Logs:
$ dependency-check --updateonly
[INFO] Checking for updates
[INFO] starting getUpdatesNeeded() ...
[ERROR] IO Exception: HEAD request returned a non-200 status code
[ERROR] IO Exception: HEAD request returned a non-200 status code
[ERROR] IO Exception: HEAD request returned a non-200 status code
[ERROR] IO Exception: HEAD request returned a non-200 status code
[WARN] Unable to download the NVD CVE data; the results may not include the most recent CPE/CVEs from the NVD.
[INFO] If you are behind a proxy you may need to configure dependency-check to use the proxy.
[ERROR] IO Exception: HEAD request returned a non-200 status code
[ERROR] IO Exception: HEAD request returned a non-200 status code
It looks like this URL: https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml.gz no longer works and has been changed to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-modified.xml.gz.
We are seeing the same issues from the gradle plugin as well. Let me know if more information is needed.
Hopefully, this is a temporary configuration issue on their end as it affects the entire Dependency-Check ecosystem. But the URL endpoints have changed. For those who are using nist-data-mirror, it's been updated with the new URLs and a release pushed to Maven Central. Awaiting synchronization.
This looks like a permanent change in their URL scheme. The difference seems to be adding xml schema version in the URL (...xml/cve/2.0/... instead of ...xml/cve/...). From a quick visual check here all feed links seem to follow the new scheme.
Anyway, seems we can work around this by configuring the new URL. In a gradle build script this looks like:
dependencyCheck {
    cve {
        url20Modified = 'https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-modified.xml.gz'
        url20Base = 'https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-%d.xml.gz'
    }
}
Documentation: https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/configuration-update.html
For maven users: please follow Example 5 from documentation: https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html
You can find the new links at https://nvd.nist.gov/vuln/data-feeds#XML_FEED for the configuration change, as @zerogvt and @shekh-akther mentioned above.
For those who use maven - working config:
<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>3.1.1</version>
    <configuration>
        <cveUrl12Modified>https://nvd.nist.gov/feeds/xml/cve/1.2/nvdcve-modified.xml.gz</cveUrl12Modified>
        <cveUrl20Modified>https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-modified.xml.gz</cveUrl20Modified>
        <cveUrl12Base>https://nvd.nist.gov/feeds/xml/cve/1.2/nvdcve-%d.xml.gz</cveUrl12Base>
        <cveUrl20Base>https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-%d.xml.gz</cveUrl20Base>
    </configuration>
</plugin>
Any help for cli users?
I found the same issue.
@if08017 same recommendation as the Jenkins folks. Specify NVD URLs typically used for mirroring. You won't actually be using an NVD mirror (although I do recommend it), you'll simply be correcting the URLs using this method.
Refer to https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html
These cli parameters work for me:
owasp-dependency-check --data mydatadir --project myprojectname -o reports -f JSON -s . -l logfile --cveUrl12Base "https://nvd.nist.gov/feeds/xml/cve/1.2/nvdcve-%d.xml.gz" --cveUrl20Base "https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-%d.xml.gz" --cveUrl12Modified "https://nvd.nist.gov/feeds/xml/cve/1.2/nvdcve-modified.xml.gz" --cveUrl20Modified "https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-modified.xml.gz"
NIST's XML feed overview page actually lists the new URLs, so DependencyCheck should react immediately and fix this breakage in a new release.
Do you have any estimated release date for this?
Until a newer version is available, you can update Jenkins settings to reflect these URLs:
https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-modified.xml.gz
https://nvd.nist.gov/feeds/xml/cve/1.2/nvdcve-modified.xml.gz
https://nvd.nist.gov/feeds/xml/cve/1.2/nvdcve-2018.xml.gz
https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2018.xml.gz
Hope this helps. I was able to test it on owasp dependency plugin 3.1.1 and 2.1.0
Hi
We are using the org.owasp:dependency-check-maven plugin in our project. To generate the report, the 'mvn dependency-check:aggregate' goal is used; the build failed with the error below.
"Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: GET request returned a non-200 status code"
After using the above-mentioned nvd.nist.gov URLs the error is no longer occurring, but the report is still not generating.
There is no other error. SLF4j related errors are occurring but that should be an issue.
Could you please help me with report generation?
Pallavi
@kalyankix - thanks a lot for providing directly the links - worked as a charm for me on my Jenkins!
For CLI users:
./dependency-check.sh --updateonly \
--cveUrl12Base "https://nvd.nist.gov/feeds/xml/cve/1.2/nvdcve-%d.xml.gz" \
--cveUrl20Base "https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-%d.xml.gz" \
--cveUrl12Modified "https://nvd.nist.gov/feeds/xml/cve/1.2/nvdcve-modified.xml.gz" \
--cveUrl20Modified "https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-modified.xml.gz"
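A pre-flight check for the four feed URLs before a CI run, added here as an example rather than code from the dependency-check project: it rewrites old-scheme URLs into the new scheme the thread describes (a "1.2/" or "2.0/" segment after "xml/cve/") and issues the same HEAD request the tool does, so a non-200 URL is reported by setting name instead of surfacing as the "HEAD request returned a non-200 status code" error above. The old-scheme 1.2 URLs are inferred from the pattern, not quoted from the thread, and the `head` argument is injectable so the check can be exercised offline.

```python
"""Check that dependency-check's NVD feed URLs answer 200 to HEAD."""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Old-style URLs (constructed for this example; the 1.2 ones are inferred
# from the scheme change, the 2.0 modified URL is the one quoted in the thread).
OLD_URLS: Dict[str, str] = {
    "cveUrl12Modified": "https://nvd.nist.gov/feeds/xml/cve/nvdcve-modified.xml.gz",
    "cveUrl20Modified": "https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml.gz",
    "cveUrl12Base": "https://nvd.nist.gov/feeds/xml/cve/nvdcve-%d.xml.gz",
    "cveUrl20Base": "https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz",
}

# Matches the old layout: ".../xml/cve/nvdcve-..." with an optional "2.0-" tag.
_OLD_PATH = re.compile(r"(/feeds/xml/cve/)(nvdcve-(2\.0-)?)")


def to_new_scheme(url: str) -> str:
    """Insert the schema-version directory NIST added (1.2/ or 2.0/).

    A URL that already carries the version segment is returned unchanged.
    """
    def _fix(m):
        version = "2.0" if m.group(3) else "1.2"
        return f"{m.group(1)}{version}/{m.group(2)}"
    return _OLD_PATH.sub(_fix, url, count=1)


def head_status(url: str) -> int:
    """Real HEAD request; returns the HTTP status code (also for 4xx/5xx)."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def check_feeds(urls: Dict[str, str], year: int,
                head: Callable[[str], int] = head_status) -> List[str]:
    """Return the setting names whose URL does not answer 200.

    Base URLs carry a %d year placeholder and are expanded with `year`.
    """
    failed = []
    for name, url in urls.items():
        concrete = url % year if "%d" in url else url
        if head(concrete) != 200:
            failed.append(name)
    return failed
```

Run `check_feeds({k: to_new_scheme(v) for k, v in OLD_URLS.items()}, 2018)` against the live feeds to see which settings still need correcting.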
v3.1.2 was released today which resolves this issue.
https://www.owasp.org/index.php/OWASP_Dependency_Check is not updated, so here is the link:
http://dl.bintray.com/jeremy-long/owasp/dependency-check-3.1.2-release.zip
@stevespringett, tested the newer version, and can confirm that it's working. Thanks a lot for helping us.
Maybe I am doing something wrong, but it seems as if the version included in the docker image is still 3.1.1
docker run --rm owasp/dependency-check:3.1.2 -v
gives the result
Dependency-Check Core version 3.1.1
I'm seeing the same issue with the docker image. I believe it was accidentally built with the older version.
Yes, there is: https://groups.google.com/forum/m/#!topic/dependency-check/N6dPqILSyfs
I see that the old URL (https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml.gz) is now working again (together with the new URL). Any information about this decision?
The new URL has stopped working for me
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.