Scan is not working for newer NVD JSON feeds
Current Behavior:
The NVD scan is not working for newer NVD JSON feeds because the children field is empty. This leads to DT scans resulting in zero findings.
Steps to Reproduce:
- Set up a new instance of DT to make sure the JSON files are newly pulled
- Add component with following CPE:
cpe:2.3:a:sqlite:sqlite:3.19.2:*:*:*:*:*:*:*
- Start scan
Expected Behavior:
18 findings
Environment:
- Dependency-Track Version: All
- Distribution: All
- BOM Format & Version: CycloneDX
- Database Server: All
- Browser: All
Additional Details:
With newer JSON feeds the children field always exists, so a change in the code is required. The fix is to additionally check that the children field is not empty (or that the size of the children JsonArray is > 0) in NvdParser.java (see line 174). Please verify and implement this fix ASAP because it makes all scans fail!
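The parsing failure described in this issue, as an added Python example that is not Dependency-Track's NvdParser code: a presence check on `children` is contrasted with a non-empty check, run over constructed NVD JSON 1.1 style `configurations.nodes` lists in both the old layout (leaf nodes omit `children`) and the new layout (every node carries `children`, empty on leaves). The node lists, the function names and the nested AND node are all constructed for the example; the only real identifier is the sqlite CPE from the reproduction steps.

```python
import json

# Constructed sample node lists in the NVD JSON 1.1 "configurations.nodes" layout.
# They are not real NVD feed data; the sqlite CPE is the one from the issue.
SQLITE_CPE = "cpe:2.3:a:sqlite:sqlite:3.19.2:*:*:*:*:*:*:*"

# Old feed layout: a leaf node has no "children" key at all.
OLD_STYLE_NODES = json.loads("""[
  {"operator": "OR",
   "cpe_match": [
     {"vulnerable": true,
      "cpe23Uri": "cpe:2.3:a:sqlite:sqlite:3.19.2:*:*:*:*:*:*:*"}
   ]}
]""")

# New feed layout: "children" is always present, empty on leaf nodes.
NEW_STYLE_NODES = json.loads("""[
  {"operator": "OR",
   "children": [],
   "cpe_match": [
     {"vulnerable": true,
      "cpe23Uri": "cpe:2.3:a:sqlite:sqlite:3.19.2:*:*:*:*:*:*:*"}
   ]}
]""")

# New layout with real nesting: an AND node whose children are the leaves.
# The second child is a non-vulnerable platform match and must not be reported.
NESTED_NODES = json.loads("""[
  {"operator": "AND",
   "cpe_match": [],
   "children": [
     {"operator": "OR", "children": [],
      "cpe_match": [{"vulnerable": true,
                     "cpe23Uri": "cpe:2.3:a:sqlite:sqlite:3.19.2:*:*:*:*:*:*:*"}]},
     {"operator": "OR", "children": [],
      "cpe_match": [{"vulnerable": false,
                     "cpe23Uri": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"}]}
   ]}
]""")


def _vulnerable_matches(node):
    """Return the cpe23Uri of every match on this node flagged vulnerable."""
    return [m["cpe23Uri"] for m in node.get("cpe_match", []) if m.get("vulnerable")]


def collect_vulnerable_cpes_buggy(nodes):
    """Presence check on "children": the behaviour the issue reports.

    With the new layout every node has the key, so the recursion descends into
    an empty list and the leaf's cpe_match is never read: zero findings.
    """
    found = []
    for node in nodes:
        if "children" in node:
            found.extend(collect_vulnerable_cpes_buggy(node["children"]))
        else:
            found.extend(_vulnerable_matches(node))
    return found


def collect_vulnerable_cpes_fixed(nodes):
    """Non-empty check on "children": the fix the issue proposes.

    A node is treated as a branch only when it actually has children; otherwise
    it is a leaf and its cpe_match entries are parsed. This handles both layouts.
    """
    found = []
    for node in nodes:
        children = node.get("children") or []
        if children:
            found.extend(collect_vulnerable_cpes_fixed(children))
        else:
            found.extend(_vulnerable_matches(node))
    return found


if __name__ == "__main__":
    for label, nodes in [("old", OLD_STYLE_NODES), ("new", NEW_STYLE_NODES),
                         ("nested", NESTED_NODES)]:
        print(label, "buggy:", collect_vulnerable_cpes_buggy(nodes),
              "fixed:", collect_vulnerable_cpes_fixed(nodes))
```

The old-style list gives the same result under both functions, which is why the defect only shows up once a fresh instance pulls the newer feeds; any regression test for a feed parser should therefore carry a fixture in the newest layout as well as the old one, and a scan that suddenly reports zero findings across the board is the symptom to alert on.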
Issue Analytics
- State:
- Created 2 years ago
- Reactions:2
- Comments:8 (5 by maintainers)
Top GitHub Comments
Resolved in v4.2.2
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.