dependency-check / azuredevops

Dependency Check Azure DevOps Extension
Apache License 2.0

Error downloading NVD CVE #113

Closed santiagomarrone closed 1 year ago

santiagomarrone commented 1 year ago

dependency-check-build-task@6 constantly fails at the time of downloading NVD CVE.

Please find the logs of the latest run below. It's worth saying that even though in this particular case it fails for NVD CVE - 2017, other runs would fail for different reports, as for example NVD CVE - 2005.

2023-01-02T14:00:45.7581330Z ##[section]Starting: Check dependencies
2023-01-02T14:00:45.7597840Z ==============================================================================
2023-01-02T14:00:45.7598810Z Task         : OWASP Dependency Check
2023-01-02T14:00:45.7599600Z Description  : Dependency Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies.
2023-01-02T14:00:45.7600280Z Version      : 6.0.4
2023-01-02T14:00:45.7600590Z Author       : Dependency Check
2023-01-02T14:00:45.7601140Z Help         : [More Information](https://jeremylong.github.io/DependencyCheck/index.html)
2023-01-02T14:00:45.7601710Z ==============================================================================
2023-01-02T14:00:46.0815430Z Starting Dependency Check...
2023-01-02T14:00:46.0857000Z Setting report directory to /Users/runner/work/1/TestResults/dependency-check
2023-01-02T14:00:46.0865780Z Creating report directory at /Users/runner/work/1/TestResults/dependency-check
2023-01-02T14:00:46.0880910Z Downloading Dependency Check 7.1.2 installer from GitHub..
2023-01-02T14:00:46.3226140Z Downloading ZIP from "https://github.com/jeremylong/DependencyCheck/releases/download/v7.1.2/dependency-check-7.1.2-release.zip"...
2023-01-02T14:00:47.5174470Z Dependency Check script set to /Users/runner/work/_tasks/dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72/6.0.4/dependency-check/bin/dependency-check.sh
2023-01-02T14:00:47.5178090Z Invoking Dependency Check...
2023-01-02T14:00:47.5180080Z Path: /Users/runner/work/_tasks/dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72/6.0.4/dependency-check/bin/dependency-check.sh
2023-01-02T14:00:47.5182620Z Arguments: --project "app-consumer" --scan "/Users/runner/work/1/s" --out "/Users/runner/work/1/TestResults/dependency-check" --format XML --format  JSON --format  JUNIT --log "/Users/runner/work/1/TestResults/dependency-check/log" --disableBundleAudit --disableYarnAudit
2023-01-02T14:00:47.5200890Z [command]/Users/runner/work/_tasks/dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72/6.0.4/dependency-check/bin/dependency-check.sh --version
2023-01-02T14:00:49.3250020Z Dependency-Check Core version 7.1.2
2023-01-02T14:00:49.3298860Z Searching for left over lock files...
2023-01-02T14:00:49.3415910Z found no left over lock files, continuing...
2023-01-02T14:00:49.3439180Z [command]/Users/runner/work/_tasks/dependency-check-build-task_47ea1f4a-57ba-414a-b12e-c44f42765e72/6.0.4/dependency-check/bin/dependency-check.sh --project app-consumer --scan /Users/runner/work/1/s --out /Users/runner/work/1/TestResults/dependency-check --format XML --format JSON --format JUNIT --log /Users/runner/work/1/TestResults/dependency-check/log --disableBundleAudit --disableYarnAudit
2023-01-02T14:00:53.4799230Z [INFO] Checking for updates
2023-01-02T14:00:55.0566720Z [INFO] NVD CVE requires several updates; this could take a couple of minutes.
2023-01-02T14:00:59.1810620Z [INFO] Download Started for NVD CVE - 2002
2023-01-02T14:00:59.9659770Z [INFO] Download Complete for NVD CVE - 2002  (785 ms)
2023-01-02T14:00:59.9772440Z [INFO] Processing Started for NVD CVE - 2002
2023-01-02T14:01:09.0533360Z [INFO] Processing Complete for NVD CVE - 2002  (9076 ms)

...

[INFO] Download Started for NVD CVE - 2017
[INFO] Download Attempt 2 for NVD CVE - 2017
[INFO] Download Attempt 3 for NVD CVE - 2017
[INFO] Download Attempt 4 for NVD CVE - 2017
[ERROR] Download Failed for NVD CVE - 2017
Some CVEs may not be reported. Reason: Download failed, unable to copy 'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2017.json.gz' to '/var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/dctempfc5af090-41f8-45e8-8bfd-ec2d6d1e1b21/cve2017_2069044712719727836.json.gz'; Error downloading file https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2017.json.gz; unable to connect.
[ERROR] If you are behind a proxy you may need to configure dependency-check to use the proxy.
[INFO] Download Attempt 5 for NVD CVE - 2017

You can also find the definition of the corresponding stage of the pipeline below.

- stage: DependencyCheckStage
  jobs:
    - job: DependencyCheckJob
      steps:
        - script: |
            brew install gpg2
            curl -sSL https://rvm.io/mpapis.asc | gpg --import -
            curl -sSL https://rvm.io/pkuczynski.asc | gpg --import -
            curl -sSL https://get.rvm.io | bash -s stable
            source /Users/runner/.rvm/scripts/rvm
            rvm install ruby-2.7.5
            rvm use 2.7.5 --default
            gem install bundler -v 2.1.4
            bundle install
            gem install bundler-audit
            which bundle-audit
            echo '##vso[task.prependpath]/Users/runner/.rvm/gems/ruby-2.7.5/bin'
            bundle-audit update

        - task: dependency-check-build-task@6
          inputs:
            projectName: "MyProjectName"
            scanPath: "."
            format: "XML, JSON, JUNIT"
            enableVerbose: true
            additionalArguments: '--disableBundleAudit --disableYarnAudit'

If this error is caused by a network limitation for NVD CVE that can not be resolved from our side, it would be nice to know if it's possible for the dependency check to continue running even if a particular report has failed to download.
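The log above shows the part of this failure that matters from a risk standpoint: when a yearly NVD feed cannot be downloaded, dependency-check prints "Some CVEs may not be reported" and carries on, so the scan finishes with a silent coverage gap for that year. The following script is an added example, not code from this issue, the extension or the DependencyCheck project. It parses the task's log (with or without the Azure timestamp prefix), records per-year download status and attempt counts, extracts the feed URL named in the error, and exposes a `build_should_fail` gate a pipeline can use to fail or flag a run whose feeds did not all complete. The sample log is constructed from the excerpt above with the temp path shortened; the function and variable names are my own.

```python
import re
import sys

# Constructed sample, modelled on the log excerpt in the issue (temp path shortened).
SAMPLE_LOG = """\
2023-01-02T14:00:53.4799230Z [INFO] Checking for updates
2023-01-02T14:00:59.1810620Z [INFO] Download Started for NVD CVE - 2002
2023-01-02T14:00:59.9659770Z [INFO] Download Complete for NVD CVE - 2002  (785 ms)
2023-01-02T14:00:59.9772440Z [INFO] Processing Started for NVD CVE - 2002
2023-01-02T14:01:09.0533360Z [INFO] Processing Complete for NVD CVE - 2002  (9076 ms)
[INFO] Download Started for NVD CVE - 2017
[INFO] Download Attempt 2 for NVD CVE - 2017
[INFO] Download Attempt 3 for NVD CVE - 2017
[INFO] Download Attempt 4 for NVD CVE - 2017
[ERROR] Download Failed for NVD CVE - 2017
Some CVEs may not be reported. Reason: Download failed, unable to copy 'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2017.json.gz' to '/tmp/cve2017.json.gz'; Error downloading file https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2017.json.gz; unable to connect.
[ERROR] If you are behind a proxy you may need to configure dependency-check to use the proxy.
[INFO] Download Attempt 5 for NVD CVE - 2017
"""

# Azure DevOps prefixes every line with an ISO timestamp; strip it if present.
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T[\d:.]+Z\s+")
# Download lifecycle events emitted by dependency-check for each yearly NVD feed.
EVENT_RE = re.compile(
    r"^\[(?P<level>INFO|ERROR)\] Download "
    r"(?P<event>Started|Attempt (?P<attempt>\d+)|Complete|Failed) "
    r"for NVD CVE - (?P<year>\d{4})"
)
# The feed URL quoted in the failure reason.
URL_RE = re.compile(r"https?://\S+?\.json\.gz")


def parse_feed_status(log_text):
    """Map each feed year to its status ('pending', 'complete' or 'failed'),
    the highest attempt number seen, and the URL/reason from any failure."""
    feeds = {}
    last_failed_year = None  # the "Some CVEs may not be reported" line follows the Failed event
    for raw in log_text.splitlines():
        line = TS_RE.sub("", raw.strip())
        m = EVENT_RE.match(line)
        if m:
            year = m.group("year")
            entry = feeds.setdefault(
                year, {"attempts": 0, "status": "pending", "url": None, "reason": None}
            )
            event = m.group("event")
            if event == "Started":
                entry["attempts"] = 1
            elif event.startswith("Attempt"):
                entry["attempts"] = max(entry["attempts"], int(m.group("attempt")))
            elif event == "Complete":
                entry["status"] = "complete"
            elif event == "Failed":
                entry["status"] = "failed"
                last_failed_year = year
            continue
        if last_failed_year and line.startswith("Some CVEs may not be reported"):
            entry = feeds[last_failed_year]
            if "Reason:" in line:
                entry["reason"] = line.split("Reason:", 1)[1].strip()
            um = URL_RE.search(line)
            entry["url"] = um.group(0) if um else None
            last_failed_year = None
    return feeds


def coverage_gaps(feeds):
    """Feed years that never reached 'complete': CVEs published in those
    years cannot appear in the report, whatever the scan result says."""
    return sorted(year for year, entry in feeds.items() if entry["status"] != "complete")


def build_should_fail(feeds):
    """Gate for the pipeline: treat any incomplete feed as a failed scan."""
    return bool(coverage_gaps(feeds))


if __name__ == "__main__":
    # Usage: python check_nvd_feeds.py <dependency-check log>; no argument uses the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOG
    status = parse_feed_status(text)
    for year in coverage_gaps(status):
        e = status[year]
        print(f"NVD CVE {year}: {e['status']} after {e['attempts']} attempt(s); url={e['url']}")
    sys.exit(1 if build_should_fail(status) else 0)
```

Pointing the script at the `--log` file the task writes under the report directory turns the "Some CVEs may not be reported" warning into a hard signal, which is the check a team would want until the download problem itself is fixed (proxy configuration or a pre-warmed data directory on the agent).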

alaincroisetiere commented 1 year ago

Hi, this repo is an Azure DevOps extension for the OWASP Dependency Check tool. Your requirement can be addressed by the https://github.com/jeremylong/DependencyCheck/ repo.

ejohn20 commented 1 year ago

Closing this issue. This is an internal dependency check issue.