eclipse-sw360 / sw360

SW360 project
https://www.eclipse.org/sw360/

cve-search not working anymore? #1151

Open grandpaul opened 3 years ago

grandpaul commented 3 years ago

Description

It seems that circl.lu is not allowed for public usage anymore. https://github.com/cve-search/cve-search/issues/595

Should we mention this in the document that we MUST host our own cve-search service?

How to reproduce

Assign a component with a CPE, but no CVE is found. When looking at the log, we saw:

2021-02-22 00:00:01 ERROR Heuristic:53 - IOException in searchlevel with description=heuristic (dist. 00) with needle=cpe:2.3:.:openssl:openssl:1.1.1d. with exception message=https://cve.circl.lu/api/cvefor/cpe%3A2.3%3A.%3Aopenssl%3Aopenssl%3A1.1.1d.
java.io.FileNotFoundException: https://cve.circl.lu/api/cvefor/cpe%3A2.3%3A.%3Aopenssl%3Aopenssl%3A1.1.1d.*
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1920) ~[?:?]

Versions

I'm running official docker on Debian testing.

Logs

Any logs (if any) generated in

SW360 logs

2021-02-23 00:00:02 ERROR Heuristic:53 - IOException in searchlevel with description=heuristic (dist. 10) with needle=cpe:2.3:.:openssl:openssl:. with exception message=https://cve.circl.lu/api/cvefor/cpe%3A2.3%3A.%3Aopenssl%3Aopenssl%3A.
java.io.FileNotFoundException: https://cve.circl.lu/api/cvefor/cpe%3A2.3%3A.%3Aopenssl%3Aopenssl%3A.*
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1920) ~[?:?]
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1520) ~[?:?]
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:250) ~[?:?]
    at java.net.URL.openStream(URL.java:1140) ~[?:?]
    at org.eclipse.sw360.cvesearch.datasource.CveSearchApiImpl.getParsedContentFor(CveSearchApiImpl.java:53) ~[src-cvesearch-13.1.0-SNAPSHOT.jar:?]
    at org.eclipse.sw360.cvesearch.datasource.CveSearchApiImpl.getParsedCveSearchDatas(CveSearchApiImpl.java:69) ~[src-cvesearch-13.1.0-SNAPSHOT.jar:?]
    at org.eclipse.sw360.cvesearch.datasource.CveSearchApiImpl.cvefor(CveSearchApiImpl.java:104) ~[src-cvesearch-13.1.0-SNAPSHOT.jar:?]
    at org.eclipse.sw360.cvesearch.datasource.heuristics.Heuristic.runForNeedleWithMeta(Heuristic.java:47) ~[src-cvesearch-13.1.0-SNAPSHOT.jar:?]

mcjaeger commented 3 years ago

Yes, the project has quit the public service, and it might be good to add some developer documentation on how to set up cve-search, including a link to the maintained Docker container: https://github.com/cve-search/cve-search#docker-versions
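In the report above, a failed lookup appears in the UI only as "no CVE found", so the log is the one place that separates a clean component from one that was never checked. The following log triage script is an added example, not SW360 code and not written by either commenter; `failed_lookups`, `unchecked_cpes` and `SAMPLE` are hypothetical names, and the sample lines are shortened from the log lines quoted in this issue.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Matches the "Heuristic" error line format quoted in this issue.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ERROR Heuristic:\d+ - "
    r"IOException in searchlevel with description=(?P<level>.+?) "
    r"with needle=(?P<needle>\S+) "
    r"with exception message=(?P<url>https?://\S+)"
)

def failed_lookups(lines):
    """Return {api_host: [(timestamp, searchlevel, decoded CPE), ...]}."""
    failures = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a cve-search lookup failure
        url = urlsplit(m["url"])
        # The last path segment is the percent-encoded CPE that was queried.
        cpe = unquote(url.path.rsplit("/", 1)[-1])
        failures[url.netloc].append((m["ts"], m["level"], cpe))
    return dict(failures)

def unchecked_cpes(lines):
    """CPE needles whose 'no CVE found' result must not be trusted."""
    return sorted({cpe for hits in failed_lookups(lines).values()
                   for _, _, cpe in hits})

# Constructed sample: the two error lines from this issue (stack frames
# dropped) plus one unrelated line.
_URL = "https://cve.circl.lu/api/cvefor/cpe%3A2.3%3A.%3Aopenssl%3Aopenssl%3A"
SAMPLE = [
    "2021-02-22 00:00:01 ERROR Heuristic:53 - IOException in searchlevel "
    "with description=heuristic (dist. 00) with "
    "needle=cpe:2.3:.:openssl:openssl:1.1.1d. with exception message="
    + _URL + "1.1.1d. java.io.FileNotFoundException: " + _URL + "1.1.1d.*",
    "2021-02-23 00:00:02 ERROR Heuristic:53 - IOException in searchlevel "
    "with description=heuristic (dist. 10) with "
    "needle=cpe:2.3:.:openssl:openssl:. with exception message="
    + _URL + ". java.io.FileNotFoundException: " + _URL + ".*",
    "2021-02-23 00:00:03 INFO Scheduler:12 - unrelated line (constructed)",
]

if __name__ == "__main__":
    for host, hits in failed_lookups(SAMPLE).items():
        print(f"{host}: {len(hits)} failed lookups")
        for ts, level, cpe in hits:
            print(f"  {ts}  {level}  {cpe}")
```

Any CPE this reports should be treated as unscanned until the lookup succeeds against a reachable cve-search instance.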