clj-holmes / clj-watson

clojure deps SCA
Eclipse Public License 2.0
84 stars 9 forks source link

Persistent 503 errors? #34

Closed seancorfield closed 11 months ago

seancorfield commented 1 year ago

For the last two or three days, I've been unable to run Watson:

Downloading/Updating database.
** ERROR: **
Exception: #error {
 :cause NVD Returned Status Code: 503
 :via
 [{:type org.owasp.dependencycheck.data.update.exception.UpdateException
   :message Error updating the NVD Data
   :at [org.owasp.dependencycheck.data.update.NvdApiDataSource processApi NvdApiDataSource.java 336]}
  {:type io.github.jeremylong.openvulnerability.client.nvd.NvdApiException
   :message NVD Returned Status Code: 503
   :at [io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient next NvdCveClient.java 327]}]
 :trace
 [[io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient next NvdCveClient.java 327]

I don't know whether this is genuinely due to some underlying service being down or whether it's a configuration issue (using a deprecated endpoint that has now been removed).

seancorfield commented 1 year ago

Looks like https://github.com/jeremylong/DependencyCheck/issues/6107

seancorfield commented 1 year ago

I've rolled back to 8.4.3 for now, but it sounds like the NVD stuff will require users to switch to the new API key approach (and 9.0.1+ of DependencyCheck) fairly soon.

I requested an API key but I'm getting 403 errors now (with 9.0.1). I'm wondering if I have a bad API key. I'll revisit this if/when 8.4.3 stops working.

seancorfield commented 12 months ago

9.0.1 is not backward compatible with 8.4.3 so I suspect Watson will need changes to be able to work with 9.0.1 and let users provide their own API key (via the properties file, I think).

seancorfield commented 11 months ago

See #35 for some updates that make this work.

seancorfield commented 11 months ago

This will be addressed fully by #41

seancorfield commented 11 months ago

PR has been merged. Thank you!