My Jenkins builds started to fail overnight; the plugin is not able to reach the metadata location.
[DependencyCheck] [INFO] Checking for updates
[DependencyCheck] [ERROR] Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta; received 404 -- resource not found
[DependencyCheck] org.owasp.dependencycheck.data.update.exception.UpdateException: Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta; received 404 -- resource not found
[DependencyCheck] at org.owasp.dependencycheck.data.update.NvdCveUpdater.getMetaFile(NvdCveUpdater.java:351)
[DependencyCheck] at org.owasp.dependencycheck.data.update.NvdCveUpdater.getUpdatesNeeded(NvdCveUpdater.java:385)
[DependencyCheck] at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:122)
[DependencyCheck] at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:922)
[DependencyCheck] at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:723)
[DependencyCheck] at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:653)
[DependencyCheck] at org.owasp.dependencycheck.App.runScan(App.java:251)
[DependencyCheck] at org.owasp.dependencycheck.App.run(App.java:183)
[DependencyCheck] at org.owasp.dependencycheck.App.main(App.java:80)
[DependencyCheck] Caused by: org.owasp.dependencycheck.utils.ResourceNotFoundException: Requested resource does not exists - received a 404
[DependencyCheck] at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:204)
[DependencyCheck] at org.owasp.dependencycheck.utils.HttpResourceConnection.fetch(HttpResourceConnection.java:138)
[DependencyCheck] at org.owasp.dependencycheck.utils.Downloader.fetchContent(Downloader.java:110)
[DependencyCheck] at org.owasp.dependencycheck.data.update.NvdCveUpdater.getMetaFile(NvdCveUpdater.java:340)
[DependencyCheck] ... 8 common frames omitted
[DependencyCheck] [INFO] Skipping RetireJS update since last update was within 24 hours.
[DependencyCheck] [WARN] Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
Is there any issue with the NVD NIST website?
It seems as though the files have been moved to a 1.1 version/path:
https://nvd.nist.gov/vuln/data-feeds#JSON_FEED
The file https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.meta is available, while the 1.0 version is not.
There's a changelog indicating the change:
According to this news item, they originally planned on deprecating 1.0 last year:
I'm coming from sbt-dependency-check, and my solution was to update to version 2.0.0.
It looks like if you're using this plugin directly, update to at least 5.2.3: https://github.com/jeremylong/DependencyCheck/blob/main/RELEASE_NOTES.md#version-523-2019-11-11
Coming from gradle-dependency-check, updating to at least 5.2.3 has* solved the problem for me.
LE: I have somehow managed to write hasn't instead of has. Updating managed to solve the issue for me, using the Gradle plugin.
However, if you are using Artifactory and have configured the task to fetch the feed files via Artifactory and not going directly to the NVD URL, then please note that you have to update your task config to point to the 1.1 schema version instead of the 1.0.
dependencyCheck {
    ...
    cve {
        urlModified = "<<here goes the link to new schema version>>"
    }
}
I am using the Maven plugin, and updating to 6.0.1 solved the issue for me! Thanks @MSM-GabrielF
Hi all, I got the same problem and changed to a CVE mirror. But I tried following the documentation to change the cveUrlModified:
--cveUrlModified=http://mirror-url/nist/*.json.gz
--cveUrlBase=http://mirror-url/nist/nvdcve-1.1-%d.json.gz
But I got another problem.
[DependencyCheck] [INFO] Checking for updates
[DependencyCheck] [ERROR] Unable to download meta file: http://mirror-url/nist/*.meta; received 404 -- resource not found
[DependencyCheck] org.owasp.dependencycheck.data.update.exception.UpdateException: Unable to download meta file: http://mirror-url/nist/*.meta; received 404 -- resource not found
[DependencyCheck] at org.owasp.dependencycheck.data.update.NvdCveUpdater.getMetaFile(NvdCveUpdater.java:351)
[DependencyCheck] at org.owasp.dependencycheck.data.update.NvdCveUpdater.getUpdatesNeeded(NvdCveUpdater.java:385)
[DependencyCheck] at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:122)
[DependencyCheck] at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:921)
[DependencyCheck] at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:723)
[DependencyCheck] at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:653)
[DependencyCheck] at org.owasp.dependencycheck.App.runScan(App.java:251)
[DependencyCheck] at org.owasp.dependencycheck.App.run(App.java:183)
[DependencyCheck] at org.owasp.dependencycheck.App.main(App.java:80)
[DependencyCheck] Caused by: org.owasp.dependencycheck.utils.ResourceNotFoundException: Requested resource does not exists - received a 404
[DependencyCheck] at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:204)
[DependencyCheck] at org.owasp.dependencycheck.utils.HttpResourceConnection.fetch(HttpResourceConnection.java:138)
[DependencyCheck] at org.owasp.dependencycheck.utils.Downloader.fetchContent(Downloader.java:110)
[DependencyCheck] at org.owasp.dependencycheck.data.update.NvdCveUpdater.getMetaFile(NvdCveUpdater.java:340)
[DependencyCheck] ... 8 common frames omitted
[DependencyCheck] [WARN] Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
[DependencyCheck] [ERROR] Unable to continue dependency-check analysis.
[DependencyCheck] [ERROR] One or more fatal errors occurred
[DependencyCheck] [ERROR] Unable to download meta file: http://mirror-url/nist/*.meta; received 404 -- resource not found
[DependencyCheck] [ERROR] No documents exist
Any idea how to fix it?
Thanks
Your CVE URL modified argument is wrong - there is no asterisk.
--cveUrlModified=http://mirror-url/nist/nvdcve-1.1-modified.json.gz
Hello, I might have the same problem.
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:6.0.3:aggregate (default-cli) on project blueprint: Fatal exception(s) analyzing Website: One or more exceptions occurred during analysis:
[ERROR] UpdateException: Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modifimeta; received 404 -- resource not found
[ERROR] caused by ResourceNotFoundException: Requested resource does not exists - received a 404
[ERROR] NoDataException: No documents exist
[ERROR] -> [Help 1]
It seems that the download URL isn't correct, and when I pass it directly with the -Dcve.url.modified= switch, it gets wrongly modified as well. Is there any fix for it?
The URL is https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.meta not https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modifimeta. Also, it appears you are trying to pass in the default location which is not needed. Can you provide the command you are trying to run that is failing?
Thanks for your reply.
But it is not a typo because I am getting this error even without the -Dcve.url.modified= variable AND with the variable with the correct URL.
mvn org.owasp:dependency-check-maven:6.0.3:aggregate -Dcve.url.modified=https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.meta <- that's the command I am using.
And I've taken a look into the code and it seems that the URL gets modified.
I don't see a reason for that, because it is correctly provided in the settings so the modification is totally unnecessary.
Ah - I see the confusion. You should not pass the location of the "meta" file - rather you need to use the location of the actual modified file:
-Dcve.url.modified=https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz
ODC will then try to pull the meta file to check if we need to update.
Ah - yep, this solved the issue for now, thank you very much for your quick response and please stay healthy.
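The two misconfigurations in this thread (the `*` wildcard and the `.meta` URL) can be caught before a build runs. The following pre-flight check is an added example, not code from the thread or from the dependency-check project; it assumes the meta URL is built by dropping the last seven characters (`json.gz`) of the modified-feed URL and appending `meta`, a rule inferred from the two error logs above. The function names are hypothetical.

```python
from urllib.parse import urlparse

# Assumption inferred from the logs in this thread: the updater drops the
# trailing "json.gz" (7 characters) and appends "meta" to get the meta URL.
SUFFIX = "json.gz"


def derive_meta_url(modified_url):
    """Return the meta URL the updater would request for this setting."""
    return modified_url[: -len(SUFFIX)] + "meta"


def check_modified_url(modified_url):
    """Return a list of problems with a cveUrlModified / cve.url.modified value."""
    problems = []
    parsed = urlparse(modified_url)
    name = parsed.path.rsplit("/", 1)[-1]
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        problems.append("not an absolute http(s) URL")
    if "*" in name:
        problems.append("wildcard in file name; one exact file is requested")
    if name.endswith(".meta"):
        problems.append("points at the .meta file; use the .json.gz feed URL")
    elif not name.endswith("." + SUFFIX):
        problems.append("file name does not end in .json.gz")
    if name.startswith("nvdcve-1.0-"):
        problems.append("1.0 feed name; the thread reports only 1.1 is served")
    return problems


if __name__ == "__main__":
    # Settings quoted in the thread, plus the retired 1.0 name (constructed).
    samples = [
        "http://mirror-url/nist/*.json.gz",
        "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.meta",
        "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.json.gz",
        "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz",
    ]
    for url in samples:
        print(url)
        print("  meta request:", derive_meta_url(url))
        for problem in check_modified_url(url) or ["ok"]:
            print("  ->", problem)
```

Running it against a build's configured value before the scan turns the misleading 404 on a mangled meta URL into a direct message about the setting.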