clj-holmes / clj-watson

clojure deps SCA
Eclipse Public License 2.0
84 stars 9 forks source link

Persistent 503 errors? #34

Closed seancorfield closed 10 months ago

seancorfield commented 11 months ago

For the last two or three days, I've been unable to run Watson:

Downloading/Updating database.
** ERROR: **
Exception: #error {
 :cause NVD Returned Status Code: 503
 :via
 [{:type org.owasp.dependencycheck.data.update.exception.UpdateException
   :message Error updating the NVD Data
   :at [org.owasp.dependencycheck.data.update.NvdApiDataSource processApi NvdApiDataSource.java 336]}
  {:type io.github.jeremylong.openvulnerability.client.nvd.NvdApiException
   :message NVD Returned Status Code: 503
   :at [io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient next NvdCveClient.java 327]}]
 :trace
 [[io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient next NvdCveClient.java 327]

I don't know whether this is genuinely due to some underlying service being down or whether it's a configuration issue (using a deprecated endpoint that has now been removed).

seancorfield commented 11 months ago

Looks like https://github.com/jeremylong/DependencyCheck/issues/6107

seancorfield commented 11 months ago

I've rolled back to 8.4.3 for now, but it sounds like the NVD stuff will require users to switch to the new API key approach (and 9.0.1+ of DependencyCheck) fairly soon.

I requested an API key but I'm getting 403 errors now (with 9.0.1). I'm wondering if I have a bad API key. I'll revisit this if/when 8.4.3 stops working.

seancorfield commented 11 months ago

9.0.1 is not backward compatible with 8.4.3 so I suspect Watson will need changes to be able to work with 9.0.1 and let users provide their own API key (via the properties file, I think).

seancorfield commented 11 months ago

See #35 for some updates that make this work.

seancorfield commented 10 months ago

This will be addressed fully by #41

seancorfield commented 10 months ago

PR has been merged. Thank you!