NIST Feeds Moved?


It seems that my mvn dependency-check:check goal started failing today:

The root cause seems to be that https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz now returns a 404 response:

[DEBUG] Checking for updates from: https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
[DEBUG] Available Protocols:
[DEBUG] SSLv2Hello
[DEBUG] SSLv3
[DEBUG] TLSv1
[DEBUG] TLSv1.1
[DEBUG] TLSv1.2
[ERROR] IO Exception: HEAD request returned a non-200 status code
[DEBUG] Exception details
org.owasp.dependencycheck.utils.DownloadFailedException: HEAD request returned a non-200 status code
        at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:266)
        at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:228)
        at org.owasp.dependencycheck.data.update.nvd.UpdateableNvdCve.add(UpdateableNvdCve.java:101)
        at org.owasp.dependencycheck.data.update.NvdCveUpdater.retrieveCurrentTimestampsFromWeb(NvdCveUpdater.java:348)
        at org.owasp.dependencycheck.data.update.NvdCveUpdater.getUpdatesNeeded(NvdCveUpdater.java:267)
        at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:87)
        at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:683)
        at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:490)
        at org.owasp.dependencycheck.maven.CheckMojo.runCheck(CheckMojo.java:97)
        at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute(BaseDependencyCheckMojo.java:494)
        at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:134)
        at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:208)
        at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:154)
        at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:146)
        at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:117)
        at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:81)
        at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
        at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
        at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:309)
        at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:194)
        at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:107)
        at org.apache.maven.cli.MavenCli.execute(MavenCli.java:993)
        at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:345)
        at org.apache.maven.cli.MavenCli.main(MavenCli.java:191)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
        at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
        at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
        at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)

[WARNING] Unable to download the NVD CVE data; the results may not include the most recent CPE/CVEs from the NVD.
[INFO] If you are behind a proxy you may need to configure dependency-check to use the proxy.
[WARNING] Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
[DEBUG] Update Error
org.owasp.dependencycheck.data.update.exception.UpdateException: Unable to download the NVD CVE data.
        at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:102)
        at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:683)
        at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:490)
        at org.owasp.dependencycheck.maven.CheckMojo.runCheck(CheckMojo.java:97)
        at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute(BaseDependencyCheckMojo.java:494)
        at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:134)
        at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:208)
        at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:154)
        at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:146)
        at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:117)
        at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:81)
        at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
        at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
        at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:309)
        at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:194)
        at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:107)
        at org.apache.maven.cli.MavenCli.execute(MavenCli.java:993)
        at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:345)
        at org.apache.maven.cli.MavenCli.main(MavenCli.java:191)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
        at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
        at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
        at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Error making HTTP GET request.
        at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:286)
        at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:281)
        at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:228)
        at org.owasp.dependencycheck.data.update.nvd.UpdateableNvdCve.add(UpdateableNvdCve.java:101)
        at org.owasp.dependencycheck.data.update.NvdCveUpdater.retrieveCurrentTimestampsFromWeb(NvdCveUpdater.java:348)
        at org.owasp.dependencycheck.data.update.NvdCveUpdater.getUpdatesNeeded(NvdCveUpdater.java:267)
        at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:87)
        ... 26 more
Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: GET request returned a non-200 status code
        at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:266)
        ... 32 more


I think NIST must have moved their feeds around or something.

https://nvd.nist.gov/vuln/data-feeds suggests that the URL in question should be something like:

https://static.nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-modified.xml.gz

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 10 (2 by maintainers)

Top GitHub Comments

1 reaction
stevespringett commented, Jun 26, 2017

I confirmed the outage. It appears the feed is available again though. I recommend setting up an internal mirror of the NVD and updating it daily, that way your scans are not affected by outages. My org does this globally and we run hundreds of scans a day and are never affected. Worst case scenario is that the mirror isn’t updated for a day if/when NVD has issues.

https://github.com/stevespringett/nist-data-mirror
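
The mirror behaviour recommended in the comment above, as an added example (not code from nist-data-mirror or dependency-check): a refresh step that keeps the last good copy when the upstream feed returns a non-200 status, so scans read day-old data instead of failing. The function name `sync_feed` and the `.last-modified` sidecar file are assumptions of this sketch; a daily scheduler would call it once per feed file.

```python
import gzip
import os
import tempfile
import urllib.request
import zlib


def sync_feed(url, dest, timeout=30):
    """Refresh the mirrored copy at dest; return 'updated', 'current' or 'stale'."""
    stamp = dest + ".last-modified"  # sidecar file (assumption of this example)
    try:
        # Same probe that fails in the log above: HEAD, then read Last-Modified.
        head = urllib.request.Request(url, method="HEAD")
        with urllib.request.urlopen(head, timeout=timeout) as resp:
            remote = resp.headers.get("Last-Modified", "")
        if remote and os.path.exists(dest) and os.path.exists(stamp):
            with open(stamp) as fh:
                if fh.read() == remote:
                    return "current"
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read()
        # Reject truncated downloads and HTML error pages served with a 200.
        gzip.decompress(body)
    except (OSError, EOFError, zlib.error):
        # HTTPError (404 etc.) and network errors are OSError subclasses.
        if os.path.exists(dest):
            return "stale"  # keep serving the previous feed to the scanners
        raise  # nothing mirrored yet: surface the failure
    # Write beside dest and rename, so readers never see a partial file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest) or ".")
    with os.fdopen(fd, "wb") as fh:
        fh.write(body)
    os.chmod(tmp, 0o644)  # mkstemp creates 0600; the mirror's web server must read it
    os.replace(tmp, dest)
    with open(stamp, "w") as fh:
        fh.write(remote)
    return "updated"
```

A `stale` result is worth alerting on if it persists across several runs, since scans against an old mirror silently miss newly published CVEs.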

0 reactions
lock[bot] commented, Sep 27, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
