NIST Feeds Moved?
It seems that my mvn dependency-check:check goal started failing today:
The root cause seems to be that https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz now returns a 404 response:
[DEBUG] Checking for updates from: https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
[DEBUG] Available Protocols:
[DEBUG] SSLv2Hello
[DEBUG] SSLv3
[DEBUG] TLSv1
[DEBUG] TLSv1.1
[DEBUG] TLSv1.2
[ERROR] IO Exception: HEAD request returned a non-200 status code
[DEBUG] Exception details
org.owasp.dependencycheck.utils.DownloadFailedException: HEAD request returned a non-200 status code
at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:266)
at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:228)
at org.owasp.dependencycheck.data.update.nvd.UpdateableNvdCve.add(UpdateableNvdCve.java:101)
at org.owasp.dependencycheck.data.update.NvdCveUpdater.retrieveCurrentTimestampsFromWeb(NvdCveUpdater.java:348)
at org.owasp.dependencycheck.data.update.NvdCveUpdater.getUpdatesNeeded(NvdCveUpdater.java:267)
at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:87)
at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:683)
at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:490)
at org.owasp.dependencycheck.maven.CheckMojo.runCheck(CheckMojo.java:97)
at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute(BaseDependencyCheckMojo.java:494)
at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:134)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:208)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:154)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:146)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:117)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:81)
at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:309)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:194)
at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:107)
at org.apache.maven.cli.MavenCli.execute(MavenCli.java:993)
at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:345)
at org.apache.maven.cli.MavenCli.main(MavenCli.java:191)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
[WARNING] Unable to download the NVD CVE data; the results may not include the most recent CPE/CVEs from the NVD.
[INFO] If you are behind a proxy you may need to configure dependency-check to use the proxy.
[WARNING] Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
[DEBUG] Update Error
org.owasp.dependencycheck.data.update.exception.UpdateException: Unable to download the NVD CVE data.
at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:102)
at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:683)
at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:490)
at org.owasp.dependencycheck.maven.CheckMojo.runCheck(CheckMojo.java:97)
at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute(BaseDependencyCheckMojo.java:494)
at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:134)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:208)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:154)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:146)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:117)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:81)
at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:309)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:194)
at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:107)
at org.apache.maven.cli.MavenCli.execute(MavenCli.java:993)
at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:345)
at org.apache.maven.cli.MavenCli.main(MavenCli.java:191)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Error making HTTP GET request.
at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:286)
at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:281)
at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:228)
at org.owasp.dependencycheck.data.update.nvd.UpdateableNvdCve.add(UpdateableNvdCve.java:101)
at org.owasp.dependencycheck.data.update.NvdCveUpdater.retrieveCurrentTimestampsFromWeb(NvdCveUpdater.java:348)
at org.owasp.dependencycheck.data.update.NvdCveUpdater.getUpdatesNeeded(NvdCveUpdater.java:267)
at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:87)
... 26 more
Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: GET request returned a non-200 status code
at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:266)
... 32 more
I think NIST must have moved their feeds around or something.
https://nvd.nist.gov/vuln/data-feeds suggests that the URL in question should be something like:
https://static.nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-modified.xml.gz
Issue Analytics
- State:
- Created 6 years ago
- Comments:10 (2 by maintainers)
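The two [WARNING] lines in the log above show the scan continuing on cached data after the feed request fails, so a CI step can look for those lines explicitly instead of trusting the report. The following is an added example, not code from the issue or from dependency-check; the function names and the mirror hostname are assumptions, and the sample logs are constructed from lines in the log above.

```python
import re

# Messages dependency-check prints when the NVD update fails and the scan
# falls back to previously cached data (wording taken from the log above).
STALE_MARKERS = (
    "Unable to download the NVD CVE data",
    "Unable to update Cached Web DataSource, using local data instead",
)
URL_RE = re.compile(r"Checking for updates from: (\S+)")
ERR_RE = re.compile(r"\[ERROR\] IO Exception: (.+)")


def audit_update(log_text):
    """Summarise the NVD update phase of a dependency-check build log."""
    result = {"feed_urls": [], "errors": [], "stale": False}
    for line in log_text.splitlines():
        line = line.strip()
        m = URL_RE.search(line)
        if m:
            result["feed_urls"].append(m.group(1))
        m = ERR_RE.search(line)
        if m:
            result["errors"].append(m.group(1))
        if line.startswith("[WARNING]") and any(s in line for s in STALE_MARKERS):
            result["stale"] = True
    return result


def gate(log_text):
    """Return a CI exit code: 1 if the scan ran on stale NVD data, else 0."""
    return 1 if audit_update(log_text)["stale"] else 0


# Constructed sample: four lines copied from the log in the issue above.
FAILED_LOG = """\
[DEBUG] Checking for updates from: https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
[ERROR] IO Exception: HEAD request returned a non-200 status code
[WARNING] Unable to download the NVD CVE data; the results may not include the most recent CPE/CVEs from the NVD.
[WARNING] Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
"""
# Constructed sample: an update check with no failure; the host is a placeholder.
CLEAN_LOG = "[DEBUG] Checking for updates from: https://mirror.example.internal/nvdcve-2.0-modified.xml.gz\n"

if __name__ == "__main__":
    print(audit_update(FAILED_LOG))
    print("exit code:", gate(FAILED_LOG))
```
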
Top GitHub Comments
I confirmed the outage. It appears the feed is available again though. I recommend setting up an internal mirror of the NVD and updating it daily, that way your scans are not affected by outages. My org does this globally and we run hundreds of scans a day and are never affected. Worst case scenario is that the mirror isn’t updated for a day if/when NVD has issues.
https://github.com/stevespringett/nist-data-mirror
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.