NIST NVD URL no longer works
Logs:
$ dependency-check --updateonly
[INFO] Checking for updates
[INFO] starting getUpdatesNeeded() ...
[ERROR] IO Exception: HEAD request returned a non-200 status code
[ERROR] IO Exception: HEAD request returned a non-200 status code
[ERROR] IO Exception: HEAD request returned a non-200 status code
[ERROR] IO Exception: HEAD request returned a non-200 status code
[WARN] Unable to download the NVD CVE data; the results may not include the most recent CPE/CVEs from the NVD.
[INFO] If you are behind a proxy you may need to configure dependency-check to use the proxy.
[ERROR] IO Exception: HEAD request returned a non-200 status code
[ERROR] IO Exception: HEAD request returned a non-200 status code
It looks like this URL: https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml.gz no longer works and has been changed to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-modified.xml.gz.
We are seeing the same issues from the Gradle plugin as well. Let me know if more information is needed.
Issue Analytics
- State:
- Created 5 years ago
- Reactions:23
- Comments:21
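The `[WARN]` line in the log above means a scan can continue on NVD data that was never refreshed. The following is an added example, not part of the issue or of dependency-check: a CI gate that reads the captured CLI output and fails the step when the update did not succeed. The function names, the script name and the fail-on-any-error policy are assumptions; the matched strings are the ones in the log above.

```python
import re
import sys
from dataclasses import dataclass

# "[LEVEL] message" lines as they appear in the CLI output quoted in the issue.
LINE_RE = re.compile(r"^\[(INFO|WARN|ERROR)\]\s+(.*)$")
HEAD_FAILURE = "HEAD request returned a non-200 status code"
STALE_WARNING = "Unable to download the NVD CVE data"

@dataclass
class UpdateVerdict:
    head_failures: int        # feed URLs that answered HEAD with a non-200 status
    stale_data_warning: bool  # the tool reported it could not download NVD data

    @property
    def ok(self) -> bool:
        return self.head_failures == 0 and not self.stale_data_warning

def assess_update_log(log_text: str) -> UpdateVerdict:
    """Classify captured `dependency-check --updateonly` output."""
    head_failures, stale = 0, False
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # shell prompt, blank or unrelated lines
        level, msg = m.groups()
        if level == "ERROR" and HEAD_FAILURE in msg:
            head_failures += 1
        elif level == "WARN" and STALE_WARNING in msg:
            stale = True
    return UpdateVerdict(head_failures, stale)

def gate_exit_code(log_text: str) -> int:
    """Assumed policy: any failed feed update fails the pipeline step."""
    return 0 if assess_update_log(log_text).ok else 1

# Log lines copied from the issue above (proxy hint line omitted).
ERR = "[ERROR] IO Exception: HEAD request returned a non-200 status code\n"
FAILED_LOG = (
    "$ dependency-check --updateonly\n[INFO] Checking for updates\n"
    + ERR * 4
    + "[WARN] Unable to download the NVD CVE data; the results may not include "
      "the most recent CPE/CVEs from the NVD.\n"
    + ERR * 2
)
# Constructed sample of a run that logged no update errors.
CLEAN_LOG = "[INFO] Checking for updates\n[INFO] starting getUpdatesNeeded() ...\n"

if __name__ == "__main__":
    # dependency-check --updateonly 2>&1 | python nvd_update_gate.py  (hypothetical name)
    sys.exit(gate_exit_code(sys.stdin.read()))
```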
Top GitHub Comments
This looks like a permanent change in their URL scheme. The difference seems to be adding the XML schema version in the URL (…xml/cve/2.0/… instead of …xml/cve/…). From a quick visual check here all feed links seem to follow the new scheme.
Anyway, seems we can work around this by configuring the new URL. In a Gradle build script this looks like:
Documentation: https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/configuration-update.html
v3.1.2 was released today which resolves this issue.