Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NVD API request failures #6149

Closed
Casperxian opened this issue Nov 27, 2023 · 61 comments
Closed

NVD API request failures #6149

Casperxian opened this issue Nov 27, 2023 · 61 comments
Labels
bug duplicate

Comments

@Casperxian
Copy link

Describe the bug
Fail to run DependencyCheckAnalyze, no status code thrown as I cancelled the build due to it being over 1 hour build time.

Version of dependency-check used
The problem occurs using version 9.0.1 gradle plugin

Log file

Task :dependencyCheckAnalyze
Verifying dependencies for project AccessCheck
Checking for updates and analyzing dependencies for vulnerabilities

NVD API request failures are occurring; retrying request for the 5 time
NVD API request failures are occurring; retrying request for the 6 time
NVD API request failures are occurring; retrying request for the 7 time
NVD API request failures are occurring; retrying request for the 8 time
NVD API request failures are occurring; retrying request for the 9 time
NVD API request failures are occurring; retrying request for the 10 time
NVD API request failures are occurring; retrying request for the 11 time
NVD API request failures are occurring; retrying request for the 5 time
NVD API request failures are occurring; retrying request for the 6 time
NVD API request failures are occurring; retrying request for the 7 time
NVD API request failures are occurring; retrying request for the 8 time
NVD API request failures are occurring; retrying request for the 9 time
NVD API request failures are occurring; retrying request for the 10 time
NVD API request failures are occurring; retrying request for the 11 time
NVD API request failures are occurring; retrying request for the 5 time
NVD API request failures are occurring; retrying request for the 6 time
NVD API request failures are occurring; retrying request for the 7 time
NVD API request failures are occurring; retrying request for the 8 time
NVD API request failures are occurring; retrying request for the 9 time
NVD API request failures are occurring; retrying request for the 10 time
NVD API request failures are occurring; retrying request for the 11 time

Error updating the NVD Data
org.owasp.dependencycheck.data.update.exception.UpdateException: Error updating the NVD Data
at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi(NvdApiDataSource.java:338)
at org.owasp.dependencycheck.data.update.NvdApiDataSource.update(NvdApiDataSource.java:110)
at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:904)
at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:709)
at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:635)
at org.owasp.dependencycheck.gradle.tasks.AbstractAnalyze.analyze(AbstractAnalyze.groovy:100)
at [email protected]/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at [email protected]/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at [email protected]/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at [email protected]/java.lang.reflect.Method.invoke(Method.java:568)
at org.gradle.internal.reflect.JavaMethod.invoke(JavaMethod.java:125)
at org.gradle.api.internal.project.taskfactory.StandardTaskAction.doExecute(StandardTaskAction.java:58)
at org.gradle.api.internal.project.taskfactory.StandardTaskAction.execute(StandardTaskAction.java:51)
at org.gradle.api.internal.project.taskfactory.StandardTaskAction.execute(StandardTaskAction.java:29)
at org.gradle.api.internal.tasks.execution.TaskExecution$3.run(TaskExecution.java:248)
at org.gradle.internal.operations.DefaultBuildOperationRunner$1.execute(DefaultBuildOperationRunner.java:29)
at org.gradle.internal.operations.DefaultBuildOperationRunner$1.execute(DefaultBuildOperationRunner.java:26)
at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:66)
at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:59)
at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:157)
at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:59)
at org.gradle.internal.operations.DefaultBuildOperationRunner.run(DefaultBuildOperationRunner.java:47)
at org.gradle.internal.operations.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:68)
at org.gradle.api.internal.tasks.execution.TaskExecution.executeAction(TaskExecution.java:233)
at org.gradle.api.internal.tasks.execution.TaskExecution.executeActions(TaskExecution.java:216)
at org.gradle.api.internal.tasks.execution.TaskExecution.executeWithPreviousOutputFiles(TaskExecution.java:199)
at org.gradle.api.internal.tasks.execution.TaskExecution.execute(TaskExecution.java:166)
at org.gradle.internal.execution.steps.ExecuteStep.executeInternal(ExecuteStep.java:105)
at org.gradle.internal.execution.steps.ExecuteStep.access$000(ExecuteStep.java:44)
at org.gradle.internal.execution.steps.ExecuteStep$1.call(ExecuteStep.java:59)
at org.gradle.internal.execution.steps.ExecuteStep$1.call(ExecuteStep.java:56)
at org.gradle.internal.operations.DefaultBuildOperationRunner$CallableBuildOperationWorker.execute(DefaultBuildOperationRunner.java:204)
at org.gradle.internal.operations.DefaultBuildOperationRunner$CallableBuildOperationWorker.execute(DefaultBuildOperationRunner.java:199)
at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:66)
at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:59)
at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:157)
at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:59)
at org.gradle.internal.operations.DefaultBuildOperationRunner.call(DefaultBuildOperationRunner.java:53)
at org.gradle.internal.operations.DefaultBuildOperationExecutor.call(DefaultBuildOperationExecutor.java:73)
at org.gradle.internal.execution.steps.ExecuteStep.execute(ExecuteStep.java:56)
at org.gradle.internal.execution.steps.ExecuteStep.execute(ExecuteStep.java:44)
at org.gradle.internal.execution.steps.RemovePreviousOutputsStep.execute(RemovePreviousOutputsStep.java:67)
at org.gradle.internal.execution.steps.RemovePreviousOutputsStep.execute(RemovePreviousOutputsStep.java:37)
at org.gradle.internal.execution.steps.CancelExecutionStep.execute(CancelExecutionStep.java:41)
at org.gradle.internal.execution.steps.TimeoutStep.executeWithoutTimeout(TimeoutStep.java:74)
at org.gradle.internal.execution.steps.TimeoutStep.execute(TimeoutStep.java:55)
at org.gradle.internal.execution.steps.CreateOutputsStep.execute(CreateOutputsStep.java:50)
at org.gradle.internal.execution.steps.CreateOutputsStep.execute(CreateOutputsStep.java:28)
at org.gradle.internal.execution.steps.CaptureStateAfterExecutionStep.executeDelegateBroadcastingChanges(CaptureStateAfterExecutionStep.java:100)
at org.gradle.internal.execution.steps.CaptureStateAfterExecutionStep.execute(CaptureStateAfterExecutionStep.java:72)
at org.gradle.internal.execution.steps.CaptureStateAfterExecutionStep.execute(CaptureStateAfterExecutionStep.java:50)
at org.gradle.internal.execution.steps.ResolveInputChangesStep.execute(ResolveInputChangesStep.java:40)
at org.gradle.internal.execution.steps.ResolveInputChangesStep.execute(ResolveInputChangesStep.java:29)
at org.gradle.internal.execution.steps.BuildCacheStep.executeWithoutCache(BuildCacheStep.java:179)
at org.gradle.internal.execution.steps.BuildCacheStep.lambda$execute$1(BuildCacheStep.java:70)
at org.gradle.internal.Either$Right.fold(Either.java:175)
at org.gradle.internal.execution.caching.CachingState.fold(CachingState.java:59)
at org.gradle.internal.execution.steps.BuildCacheStep.execute(BuildCacheStep.java:68)
at org.gradle.internal.execution.steps.BuildCacheStep.execute(BuildCacheStep.java:46)
at org.gradle.internal.execution.steps.StoreExecutionStateStep.execute(StoreExecutionStateStep.java:36)
at org.gradle.internal.execution.steps.StoreExecutionStateStep.execute(StoreExecutionStateStep.java:25)
at org.gradle.internal.execution.steps.RecordOutputsStep.execute(RecordOutputsStep.java:36)
at org.gradle.internal.execution.steps.RecordOutputsStep.execute(RecordOutputsStep.java:22)
at org.gradle.internal.execution.steps.SkipUpToDateStep.executeBecause(SkipUpToDateStep.java:91)
at org.gradle.internal.execution.steps.SkipUpToDateStep.lambda$execute$2(SkipUpToDateStep.java:55)
at [email protected]/java.util.Optional.orElseGet(Optional.java:364)
at org.gradle.internal.execution.steps.SkipUpToDateStep.execute(SkipUpToDateStep.java:55)
at org.gradle.internal.execution.steps.SkipUpToDateStep.execute(SkipUpToDateStep.java:37)
at org.gradle.internal.execution.steps.ResolveChangesStep.execute(ResolveChangesStep.java:65)
at org.gradle.internal.execution.steps.ResolveChangesStep.execute(ResolveChangesStep.java:36)
at org.gradle.internal.execution.steps.legacy.MarkSnapshottingInputsFinishedStep.execute(MarkSnapshottingInputsFinishedStep.java:37)
at org.gradle.internal.execution.steps.legacy.MarkSnapshottingInputsFinishedStep.execute(MarkSnapshottingInputsFinishedStep.java:27)
at org.gradle.internal.execution.steps.ResolveCachingStateStep.execute(ResolveCachingStateStep.java:77)
at org.gradle.internal.execution.steps.ResolveCachingStateStep.execute(ResolveCachingStateStep.java:38)
at org.gradle.internal.execution.steps.ValidateStep.execute(ValidateStep.java:94)
at org.gradle.internal.execution.steps.ValidateStep.execute(ValidateStep.java:49)
at org.gradle.internal.execution.steps.CaptureStateBeforeExecutionStep.execute(CaptureStateBeforeExecutionStep.java:71)
at org.gradle.internal.execution.steps.CaptureStateBeforeExecutionStep.execute(CaptureStateBeforeExecutionStep.java:45)
at org.gradle.internal.execution.steps.SkipEmptyWorkStep.executeWithNonEmptySources(SkipEmptyWorkStep.java:177)
at org.gradle.internal.execution.steps.SkipEmptyWorkStep.execute(SkipEmptyWorkStep.java:81)
at org.gradle.internal.execution.steps.SkipEmptyWorkStep.execute(SkipEmptyWorkStep.java:53)
at org.gradle.internal.execution.steps.RemoveUntrackedExecutionStateStep.execute(RemoveUntrackedExecutionStateStep.java:32)
at org.gradle.internal.execution.steps.RemoveUntrackedExecutionStateStep.execute(RemoveUntrackedExecutionStateStep.java:21)
at org.gradle.internal.execution.steps.legacy.MarkSnapshottingInputsStartedStep.execute(MarkSnapshottingInputsStartedStep.java:38)
at org.gradle.internal.execution.steps.LoadPreviousExecutionStateStep.execute(LoadPreviousExecutionStateStep.java:36)
at org.gradle.internal.execution.steps.LoadPreviousExecutionStateStep.execute(LoadPreviousExecutionStateStep.java:23)
at org.gradle.internal.execution.steps.CleanupStaleOutputsStep.execute(CleanupStaleOutputsStep.java:75)
at org.gradle.internal.execution.steps.CleanupStaleOutputsStep.execute(CleanupStaleOutputsStep.java:41)
at org.gradle.internal.execution.steps.ExecuteWorkBuildOperationFiringStep.lambda$execute$2(ExecuteWorkBuildOperationFiringStep.java:66)
at [email protected]/java.util.Optional.orElseGet(Optional.java:364)
at org.gradle.internal.execution.steps.ExecuteWorkBuildOperationFiringStep.execute(ExecuteWorkBuildOperationFiringStep.java:66)
at org.gradle.internal.execution.steps.ExecuteWorkBuildOperationFiringStep.execute(ExecuteWorkBuildOperationFiringStep.java:38)
at org.gradle.internal.execution.steps.AssignWorkspaceStep.lambda$execute$0(AssignWorkspaceStep.java:32)
at org.gradle.api.internal.tasks.execution.TaskExecution$4.withWorkspace(TaskExecution.java:293)
at org.gradle.internal.execution.steps.AssignWorkspaceStep.execute(AssignWorkspaceStep.java:30)
at org.gradle.internal.execution.steps.AssignWorkspaceStep.execute(AssignWorkspaceStep.java:21)
at org.gradle.internal.execution.steps.IdentityCacheStep.execute(IdentityCacheStep.java:37)
at org.gradle.internal.execution.steps.IdentityCacheStep.execute(IdentityCacheStep.java:27)
at org.gradle.internal.execution.steps.IdentifyStep.execute(IdentifyStep.java:47)
at org.gradle.internal.execution.steps.IdentifyStep.execute(IdentifyStep.java:34)
at org.gradle.internal.execution.impl.DefaultExecutionEngine$1.execute(DefaultExecutionEngine.java:64)
at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.executeIfValid(ExecuteActionsTaskExecuter.java:146)
at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.execute(ExecuteActionsTaskExecuter.java:135)
at org.gradle.api.internal.tasks.execution.FinalizePropertiesTaskExecuter.execute(FinalizePropertiesTaskExecuter.java:46)
at org.gradle.api.internal.tasks.execution.ResolveTaskExecutionModeExecuter.execute(ResolveTaskExecutionModeExecuter.java:51)
at org.gradle.api.internal.tasks.execution.SkipTaskWithNoActionsExecuter.execute(SkipTaskWithNoActionsExecuter.java:57)
at org.gradle.api.internal.tasks.execution.SkipOnlyIfTaskExecuter.execute(SkipOnlyIfTaskExecuter.java:74)
at org.gradle.api.internal.tasks.execution.CatchExceptionTaskExecuter.execute(CatchExceptionTaskExecuter.java:36)
at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter$1.executeTask(EventFiringTaskExecuter.java:77)
at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter$1.call(EventFiringTaskExecuter.java:55)
at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter$1.call(EventFiringTaskExecuter.java:52)
at org.gradle.internal.operations.DefaultBuildOperationRunner$CallableBuildOperationWorker.execute(DefaultBuildOperationRunner.java:204)
at org.gradle.internal.operations.DefaultBuildOperationRunner$CallableBuildOperationWorker.execute(DefaultBuildOperationRunner.java:199)
at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:66)
at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:59)
at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:157)
at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:59)
at org.gradle.internal.operations.DefaultBuildOperationRunner.call(DefaultBuildOperationRunner.java:53)
at org.gradle.internal.operations.DefaultBuildOperationExecutor.call(DefaultBuildOperationExecutor.java:73)
at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter.execute(EventFiringTaskExecuter.java:52)
at org.gradle.execution.plan.LocalTaskNodeExecutor.execute(LocalTaskNodeExecutor.java:42)
at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$InvokeNodeExecutorsAction.execute(DefaultTaskExecutionGraph.java:331)
at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$InvokeNodeExecutorsAction.execute(DefaultTaskExecutionGraph.java:318)
at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$BuildOperationAwareExecutionAction.lambda$execute$0(DefaultTaskExecutionGraph.java:314)
at org.gradle.internal.operations.CurrentBuildOperationRef.with(CurrentBuildOperationRef.java:80)
at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$BuildOperationAwareExecutionAction.execute(DefaultTaskExecutionGraph.java:314)
at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$BuildOperationAwareExecutionAction.execute(DefaultTaskExecutionGraph.java:303)
at org.gradle.execution.plan.DefaultPlanExecutor$ExecutorWorker.execute(DefaultPlanExecutor.java:463)
at org.gradle.execution.plan.DefaultPlanExecutor$ExecutorWorker.run(DefaultPlanExecutor.java:380)
at org.gradle.internal.concurrent.ExecutorPolicy$CatchAndRecordFailures.onExecute(ExecutorPolicy.java:64)
at org.gradle.internal.concurrent.AbstractManagedExecutor$1.run(AbstractManagedExecutor.java:47)
at [email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at [email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at [email protected]/java.lang.Thread.run(Thread.java:833)
Caused by: io.github.jeremylong.openvulnerability.client.nvd.NvdApiException: java.lang.InterruptedException: sleep interrupted
at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.next(NvdCveClient.java:351)
at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.next(NvdCveClient.java:356)
at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.next(NvdCveClient.java:356)
at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.next(NvdCveClient.java:356)
at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.next(NvdCveClient.java:356)
at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.next(NvdCveClient.java:356)
at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi(NvdApiDataSource.java:317)
... 133 more
Caused by: java.lang.InterruptedException: sleep interrupted
at java.base/java.lang.Thread.sleep(Native Method)
at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.getCompletedFuture(NvdCveClient.java:396)
at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.next(NvdCveClient.java:315)
... 139 more
Failed to initialize the RetireJS repo
org.owasp.dependencycheck.data.update.exception.UpdateException: Failed to initialize the RetireJS repo
at org.owasp.dependencycheck.data.update.RetireJSDataSource.initializeRetireJsRepo(RetireJSDataSource.java:141)
at org.owasp.dependencycheck.data.update.RetireJSDataSource.update(RetireJSDataSource.java:89)
at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:904)
at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:709)
at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:635)
at org.owasp.dependencycheck.gradle.tasks.AbstractAnalyze.analyze(AbstractAnalyze.groovy:100)
at [email protected]/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at [email protected]/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at [email protected]/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at [email protected]/java.lang.reflect.Method.invoke(Method.java:568)
at org.gradle.internal.reflect.JavaMethod.invoke(JavaMethod.java:125)
at org.gradle.api.internal.project.taskfactory.StandardTaskAction.doExecute(StandardTaskAction.java:58)
at org.gradle.api.internal.project.taskfactory.StandardTaskAction.execute(StandardTaskAction.java:51)
at org.gradle.api.internal.project.taskfactory.StandardTaskAction.execute(StandardTaskAction.java:29)
at org.gradle.api.internal.tasks.execution.TaskExecution$3.run(TaskExecution.java:248)
at org.gradle.internal.operations.DefaultBuildOperationRunner$1.execute(DefaultBuildOperationRunner.java:29)
at org.gradle.internal.operations.DefaultBuildOperationRunner$1.execute(DefaultBuildOperationRunner.java:26)
at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:66)
at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:59)
at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:157)
at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:59)
at org.gradle.internal.operations.DefaultBuildOperationRunner.run(DefaultBuildOperationRunner.java:47)
at org.gradle.internal.operations.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:68)
at org.gradle.api.internal.tasks.execution.TaskExecution.executeAction(TaskExecution.java:233)
at org.gradle.api.internal.tasks.execution.TaskExecution.executeActions(TaskExecution.java:216)
at org.gradle.api.internal.tasks.execution.TaskExecution.executeWithPreviousOutputFiles(TaskExecution.java:199)
at org.gradle.api.internal.tasks.execution.TaskExecution.execute(TaskExecution.java:166)
at org.gradle.internal.execution.steps.ExecuteStep.executeInternal(ExecuteStep.java:105)
at org.gradle.internal.execution.steps.ExecuteStep.access$000(ExecuteStep.java:44)
at org.gradle.internal.execution.steps.ExecuteStep$1.call(ExecuteStep.java:59)
at org.gradle.internal.execution.steps.ExecuteStep$1.call(ExecuteStep.java:56)
at org.gradle.internal.operations.DefaultBuildOperationRunner$CallableBuildOperationWorker.execute(DefaultBuildOperationRunner.java:204)
at org.gradle.internal.operations.DefaultBuildOperationRunner$CallableBuildOperationWorker.execute(DefaultBuildOperationRunner.java:199)
at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:66)
at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:59)
at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:157)
at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:59)
at org.gradle.internal.operations.DefaultBuildOperationRunner.call(DefaultBuildOperationRunner.java:53)
at org.gradle.internal.operations.DefaultBuildOperationExecutor.call(DefaultBuildOperationExecutor.java:73)
at org.gradle.internal.execution.steps.ExecuteStep.execute(ExecuteStep.java:56)
at org.gradle.internal.execution.steps.ExecuteStep.execute(ExecuteStep.java:44)
at org.gradle.internal.execution.steps.RemovePreviousOutputsStep.execute(RemovePreviousOutputsStep.java:67)
at org.gradle.internal.execution.steps.RemovePreviousOutputsStep.execute(RemovePreviousOutputsStep.java:37)
at org.gradle.internal.execution.steps.CancelExecutionStep.execute(CancelExecutionStep.java:41)
at org.gradle.internal.execution.steps.TimeoutStep.executeWithoutTimeout(TimeoutStep.java:74)
at org.gradle.internal.execution.steps.TimeoutStep.execute(TimeoutStep.java:55)
at org.gradle.internal.execution.steps.CreateOutputsStep.execute(CreateOutputsStep.java:50)
at org.gradle.internal.execution.steps.CreateOutputsStep.execute(CreateOutputsStep.java:28)
at org.gradle.internal.execution.steps.CaptureStateAfterExecutionStep.executeDelegateBroadcastingChanges(CaptureStateAfterExecutionStep.java:100)
at org.gradle.internal.execution.steps.CaptureStateAfterExecutionStep.execute(CaptureStateAfterExecutionStep.java:72)
at org.gradle.internal.execution.steps.CaptureStateAfterExecutionStep.execute(CaptureStateAfterExecutionStep.java:50)
at org.gradle.internal.execution.steps.ResolveInputChangesStep.execute(ResolveInputChangesStep.java:40)
at org.gradle.internal.execution.steps.ResolveInputChangesStep.execute(ResolveInputChangesStep.java:29)
at org.gradle.internal.execution.steps.BuildCacheStep.executeWithoutCache(BuildCacheStep.java:179)
at org.gradle.internal.execution.steps.BuildCacheStep.lambda$execute$1(BuildCacheStep.java:70)
at org.gradle.internal.Either$Right.fold(Either.java:175)
at org.gradle.internal.execution.caching.CachingState.fold(CachingState.java:59)
at org.gradle.internal.execution.steps.BuildCacheStep.execute(BuildCacheStep.java:68)
at org.gradle.internal.execution.steps.BuildCacheStep.execute(BuildCacheStep.java:46)
at org.gradle.internal.execution.steps.StoreExecutionStateStep.execute(StoreExecutionStateStep.java:36)
at org.gradle.internal.execution.steps.StoreExecutionStateStep.execute(StoreExecutionStateStep.java:25)
at org.gradle.internal.execution.steps.RecordOutputsStep.execute(RecordOutputsStep.java:36)
at org.gradle.internal.execution.steps.RecordOutputsStep.execute(RecordOutputsStep.java:22)
at org.gradle.internal.execution.steps.SkipUpToDateStep.executeBecause(SkipUpToDateStep.java:91)
at org.gradle.internal.execution.steps.SkipUpToDateStep.lambda$execute$2(SkipUpToDateStep.java:55)
at [email protected]/java.util.Optional.orElseGet(Optional.java:364)
at org.gradle.internal.execution.steps.SkipUpToDateStep.execute(SkipUpToDateStep.java:55)
at org.gradle.internal.execution.steps.SkipUpToDateStep.execute(SkipUpToDateStep.java:37)
at org.gradle.internal.execution.steps.ResolveChangesStep.execute(ResolveChangesStep.java:65)
at org.gradle.internal.execution.steps.ResolveChangesStep.execute(ResolveChangesStep.java:36)
at org.gradle.internal.execution.steps.legacy.MarkSnapshottingInputsFinishedStep.execute(MarkSnapshottingInputsFinishedStep.java:37)
at org.gradle.internal.execution.steps.legacy.MarkSnapshottingInputsFinishedStep.execute(MarkSnapshottingInputsFinishedStep.java:27)
at org.gradle.internal.execution.steps.ResolveCachingStateStep.execute(ResolveCachingStateStep.java:77)
at org.gradle.internal.execution.steps.ResolveCachingStateStep.execute(ResolveCachingStateStep.java:38)
at org.gradle.internal.execution.steps.ValidateStep.execute(ValidateStep.java:94)
at org.gradle.internal.execution.steps.ValidateStep.execute(ValidateStep.java:49)
at org.gradle.internal.execution.steps.CaptureStateBeforeExecutionStep.execute(CaptureStateBeforeExecutionStep.java:71)
at org.gradle.internal.execution.steps.CaptureStateBeforeExecutionStep.execute(CaptureStateBeforeExecutionStep.java:45)
at org.gradle.internal.execution.steps.SkipEmptyWorkStep.executeWithNonEmptySources(SkipEmptyWorkStep.java:177)
at org.gradle.internal.execution.steps.SkipEmptyWorkStep.execute(SkipEmptyWorkStep.java:81)
at org.gradle.internal.execution.steps.SkipEmptyWorkStep.execute(SkipEmptyWorkStep.java:53)
at org.gradle.internal.execution.steps.RemoveUntrackedExecutionStateStep.execute(RemoveUntrackedExecutionStateStep.java:32)
at org.gradle.internal.execution.steps.RemoveUntrackedExecutionStateStep.execute(RemoveUntrackedExecutionStateStep.java:21)
at org.gradle.internal.execution.steps.legacy.MarkSnapshottingInputsStartedStep.execute(MarkSnapshottingInputsStartedStep.java:38)
at org.gradle.internal.execution.steps.LoadPreviousExecutionStateStep.execute(LoadPreviousExecutionStateStep.java:36)
at org.gradle.internal.execution.steps.LoadPreviousExecutionStateStep.execute(LoadPreviousExecutionStateStep.java:23)
at org.gradle.internal.execution.steps.CleanupStaleOutputsStep.execute(CleanupStaleOutputsStep.java:75)
at org.gradle.internal.execution.steps.CleanupStaleOutputsStep.execute(CleanupStaleOutputsStep.java:41)
at org.gradle.internal.execution.steps.ExecuteWorkBuildOperationFiringStep.lambda$execute$2(ExecuteWorkBuildOperationFiringStep.java:66)
at [email protected]/java.util.Optional.orElseGet(Optional.java:364)
at org.gradle.internal.execution.steps.ExecuteWorkBuildOperationFiringStep.execute(ExecuteWorkBuildOperationFiringStep.java:66)
at org.gradle.internal.execution.steps.ExecuteWorkBuildOperationFiringStep.execute(ExecuteWorkBuildOperationFiringStep.java:38)
at org.gradle.internal.execution.steps.AssignWorkspaceStep.lambda$execute$0(AssignWorkspaceStep.java:32)
at org.gradle.api.internal.tasks.execution.TaskExecution$4.withWorkspace(TaskExecution.java:293)
at org.gradle.internal.execution.steps.AssignWorkspaceStep.execute(AssignWorkspaceStep.java:30)
at org.gradle.internal.execution.steps.AssignWorkspaceStep.execute(AssignWorkspaceStep.java:21)
at org.gradle.internal.execution.steps.IdentityCacheStep.execute(IdentityCacheStep.java:37)
at org.gradle.internal.execution.steps.IdentityCacheStep.execute(IdentityCacheStep.java:27)
at org.gradle.internal.execution.steps.IdentifyStep.execute(IdentifyStep.java:47)
at org.gradle.internal.execution.steps.IdentifyStep.execute(IdentifyStep.java:34)
at org.gradle.internal.execution.impl.DefaultExecutionEngine$1.execute(DefaultExecutionEngine.java:64)
at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.executeIfValid(ExecuteActionsTaskExecuter.java:146)
at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.execute(ExecuteActionsTaskExecuter.java:135)
at org.gradle.api.internal.tasks.execution.FinalizePropertiesTaskExecuter.execute(FinalizePropertiesTaskExecuter.java:46)
at org.gradle.api.internal.tasks.execution.ResolveTaskExecutionModeExecuter.execute(ResolveTaskExecutionModeExecuter.java:51)
at org.gradle.api.internal.tasks.execution.SkipTaskWithNoActionsExecuter.execute(SkipTaskWithNoActionsExecuter.java:57)
at org.gradle.api.internal.tasks.execution.SkipOnlyIfTaskExecuter.execute(SkipOnlyIfTaskExecuter.java:74)
at org.gradle.api.internal.tasks.execution.CatchExceptionTaskExecuter.execute(CatchExceptionTaskExecuter.java:36)
at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter$1.executeTask(EventFiringTaskExecuter.java:77)
at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter$1.call(EventFiringTaskExecuter.java:55)
at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter$1.call(EventFiringTaskExecuter.java:52)
at org.gradle.internal.operations.DefaultBuildOperationRunner$CallableBuildOperationWorker.execute(DefaultBuildOperationRunner.java:204)
at org.gradle.internal.operations.DefaultBuildOperationRunner$CallableBuildOperationWorker.execute(DefaultBuildOperationRunner.java:199)
at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:66)
at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:59)
at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:157)
at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:59)
at org.gradle.internal.operations.DefaultBuildOperationRunner.call(DefaultBuildOperationRunner.java:53)
at org.gradle.internal.operations.DefaultBuildOperationExecutor.call(DefaultBuildOperationExecutor.java:73)
at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter.execute(EventFiringTaskExecuter.java:52)
at org.gradle.execution.plan.LocalTaskNodeExecutor.execute(LocalTaskNodeExecutor.java:42)
at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$InvokeNodeExecutorsAction.execute(DefaultTaskExecutionGraph.java:331)
at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$InvokeNodeExecutorsAction.execute(DefaultTaskExecutionGraph.java:318)
at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$BuildOperationAwareExecutionAction.lambda$execute$0(DefaultTaskExecutionGraph.java:314)
at org.gradle.internal.operations.CurrentBuildOperationRef.with(CurrentBuildOperationRef.java:80)
at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$BuildOperationAwareExecutionAction.execute(DefaultTaskExecutionGraph.java:314)
at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$BuildOperationAwareExecutionAction.execute(DefaultTaskExecutionGraph.java:303)
at org.gradle.execution.plan.DefaultPlanExecutor$ExecutorWorker.execute(DefaultPlanExecutor.java:463)
at org.gradle.execution.plan.DefaultPlanExecutor$ExecutorWorker.run(DefaultPlanExecutor.java:380)
at org.gradle.internal.concurrent.ExecutorPolicy$CatchAndRecordFailures.onExecute(ExecutorPolicy.java:64)
at org.gradle.internal.concurrent.AbstractManagedExecutor$1.run(AbstractManagedExecutor.java:47)
at [email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at [email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at [email protected]/java.lang.Thread.run(Thread.java:833)
Caused by: org.owasp.dependencycheck.exception.WriteLockException: Unable to obtain the update lock, skipping the database update. Skipping the database update.
at org.owasp.dependencycheck.utils.WriteLock.lock(WriteLock.java:199)
at org.owasp.dependencycheck.utils.WriteLock.(WriteLock.java:134)
at org.owasp.dependencycheck.data.update.RetireJSDataSource.initializeRetireJsRepo(RetireJSDataSource.java:136)
... 133 more
Unable to continue dependency-check analysis.

  • What went wrong:
    Execution failed for task ':dependencyCheckAnalyze'.

To Reproduce
Steps to reproduce the behavior:
Run: "./gradlew dependencyCheckAnalyze"

Expected behavior
CVE Report generated

Additional context
I have tried disabling my proxy and also commenting out jdk.http.auth.tunneling.disabledSchemes=Basic in java .net.properties but so far it does not work for me, i do get status code 407 when I enabled both proxy and uncomment dk.http.auth.tunneling.disabledSchemes but also the get the same issue as above sometimes.
@Casperxian Casperxian added the bug label Nov 27, 2023
@Sjoerd97
Copy link

Can you share your the gradle configuration where you configure the dependencyCheck plugin?

@Casperxian
Copy link
Author

here it is

extensions.findByType(org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension::class.java)?.apply {
format = "JSON"
failOnError = false
nvd.apiKey = "########-####-####-####-###########
nvd.validForHours = 24
}

@ccerrillo
Copy link

ccerrillo commented Nov 27, 2023
edited
Loading

I can confirm the same issue using Maven.
And this is also related #6147

@NathanDotTo
Copy link

Same issue here. My build for a project called "appsensor" is encapsulated in Docker files here: https://github.com/NathanDotTo/appsensor

@jeremylong
Copy link
Owner

are you behind a proxy?

@NathanDotTo
Copy link

NathanDotTo commented Nov 27, 2023 via email

@jeremylong
Copy link
Owner

great... the the 407 is actually coming from the NVD somehow? That is going to cause some confusion for those that are actually behind a proxy...

@JasonShuyinta
Copy link

I'm having the same issue I guess, these are some of the logs if it could help:
I'm using home network as well, so I'm not behind a proxy.

Task :dependencyCheckAnalyze
Error updating the NVD Data
org.owasp.dependencycheck.data.update.exception.UpdateException: Error updating the NVD Data
at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi(NvdApiDataSource.java:338)
at org.owasp.dependencycheck.data.update.NvdApiDataSource.update(NvdApiDataSource.java:110)
at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:904)
at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:709)
at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:635)
[....]
Caused by: io.github.jeremylong.openvulnerability.client.nvd.NvdApiException: NVD Returned Status Code: 504
at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.next(NvdCveClient.java:346)
at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi(NvdApiDataSource.java:317)
... 127 more

@NathanDotTo
Copy link

NathanDotTo commented Nov 27, 2023 via email

@jeremylong
Copy link
Owner

@JasonShuyinta that is a different status code. The 504 should be handled in the next release.

@echalone
Copy link
Contributor

We had the 504 error today but then sometimes that works and then we get endless "NVD API request failures are occurring; retrying request for the x time" error as well now

@codecutr
Copy link

@jeremylong Is the 504 issue still unresolved? I am experiencing the same error as @JasonShuyinta.

@thisjustin816
Copy link

I tried adding an api key in azure pipelines to get around the 504 issue and now just get 404s

@Casperxian
Copy link
Author

Even without proxy it will not complete a run even after waiting an hour. curling to NVD NIST works for me on terminal so Im not sure what is the issue for the build to not be completed with many retries.

The link of the curl: https://services.nvd.nist.gov/rest/json/cvehistory/2.0?cveId=CVE-2019-1010218

@ccerrillo
Copy link

NVD has put a temporary block #6107 (comment)

@jeremylong jeremylong changed the title NVD API request failure constantly with status 407 code thrown sometimes NVD API request failures Nov 28, 2023
This was referenced Nov 28, 2023
Closed
Closed
Closed
Closed
Closed
@mucst
Copy link

mucst commented Nov 28, 2023

Also got 403 with plugin version 9.0.1.
Earlier with 9.0.0 I got "database is closed", 503 error.

config:

dependencyCheck {

    // exclude the following configurations as they are not relevant for the resulting artifact
    scanConfigurations = ['runtime', 'runtimeClasspath', 'runtimeElements', 'runtimeOnly']

    analyzers {
        assemblyEnabled = false
    }

    failOnError = false
    format = isCiServer ? 'XML': 'HTML'
    outputDirectory = file("$buildDir/reports/dependency-check")

    hintsFile = dependencyCheckHintsFile
    suppressionFiles += dependencyCheckSuppressionFile
}

Downgrading to latest of 8.x (8.4.3 today) fixed it.

@Sjoerd97
Copy link

Down grading should never be the fix. Beside 8.4.3 will stop working.

@echalone
Copy link
Contributor

echalone commented Nov 28, 2023
edited
Loading

Yeah well the problem is 9.x never started working for many of us.
We're still using 8.4.3 as this works

@pnsag
Copy link

pnsag commented Nov 28, 2023

Hopefully we can overcome that situation very soon, as this is blocking.

@stephan-uhlmann
Copy link

stephan-uhlmann commented Nov 28, 2023
edited
Loading

Can confirm that with version 9.0.1 and 9.0.0 download of the NVD database is not working, while with 8.4.3 it still is working. (//edit: typo, 9.x is not working.)
@Sjoerd97 What's the reason why 8.4.3 will stop working?

@norrisjeremy
Copy link

Can confirm that with version 9.0.1 and 9.0.0 download of the NVD database is working, while with 8.4.3 it still is working. @Sjoerd97 What's the reason why 8.4.3 will stop working?

Maybe try reading the notice on the main page?

@thisjustin816
Copy link

Can confirm that with version 9.0.1 and 9.0.0 download of the NVD database is working, while with 8.4.3 it still is working.

@Sjoerd97 What's the reason why 8.4.3 will stop working?

Did you mean not working? I'm still getting a 403.

@pnsag
Copy link

pnsag commented Nov 28, 2023
edited
Loading

Can confirm that with version 9.0.1 and 9.0.0 download of the NVD database is working

How did you managed that permanently. I had it working at the weekend only, than stopped again.

@The28AWG
Copy link

The28AWG commented Dec 1, 2023

Thanks!

@jeremylong jeremylong mentioned this issue Dec 1, 2023
Closed
@JaroslavMajera JaroslavMajera mentioned this issue Dec 1, 2023
Closed
@marcelhdl
Copy link

@jeremylong Works for me ! Thx for your great work!

@OrangeDog
Copy link
Contributor

9.0.2 is working! No retries logged. Took ~10 minutes.

@jeremylong
Copy link
Owner

If you receive a 403 response - your API key is likely invalid/incorrect. See https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#api-key-is-used-and-a-403-or-404-error-occurs

@pnsag
Copy link

pnsag commented Dec 1, 2023

9.0.2 worked even though updating took around 1,5 hours using apiKey

@jeremylong
Copy link
Owner

I just completed an update and the entire update took ~10 minutes.

@gbrinkmann
Copy link

I just completed an update and the entire update took ~10 minutes.

Initial downloads (first time user of 9.x) may take a while (currently about 60% in about 30min on dev notebook, full sonar3 build including your 9.0.2). No API key or other custom params. Okay for me since this is just a test. I don't mind durations in Bamboo sonar3 builds, initial build may be slow here too and updates may be slower than before 9.0.0 - would be okay for me.

Maybe we'll request an API Key - maybe not - we'll see :)

Thanks for your quick update!

@jeremylong
Copy link
Owner

All - if you are using the report format ALL or GitLab you may run into #6187. Sorry about that, expect a patch early next week (and please no need to "me too" on this issue).

@jeremylong
Copy link
Owner

Closing this issue as I believe the root of this problem is resolved now. Pending fixes in the 9.0.0 release are:

  1. Proxy authentication (NVD API & Proxy Issues #6127)
  2. report format ALL/GitLab (Gradle Plugin: NullPointerException in ReportTool #6187)

@pnsag
Copy link

pnsag commented Dec 1, 2023

.2 worked even though updating took around 1,5 hours using apiKey

Trapped myself with extended nvdApiDelay. Sorry for bothering.

@carloreggiani
Copy link

carloreggiani commented Dec 1, 2023 via email

@thisjustin816
Copy link

I'm still getting a 404 with the azure pipelines task. I generated a new API key and confirmed that it's working with the curl command.

az pipelines

2023-12-01T16:19:48.5157124Z Starting Dependency Check...
2023-12-01T16:19:48.6599596Z Setting report directory to D:\a\1\TestResults\dependency-check
2023-12-01T16:19:48.6601074Z Creating report directory at D:\a\1\TestResults\dependency-check
2023-12-01T16:19:48.6609730Z Downloading Dependency Check latest installer from GitHub..
2023-12-01T16:19:49.1220782Z Downloading ZIP from "https://github.com/jeremylong/DependencyCheck/releases/download/v9.0.2/dependency-check-9.0.2-release.zip"...
2023-12-01T16:19:49.9698440Z Dependency Check script set to D:\a\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\6.1.3\dependency-check\bin\dependency-check.bat
2023-12-01T16:19:49.9700560Z Invoking Dependency Check...
2023-12-01T16:19:49.9701847Z Path: D:\a\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\6.1.3\dependency-check\bin\dependency-check.bat
2023-12-01T16:19:49.9705551Z Arguments: --project "Update" --out "D:\a\1\TestResults\dependency-check" --scan "D:\a\1" --format HTML --data "D:\a\1/owasp-dependency-check-data" --nvdApiKey *** --ossIndexUsername *** --ossIndexPassword *** --updateonly
2023-12-01T16:19:49.9746430Z [command]C:\Windows\system32\cmd.exe /D /S /C "D:\a\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\6.1.3\dependency-check\bin\dependency-check.bat --version"
2023-12-01T16:19:59.7260507Z Dependency-Check Core version 9.0.2
2023-12-01T16:19:59.7773877Z 
2023-12-01T16:19:59.7796034Z Searching for left over lock files...
2023-12-01T16:19:59.8107971Z found no left over lock files, continuing...
2023-12-01T16:19:59.8147012Z [command]C:\Windows\system32\cmd.exe /D /S /C "D:\a\_tasks\dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72\6.1.3\dependency-check\bin\dependency-check.bat --project Update --out D:\a\1\TestResults\dependency-check --scan D:\a\1 --format HTML --data D:\a\1/owasp-dependency-check-data --nvdApiKey *** --ossIndexUsername *** --ossIndexPassword *** --updateonly"
2023-12-01T16:20:02.0973011Z [WARN] ossIndexPassword used on the command line, consider moving the password to a properties file using the key `analyzer.ossindex.password` and using the --propertyfile argument instead
2023-12-01T16:20:07.4109445Z [INFO] Checking for updates
2023-12-01T16:20:19.3899855Z [ERROR] Error updating the NVD Data
2023-12-01T16:20:19.3901382Z org.owasp.dependencycheck.data.update.exception.UpdateException: Error updating the NVD Data
2023-12-01T16:20:19.3903366Z 	at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi(NvdApiDataSource.java:340)
2023-12-01T16:20:19.3905279Z 	at org.owasp.dependencycheck.data.update.NvdApiDataSource.update(NvdApiDataSource.java:110)
2023-12-01T16:20:19.3906767Z 	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:906)
2023-12-01T16:20:19.3907940Z 	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:878)
2023-12-01T16:20:19.3909090Z 	at org.owasp.dependencycheck.App.runUpdateOnly(App.java:427)
2023-12-01T16:20:19.3910097Z 	at org.owasp.dependencycheck.App.run(App.java:172)
2023-12-01T16:20:19.3911040Z 	at org.owasp.dependencycheck.App.main(App.java:89)
2023-12-01T16:20:19.3912503Z Caused by: io.github.jeremylong.openvulnerability.client.nvd.NvdApiException: NVD Returned Status Code: 404
2023-12-01T16:20:19.3918273Z 	at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.next(NvdCveClient.java:346)
2023-12-01T16:20:19.3919510Z 	at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi(NvdApiDataSource.java:319)
2023-12-01T16:20:19.3920447Z 	... 6 common frames omitted
2023-12-01T16:20:19.9733228Z [INFO] Updating CISA Known Exploited Vulnerability list: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
2023-12-01T16:20:20.4894647Z [ERROR] Error reading CISA Known Exploited Vulnerabilities JSON data
2023-12-01T16:20:20.5145157Z [ERROR] Unable to find the CISA Known Exploited Vulnerabilities file to parse
2023-12-01T16:20:20.5147364Z org.owasp.dependencycheck.data.update.exception.UpdateException: Unable to find the CISA Known Exploited Vulnerabilities file to parse
2023-12-01T16:20:20.5149335Z 	at org.owasp.dependencycheck.data.update.cisa.KnownExploitedVulnerabilityParser.parse(KnownExploitedVulnerabilityParser.java:84)
2023-12-01T16:20:20.5150954Z 	at org.owasp.dependencycheck.data.update.KnownExploitedDataSource.update(KnownExploitedDataSource.java:82)
2023-12-01T16:20:20.5152026Z 	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:906)
2023-12-01T16:20:20.5152734Z 	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:878)
2023-12-01T16:20:20.5153442Z 	at org.owasp.dependencycheck.App.runUpdateOnly(App.java:427)
2023-12-01T16:20:20.5154069Z 	at org.owasp.dependencycheck.App.run(App.java:172)
2023-12-01T16:20:20.5154606Z 	at org.owasp.dependencycheck.App.main(App.java:89)
2023-12-01T16:20:20.5158686Z Caused by: com.fasterxml.jackson.databind.exc.InvalidFormatException: Cannot deserialize value of type `java.util.Date` from String "2023-12-01T15:09:26..642Z": not a valid representation (error: Failed to parse Date value '2023-12-01T15:09:26..642Z': Cannot parse date "2023-12-01T15:09:26..642Z": while it seems to fit format 'yyyy-MM-dd'T'HH:mm:ss.SSSX', parsing fails (leniency? null))
2023-12-01T16:20:20.5163232Z  at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 4, column: 21] (through reference chain: org.owasp.dependencycheck.data.knownexploited.json.KnownExploitedVulnerabilitiesSchema["dateReleased"])
2023-12-01T16:20:20.5165401Z 	at com.fasterxml.jackson.databind.exc.InvalidFormatException.from(InvalidFormatException.java:67)
2023-12-01T16:20:20.5166781Z 	at com.fasterxml.jackson.databind.DeserializationContext.weirdStringException(DeserializationContext.java:1958)
2023-12-01T16:20:20.5168527Z 	at com.fasterxml.jackson.databind.DeserializationContext.handleWeirdStringValue(DeserializationContext.java:1245)
2023-12-01T16:20:20.5169850Z 	at com.fasterxml.jackson.databind.deser.std.StdDeserializer._parseDate(StdDeserializer.java:1362)
2023-12-01T16:20:20.5171026Z 	at com.fasterxml.jackson.databind.deser.std.StdDeserializer._parseDate(StdDeserializer.java:1304)
2023-12-01T16:20:20.5172380Z 	at com.fasterxml.jackson.databind.deser.std.DateDeserializers$DateBasedDeserializer._parseDate(DateDeserializers.java:201)
2023-12-01T16:20:20.5173870Z 	at com.fasterxml.jackson.databind.deser.std.DateDeserializers$DateDeserializer.deserialize(DateDeserializers.java:303)
2023-12-01T16:20:20.5175340Z 	at com.fasterxml.jackson.databind.deser.std.DateDeserializers$DateDeserializer.deserialize(DateDeserializers.java:281)
2023-12-01T16:20:20.5176929Z 	at com.fasterxml.jackson.module.afterburner.deser.SettableObjectMethodProperty.deserializeAndSet(SettableObjectMethodProperty.java:47)
2023-12-01T16:20:20.5178588Z 	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:273)
2023-12-01T16:20:20.5180051Z 	at com.fasterxml.jackson.module.afterburner.deser.SuperSonicBeanDeserializer.deserialize(SuperSonicBeanDeserializer.java:155)
2023-12-01T16:20:20.5181705Z 	at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:342)
2023-12-01T16:20:20.5183008Z 	at com.fasterxml.jackson.databind.ObjectReader._bind(ObjectReader.java:2099)
2023-12-01T16:20:20.5184915Z 	at com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:1249)
2023-12-01T16:20:20.5186347Z 	at org.owasp.dependencycheck.data.update.cisa.KnownExploitedVulnerabilityParser.parse(KnownExploitedVulnerabilityParser.java:77)
2023-12-01T16:20:20.5187505Z 	... 6 common frames omitted
2023-12-01T16:20:20.5446015Z [ERROR] Unable to find the CISA Known Exploited Vulnerabilities file to parse
2023-12-01T16:20:20.5447465Z org.owasp.dependencycheck.data.update.exception.UpdateException: Unable to find the CISA Known Exploited Vulnerabilities file to parse
2023-12-01T16:20:20.5449225Z 	at org.owasp.dependencycheck.data.update.cisa.KnownExploitedVulnerabilityParser.parse(KnownExploitedVulnerabilityParser.java:84)
2023-12-01T16:20:20.5452269Z 	at org.owasp.dependencycheck.data.update.KnownExploitedDataSource.update(KnownExploitedDataSource.java:82)
2023-12-01T16:20:20.5453539Z 	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:906)
2023-12-01T16:20:20.5454258Z 	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:878)
2023-12-01T16:20:20.5454967Z 	at org.owasp.dependencycheck.App.runUpdateOnly(App.java:427)
2023-12-01T16:20:20.5458091Z 	at org.owasp.dependencycheck.App.run(App.java:172)
2023-12-01T16:20:20.5458774Z 	at org.owasp.dependencycheck.App.main(App.java:89)
2023-12-01T16:20:20.5462326Z Caused by: com.fasterxml.jackson.databind.exc.InvalidFormatException: Cannot deserialize value of type `java.util.Date` from String "2023-12-01T15:09:26..642Z": not a valid representation (error: Failed to parse Date value '2023-12-01T15:09:26..642Z': Cannot parse date "2023-12-01T15:09:26..642Z": while it seems to fit format 'yyyy-MM-dd'T'HH:mm:ss.SSSX', parsing fails (leniency? null))
2023-12-01T16:20:20.5466739Z  at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 4, column: 21] (through reference chain: org.owasp.dependencycheck.data.knownexploited.json.KnownExploitedVulnerabilitiesSchema["dateReleased"])
2023-12-01T16:20:20.5469236Z 	at com.fasterxml.jackson.databind.exc.InvalidFormatException.from(InvalidFormatException.java:67)
2023-12-01T16:20:20.5471029Z 	at com.fasterxml.jackson.databind.DeserializationContext.weirdStringException(DeserializationContext.java:1958)
2023-12-01T16:20:20.5472780Z 	at com.fasterxml.jackson.databind.DeserializationContext.handleWeirdStringValue(DeserializationContext.java:1245)
2023-12-01T16:20:20.5475087Z 	at com.fasterxml.jackson.databind.deser.std.StdDeserializer._parseDate(StdDeserializer.java:1362)
2023-12-01T16:20:20.5476389Z 	at com.fasterxml.jackson.databind.deser.std.StdDeserializer._parseDate(StdDeserializer.java:1304)
2023-12-01T16:20:20.5477852Z 	at com.fasterxml.jackson.databind.deser.std.DateDeserializers$DateBasedDeserializer._parseDate(DateDeserializers.java:201)
2023-12-01T16:20:20.5479482Z 	at com.fasterxml.jackson.databind.deser.std.DateDeserializers$DateDeserializer.deserialize(DateDeserializers.java:303)
2023-12-01T16:20:20.5481050Z 	at com.fasterxml.jackson.databind.deser.std.DateDeserializers$DateDeserializer.deserialize(DateDeserializers.java:281)
2023-12-01T16:20:20.5482790Z 	at com.fasterxml.jackson.module.afterburner.deser.SettableObjectMethodProperty.deserializeAndSet(SettableObjectMethodProperty.java:47)
2023-12-01T16:20:20.5484339Z 	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:273)
2023-12-01T16:20:20.5485807Z 	at com.fasterxml.jackson.module.afterburner.deser.SuperSonicBeanDeserializer.deserialize(SuperSonicBeanDeserializer.java:155)
2023-12-01T16:20:20.5487484Z 	at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:342)
2023-12-01T16:20:20.5488761Z 	at com.fasterxml.jackson.databind.ObjectReader._bind(ObjectReader.java:2099)
2023-12-01T16:20:20.5489726Z 	at com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:1249)
2023-12-01T16:20:20.5491099Z 	at org.owasp.dependencycheck.data.update.cisa.KnownExploitedVulnerabilityParser.parse(KnownExploitedVulnerabilityParser.java:77)
2023-12-01T16:20:20.5492377Z 	... 6 common frames omitted
2023-12-01T16:20:20.5721075Z 
2023-12-01T16:20:20.5736340Z Dependency Check completed with exit code 8.
2023-12-01T16:20:20.5738029Z Dependency Check reports:
2023-12-01T16:20:20.5764689Z []
2023-12-01T16:20:20.5765800Z Dependency Check failed with message "Dependency Check exited with an error code (exit code: 8)."
2023-12-01T16:20:20.5810521Z ##[error]Depen***it code: 8).
2023-12-01T16:20:20.5827399Z Ending Dependency Check...

curl command using the same key

$ curl -H "Accept: application/json" -H "apiKey: ***" -v https://services.nvd.nist.gov/rest/json/cves/2.0\?cpeName\=cpe:2.3:o:microsoft:windows_10:1607:\*:\*:\*:\*:\*:\*:\*
* processing: https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*
*   Trying 54.85.30.225:443...
* Connected to services.nvd.nist.gov (54.85.30.225) port 443
* schannel: disabled automatic use of client certificate
* using HTTP/1.x
> GET /rest/json/cves/2.0?cpeName=cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:* HTTP/1.1
> Host: services.nvd.nist.gov
> User-Agent: curl/8.2.1
> Accept: application/json
> apiKey: ***
>
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
< HTTP/1.1 200 OK
< content-type: application/json
< x-frame-options: SAMEORIGIN
< access-control-allow-origin: *
< access-control-allow-headers: accept, apiKey, content-type, origin, x-requested-with
< access-control-allow-methods: GET, HEAD, OPTIONS
< access-control-allow-credentials: false
< date: Fri, 01 Dec 2023 16:29:52 GMT
< content-length: 9599473
< apikey: Yes
< strict-transport-security: max-age=31536000
<
{"resultsPerPage":2000,"startIndex":0,"totalResults":2576,"format":"NVD_CVE","version":"2.0","timestamp":"2023-12-01T16:29:45.460"...

@thisjustin816
Copy link

thisjustin816 commented Dec 1, 2023
edited
Loading

I'm still getting a 404 with the azure pipelines task. I generated a new API key and confirmed that it's working with the curl command.

Looks like it's the way pipelines handles secret variables. It worked when I hardcoded the key

@thisjustin816
Copy link

thisjustin816 commented Dec 1, 2023
edited
Loading

Ok, now I'm getting a CISA error. Is this related or should I open a new bug? Don't want to create even more dupes.

[INFO] Updating CISA Known Exploited Vulnerability list: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
[ERROR] Error reading CISA Known Exploited Vulnerabilities JSON data
[ERROR] Unable to find the CISA Known Exploited Vulnerabilities file to parse
org.owasp.dependencycheck.data.update.exception.UpdateException: Unable to find the CISA Known Exploited Vulnerabilities file to parse
	at org.owasp.dependencycheck.data.update.cisa.KnownExploitedVulnerabilityParser.parse(KnownExploitedVulnerabilityParser.java:84)
	at org.owasp.dependencycheck.data.update.KnownExploitedDataSource.update(KnownExploitedDataSource.java:82)
	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:906)
	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:878)
	at org.owasp.dependencycheck.App.runUpdateOnly(App.java:427)
	at org.owasp.dependencycheck.App.run(App.java:172)
	at org.owasp.dependencycheck.App.main(App.java:89)
Caused by: com.fasterxml.jackson.databind.exc.InvalidFormatException: Cannot deserialize value of type `java.util.Date` from String "2023-12-01T15:09:26..642Z": not a valid representation (error: Failed to parse Date value '2023-12-01T15:09:26..642Z': Cannot parse date "2023-12-01T15:09:26..642Z": while it seems to fit format 'yyyy-MM-dd'T'HH:mm:ss.SSSX', parsing fails (leniency? null))
 at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 4, column: 21] (through reference chain: org.owasp.dependencycheck.data.knownexploited.json.KnownExploitedVulnerabilitiesSchema["dateReleased"])
	at com.fasterxml.jackson.databind.exc.InvalidFormatException.from(InvalidFormatException.java:67)
	at com.fasterxml.jackson.databind.DeserializationContext.weirdStringException(DeserializationContext.java:1958)
	at com.fasterxml.jackson.databind.DeserializationContext.handleWeirdStringValue(DeserializationContext.java:1245)
	at com.fasterxml.jackson.databind.deser.std.StdDeserializer._parseDate(StdDeserializer.java:1362)
	at com.fasterxml.jackson.databind.deser.std.StdDeserializer._parseDate(StdDeserializer.java:1304)
	at com.fasterxml.jackson.databind.deser.std.DateDeserializers$DateBasedDeserializer._parseDate(DateDeserializers.java:201)
	at com.fasterxml.jackson.databind.deser.std.DateDeserializers$DateDeserializer.deserialize(DateDeserializers.java:303)
	at com.fasterxml.jackson.databind.deser.std.DateDeserializers$DateDeserializer.deserialize(DateDeserializers.java:281)
	at com.fasterxml.jackson.module.afterburner.deser.SettableObjectMethodProperty.deserializeAndSet(SettableObjectMethodProperty.java:47)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:273)
	at com.fasterxml.jackson.module.afterburner.deser.SuperSonicBeanDeserializer.deserialize(SuperSonicBeanDeserializer.java:155)
	at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:342)
	at com.fasterxml.jackson.databind.ObjectReader._bind(ObjectReader.java:2099)
	at com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:1249)
	at org.owasp.dependencycheck.data.update.cisa.KnownExploitedVulnerabilityParser.parse(KnownExploitedVulnerabilityParser.java:77)
	... 6 common frames omitted
[INFO] Begin database defrag
[INFO] End database defrag (5376 ms)
[ERROR] Unable to find the CISA Known Exploited Vulnerabilities file to parse
org.owasp.dependencycheck.data.update.exception.UpdateException: Unable to find the CISA Known Exploited Vulnerabilities file to parse
	at org.owasp.dependencycheck.data.update.cisa.KnownExploitedVulnerabilityParser.parse(KnownExploitedVulnerabilityParser.java:84)
	at org.owasp.dependencycheck.data.update.KnownExploitedDataSource.update(KnownExploitedDataSource.java:82)
	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:906)
	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:878)
	at org.owasp.dependencycheck.App.runUpdateOnly(App.java:427)
	at org.owasp.dependencycheck.App.run(App.java:172)
	at org.owasp.dependencycheck.App.main(App.java:89)
Caused by: com.fasterxml.jackson.databind.exc.InvalidFormatException: Cannot deserialize value of type `java.util.Date` from String "2023-12-01T15:09:26..642Z": not a valid representation (error: Failed to parse Date value '2023-12-01T15:09:26..642Z': Cannot parse date "2023-12-01T15:09:26..642Z": while it seems to fit format 'yyyy-MM-dd'T'HH:mm:ss.SSSX', parsing fails (leniency? null))
 at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 4, column: 21] (through reference chain: org.owasp.dependencycheck.data.knownexploited.json.KnownExploitedVulnerabilitiesSchema["dateReleased"])
	at com.fasterxml.jackson.databind.exc.InvalidFormatException.from(InvalidFormatException.java:67)
	at com.fasterxml.jackson.databind.DeserializationContext.weirdStringException(DeserializationContext.java:1958)
	at com.fasterxml.jackson.databind.DeserializationContext.handleWeirdStringValue(DeserializationContext.java:1245)
	at com.fasterxml.jackson.databind.deser.std.StdDeserializer._parseDate(StdDeserializer.java:1362)
	at com.fasterxml.jackson.databind.deser.std.StdDeserializer._parseDate(StdDeserializer.java:1304)
	at com.fasterxml.jackson.databind.deser.std.DateDeserializers$DateBasedDeserializer._parseDate(DateDeserializers.java:201)
	at com.fasterxml.jackson.databind.deser.std.DateDeserializers$DateDeserializer.deserialize(DateDeserializers.java:303)
	at com.fasterxml.jackson.databind.deser.std.DateDeserializers$DateDeserializer.deserialize(DateDeserializers.java:281)
	at com.fasterxml.jackson.module.afterburner.deser.SettableObjectMethodProperty.deserializeAndSet(SettableObjectMethodProperty.java:47)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:273)
	at com.fasterxml.jackson.module.afterburner.deser.SuperSonicBeanDeserializer.deserialize(SuperSonicBeanDeserializer.java:155)
	at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:342)
	at com.fasterxml.jackson.databind.ObjectReader._bind(ObjectReader.java:2099)
	at com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:1249)
	at org.owasp.dependencycheck.data.update.cisa.KnownExploitedVulnerabilityParser.parse(KnownExploitedVulnerabilityParser.java:77)
	... 6 common frames omitted

Dependency Check completed with exit code 8.
Dependency Check reports:
[]
Dependency Check failed with message "Dependency Check exited with an error code (exit code: 8)."
##[error]Dependency Check exited with an error code (exit code: 8).

@pennello
Copy link

pennello commented Dec 1, 2023

Ok, now I'm getting a CISA error. Is this related or should I open a new bug? Don't want to create even more dupes.

We too are seeing this failure after a flurry of connection closed errors.

10:32:12  [INFO] Checking for updates
10:32:12  [INFO] Recoverable I/O exception (org.apache.hc.core5.http.ConnectionClosedException) caught when processing request to {s}->[https://services.nvd.nist.gov:443](https://services.nvd.nist.gov/)
10:32:12  [INFO] Recoverable I/O exception (org.apache.hc.core5.http.ConnectionClosedException) caught when processing request to {s}->[https://services.nvd.nist.gov:443](https://services.nvd.nist.gov/)
10:32:12  [INFO] Recoverable I/O exception (org.apache.hc.core5.http.ConnectionClosedException) caught when processing request to {s}->[https://services.nvd.nist.gov:443](https://services.nvd.nist.gov/)
10:32:13  [INFO] Recoverable I/O exception (org.apache.hc.core5.http.ConnectionClosedException) caught when processing request to {s}->[https://services.nvd.nist.gov:443](https://services.nvd.nist.gov/)
10:32:13  [WARNING] NVD API request failures are occurring; retrying request for the 5 time
10:32:13  [INFO] Recoverable I/O exception (org.apache.hc.core5.http.ConnectionClosedException) caught when processing request to {s}->[https://services.nvd.nist.gov:443](https://services.nvd.nist.gov/)
10:32:13  [WARNING] NVD API request failures are occurring; retrying request for the 6 time

# … happens many more times.

10:32:26  [ERROR] Error updating the NVD Data
10:32:26  org.owasp.dependencycheck.data.update.exception.UpdateException: Error updating the NVD Data
10:32:26      at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi (NvdApiDataSource.java:338)
10:32:26      at org.owasp.dependencycheck.data.update.NvdApiDataSource.update (NvdApiDataSource.java:110)
10:32:26      at org.owasp.dependencycheck.Engine.doUpdates (Engine.java:904)
10:32:26      at org.owasp.dependencycheck.Engine.doUpdates (Engine.java:876)
10:32:26      at org.owasp.dependencycheck.maven.UpdateMojo.runCheck (UpdateMojo.java:78)
10:32:26      at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:1124)
10:32:26      at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:126)
10:32:26      at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2 (MojoExecutor.java:328)
10:32:26      at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:316)
10:32:26      at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:212)
10:32:26      at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:174)
10:32:26      at org.apache.maven.lifecycle.internal.MojoExecutor.access$000 (MojoExecutor.java:75)
10:32:26      at org.apache.maven.lifecycle.internal.MojoExecutor$1.run (MojoExecutor.java:162)
10:32:26      at org.apache.maven.plugin.DefaultMojosExecutionStrategy.execute (DefaultMojosExecutionStrategy.java:39)
10:32:26      at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:159)
10:32:26      at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:105)
10:32:26      at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:73)
10:32:26      at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:53)
10:32:26      at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:118)
10:32:26      at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:261)
10:32:26      at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:173)
10:32:26      at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:101)
10:32:26      at org.apache.maven.cli.MavenCli.execute (MavenCli.java:906)
10:32:26      at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:283)
10:32:26      at org.apache.maven.cli.MavenCli.main (MavenCli.java:206)
10:32:26      at jdk.internal.reflect.DirectMethodHandleAccessor.invoke (DirectMethodHandleAccessor.java:103)
10:32:26      at java.lang.reflect.Method.invoke (Method.java:580)
10:32:26      at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:283)
10:32:26      at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:226)
10:32:26      at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:407)
10:32:26      at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:348)
10:32:26  Caused by: io.github.jeremylong.openvulnerability.client.nvd.NvdApiException: NVD Returned Status Code: 403
10:32:26      at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.next (NvdCveClient.java:346)
10:32:26      at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.next (NvdCveClient.java:356)
10:32:26      at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.next (NvdCveClient.java:356)
10:32:26      at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.next (NvdCveClient.java:356)
10:32:26      at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.next (NvdCveClient.java:356)
10:32:26      at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi (NvdApiDataSource.java:317)
10:32:26      at org.owasp.dependencycheck.data.update.NvdApiDataSource.update (NvdApiDataSource.java:110)
10:32:26      at org.owasp.dependencycheck.Engine.doUpdates (Engine.java:904)
10:32:26      at org.owasp.dependencycheck.Engine.doUpdates (Engine.java:876)
10:32:26      at org.owasp.dependencycheck.maven.UpdateMojo.runCheck (UpdateMojo.java:78)
10:32:26      at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:1124)
10:32:26      at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:126)
10:32:26      at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2 (MojoExecutor.java:328)
10:32:26      at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:316)
10:32:26      at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:212)
10:32:26      at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:174)
10:32:26      at org.apache.maven.lifecycle.internal.MojoExecutor.access$000 (MojoExecutor.java:75)
10:32:26      at org.apache.maven.lifecycle.internal.MojoExecutor$1.run (MojoExecutor.java:162)
10:32:26      at org.apache.maven.plugin.DefaultMojosExecutionStrategy.execute (DefaultMojosExecutionStrategy.java:39)
10:32:26      at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:159)
10:32:26      at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:105)
10:32:26      at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:73)
10:32:26      at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:53)
10:32:26      at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:118)
10:32:26      at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:261)
10:32:26      at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:173)
10:32:26      at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:101)
10:32:26      at org.apache.maven.cli.MavenCli.execute (MavenCli.java:906)
10:32:26      at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:283)
10:32:26      at org.apache.maven.cli.MavenCli.main (MavenCli.java:206)
10:32:26      at jdk.internal.reflect.DirectMethodHandleAccessor.invoke (DirectMethodHandleAccessor.java:103)
10:32:26      at java.lang.reflect.Method.invoke (Method.java:580)
10:32:26      at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:283)
10:32:26      at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:226)
10:32:26      at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:407)
10:32:26      at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:348)
10:32:28  [INFO] Updating CISA Known Exploited Vulnerability list: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
10:32:28  [ERROR] Error reading CISA Known Exploited Vulnerabilities JSON data
10:32:28  [ERROR] Unable to find the CISA Known Exploited Vulnerabilities file to parse
10:32:28  org.owasp.dependencycheck.data.update.exception.UpdateException: Unable to find the CISA Known Exploited Vulnerabilities file to parse
10:32:28      at org.owasp.dependencycheck.data.update.cisa.KnownExploitedVulnerabilityParser.parse (KnownExploitedVulnerabilityParser.java:84)
10:32:28      at org.owasp.dependencycheck.data.update.KnownExploitedDataSource.update (KnownExploitedDataSource.java:82)
10:32:28      at org.owasp.dependencycheck.Engine.doUpdates (Engine.java:904)
10:32:28      at org.owasp.dependencycheck.Engine.doUpdates (Engine.java:876)
10:32:28      at org.owasp.dependencycheck.maven.UpdateMojo.runCheck (UpdateMojo.java:78)
10:32:28      at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:1124)
10:32:28      at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:126)
10:32:28      at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2 (MojoExecutor.java:328)
10:32:28      at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:316)
10:32:28      at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:212)
10:32:28      at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:174)
10:32:28      at org.apache.maven.lifecycle.internal.MojoExecutor.access$000 (MojoExecutor.java:75)
10:32:28      at org.apache.maven.lifecycle.internal.MojoExecutor$1.run (MojoExecutor.java:162)
10:32:28      at org.apache.maven.plugin.DefaultMojosExecutionStrategy.execute (DefaultMojosExecutionStrategy.java:39)
10:32:28      at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:159)
10:32:28      at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:105)
10:32:28      at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:73)
10:32:28      at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:53)
10:32:28      at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:118)
10:32:28      at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:261)
10:32:28      at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:173)
10:32:28      at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:101)
10:32:28      at org.apache.maven.cli.MavenCli.execute (MavenCli.java:906)
10:32:28      at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:283)
10:32:28      at org.apache.maven.cli.MavenCli.main (MavenCli.java:206)
10:32:28      at jdk.internal.reflect.DirectMethodHandleAccessor.invoke (DirectMethodHandleAccessor.java:103)
10:32:28      at java.lang.reflect.Method.invoke (Method.java:580)
10:32:28      at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:283)
10:32:28      at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:226)
10:32:28      at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:407)
10:32:28      at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:348)
10:32:28  Caused by: com.fasterxml.jackson.databind.exc.InvalidFormatException: Cannot deserialize value of type `java.util.Date` from String "2023-12-01T15:09:26..642Z": not a valid representation (error: Failed to parse Date value '2023-12-01T15:09:26..642Z': Cannot parse date "2023-12-01T15:09:26..642Z": while it seems to fit format 'yyyy-MM-dd'T'HH:mm:ss.SSSX', parsing fails (leniency? null))
10:32:28   at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 4, column: 21] (through reference chain: org.owasp.dependencycheck.data.knownexploited.json.KnownExploitedVulnerabilitiesSchema["dateReleased"])
10:32:28      at com.fasterxml.jackson.databind.exc.InvalidFormatException.from (InvalidFormatException.java:67)
10:32:28      at com.fasterxml.jackson.databind.DeserializationContext.weirdStringException (DeserializationContext.java:1958)
10:32:28      at com.fasterxml.jackson.databind.DeserializationContext.handleWeirdStringValue (DeserializationContext.java:1245)
10:32:28      at com.fasterxml.jackson.databind.deser.std.StdDeserializer._parseDate (StdDeserializer.java:1362)
10:32:28      at com.fasterxml.jackson.databind.deser.std.StdDeserializer._parseDate (StdDeserializer.java:1304)
10:32:28      at com.fasterxml.jackson.databind.deser.std.DateDeserializers$DateBasedDeserializer._parseDate (DateDeserializers.java:201)
10:32:28      at com.fasterxml.jackson.databind.deser.std.DateDeserializers$DateDeserializer.deserialize (DateDeserializers.java:303)
10:32:28      at com.fasterxml.jackson.databind.deser.std.DateDeserializers$DateDeserializer.deserialize (DateDeserializers.java:281)
10:32:28      at com.fasterxml.jackson.module.blackbird.deser.SettableObjectProperty.deserializeAndSet (SettableObjectProperty.java:44)
10:32:28      at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize (BeanDeserializer.java:273)
10:32:28      at com.fasterxml.jackson.module.blackbird.deser.SuperSonicBeanDeserializer.deserialize (SuperSonicBeanDeserializer.java:155)
10:32:28      at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue (DefaultDeserializationContext.java:342)
10:32:28      at com.fasterxml.jackson.databind.ObjectReader._bind (ObjectReader.java:2099)
10:32:28      at com.fasterxml.jackson.databind.ObjectReader.readValue (ObjectReader.java:1249)
10:32:28      at org.owasp.dependencycheck.data.update.cisa.KnownExploitedVulnerabilityParser.parse (KnownExploitedVulnerabilityParser.java:77)
10:32:28      at org.owasp.dependencycheck.data.update.KnownExploitedDataSource.update (KnownExploitedDataSource.java:82)
10:32:28      at org.owasp.dependencycheck.Engine.doUpdates (Engine.java:904)
10:32:28      at org.owasp.dependencycheck.Engine.doUpdates (Engine.java:876)
10:32:28      at org.owasp.dependencycheck.maven.UpdateMojo.runCheck (UpdateMojo.java:78)
10:32:28      at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:1124)
10:32:28      at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:126)
10:32:28      at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2 (MojoExecutor.java:328)
10:32:28      at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:316)
10:32:28      at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:212)
10:32:28      at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:174)
10:32:28      at org.apache.maven.lifecycle.internal.MojoExecutor.access$000 (MojoExecutor.java:75)
10:32:28      at org.apache.maven.lifecycle.internal.MojoExecutor$1.run (MojoExecutor.java:162)
10:32:28      at org.apache.maven.plugin.DefaultMojosExecutionStrategy.execute (DefaultMojosExecutionStrategy.java:39)
10:32:28      at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:159)
10:32:28      at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:105)
10:32:28      at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:73)
10:32:28      at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:53)
10:32:28      at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:118)
10:32:28      at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:261)
10:32:28      at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:173)
10:32:28      at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:101)
10:32:28      at org.apache.maven.cli.MavenCli.execute (MavenCli.java:906)
10:32:28      at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:283)
10:32:28      at org.apache.maven.cli.MavenCli.main (MavenCli.java:206)
10:32:28      at jdk.internal.reflect.DirectMethodHandleAccessor.invoke (DirectMethodHandleAccessor.java:103)
10:32:28      at java.lang.reflect.Method.invoke (Method.java:580)
10:32:28      at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:283)
10:32:28      at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:226)
10:32:28      at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:407)
10:32:28      at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:348)

@thisjustin816
Copy link

Ok, now I'm getting a CISA error. Is this related or should I open a new bug? Don't want to create even more dupes.

We too are seeing this failure after a flurry of connection closed errors.

I can download it fine on the same machine, but it's not clear how to cache it locally since I only see a --kevURL cli argument that needs a URL.

@aarongoldenthal aarongoldenthal mentioned this issue Dec 2, 2023
Closed
@ultramaks
Copy link

ultramaks commented Dec 4, 2023
edited
Loading

Tried to use 9.0.2 version (linux)
And got errors
I run it using gitlab ci/cd
~/dependency-check/bin/dependency-check.sh --project blah_blah_blah --out ~/dependency_check_results/ --proxyserver x.x.x.x --proxyport 9090 --format JSON --format HTML --scan $CI_PROJECT_DIR || true
and got multiple errors
[INFO] Checking for updates
[WARN] An NVD API Key was not provided - it is highly recommended to use an NVD API key as the update can take a VERY long time without an API Key
[INFO] Recoverable I/O exception (org.apache.hc.client5.http.HttpHostConnectException) caught when processing request to {s}->https://services.nvd.nist.gov:443
[INFO] Recoverable I/O exception (org.apache.hc.client5.http.HttpHostConnectException) caught when processing request to {s}->https://services.nvd.nist.gov:443
[INFO] Recoverable I/O exception (org.apache.hc.client5.http.HttpHostConnectException) caught when processing request to {s}->https://services.nvd.nist.gov:443

The old version works fine with the same command (btw - how to check the version of the old dependency check?)

@giacgbj
Copy link

giacgbj commented Dec 4, 2023

@ultramaks, please look at #6127.

@ultramaks
Copy link

@ultramaks, please look at #6127.

Thanks, setting JAVA_TOOL_OPTIONS did the trick!

@ultramaks ultramaks mentioned this issue Dec 5, 2023
Closed
@vemv vemv mentioned this issue Dec 5, 2023
Closed
2 tasks
@echalone
Copy link
Contributor

echalone commented Dec 6, 2023

fyi: after I've watched it for a day or two I'm pleased to say that everything works fine now for us as well :) Thanks so much for the great work!

@readonlyuser1 readonlyuser1 mentioned this issue Dec 7, 2023
Closed
@hlship hlship mentioned this issue Dec 8, 2023
Closed
@khshanovskyi khshanovskyi mentioned this issue Dec 20, 2023
Closed
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 15, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug duplicate
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests