jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Unable to download the NVD CVE data; the results may not include the most recent CPE/CVEs from the NVD. #523

Closed chrisdeml closed 8 years ago

chrisdeml commented 8 years ago

Hi! I've been struggling to download the newest NVD CVE database for a while. I already tried out different versions of the plugin (1.2.4, 1.2.11, 1.3.3, 1.3.6, 1.4.0). I'm quite sure that it worked some time ago with version 1.3.3 without setting any proxy configuration.

After reading and googling this error I've already tried to set the proxy in my Maven settings.xml as well as in the plugin setup directly. Unfortunately nothing has worked so far. :-(

This is the current error: Unable to download the NVD CVE data; the results may not include the most recent CPE/CVEs from the NVD.

org.owasp.dependencycheck.utils.DownloadFailedException: Error making HTTP HEAD request.
    at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:246)
    at org.owasp.dependencycheck.data.update.nvd.UpdateableNvdCve.add(UpdateableNvdCve.java:94)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.retrieveCurrentTimestampsFromWeb(NvdCveUpdater.java:299)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.getUpdatesNeeded(NvdCveUpdater.java:231)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:70)
    at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:433)
    at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:318)
    at org.owasp.dependencycheck.maven.Engine.analyzeDependencies(Engine.java:86)
    at org.owasp.dependencycheck.maven.CheckMojo.runCheck(CheckMojo.java:83)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute(BaseDependencyCheckMojo.java:375)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:101)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:209)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:84)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:59)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.singleThreadedBuild(LifecycleStarter.java:183)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:161)
    at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:320)
    at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:156)
    at org.jvnet.hudson.maven3.launcher.Maven3Launcher.main(Maven3Launcher.java:117)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchStandard(Launcher.java:329)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:239)
    at org.jvnet.hudson.maven3.agent.Maven3Main.launch(Maven3Main.java:181)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at hudson.maven.Maven3Builder.call(Maven3Builder.java:134)
    at hudson.maven.Maven3Builder.call(Maven3Builder.java:69)
    at hudson.remoting.UserRequest.perform(UserRequest.java:121)
    at hudson.remoting.UserRequest.perform(UserRequest.java:49)
    at hudson.remoting.Request$2.run(Request.java:325)
    at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:68)
    at java.util.concurrent.FutureTask.run(FutureTask.java:262)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:953)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
    at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:235)
    ... 41 more
Caused by: java.io.EOFException: SSL peer shut down incorrectly
    at sun.security.ssl.InputRecord.read(InputRecord.java:482)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:934)
    ... 48 more

Can someone please help me out?

Greetz, Chris

jeremylong commented 8 years ago

Please check out the "Still Failing" section on the Proxy Configuration page. We've found that some proxies are blocking HEAD requests in some situations; the tool makes an attempt to discover this situation and switches to not using HEAD requests (but this does not seem to work 100% of the time). As such, you can configure a property on the command line to force the setting to not use HEAD requests:

mvn -Ddownloader.quick.query.timestamp=false

Additionally, there might be other solutions for you - take a look at Internet Access Required

chrisdeml commented 8 years ago

Thank you for your quick answer. If I set this new option, the output is the following:

Loaded Analyzer Hint Analyzer
Loaded Analyzer CPE Analyzer
Loaded Analyzer False Positive Analyzer
Loaded Analyzer Cpe Suppression Analyzer
Loaded Analyzer Dependency Bundling Analyzer
Loaded Analyzer NVD CVE Analyzer
Loaded Analyzer Vulnerability Suppression Analyzer
Enabling the Central analyzer
Loaded Analyzer Central Analyzer
Nexus analyzer disabled, using Central instead
Loaded Analyzer Nexus Analyzer
Loaded Analyzer Nuspec Analyzer
Loaded Analyzer Assembly Analyzer
Loaded Analyzer OpenSSL Source Analyzer
Checking root project, nativegui-web, if updates have already been completed
Checking for updates
Database dialect: H2
Database dialect: H2
Setting: downloader.quick.query.timestamp='true'
Setting: downloader.quick.query.timestamp='true'
Setting: downloader.quick.query.timestamp='true'
Setting: downloader.quick.query.timestamp='true'
Setting: downloader.quick.query.timestamp='true'
Setting: downloader.quick.query.timestamp='true'
Setting: downloader.quick.query.timestamp='true'
Setting: downloader.quick.query.timestamp='true'
Setting: downloader.quick.query.timestamp='true'
Setting: downloader.quick.query.timestamp='true'

mf-smith commented 8 years ago

Hi,

I am also having the same problem with downloading the NVD CVE data. I am not behind a proxy.

Without the -Ddownloader.quick.query.timestamp=false option I get:

[INFO] Checking for updates
[DEBUG] Database dialect: H2
[DEBUG] Database dialect: H2
[WARNING] Unable to download the NVD CVE data; the results may not include the most recent CPE/CVEs from the NVD.
[INFO] If you are behind a proxy you may need to configure dependency-check to use the proxy.
[DEBUG] 
org.owasp.dependencycheck.utils.DownloadFailedException: Error making HTTP HEAD request.
    at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:254)
    at org.owasp.dependencycheck.data.update.nvd.UpdateableNvdCve.add(UpdateableNvdCve.java:94)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.retrieveCurrentTimestampsFromWeb(NvdCveUpdater.java:341)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.getUpdatesNeeded(NvdCveUpdater.java:270)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:80)
    at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:432)
    at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:317)
    at org.owasp.dependencycheck.maven.Engine.analyzeDependencies(Engine.java:86)
    at org.owasp.dependencycheck.maven.CheckMojo.runCheck(CheckMojo.java:83)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute(BaseDependencyCheckMojo.java:410)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:134)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:208)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:116)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:80)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:307)
    at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:193)
    at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:106)
    at org.apache.maven.cli.MavenCli.execute(MavenCli.java:862)
    at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:286)
    at org.apache.maven.cli.MavenCli.main(MavenCli.java:197)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
Caused by: java.net.SocketException: Connection reset
    at java.net.SocketInputStream.read(SocketInputStream.java:196)
    at java.net.SocketInputStream.read(SocketInputStream.java:122)
    at sun.security.ssl.InputRecord.readFully(InputRecord.java:442)
    at sun.security.ssl.InputRecord.read(InputRecord.java:480)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:934)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
    at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:233)
    ... 31 more
[DEBUG] Database dialect: H2
[DEBUG] Begin Engine Version Check
[DEBUG] Last checked: 1467213875512
[DEBUG] Now: 1467217774246
[DEBUG] Current version: 1.4.0
[DEBUG] Upgrade not needed
[INFO] Check for updates complete (2681 ms)
[DEBUG] Database dialect: H2
[ERROR] No documents exist

Unable to continue dependency-check analysis.
[DEBUG] 
org.owasp.dependencycheck.exception.NoDataException: No documents exist
    at org.owasp.dependencycheck.Engine.ensureDataExists(Engine.java:496)
    at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:322)
    at org.owasp.dependencycheck.maven.Engine.analyzeDependencies(Engine.java:86)
    at org.owasp.dependencycheck.maven.CheckMojo.runCheck(CheckMojo.java:83)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute(BaseDependencyCheckMojo.java:410)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:134)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:208)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:116)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:80)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:307)
    at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:193)
    at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:106)
    at org.apache.maven.cli.MavenCli.execute(MavenCli.java:862)
    at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:286)
    at org.apache.maven.cli.MavenCli.main(MavenCli.java:197)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)

When I apply the -Ddownloader.quick.query.timestamp=false option I get many pages of repeated Setting: downloader.quick.query.timestamp='true' before a stack overflow:

Exception in thread "main" java.lang.StackOverflowError
    at java.lang.StringCoding$StringDecoder.decode(StringCoding.java:153)
    at java.lang.StringCoding.decode(StringCoding.java:193)
    at java.lang.String.<init>(String.java:416)
    at java.lang.String.<init>(String.java:481)
    at java.net.SocketOutputStream.socketWrite0(Native Method)
    at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:113)
    at java.net.SocketOutputStream.write(SocketOutputStream.java:159)
    at sun.security.ssl.OutputRecord.writeBuffer(OutputRecord.java:377)
    at sun.security.ssl.OutputRecord.write(OutputRecord.java:363)
    at sun.security.ssl.SSLSocketImpl.writeRecordInternal(SSLSocketImpl.java:837)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:808)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:679)
    at sun.security.ssl.SSLSocketImpl.sendAlert(SSLSocketImpl.java:2025)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1899)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1862)
    at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1826)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1366)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
    at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:233)
    at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:248)
        ......
    at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:248)

jeremylong commented 8 years ago

Updates were made in the 1.4.1-SNAPSHOT that will be included in the next release.

@mf-smith any chance you could try out the snapshot version? I also added more debug logging so if you can retest this I would like to see the debug log. The current snapshot repo is here: http://repository-dependency-check.forge.cloudbees.com/snapshot/

Thanks!

--jeremy

mf-smith commented 8 years ago

Hi Jeremy, thanks for the update. I'm away just now; I'll retest on my return. Thanks.

anjalireddy commented 8 years ago

Hi Jeremy, I am also facing the same issue. I added proxy details. I ran the following command:

./dependencycheck.sh -proxyserver xyz -proxyport xyz --project xyz --scan xyx --out xyz.html --log xyz.log

Log Details:

DEBUG - Entering finalize
2016-07-07 06:32:07,323 org.owasp.dependencycheck.data.update.NvdCveUpdater:91 WARN - Unable to download the NVD CVE data; the results may not include the most recent CPE/CVEs from the NVD.
2016-07-07 06:32:07,334 org.owasp.dependencycheck.data.update.NvdCveUpdater:97 DEBUG -
org.owasp.dependencycheck.utils.DownloadFailedException: Error making HTTP HEAD request.
    at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:254)
    at org.owasp.dependencycheck.data.update.nvd.UpdateableNvdCve.add(UpdateableNvdCve.java:94)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.retrieveCurrentTimestampsFromWeb(NvdCveUpdater.java:341)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.getUpdatesNeeded(NvdCveUpdater.java:270)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:80)
    at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:432)
    at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:317)
    at org.owasp.dependencycheck.App.runScan(App.java:200)
    at org.owasp.dependencycheck.App.run(App.java:122)
    at org.owasp.dependencycheck.App.main(App.java:63)
Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:965)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1344)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
    at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:233)
    ... 9 common frames omitted
Caused by: java.io.EOFException: SSL peer shut down incorrectly
    at sun.security.ssl.InputRecord.read(InputRecord.java:482)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:946)
    ... 16 common frames omitted
2016-07-07 06:32:07,833 org.owasp.dependencycheck.data.nvdcve.CveDB:93 DEBUG - Database dialect: H2
2016-07-07 06:32:07,834 org.owasp.dependencycheck.data.update.EngineVersionCheck:90 DEBUG - Begin Engine Version Check
2016-07-07 06:32:07,835 org.owasp.dependencycheck.data.update.EngineVersionCheck:96 DEBUG - Last checked: 1467870823278
2016-07-07 06:32:07,835 org.owasp.dependencycheck.data.update.EngineVersionCheck:97 DEBUG - Now: 1467873127835
2016-07-07 06:32:07,836 org.owasp.dependencycheck.data.update.EngineVersionCheck:98 DEBUG - Current version: 1.4.0
2016-07-07 06:32:07,839 org.owasp.dependencycheck.data.update.EngineVersionCheck:156 DEBUG - Upgrade not needed
2016-07-07 06:32:07,871 org.owasp.dependencycheck.Engine:439 INFO - Check for updates complete (3520 ms)
2016-07-07 06:32:08,387 org.owasp.dependencycheck.data.nvdcve.CveDB:93 DEBUG - Database dialect: H2
2016-07-07 06:32:08,431 org.owasp.dependencycheck.Engine:324 ERROR - No documents exist

Unable to continue dependency-check analysis.
2016-07-07 06:32:08,431 org.owasp.dependencycheck.Engine:325 DEBUG -
org.owasp.dependencycheck.exception.NoDataException: No documents exist
    at org.owasp.dependencycheck.Engine.ensureDataExists(Engine.java:496)
    at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:322)
    at org.owasp.dependencycheck.App.runScan(App.java:200)
    at org.owasp.dependencycheck.App.run(App.java:122)
    at org.owasp.dependencycheck.App.main(App.java:63)
2016-07-07 06:32:08,929 org.owasp.dependencycheck.data.nvdcve.CveDB:93 DEBUG - Database dialect: H2
2016-07-07 06:32:09,100 org.owasp.dependencycheck.reporting.VelocityLoggerRedirect:66 DEBUG - Initializing Velocity, Calling init()...
2016-07-07 06:32:09,101 org.owasp.dependencycheck.reporting.VelocityLoggerRedirect:66 DEBUG - Starting Apache Velocity v1.7 (compiled: 2010-11-19 12:14:37)
2016-07-07 06:32:09,101 org.owasp.dependencycheck.reporting.VelocityLoggerRedirect:66 DEBUG - Default Properties File: org/apache/velocity/runtime/defaults/velocity.properties
2016-07-07 06:32:09,102 org.owasp.dependencycheck.reporting.VelocityLoggerRedirect:66 DEBUG - Trying to use logger class org.owasp.dependencycheck.reporting.VelocityLoggerRedirect
2016-07-07 06:32:09,102 org.owasp.dependencycheck.reporting.VelocityLoggerRedirect:66 DEBUG - Using logger class org.owasp.dependencycheck.reporting.VelocityLoggerRedirect
2016-07-07 06:32:09,112 org.owasp.dependencycheck.reporting.VelocityLoggerRedirect:66 DEBUG - ResourceLoader instantiated: org.apache.velocity.runtime.resource.loader.FileResourceLoader
2016-07-07 06:32:09,116 org.owasp.dependencycheck.reporting.VelocityLoggerRedirect:66 DEBUG - Do unicode file recognition: false
2016-07-07 06:32:09,116 org.owasp.dependencycheck.reporting.VelocityLoggerRedirect:66 DEBUG - FileResourceLoader : adding path '.'
2016-07-07 06:32:09,139 org.owasp.dependencycheck.reporting.VelocityLoggerRedirect:66 DEBUG - ResourceCache: initialized (class org.apache.velocity.runtime.resource.ResourceCacheImpl) with class java.util.Collections$SynchronizedMap cache map.
2016-07-07 06:32:09,143 org.owasp.dependencycheck.reporting.VelocityLoggerRedirect:66 DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Stop
2016-07-07 06:32:09,147 org.owasp.dependencycheck.reporting.VelocityLoggerRedirect:66 DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Define
2016-07-07 06:32:09,149 org.owasp.dependencycheck.reporting.VelocityLoggerRedirect:66 DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Break
2016-07-07 06:32:09,151 org.owasp.dependencycheck.reporting.VelocityLoggerRedirect:66 DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Evaluate
2016-07-07 06:32:09,153 org.owasp.dependencycheck.reporting.VelocityLoggerRedirect:66 DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Literal
2016-07-07 06:32:09,155 org.owasp.dependencycheck.reporting.VelocityLoggerRedirect:66 DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Macro
2016-07-07 06:32:09,157 org.owasp.dependencycheck.reporting.VelocityLoggerRedirect:66 DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Parse
2016-07-07 06:32:09,160 org.owasp.dependencycheck.reporting.VelocityLoggerRedirect:66 DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Include
2016-07-07 06:32:09,162 org.owasp.dependencycheck.reporting.VelocityLoggerRedirect:66 DEBUG - Loaded System Directive: org.apache.velocity.runtime.directive.Foreach
2016-07-07 06:32:09,221 org.owasp.dependencycheck.reporting.VelocityLoggerRedirect:66 DEBUG - Created '20' parsers.
2016-07-07 06:32:09,230 org.owasp.dependencycheck.reporting.VelocityLoggerRedirect:66 DEBUG - Velocimacro : "velocimacro.library" is not set. Trying default library: VM_global_library.vm
2016-07-07 06:32:09,231 org.owasp.dependencycheck.reporting.VelocityLoggerRedirect:66 DEBUG - Velocimacro : Default library not found.
2016-07-07 06:32:09,231 org.owasp.dependencycheck.reporting.VelocityLoggerRedirect:66 DEBUG - Velocimacro : allowInline = true : VMs can be defined inline in templates
2016-07-07 06:32:09,231 org.owasp.dependencycheck.reporting.VelocityLoggerRedirect:66 DEBUG - Velocimacro : allowInlineToOverride = false : VMs defined inline may NOT replace previous VM definitions
2016-07-07 06:32:09,232 org.owasp.dependencycheck.reporting.VelocityLoggerRedirect:66 DEBUG - Velocimacro : allowInlineLocal = false : VMs defined inline will be global in scope if allowed.
2016-07-07 06:32:09,232 org.owasp.dependencycheck.reporting.VelocityLoggerRedirect:66 DEBUG - Velocimacro : autoload off : VM system will not automatically reload global library macros

brentlangdon commented 8 years ago

I encountered what I believe to be this same issue recently.

If you navigate to https://nvd.nist.gov/, you will see the following:

Announcements Due to M-15-13, TLS 1.0 has been disabled on the NVDs webservers as of 6/23/2016. If you are experiencing problems downloading the NVD data feeds, it could be related to this change. Please ensure that the clients you are using to access the NVD data feeds support at least TLS 1.1 and preferably TLS 1.2.

To fix the command line version I added "-Dhttps.protocols=TLSv1.1,TLSv1.2" to dependency-check.bat, like this:

%JAVACMD% %JAVA_OPTS% -Dhttps.protocols=TLSv1.1,TLSv1.2 -classpath %CLASSPATH%....

To get this working with Maven, I found I could either pass this in on the mvn command line, or modify my MAVEN_OPTS, like this:

MAVEN_OPTS=-Xmx768M -XX:MaxPermSize=512m -Dhttps.protocols=TLSv1.1,TLSv1.2

It would be nice if I could configure this in the POM file instead of having to change options that apply to all plug-ins. Would it be possible to add a protocol configuration value like the current connectionTimeout option? Is there a better way to configure this in the POM? Could Dependency Check be modified to not use TLS 1.0?

stevespringett commented 8 years ago

This issue could be impacting the Jenkins plugin as well, as reported by another user here: https://issues.jenkins-ci.org/browse/JENKINS-36444

The issue seems identical, except for the fact that the above mentioned workaround is not easily possible with Jenkins.

bufferoverflow commented 8 years ago

Setting setEnabledProtocols should do the trick.

jeremylong commented 8 years ago

@stevespringett the timing in the logs for the Jenkins user matches exactly when the changes occurred with the NVD hosted by NIST: June 23rd. I'll add an enabled protocols configuration option via setEnabledProtocols (as suggested by @bufferoverflow). Once complete we should push out a new release, as a couple of important updates have been made in the current development sprint.

anjalireddy commented 8 years ago

Thanks a lot for the quick reply. When I set the option -Dhttps.protocols=TLSv1.1,TLSv1.2 it works properly.

jeremylong commented 8 years ago

1.4.1 was released this morning and the patch to resolve this issue was included.

biancajiang commented 8 years ago

Hi @jeremylong, I'm cloning the master branch, thus on 1.4.2. All tests run fine for me locally, but running from a Jenkins build I still see this issue. DownloadTaskTest failed to download NVD CVE (however the test result is pass). I have extra logging to show the SSL protocol and it's TLSv1.2:

Running org.owasp.dependencycheck.data.update.nvd.DownloadTaskTest
[INFO] Download Started for NVD CVE - modified
[INFO] SSLSocket protocols:
[INFO] TLSv1.2
[WARN] Download Failed for NVD CVE - modified Some CVEs may not be reported.
[INFO] If you are behind a proxy you may need to configure dependency-check to use the proxy.
Tests run: 2, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 1.007 sec - in org.owasp.dependencycheck.data.update.nvd.DownloadTaskTest

Results :

Tests run: 2, Failures: 0, Errors: 0, Skipped: 0

Any hint on how to further debug this? Also, how can I enable DEBUG logging?

Thanks!

biancajiang commented 8 years ago

stacktrace:

org.owasp.dependencycheck.data.update.exception.UpdateException: Unable to download the NVD CVE data.
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:94)
    at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:492)
    at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:346)
    at com.ibm.dependency.PackageFinder.main(PackageFinder.java:94)
    at com.ibm.dependency.BaseTest.scanAll(BaseTest.java:111)
    at com.ibm.dependency.PythonDependencyTest.testAllPythonSamples(PythonDependencyTest.java:11)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
    at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
    at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
    at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
    at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:78)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:57)
    at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
    at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
    at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
    at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
    at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
    at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
    at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
    at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
    at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:252)
    at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:141)
    at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:112)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.maven.surefire.util.ReflectionUtils.invokeMethodWithArray(ReflectionUtils.java:189)
    at org.apache.maven.surefire.booter.ProviderFactory$ProviderProxy.invoke(ProviderFactory.java:165)
    at org.apache.maven.surefire.booter.ProviderFactory.invokeProvider(ProviderFactory.java:85)
    at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:115)
    at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:75)
Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Error making HTTP GET request.
    at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:279)
    at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:274)
    at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:221)
    at org.owasp.dependencycheck.data.update.nvd.UpdateableNvdCve.add(UpdateableNvdCve.java:101)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.retrieveCurrentTimestampsFromWeb(NvdCveUpdater.java:337)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.getUpdatesNeeded(NvdCveUpdater.java:266)
    at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:79)
    ... 36 more
Caused by: java.net.SocketException: Connection reset
    at java.net.SocketInputStream.read(SocketInputStream.java:209)
    at java.net.SocketInputStream.read(SocketInputStream.java:141)
    at sun.security.ssl.InputRecord.readFully(InputRecord.java:465)
    at sun.security.ssl.InputRecord.read(InputRecord.java:503)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
    at org.owasp.dependencycheck.utils.Downloader.getLastModified(Downloader.java:254)
    ... 42 more

biancajiang commented 8 years ago

On my RHEL 7.2, only Oracle JDK provides the right TLS ciphers required by nvd.nist.gov, namely:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

(see https://www.ssllabs.com/ssltest/analyze.html?d=nvd.nist.gov)

Neither OpenJDK nor IBM JDK works for me. :(

jeremylong commented 8 years ago

Sorry for the delayed response. Which JDK version are you using?

biancajiang commented 8 years ago

JDK 1.8.

jeremylong commented 8 years ago

Does 1.4.0 work for you?

--Jeremy

biancajiang commented 8 years ago

I'll give it a try today. We move from 1.3.9 directly to 1.4.2.

jeremylong commented 8 years ago

I added a check: if the Java version is at least 1.8, the patch that was applied for Java 1.6 and 1.7 is skipped. This should resolve the issue seen by @biancajiang. The updated version will be released soon.

@biancajiang is there any chance you could test 1.4.3-SNAPSHOT that can be found in this repo: http://repository-dependency-check.forge.cloudbees.com/snapshot/

Thanks!

Jeremy

biancajiang commented 8 years ago

Yes, @jeremylong I tried your 1.4.3-SNAPSHOT and NVD downloaded happily with IBM JDK 1.8 too! Thanks for the fix!

P.S. Unrelated: heads up on a PR coming on new language support. Please let me know if there's a better way for such communication.

jeremylong commented 8 years ago

An update was made to remove the cipher suite specification from the SSLSocketFactoryEx. This appears to fix issues with IBM JDK 7.

wschiang commented 8 years ago

Hi Jeremy, we are having a similar issue, not able to download the NVD CVE data:

[INFO] Checking for updates
[INFO] Download Started for NVD CVE - Modified
[INFO] Download Complete for NVD CVE - Modified (135 ms)
[INFO] Processing Started for NVD CVE - Modified
[WARN] Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
[INFO] Check for updates complete (5735 ms)

And when we use mvn to rebuild the project, it failed on:

Tests in error:
  DownloaderIntegrationTest.testFetchFile:44 » DownloadFailed Error downloading ...
  DownloaderIntegrationTest.testGetLastModified:51 » DownloadFailed Error making...

We are currently using OWASP DC v1.4.0, with OpenJDK version 1.8.0_101. We also tried mvn options and -D property setting as suggested in the discussion (with OWASP DC v1.4.2 and v1.4.3), but they all failed for the same reason.

We wonder if we should try other JDK packages; any advice? Thank you!

jeremylong commented 8 years ago

Can you try using the recently released version, 1.4.3?

wschiang commented 8 years ago

We switched JDK from OpenJDK to Oracle Java HotSpot, and also upgraded OWASP DC to v1.4.3, now the operation is back to normal. Thanks.

biancajiang commented 8 years ago

Hi, @jeremylong ,

I pulled 1.4.3, cleared my local repository and rebuilt with IBM JDK 1.8; unfortunately, the update test failed. Debugging shows the exception was thrown at: https://github.com/jeremylong/DependencyCheck/blob/master/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java#L254. The debugger also shows the protocol used is "TLSv1"; not sure if this is okay for NVD or not.

Running org.owasp.dependencycheck.data.update.nvd.NvdCveUpdaterIntegrationTest
Consider updating the local data files to make the NvdCveUpdaterIntegrationTest perform faster
[INFO] Download Started for NVD CVE - 2014
[INFO] Download Started for NVD CVE - 2016
[INFO] Download Started for NVD CVE - Modified
[INFO] Download Complete for NVD CVE - Modified (1184 ms)
[INFO] Processing Started for NVD CVE - Modified
[INFO] Download Complete for NVD CVE - 2014 (3248 ms)
[INFO] Processing Started for NVD CVE - 2014
[INFO] Download Complete for NVD CVE - 2016 (3677 ms)
[INFO] Processing Complete for NVD CVE - 2014 (11223 ms)
[INFO] Processing Started for NVD CVE - 2016
Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 16.67 sec <<< FAILURE! - in org.owasp.dependencycheck.data.update.nvd.NvdCveUpdaterIntegrationTest
testUpdate(org.owasp.dependencycheck.data.update.nvd.NvdCveUpdaterIntegrationTest)  Time elapsed: 16.669 sec  <<< ERROR!
org.owasp.dependencycheck.data.update.exception.UpdateException: java.util.concurrent.ExecutionException: java.lang.NullPointerException
    at org.owasp.dependencycheck.data.update.nvd.NvdCveUpdaterIntegrationTest.testUpdate(NvdCveUpdaterIntegrationTest.java:67)

biancajiang commented 8 years ago

@jeremylong Interestingly, I see the same problem even with OpenJDK. Am I missing something?

biancajiang commented 8 years ago

Turns out my problem was because of my own user error. v1.4.3 works for me!

igarashitm commented 8 years ago

Hi @jeremylong ,

v1.4.3 doesn't work for me. -Djava.net.debug=all shows the following:

*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1459489269 bytes = { 164, 153, 59, 177, 76, 144, 157, 95, 232, 60, 214, 63, 31, 130, 48, 135, 120, 65, 227, 242, 15, 213, 55, 128, 86, 89, 248, 92 }
Session ID:  {}
Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [type=host_name (0), value=nvd.nist.gov]
***
[write] MD5 and SHA1 hashes:  len = 144
0000: 01 00 00 8C 03 03 57 FE   0A F5 A4 99 3B B1 4C 90  ......W.....;.L.
0010: 9D 5F E8 3C D6 3F 1F 82   30 87 78 41 E3 F2 0F D5  ._.<.?..0.xA....
0020: 37 80 56 59 F8 5C 00 00   2C 00 3D 00 6B 00 6A 00  7.VY.\..,.=.k.j.
0030: 35 00 39 00 38 00 3C 00   67 00 40 00 2F 00 33 00  5.9.8.<.g.@./.3.
0040: 32 00 9D 00 9F 00 A3 00   9C 00 9E 00 A2 00 0A 00  2...............
0050: 16 00 13 00 FF 01 00 00   37 00 0D 00 1E 00 1C 06  ........7.......
0060: 03 06 01 05 03 05 01 04   03 04 01 04 02 03 03 03  ................
0070: 01 03 02 02 03 02 01 02   02 01 01 00 00 00 11 00  ................
0080: 0F 00 00 0C 6E 76 64 2E   6E 69 73 74 2E 67 6F 76  ....nvd.nist.gov
main, WRITE: TLSv1.2 Handshake, length = 144
[Raw write]: length = 149
0000: 16 03 03 00 90 01 00 00   8C 03 03 57 FE 0A F5 A4  ...........W....
0010: 99 3B B1 4C 90 9D 5F E8   3C D6 3F 1F 82 30 87 78  .;.L.._.<.?..0.x
0020: 41 E3 F2 0F D5 37 80 56   59 F8 5C 00 00 2C 00 3D  A....7.VY.\..,.=
0030: 00 6B 00 6A 00 35 00 39   00 38 00 3C 00 67 00 40  .k.j.5.9.8.<.g.@
0040: 00 2F 00 33 00 32 00 9D   00 9F 00 A3 00 9C 00 9E  ./.3.2..........
0050: 00 A2 00 0A 00 16 00 13   00 FF 01 00 00 37 00 0D  .............7..
0060: 00 1E 00 1C 06 03 06 01   05 03 05 01 04 03 04 01  ................
0070: 04 02 03 03 03 01 03 02   02 03 02 01 02 02 01 01  ................
0080: 00 00 00 11 00 0F 00 00   0C 6E 76 64 2E 6E 69 73  .........nvd.nis
0090: 74 2E 67 6F 76                                     t.gov
main, handling exception: java.net.SocketException: Connection reset
main, SEND TLSv1.2 ALERT:  fatal, description = unexpected_message
main, WRITE: TLSv1.2 Alert, length = 2
main, Exception sending alert: java.net.SocketException: Broken pipe
main, called closeSocket()
[ERROR] IO Exception: Connection reset
[WARNING] Unable to download the NVD CVE data; the results may not include the most recent CPE/CVEs from the NVD.
[INFO] If you are behind a proxy you may need to configure dependency-check to use the proxy.
[WARNING] Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
[ERROR] No documents exist

Unable to continue dependency-check analysis.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 25.977 s
[INFO] Finished at: 2016-10-12T19:05:42+09:00
Finalizer, called close()
Finalizer, called closeInternal(true)
[INFO] Final Memory: 39M/664M
Finalizer, called close()
[INFO] ------------------------------------------------------------------------
Finalizer, called closeInternal(true)
Finalizer, called close()
Finalizer, called closeInternal(true)
Finalizer, called close()
Finalizer, called closeInternal(true)
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:1.4.3:check (default) on project camel-core: One or more exceptions occured during analysis: Unable to continue dependency-check analysis.
[ERROR] Unable to download the NVD CVE data.
[ERROR] No documents exist

I'm running it with OpenJDK 1.8.0_102 on Fedora 24. No proxies. curl -O https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz just works fine, so there is definitely something wrong with org.owasp:dependency-check-maven:1.4.3:check. Do you see what is wrong here?
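The handshake dump above and the SSL Labs cipher list biancajiang quoted earlier together explain the reset: the server only negotiates ECDHE_RSA suites, and the client never offers one. The following is an added example, not code from dependency-check or from any commenter in this thread. It decodes the cipher_suites vector of a TLS ClientHello record and reports which of the four required ECDHE_RSA suites were offered. The record bytes are constructed from the "[Raw write]" hex dump above; the IANA code points for the ECDHE suites (0xC013, 0xC014, 0xC027, 0xC028) are taken from the TLS cipher-suite registry, not from this thread, and the class name is hypothetical.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Decodes the cipher-suite list of a TLS ClientHello and checks it against the
 * ECDHE_RSA suites reported for nvd.nist.gov. Added example for this thread,
 * not dependency-check code.
 */
public class ClientHelloCipherCheck {

    /** The 149-byte handshake record from the thread's "[Raw write]" dump (constructed copy). */
    static final String CAPTURED_HEX =
          "16 03 03 00 90 01 00 00 8C 03 03 57 FE 0A F5 A4 "
        + "99 3B B1 4C 90 9D 5F E8 3C D6 3F 1F 82 30 87 78 "
        + "41 E3 F2 0F D5 37 80 56 59 F8 5C 00 00 2C 00 3D "
        + "00 6B 00 6A 00 35 00 39 00 38 00 3C 00 67 00 40 "
        + "00 2F 00 33 00 32 00 9D 00 9F 00 A3 00 9C 00 9E "
        + "00 A2 00 0A 00 16 00 13 00 FF 01 00 00 37 00 0D "
        + "00 1E 00 1C 06 03 06 01 05 03 05 01 04 03 04 01 "
        + "04 02 03 03 03 01 03 02 02 03 02 01 02 02 01 01 "
        + "00 00 00 11 00 0F 00 00 0C 6E 76 64 2E 6E 69 73 "
        + "74 2E 67 6F 76";

    /** ECDHE_RSA suites from the SSL Labs report cited above, keyed by IANA code point (assumed, from the registry). */
    static final Map<Integer, String> REQUIRED_ECDHE = new LinkedHashMap<>();
    static {
        REQUIRED_ECDHE.put(0xC028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384");
        REQUIRED_ECDHE.put(0xC014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA");
        REQUIRED_ECDHE.put(0xC027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256");
        REQUIRED_ECDHE.put(0xC013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA");
    }

    static byte[] hexToBytes(String hex) {
        String h = hex.replaceAll("\\s+", "");
        byte[] out = new byte[h.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(h.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    static int u8(byte[] b, int i)  { return b[i] & 0xFF; }
    static int u16(byte[] b, int i) { return (u8(b, i) << 8) | u8(b, i + 1); }
    static int u24(byte[] b, int i) { return (u16(b, i) << 8) | u8(b, i + 2); }

    /** Walks the record header, handshake header and fixed ClientHello fields to the cipher_suites vector. */
    static List<Integer> offeredCipherSuites(byte[] rec) {
        if (rec.length < 5 || u8(rec, 0) != 0x16) throw new IllegalArgumentException("not a TLS handshake record");
        int recordLen = u16(rec, 3);
        if (rec.length != 5 + recordLen) throw new IllegalArgumentException("record length mismatch");
        if (u8(rec, 5) != 0x01) throw new IllegalArgumentException("not a ClientHello");
        if (u24(rec, 6) != recordLen - 4) throw new IllegalArgumentException("handshake length mismatch");
        int p = 9;                 // start of ClientHello body
        p += 2;                    // client_version
        p += 32;                   // random
        p += 1 + u8(rec, p);       // session_id<0..32>
        int suitesLen = u16(rec, p);
        p += 2;
        if (suitesLen % 2 != 0 || p + suitesLen > rec.length) throw new IllegalArgumentException("bad cipher_suites vector");
        List<Integer> suites = new ArrayList<>();
        for (int i = 0; i < suitesLen; i += 2) suites.add(u16(rec, p + i));
        return suites;
    }

    /** Required ECDHE_RSA suites that the client actually offered; empty means this server will never complete the handshake. */
    static List<String> matchingEcdhe(List<Integer> offered) {
        List<String> found = new ArrayList<>();
        for (Map.Entry<Integer, String> e : REQUIRED_ECDHE.entrySet()) {
            if (offered.contains(e.getKey())) found.add(e.getValue());
        }
        return found;
    }

    public static void main(String[] args) {
        List<Integer> offered = offeredCipherSuites(hexToBytes(CAPTURED_HEX));
        System.out.printf("ClientHello offers %d cipher suites:%n", offered.size());
        for (int code : offered) {
            System.out.printf("  0x%04X%s%n", code, REQUIRED_ECDHE.containsKey(code) ? "  (ECDHE_RSA)" : "");
        }
        List<String> ok = matchingEcdhe(offered);
        if (ok.isEmpty()) {
            System.out.println("No ECDHE_RSA suite offered: a server that accepts only ECDHE drops the connection, which shows up client-side as 'Connection reset'.");
        } else {
            System.out.println("ECDHE_RSA suites offered: " + ok);
        }
    }
}
```

For the captured record the decoder finds 22 entries (the 21 RSA/DHE suites listed in the "Cipher Suites:" line plus the 0x00FF renegotiation SCSV) and none in the 0xC0xx ECDHE range, which is the mismatch the rest of the thread resolves by enabling elliptic-curve support in the JDK rather than by changing anything in dependency-check.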

supergicko commented 8 years ago

We have the same problem as @igarashitm.

We are using 1.4.3.

Our Java version:

openjdk version "1.8.0_102"
OpenJDK Runtime Environment (build 1.8.0_102-b14)
OpenJDK 64-Bit Server VM (build 25.102-b14, mixed mode)

OS: CentOS 7.2

UPDATE

I installed the latest Oracle JRE via RPM and it works fine.

mziemba commented 8 years ago

I'm having the same issue with plugin version 1.4.3:

$ java -version
openjdk version "1.8.0_101"
OpenJDK Runtime Environment (build 1.8.0_101-b13)
OpenJDK 64-Bit Server VM (build 25.101-b13, mixed mode)
[INFO] Checking for updates
[ERROR] IO Exception: Connection reset
[ERROR] IO Exception: Connection reset
[WARNING] Unable to download the NVD CVE data; the results may not include the most recent CPE/CVEs from the NVD.

jeremylong commented 8 years ago

I have yet to be able to reproduce this bug, so I am having a really hard time understanding what is happening on the affected systems. That being said, could someone that is having this issue with dependency-check tell me if the nist-data-mirror tool works? This is a related tool that some organizations use to download the NVD CVE data. You can download and run the tool with the following commands (note, gradle is being used to compile the code):

git clone https://github.com/stevespringett/nist-data-mirror.git
cd nist-data-mirror
gradle clean build
java -classpath "./build/classes/main" NistDataMirror ./data

The result will be that the NVD CVE xml files will be downloaded and stored in the data directory. If this works on systems that dependency-check is failing I will know how to resolve the issue.

igarashitm commented 8 years ago

Hi @jeremylong, I tried the one you suggested; it seems to be failing as well.

$ java -classpath "./build/classes/main" NistDataMirror ./data
Downloading files at Thu Oct 27 07:51:13 JST 2016
Downloading https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
Download failed : Connection reset
Downloading https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
Download failed : Connection reset
Downloading https://nvd.nist.gov/download/nvdcve-2002.xml.gz
Download failed : Connection reset
Downloading https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2002.xml.gz
Download failed : Connection reset
Downloading https://nvd.nist.gov/download/nvdcve-2003.xml.gz
Download failed : Connection reset
... (snip) ...
Downloading https://nvd.nist.gov/download/nvdcve-2016.xml.gz
Download failed : Connection reset
Downloading https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2016.xml.gz
Download failed : Connection reset

igarashitm commented 8 years ago

I tried a bit more with a simpler test case: https://gist.github.com/igarashitm/fba06c09c167a27e212dc492824bb4b1#file-testsingle-java

It just works with Oracle JDK: https://gist.github.com/igarashitm/fba06c09c167a27e212dc492824bb4b1#file-result-oracle-jdk-8u112

But not with OpenJDK: https://gist.github.com/igarashitm/fba06c09c167a27e212dc492824bb4b1#file-result-openjdk-build-1-8-0_102-b14

Hmm... I'm not sure if it's a bug or misconfiguration, but OpenJDK has some issue on TLSv1.2 handshake by default.

jeremylong commented 8 years ago

I've been beating my head against the wall for a while on this, and of course Stack Overflow saves the day:

The answer is that OpenJDK may not include the necessary algorithms; the solution is to install and use Bouncy Castle. See one solution on Stack Overflow here.

I will update the documentation on this and close this issue.

igarashitm commented 8 years ago

Verified it works if I install bouncycastle (dnf install bouncycastle) and use the java.security.rpmnew file in jre/lib/security. I'm not sure if that file is added by the bouncycastle installation or not, but this file actually removes EC, ECDHE, ECDH from jdk.tls.disabledAlgorithms. Thank you for putting that info together!

lpearson05 commented 7 years ago

Hey guys,

I was working on scripting the installation of BouncyCastle, and testing was failing. I finally realized that the unexpected non-zero exits were due to the fact that the latest jdk.tls.disabledAlgorithms list has changed. The update check is now working for me with a fresh, out-of-the-box OpenJDK install. (I have not installed BouncyCastle or another third-party provider.)

yum -y install java-1.8.0-openjdk-devel.x86_64
$ java -version
openjdk version "1.8.0_111"
OpenJDK Runtime Environment (build 1.8.0_111-b15)
OpenJDK 64-Bit Server VM (build 25.111-b15, mixed mode)
$ grep -n "jdk.tls.disabledAlgorithms" /usr/lib/jvm/java/jre/lib/security/java.security
515:#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
516:jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
$ cat /etc/*release
CentOS Linux release 7.3.1611 (Core) 
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

CentOS Linux release 7.3.1611 (Core) 
CentOS Linux release 7.3.1611 (Core) 

The build environment is a docker container, so the java rpm was installed on top of a pretty bare, updated Centos 7 build (latest official image).

FYI: The dependency-check version of the maven project I used to test the updated environment was 1.4.4.1. I saw the handshake failure with this same version prior to rebuilding the build environment. Before this rebuild I saw

$ grep jdk.tls.disabledAlgorithms java.security 
#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, EC, ECDHE, ECDH

P.S. This thread was really helpful, especially for defusing frustration. My thanks to all of the participants.
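Both fixes reported in this thread (installing Bouncy Castle, and a java.security whose jdk.tls.disabledAlgorithms no longer lists EC, ECDHE, ECDH) come down to one question: can this JVM offer ECDHE cipher suites? The following is an added example, not dependency-check code, that answers that question for the JVM it runs on before the plugin is invoked. It reads the jdk.tls.disabledAlgorithms security property, tries to generate an EC key pair (which fails when no provider supplies elliptic-curve support), and lists the TLS_ECDHE_* suites the default SSLContext enables. The property name and the JSSE suite-name prefix are standard; the class name and the checklist messages are mine.

```java
import java.security.KeyPairGenerator;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

/**
 * Reports whether the running JVM can offer ECDHE cipher suites.
 * Added example for this thread, not dependency-check code.
 */
public class JvmEcdheCheck {

    /** Tokens in jdk.tls.disabledAlgorithms that switch off elliptic-curve suites (seen in the grep output above). */
    static final List<String> EC_TOKENS = Arrays.asList("EC", "ECDHE", "ECDH");

    /** Splits the comma-separated property value and returns the EC-related tokens it contains. */
    static List<String> disabledEcTokens(String disabledAlgorithms) {
        List<String> hit = new ArrayList<>();
        if (disabledAlgorithms == null) return hit;
        for (String token : disabledAlgorithms.split(",")) {
            String t = token.trim();          // entries such as "DH keySize < 768" stay whole and do not match
            if (EC_TOKENS.contains(t)) hit.add(t);
        }
        return hit;
    }

    /** True if an installed provider can actually produce an EC key pair (SunEC with its native library, or Bouncy Castle). */
    static boolean ecKeyGenerationWorks() {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
            kpg.initialize(256);
            kpg.generateKeyPair();
            return true;
        } catch (Exception | LinkageError e) {  // NoSuchAlgorithmException, or a missing native library
            return false;
        }
    }

    /** Suites enabled by default on the default SSLContext whose names start with TLS_ECDHE_. */
    static List<String> enabledEcdheSuites() throws Exception {
        List<String> out = new ArrayList<>();
        for (String s : SSLContext.getDefault().getSocketFactory().getDefaultCipherSuites()) {
            if (s.startsWith("TLS_ECDHE_")) out.add(s);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("JVM: " + System.getProperty("java.vendor") + " " + System.getProperty("java.version"));
        String disabled = Security.getProperty("jdk.tls.disabledAlgorithms");
        System.out.println("jdk.tls.disabledAlgorithms = " + disabled);

        List<String> ecOff = disabledEcTokens(disabled);
        boolean ecWorks = ecKeyGenerationWorks();
        List<String> ecdhe = enabledEcdheSuites();

        System.out.println("EC tokens in disabled list : " + ecOff);
        System.out.println("EC key generation          : " + (ecWorks ? "works" : "FAILS"));
        System.out.println("Enabled TLS_ECDHE_* suites : " + ecdhe.size());

        if (!ecOff.isEmpty()) {
            System.out.println("-> remove " + ecOff + " from jdk.tls.disabledAlgorithms in java.security (the java.security.rpmnew mentioned above does this)");
        }
        if (!ecWorks) {
            System.out.println("-> no working EC provider: install one such as Bouncy Castle and register it in java.security");
        }
        if (ecdhe.isEmpty()) {
            System.out.println("-> this JVM will not offer ECDHE suites; the NVD download will fail with 'Connection reset' as in this thread");
        } else {
            System.out.println("-> ECDHE suites available; the NVD download should be able to negotiate TLS");
        }
    }
}
```

Run it with the same java binary the build uses (a Maven build under Jenkins may pick up a different JDK than the one on your shell's PATH). Each of the three checks maps to a distinct failure seen in this thread: the disabled-list tokens correspond to the CentOS 7 java.security before the 1.8.0_111 rebuild, the key-generation failure to the OpenJDK builds that needed Bouncy Castle, and an empty ECDHE list is the condition under which the ClientHello above carries only RSA and DHE suites.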

lock[bot] commented 6 years ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.