Closed PAKalucki closed 7 months ago
You can add dependencyCheckVersion: 8.4.3 to work around this until the NVD API is working as expected. Just make sure to remove the additionalArguments with your API key. See below.
Please note though that this will only work as long as the JSON feeds are up which are due to be retired on the 15th December.
```yaml
# Latest Dependency Check CLI Doesn't Work due to NVD API Issues
# - task: dependency-check-build-task@6
#   inputs:
#     projectName: 'Test'
#     scanPath: '**'
#     format: 'HTML'
#     additionalArguments: '--nvdApiKey ********-****-****-****-************'
#   displayName: Get OWASP Vulnerabilities Files

# Pin to 8.4.3 to work around this
- task: dependency-check-build-task@6
  inputs:
    dependencyCheckVersion: 8.4.3
    projectName: 'Test'
    scanPath: '**'
    format: 'HTML'
  displayName: Get OWASP Vulnerabilities Files
```
Did anyone test it in the new version 9.0.1 [reference: https://github.com/jeremylong/DependencyCheck/issues/6107]? I am getting the error below:

```
[WARN] NVD API request failures are occurring; retrying request for the 5 time
[INFO] NVD API has 171,546 records in this update
[WARN] NVD API request failures are occurring; retrying request for the 5 time
[WARN] NVD API request failures are occurring; retrying request for the 5 time
[WARN] NVD API request failures are occurring; retrying request for the 5 time
[WARN] NVD API request failures are occurring; retrying request for the 5 time
[WARN] NVD API request failures are occurring; retrying request for the 6 time
[WARN] NVD API request failures are occurring; retrying request for the 6 time
[WARN] NVD API request failures are occurring; retrying request for the 6 time
[WARN] NVD API request failures are occurring; retrying request for the 6 time
[ERROR] Error updating the NVD Data
org.owasp.dependencycheck.data.update.exception.UpdateException: Error updating the NVD Data
    at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi(NvdApiDataSource.java:338)
    at org.owasp.dependencycheck.data.update.NvdApiDataSource.update(NvdApiDataSource.java:110)
    at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:904)
    at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:709)
    at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:635)
    at org.owasp.dependencycheck.App.runScan(App.java:261)
    at org.owasp.dependencycheck.App.run(App.java:193)
    at org.owasp.dependencycheck.App.main(App.java:88)
Caused by: io.github.jeremylong.openvulnerability.client.nvd.NvdApiException: NVD Returned Status Code: 502
    at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.next(NvdCveClient.java:346)
    at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi(NvdApiDataSource.java:317)
    ... 7 common frames omitted
```
The issue has been resolved with version 9.0.2 of DependencyCheck. The task automatically uses the latest version of the DependencyCheck tool.
From version 9.0.0 of DependencyCheck you need to use `--nvdApiKey` to indicate the NVD API Key, see https://nvd.nist.gov/developers/request-an-api-key
Azure DevOps OWASP Dependency Check started failing in the pipeline with the following error:
I'm running on Azure hosted agents.
My pipeline:
Full log: owasp.log