has the NVD Feeds URL nvd.nist.gov/feeds no offical stopped working and should i disable it in my config

[whiteninja76]

Just after some advice if the 'The National Vulnerability Database (NVD) ' - > https://nvd.nist.gov/feeds . has now official been turned of and if i should therefore disable the source ( but keep the new 'https://services.nvd.nist.gov/rest/json/cves/2.0' source enabled)

[nscuro]

The feeds are still up: https://nvd.nist.gov/vuln/data-feeds#JSON_FEED

[whiteninja76]

when i go to the old configured url ( https://nvd.nist.gov/feeds) i get page not found. has it moved or was it always like this? Just trying to narrow down why i'm now gettting
ERROR [NistApiMirrorTask] An unexpected error occurred while mirroring the contents of the National Vulnerability Database

[nscuro]

https://nvd.nist.gov/feeds is only the base URL which DT will use to discover the feed files, e.g. https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz. The base URL itself will give a 404 since there's nothing hosted on that particular URL.

As per your log you are already using the API-based mirroring. We released v4.11.5 yesterday which fixes issues with that: https://docs.dependencytrack.org/changelog/

This release primarily addresses an inability to mirror the NVD via its REST API. The NVD REST API recently experienced increased load, causing service disruptions. Dependency-Track users who opted into API mirroring will have seen symptoms of this as NvdApiException: NVD Returned Status Code: 503 errors in the logs.

To reduce load on their systems, NIST started to block requests with a certain User-Agent header, which Dependency-Track happens to use. Upgrading to v4.11.5 will allow Dependency-Track to no longer be subject to this block.

Users who can’t immediately update, yet are reliant on NVD data being current, can switch back to the feed file based mirroring by disabling Enable mirroring via API in the administration panel.