dependency-check / dependency-check-sonar-plugin

Integrates Dependency-Check reports into SonarQube

Not Flagging Hotspots Since Friday. #963

Closed rupreck closed 2 weeks ago

rupreck commented 2 weeks ago

Version 10.0.0 and then 10.0.1 of the OWASP Dependency Check that this plugin relies on were hurriedly released over the weekend because all prior versions of the OWASP Dependency Check were broken by a change in the NVD database schema that was not properly accommodated beforehand. All users of the OWASP Dependency Check must upgrade to >=10.0.0 because the check will no longer run, as the database can no longer be updated, until they do.

The ticket that discusses this problem and the hurried update is here: https://github.com/jeremylong/DependencyCheck/issues/6746

This plugin version 5.0.0 is not fully functioning with the new v10.0.0+. The Dependency Check Report is loaded but no hotspots are raised. Therefore the Gate Conditions are not blocked by serious CVE issues.

To Reproduce
Install Dependency Check version 9 or earlier. Run a scan - will not work. Install Dependency Check 10.0.0 or later. Run a scan - report is produced, no hotspots are raised.

Current behavior
No Hotspots raised

Expected behavior
Hotspots raised

Versions (please complete the following information):

Additional context
Please confirm that SonarQube 10.5.1 is compatible with 5.0.0

jeremylong commented 2 weeks ago

There were no changes to the output of dependency-check with v10.0.0 or 10.0.1. The report updates will happen in a future release. The issues you are facing are likely due to the NVD API being down. The NVD is aware of the problem and they are working on it.

rupreck commented 2 weeks ago

Thanks for the update. Is there a status page or other notification for that NVD API status?

I assume then that all projects' reports will have to be regenerated for the hotspots to show, once this is online?

rupreck commented 2 weeks ago

The NVD Status page is here: https://www.nist.gov/itl/nvd

The problem still remains today. Is this plugin calling that NVD API to read the report? That seems a strange thing for this to do when Dependency Check has done that.

Could this instead be a compatibility issue with SonarQube 10.5.0 or later?

rupreck commented 2 weeks ago

Looking through the source code, there is nothing in this plugin that I can see that is reliant on the NVD API. If the output has not changed then this is likely a compatibility problem with Sonar 10.5.0 / 10.5.1 / 10.6.0.

There is nothing in the logs that indicates any problem with the plugin.

Is there an update or workaround on the horizon?

rupreck commented 2 weeks ago

This behaviour appears to be due to the unannounced deprecation of the Security Hotspots feature.

This is a big disappointment, as they are a more natural place to record and manage CVEs.