Error updating the NVD Data: NVD Returned Status Code: 404 #141

Closed
PAKalucki opened this issue Nov 23, 2023 · 4 comments

@PAKalucki

Azure DevOps OWASP Dependency Check started failing in the pipeline with the following error:

[ERROR] Error updating the NVD Data
org.owasp.dependencycheck.data.update.exception.UpdateException: Error updating the NVD Data
	at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi(NvdApiDataSource.java:336)
	at org.owasp.dependencycheck.data.update.NvdApiDataSource.update(NvdApiDataSource.java:110)
	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:902)
	at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:707)
	at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:633)
	at org.owasp.dependencycheck.App.runScan(App.java:260)
	at org.owasp.dependencycheck.App.run(App.java:192)
	at org.owasp.dependencycheck.App.main(App.java:87)
Caused by: io.github.jeremylong.openvulnerability.client.nvd.NvdApiException: NVD Returned Status Code: 404
	at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.next(NvdCveClient.java:327)
	at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi(NvdApiDataSource.java:315)
	... 7 common frames omitted

I'm running on Azure hosted agents.

My pipeline:

      - task: dependency-check.dependencycheck.dependency-check-build-task.dependency-check-build-task@6
        continueOnError: true
        displayName: 'OWASP Dependency Check'
        inputs:
          projectName: ${{ parameters.project_name }}
          scanPath: '**/*.csproj'
          format: 'HTML,JSON'
          failOnCVSS: false
          reportsDirectory: ./owasp
          additionalArguments: '--nvdApiKey xyz'

Full log:
owasp.log

@mastermc0

You can add dependencyCheckVersion: 8.4.3 to work around this until the NVD API is working as expected. Just make sure to remove the additionalArguments with your API key. See below.

Please note though that this will only work as long as the JSON feeds are up which are due to be retired on the 15th December.

# Latest Dependency Check CLI Doesn't Work due to NVD API Issues
# - task: dependency-check-build-task@6
#   inputs:
#     projectName: 'Test'
#     scanPath: '**'
#     format: 'HTML'
#     additionalArguments: '--nvdApiKey ********-****-****-****-************'
#   displayName: Get OWASP Vulnerabilities Files

# Pin to 8.4.3 to workaround this
- task: dependency-check-build-task@6
  inputs:
    dependencyCheckVersion: 8.4.3
    projectName: 'Test'
    scanPath: '**'
    format: 'HTML'
  displayName: Get OWASP Vulnerabilities Files  

@venkatest

Did anyone test it in the new version 9.0.1 [reference: https://github.com/jeremylong/DependencyCheck/issues/6107]? I am getting the below error:

[WARN] NVD API request failures are occurring; retrying request for the 5 time
[INFO] NVD API has 171,546 records in this update
[WARN] NVD API request failures are occurring; retrying request for the 5 time
[WARN] NVD API request failures are occurring; retrying request for the 5 time
[WARN] NVD API request failures are occurring; retrying request for the 5 time
[WARN] NVD API request failures are occurring; retrying request for the 5 time
[WARN] NVD API request failures are occurring; retrying request for the 6 time
[WARN] NVD API request failures are occurring; retrying request for the 6 time
[WARN] NVD API request failures are occurring; retrying request for the 6 time
[WARN] NVD API request failures are occurring; retrying request for the 6 time
[ERROR] Error updating the NVD Data
org.owasp.dependencycheck.data.update.exception.UpdateException: Error updating the NVD Data
at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi(NvdApiDataSource.java:338)
at org.owasp.dependencycheck.data.update.NvdApiDataSource.update(NvdApiDataSource.java:110)
at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:904)
at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:709)
at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:635)
at org.owasp.dependencycheck.App.runScan(App.java:261)
at org.owasp.dependencycheck.App.run(App.java:193)
at org.owasp.dependencycheck.App.main(App.java:88)
Caused by: io.github.jeremylong.openvulnerability.client.nvd.NvdApiException: NVD Returned Status Code: 502
at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.next(NvdCveClient.java:346)
at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi(NvdApiDataSource.java:317)
... 7 common frames omitted

@pippolino
Collaborator

The issue has been resolved with version 9.0.2 of DependencyCheck. The task automatically uses the latest version of the DependencyCheck tool.

From version 9.0.0 of DependencyCheck you need to use --nvdApiKey to indicate the NVD API Key, see https://nvd.nist.gov/developers/request-an-api-key
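
A log check for the failure discussed in this thread, as an added example that is not part of the issue or of the Dependency-Check project: the first pipeline sets `continueOnError: true`, so a failed NVD update does not stop the build, and this script makes the failure and its HTTP status explicit. The sample lines are constructed from the logs quoted above; the function names and verdict labels are assumptions of this example.

```python
import re
import sys
from pathlib import Path

# Patterns taken from the Dependency-Check output quoted in this thread.
UPDATE_ERROR = re.compile(r"\[ERROR\] Error updating the NVD Data")
STATUS_CODE = re.compile(r"NvdApiException: NVD Returned Status Code: (\d{3})")
RETRY = re.compile(r"NVD API request failures are occurring; retrying request for the (\d+) time")

# Constructed sample, assembled from log lines posted in the thread.
SAMPLE = """\
[WARN] NVD API request failures are occurring; retrying request for the 6 time
[ERROR] Error updating the NVD Data
org.owasp.dependencycheck.data.update.exception.UpdateException: Error updating the NVD Data
Caused by: io.github.jeremylong.openvulnerability.client.nvd.NvdApiException: NVD Returned Status Code: 502
"""


def triage_nvd_update(log_text):
    """Summarise NVD update health from Dependency-Check console output."""
    result = {"update_failed": False, "status_codes": [], "max_retry": 0}
    for line in log_text.splitlines():
        if UPDATE_ERROR.search(line):
            result["update_failed"] = True
        m = STATUS_CODE.search(line)
        if m:
            result["status_codes"].append(int(m.group(1)))
        m = RETRY.search(line)
        if m:
            result["max_retry"] = max(result["max_retry"], int(m.group(1)))
    return result


def verdict(result):
    """Map the summary to a label (labels are this example's own)."""
    if not result["update_failed"]:
        return "ok"
    codes = result["status_codes"]
    if any(500 <= c <= 599 for c in codes):
        return "server-error"   # e.g. the 502 reported with 9.0.1
    if any(400 <= c <= 499 for c in codes):
        return "client-error"   # e.g. the 404 in the first report
    return "investigate"        # update failed, no status code in the log


if __name__ == "__main__":
    # Pass a saved log path to triage it; with no argument the sample is used.
    text = Path(sys.argv[1]).read_text(errors="replace") if len(sys.argv) > 1 else SAMPLE
    print(verdict(triage_nvd_update(text)))
```

Run it on the saved Dependency-Check output in a step after the scan, and fail that step on any verdict other than `ok`.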
