jeremylong
commented
6 years ago Unfortunately - we haven't made the server identification very smart (yet). While yes, we should cycle through the configured servers to determine if we should add the credentials. At the moment the NVD CVE data cannot be obtained from a server that requires authentication.
mahernandezpIndra
When "mvn org.owasp:dependency-check-maven:3.3.1:check" command is run an error appears:
[ERROR] IO Exception connecting to https://artifactory/2.0/nvdcve-2.0-2004.xml.gz: HEAD request returned a non-200 status code: https://artifactory/2.0/nvdcve-2.0-2004.xml.gz [DEBUG] Exception details org.owasp.dependencycheck.utils.DownloadFailedException: HEAD request returned a non-200 status code: https://artifactory/2.0/nvdcve-2.0-2004.xml.gz at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:273) at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:235) at org.owasp.dependencycheck.data.update.NvdCveUpdater$TimestampRetriever.call(NvdCveUpdater.java:512) at org.owasp.dependencycheck.data.update.NvdCveUpdater$TimestampRetriever.call(NvdCveUpdater.java:485) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
We are using internal mirroring of CVE in the pom.xml configuration and is as follows:
Besides, every artifactory url exists and in settings.xml an id for server also was provided but the error is still appearing.
Apart from that, we also try:
$ mvn org.owasp:dependency-check-maven:3.3.1:check -Ddownloader.quick.query.timestamp=false
but for GET request same error is obtained " GET request returned a non-200 status code" and artifactory administrators told us that a 401 error is returned but as I explained before in the settings an id server with user and password was provided.
Can you help up?
Thanks in advance!