Dependencycheck: Duplicate key exception for 'CWE-125'

Created on 8 Jun 2020  路  3Comments  路  Source: jeremylong/DependencyCheck

We're currently utilizing the DependencyCheck framework with a centralized DB which is updated a couple of times a day.

This has been working fairly well for the longest time however, recently we got into a situation where the update fails due to a Duplicate Key entry - This then fails the entire update process.

This seems to pertain to a fairly recent CVE: CVE-2020-11042

I've tried to resolve the issue by manipluating the DB directly, but seemingly there are multiple entries which the update is trying to insert.

org.owasp.dependencycheck.data.update.exception.UpdateException: org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error updating 'CVE-2020-11042' at org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles(ProcessTask.java:156) at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:113) at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:40) at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) at java.base/java.lang.Thread.run(Thread.java:834) Caused by: org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error updating 'CVE-2020-11042' at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerability(CveDB.java:887) at org.owasp.dependencycheck.data.update.nvd.NvdCveParser.parse(NvdCveParser.java:99) at org.owasp.dependencycheck.data.update.nvd.ProcessTask.importJSON(ProcessTask.java:139) at org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles(ProcessTask.java:152) ... 6 more Caused by: java.sql.SQLException: Violation of PRIMARY KEY constraint 'PK__cweEntry__C3F22D24072682AC'. Cannot insert duplicate key in object 'dbo.cweEntry'. The duplicate key value is (111345, CWE-125). at net.sourceforge.jtds.jdbc.SQLDiagnostic.addDiagnostic(SQLDiagnostic.java:372) at net.sourceforge.jtds.jdbc.TdsCore.tdsErrorToken(TdsCore.java:2988) at net.sourceforge.jtds.jdbc.TdsCore.nextToken(TdsCore.java:2421) at net.sourceforge.jtds.jdbc.TdsCore.getMoreResults(TdsCore.java:671) at net.sourceforge.jtds.jdbc.JtdsStatement.processResults(JtdsStatement.java:613) at net.sourceforge.jtds.jdbc.JtdsStatement.executeSQL(JtdsStatement.java:572) at net.sourceforge.jtds.jdbc.JtdsPreparedStatement.execute(JtdsPreparedStatement.java:784) at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerabilityInsertCwe(CveDB.java:1114) at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerability(CveDB.java:874) ... 9 more

Is there a possibility to exclude said CVE, from the update cycle, as we've inspected it and it does not affect us other than breaking the update cycle set in place.

Any feedback here would be much appreciated.

PS: We're running on the latest version of the framework 5.3.2

bug question
Source
picture KevinMcT
👍1

Most helpful comment

It looks like the MSSQL Initialization script includes a primary key that needs to be removed

https://github.com/jeremylong/DependencyCheck/blob/2bb3951ee43ee39d36fae32b3ad19ae8b05ec459/core/src/main/resources/data/initialize_mssql.sql#L35-L39

However, the primary key is not defined in the MySQL Initialization script:

https://github.com/jeremylong/DependencyCheck/blob/2bb3951ee43ee39d36fae32b3ad19ae8b05ec459/core/src/main/resources/data/initialize_mysql.sql#L36-L39

picture jeremylong on 17 Jun 2020
👍2

All 3 comments

I have the same problem. (massql on azure)

EDIT: With MySQL is working normally (local)

EDIT2:
Logs:

`

Task :preUpdate
Task :dependencyCheckUpdate
org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error updating 'CVE-2020-11042'
org.owasp.dependencycheck.data.update.exception.UpdateException: org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error updating 'CVE-2020-11042'
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles(ProcessTask.java:156)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:113)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:40)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error updating 'CVE-2020-11042'
at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerability(CveDB.java:887)
at org.owasp.dependencycheck.data.update.nvd.NvdCveParser.parse(NvdCveParser.java:99)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.importJSON(ProcessTask.java:139)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles(ProcessTask.java:152)
... 6 more
Caused by: com.microsoft.sqlserver.jdbc.SQLServerException: Violation of PRIMARY KEY constraint 'PK__cweEntry__C3F22D246C9DEF86'. Cannot insert duplicate key in object 'dbo.cweEntry'. The duplicate key value is (108070, CWE-125).
at com.microsoft.sqlserver.jdbc.SQLServerException.makeFromDatabaseError(SQLServerException.java:262)
at com.microsoft.sqlserver.jdbc.SQLServerStatement.getNextResult(SQLServerStatement.java:1632)
at com.microsoft.sqlserver.jdbc.SQLServerPreparedStatement.doExecutePreparedStatement(SQLServerPreparedStatement.java:600)
at com.microsoft.sqlserver.jdbc.SQLServerPreparedStatement$PrepStmtExecCmd.doExecute(SQLServerPreparedStatement.java:522)
at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:7225)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:3053)
at com.microsoft.sqlserver.jdbc.SQLServerStatement.executeCommand(SQLServerStatement.java:247)
at com.microsoft.sqlserver.jdbc.SQLServerStatement.executeStatement(SQLServerStatement.java:222)
at com.microsoft.sqlserver.jdbc.SQLServerPreparedStatement.execute(SQLServerPreparedStatement.java:503)
at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerabilityInsertCwe(CveDB.java:1114)
at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerability(CveDB.java:874)
... 9 more
Task :dependencyCheckUpdate FAILED
FAILURE: Build failed with an exception.
*What went wrong:
Execution failed for task ':dependencyCheckUpdate'.
org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error updating 'CVE-2020-11042'
*Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.
*Get more help at https://help.gradle.org
BUILD FAILED in 21h 19m 8s
2 actionable tasks: 2 executed

`

ognjen-it picture ognjen-it on 13 Jun 2020

It looks like the MSSQL Initialization script includes a primary key that needs to be removed

https://github.com/jeremylong/DependencyCheck/blob/2bb3951ee43ee39d36fae32b3ad19ae8b05ec459/core/src/main/resources/data/initialize_mssql.sql#L35-L39

However, the primary key is not defined in the MySQL Initialization script:

https://github.com/jeremylong/DependencyCheck/blob/2bb3951ee43ee39d36fae32b3ad19ae8b05ec459/core/src/main/resources/data/initialize_mysql.sql#L36-L39

jeremylong picture jeremylong on 17 Jun 2020
👍2

Yes, now it is working!
Thank you! :)

ognjen-it picture ognjen-it on 25 Jun 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

amandel picture amandel  路  3Comments
dwvisser picture dwvisser  路  4Comments
Stephan202 picture Stephan202  路  3Comments
chadlwilson picture chadlwilson  路  3Comments
javixeneize picture javixeneize  路  4Comments