)
    at org.owasp.dependencycheck.utils.Downloader.fetchContent(Downloader.java:110)
    ... 30 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
    at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:178)
    ... 32 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
    ... 43 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
    ... 49 more

@ghost

ghost commented Sep 30, 2019

Is this down again?

Yes, see #2222.

@ST-DDT

ST-DDT commented Sep 30, 2019

I wouldn't call it down (It works with a normal browser). It just doesn't work with default Java.

@ghost

ghost commented Sep 30, 2019

I wouldn't call it down (It works with a normal browser). It just doesn't work with default Java.

Which in the context of this Maven plugin is as good as down :)

@jeremylong
Owner

Closing as this is a duplicate of #2222. A workaround is documented in #2222.

@jeremylong jeremylong closed this as completed Sep 30, 2019
@lock lock bot locked and limited conversation to collaborators Oct 30, 2019