
meta-file generation generates invalid url (".jmeta" instead of ".meta") when using cveUrlModified in pom.xml

See original GitHub issue

Describe the bug

When using cveUrlModified / cveUrlBase to point to a local NVD mirror, downloading the meta file fails because the URL is not created correctly: the resulting filename has a "j" prefixed, e.g. "nvdcve-1.1-modified.jmeta" instead of ".meta".

Version of dependency-check used

6.1.5

Log file

[ERROR] Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.jmeta; received 404 – resource not found
org.owasp.dependencycheck.data.update.exception.UpdateException: Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.jmeta; received 404 – resource not found
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.getMetaFile (NvdCveUpdater.java:351)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.getUpdatesNeeded (NvdCveUpdater.java:385)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.update (NvdCveUpdater.java:122)

To Reproduce

Steps to reproduce the behavior:

  1. head over to NVD (https://nvd.nist.gov/vuln/data-feeds) and fetch the latest modified URL from the feed
  2. in a project performing the dependency check, set these values in the pom:
     <cveUrlModified>https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.zip</cveUrlModified>
     <cveUrlBase>https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-%d.json.gz</cveUrlBase>
  3. execute update-only

Expected behavior

A ".meta" URL instead of a ".jmeta" one so the download succeeds.

Additional context

The bug seems to reside in NvdCveUpdater.java, getMetaFile(String url):

final String metaUrl = url.substring(0, url.length() - 7) + "meta";

Extracting this snippet into a main() and feeding it "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.zip" results in a ".jmeta" URL instead of ".meta". I believe cutting off the last 7 chars is not a perfect solution; I'd suggest splitting at "."s for filename creation.
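The following is an added example, not code from the DependencyCheck project or the reporter. It reproduces the fixed-length cut quoted above side by side with a suffix-aware replacement (method names metaUrlFixedCut and metaUrlBySuffix are my own; the "replace from the last .json" rule is an assumption about how the fix could look, not the project's actual patch). The fixed cut removes exactly 7 characters, the length of "json.gz", which is why "json.zip" (8 characters) leaves a stray "j" behind.

```java
/**
 * Added example, not DependencyCheck's own code: derives the NVD ".meta" URL
 * from a feed URL two ways and shows where the quoted logic goes wrong.
 */
public class MetaUrlDemo {

    /** The logic quoted from NvdCveUpdater.getMetaFile: drop 7 chars, append "meta". */
    static String metaUrlFixedCut(String url) {
        return url.substring(0, url.length() - 7) + "meta";
    }

    /**
     * Suffix-aware version (an assumption, not the project's code). The meta
     * file sits beside the feed under the same base name, so everything from
     * the last ".json" onward is replaced by ".meta". Handles ".json.gz",
     * ".json.zip" and a plain ".json" mirror URL alike, and rejects anything
     * that is not a JSON feed URL instead of silently producing a bad URL.
     */
    static String metaUrlBySuffix(String url) {
        int idx = url.lastIndexOf(".json");
        if (idx < 0) {
            throw new IllegalArgumentException("not an NVD JSON feed URL: " + url);
        }
        return url.substring(0, idx) + ".meta";
    }

    public static void main(String[] args) {
        // The two feed URLs from the issue's pom snippet.
        String gz = "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2021.json.gz";
        String zip = "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.zip";
        for (String feed : new String[] {gz, zip}) {
            System.out.println("feed:      " + feed);
            System.out.println("  fixed cut: " + metaUrlFixedCut(feed));
            System.out.println("  by suffix: " + metaUrlBySuffix(feed));
        }
    }
}
```

Running it shows the fixed cut is only correct for the ".json.gz" URL; for the ".json.zip" URL it produces the ".jmeta" name from the log above, while the suffix-based version yields ".meta" for both. One operational caveat that follows from the stack trace (getMetaFile is called from getUpdatesNeeded before any feed is fetched): a local mirror configured through cveUrlBase / cveUrlModified has to serve the ".meta" files next to the feeds, or the update will fail in the same way even once the URL is derived correctly.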

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments:5 (2 by maintainers)

Top GitHub Comments

1 reaction
jeremylong commented, May 4, 2021

Yes, a PR to make the CVE Modified URL optional would be great. This would likely need to be done in the Maven Plugin, Ant Task, and the CLI. If you can do all three, great; otherwise I can copy code as required into the maven and ant projects. Thanks!

0 reactions
nhumblot commented, May 24, 2021

I see two good things in keeping the two URLs:

  1. If somehow this interface changes and a new URL must be used (or the custom mirror has a different URL), users of dependency-check will be able to configure it and have it working
  2. We keep backward compatibility

But as you said, we can improve how we handle these URLs. Right now, we must set the two if we want to use this configuration, as stated in CliParser.java (from dependency-check-cli).

final String base = getStringArgument(ARGUMENT.CVE_BASE_URL);
final String modified = getStringArgument(ARGUMENT.CVE_MODIFIED_URL);
if ((base != null && modified == null) || (base == null && modified != null)) {
    final String msg = "If one of the CVE URLs is specified they must all be specified; please add the missing CVE URL.";
    throw new ParseException(msg);
}

We can make cveUrlModified optional, even when cveUrlBase is set, by applying the following rule:

GIVEN cveUrlBase is not null and set to '<url>/nvdcve-1.1-%d.json.gz'
AND cveUrlModified is null
WHEN settings are loaded
THEN cveUrlModified is set to '<url>/nvdcve-1.1-modified.json.gz'

If it’s ok for you, I can open a PR with these changes. Please do not hesitate to amend this proposal if you have another idea. 🙂
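As an added example (not DependencyCheck's code and not part of the comment above), here is the proposed defaulting rule placed in front of the CLI's "both or neither" check. The class and method names (CveUrlDefaults, resolve, yearlyFeed) are mine, the mirror URLs are constructed samples, and the choice to keep rejecting a cveUrlModified that is set without cveUrlBase is my reading of the existing check, not something the comment decides.

```java
/**
 * Added example, not DependencyCheck's own code: derive cveUrlModified from
 * cveUrlBase when only the base URL is configured.
 */
public class CveUrlDefaults {

    /** Resolved pair of feed URLs; base still carries the %d year placeholder. */
    static final class CveUrls {
        final String base;
        final String modified;

        CveUrls(String base, String modified) {
            this.base = base;
            this.modified = modified;
        }

        /** URL of one yearly feed, e.g. 2021, the way the base URL is meant to be used. */
        String yearlyFeed(int year) {
            return String.format(base, year);
        }
    }

    /**
     * @param base     the cveUrlBase setting, or null when not set
     * @param modified the cveUrlModified setting, or null when not set
     * @return null when neither is set (keep the built-in NVD URLs), otherwise
     *         both URLs, with modified derived from base when it was omitted
     */
    static CveUrls resolve(String base, String modified) {
        if (base == null && modified == null) {
            return null; // defaults apply, nothing to validate
        }
        if (base == null) {
            // Kept from today's CLI check: a modified URL alone cannot locate the yearly feeds.
            throw new IllegalArgumentException(
                "cveUrlModified is set but cveUrlBase is missing; please add the missing CVE URL.");
        }
        if (!base.contains("%d")) {
            throw new IllegalArgumentException(
                "cveUrlBase must contain the %d year placeholder: " + base);
        }
        if (modified == null) {
            // GIVEN cveUrlBase = '<url>/nvdcve-1.1-%d.json.gz' AND cveUrlModified is null
            // THEN cveUrlModified = '<url>/nvdcve-1.1-modified.json.gz'
            modified = base.replace("%d", "modified");
        }
        return new CveUrls(base, modified);
    }

    public static void main(String[] args) {
        // Constructed mirror URL; only the base is configured.
        CveUrls urls = resolve("https://mirror.example.internal/nvd/nvdcve-1.1-%d.json.gz", null);
        System.out.println("yearly 2021: " + urls.yearlyFeed(2021));
        System.out.println("modified:    " + urls.modified);

        // An explicit cveUrlModified still wins, e.g. a mirror that serves the zip variant.
        CveUrls explicit = resolve(
            "https://mirror.example.internal/nvd/nvdcve-1.1-%d.json.gz",
            "https://mirror.example.internal/nvd/nvdcve-1.1-modified.json.zip");
        System.out.println("modified:    " + explicit.modified);
    }
}
```

The derivation is a plain string replacement of the %d placeholder, so it only yields a correct URL when the mirror really does publish the modified feed under the same naming scheme and compression as the yearly feeds; that is exactly the case the comment's second point (keeping cveUrlModified configurable) is there to cover.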
