jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Improved resilience for downloading CVE data #6337

Open foxylion opened 11 months ago

foxylion commented 11 months ago

Is your feature request related to a problem? Please describe.

Around 20-50% are failing beginning with an error like this:

Error downloading NVD CVE - https://s3.eu-central-1.amazonaws.com/xxxxx/nvdcve-2006.json.gz Reason: Download failed, unable to copy 'https://s3.eu-central-1.amazonaws.com/xxxxx/nvdcve-2006.json.gz' to '/tmp/dctemp647924ed-ddf4-4979-900c-970fbb581a15/nvd-datafeed-2cff5e42-cc75-46dc-8472-b8fd3aa666cd.json.gz'; Connection reset

Followed by H2 errors:

Failed to process CVE-2024-0069
org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error updating 'CVE-2024-0069'
    at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerability(CveDB.java:877)
    at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.call(NvdApiProcessor.java:98)
    at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.call(NvdApiProcessor.java:33)
    at java.base@17.0.9/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base@17.0.9/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
    at java.base@17.0.9/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    at java.base@17.0.9/java.lang.Thread.run(Thread.java:840)
Caused by: org.h2.jdbc.JdbcSQLNonTransientConnectionException: The database has been closed [90098-214]
    at org.h2.message.DbException.getJdbcSQLException(DbException.java:678)
    at org.h2.message.DbException.getJdbcSQLException(DbException.java:477)
    at org.h2.message.DbException.get(DbException.java:212)
    at org.h2.engine.SessionLocal.getTransaction(SessionLocal.java:1596)
    at org.h2.engine.SessionLocal.getStatementSavepoint(SessionLocal.java:1606)
    at org.h2.engine.SessionLocal.setSavepoint(SessionLocal.java:848)
    at org.h2.command.Command.executeUpdate(Command.java:244)
    at org.h2.jdbc.JdbcPreparedStatement.executeUpdateInternal(JdbcPreparedStatement.java:209)
    at org.h2.jdbc.JdbcPreparedStatement.executeUpdate(JdbcPreparedStatement.java:169)
    at org.apache.commons.dbcp2.DelegatingPreparedStatement.executeUpdate(DelegatingPreparedStatement.java:137)
    at org.apache.commons.dbcp2.DelegatingPreparedStatement.executeUpdate(DelegatingPreparedStatement.java:137)
    at org.owasp.dependencycheck.data.nvdcve.CveDB.deleteVulnerability(CveDB.java:1113)
    at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerability(CveDB.java:862)
    ... 6 more
Caused by: org.h2.mvstore.MVStoreException: Reading from file sun.nio.ch.FileChannelImpl@68eb327b failed at 8265648 (length -1), read 0, remaining 24576 [2.1.214/1]
    at org.h2.mvstore.DataUtils.newMVStoreException(DataUtils.java:1004)
    at org.h2.mvstore.DataUtils.readFully(DataUtils.java:470)
    at org.h2.mvstore.FileStore.readFully(FileStore.java:98)
    at org.h2.mvstore.Chunk.readBufferForPage(Chunk.java:422)
    at org.h2.mvstore.MVStore.readPage(MVStore.java:2569)
    at org.h2.mvstore.MVMap.readPage(MVMap.java:633)
    at org.h2.mvstore.Page$NonLeaf.getChildPage(Page.java:1125)
    at org.h2.mvstore.CursorPos.traverseDown(CursorPos.java:61)
    at org.h2.mvstore.MVMap.operate(MVMap.java:1770)
    at org.h2.mvstore.MVMap.put(MVMap.java:156)
    at org.h2.mvstore.MVStore.createChunk(MVStore.java:1622)
    at org.h2.mvstore.MVStore.serializeAndStore(MVStore.java:1595)
    at org.h2.mvstore.MVStore.lambda$storeNow$4(MVStore.java:1518)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
    ... 4 more
Caused by: java.nio.channels.ClosedChannelException
    at java.base/sun.nio.ch.FileChannelImpl.ensureOpen(FileChannelImpl.java:159)
    at java.base/sun.nio.ch.FileChannelImpl.read(FileChannelImpl.java:814)
    at org.h2.mvstore.DataUtils.readFully(DataUtils.java:456)
    ... 16 more
Failed to process CVE-2024-0070
org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error updating 'CVE-2024-0070'
    at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerability(CveDB.java:877)
    at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.call(NvdApiProcessor.java:98)
    at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.call(NvdApiProcessor.java:33)
    at java.base@17.0.9/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base@17.0.9/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
    at java.base@17.0.9/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    at java.base@17.0.9/java.lang.Thread.run(Thread.java:840)
Caused by: org.h2.jdbc.JdbcSQLNonTransientConnectionException: The database has been closed [90098-214]
    at org.h2.message.DbException.getJdbcSQLException(DbException.java:678)
    at org.h2.message.DbException.getJdbcSQLException(DbException.java:477)
    at org.h2.message.DbException.get(DbException.java:212)
    at org.h2.engine.SessionLocal.getTransaction(SessionLocal.java:1596)
    at org.h2.engine.SessionLocal.getStatementSavepoint(SessionLocal.java:1606)
    at org.h2.engine.SessionLocal.setSavepoint(SessionLocal.java:848)
    at org.h2.command.Command.executeUpdate(Command.java:244)
    at org.h2.jdbc.JdbcPreparedStatement.executeUpdateInternal(JdbcPreparedStatement.java:209)
    at org.h2.jdbc.JdbcPreparedStatement.executeUpdate(JdbcPreparedStatement.java:169)
    at org.apache.commons.dbcp2.DelegatingPreparedStatement.executeUpdate(DelegatingPreparedStatement.java:137)
    at org.apache.commons.dbcp2.DelegatingPreparedStatement.executeUpdate(DelegatingPreparedStatement.java:137)
    at org.owasp.dependencycheck.data.nvdcve.CveDB.deleteVulnerability(CveDB.java:1113)
    at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerability(CveDB.java:862)
    ... 6 more
Caused by: org.h2.mvstore.MVStoreException: Reading from file sun.nio.ch.FileChannelImpl@68eb327b failed at 8265648 (length -1), read 0, remaining 24576 [2.1.214/1]
    at org.h2.mvstore.DataUtils.newMVStoreException(DataUtils.java:1004)
    at org.h2.mvstore.DataUtils.readFully(DataUtils.java:470)
    at org.h2.mvstore.FileStore.readFully(FileStore.java:98)
    at org.h2.mvstore.Chunk.readBufferForPage(Chunk.java:422)
    at org.h2.mvstore.MVStore.readPage(MVStore.java:2569)
    at org.h2.mvstore.MVMap.readPage(MVMap.java:633)
    at org.h2.mvstore.Page$NonLeaf.getChildPage(Page.java:1125)
    at org.h2.mvstore.CursorPos.traverseDown(CursorPos.java:61)
    at org.h2.mvstore.MVMap.operate(MVMap.java:1770)
    at org.h2.mvstore.MVMap.put(MVMap.java:156)
    at org.h2.mvstore.MVStore.createChunk(MVStore.java:1622)
    at org.h2.mvstore.MVStore.serializeAndStore(MVStore.java:1595)
    at org.h2.mvstore.MVStore.lambda$storeNow$4(MVStore.java:1518)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
    ... 4 more
Caused by: java.nio.channels.ClosedChannelException
    at java.base/sun.nio.ch.FileChannelImpl.ensureOpen(FileChannelImpl.java:159)
    at java.base/sun.nio.ch.FileChannelImpl.read(FileChannelImpl.java:814)
    at org.h2.mvstore.DataUtils.readFully(DataUtils.java:456)
    ... 16 more

Describe the solution you'd like

I'm not sure if the download error is the root cause and the H2 errors afterwards are symptoms. But if that's the case I would suggest implementing a retry-mechanism for downloading the CVE data.

Additional context

We are using the Gradle plugin in version 9.0.7

jeremylong commented 11 months ago

To improve performance check out https://jeremylong.github.io/DependencyCheck/data/cache-action.html and https://jeremylong.github.io/DependencyCheck/data/cacheh2.html.

Also, if you are using a single API key for all 50 scans being run nightly and you are building the database from scratch on every build you are of course going to run into issues. The rate limiting enforced by the NVD is per API Key. If you use the API key in multiple executions that may overlap in when they are run it would be very easy to hit the threshold and be blocked by the rate limiting. Highly recommend implementing some form of caching.

foxylion commented 11 months ago

We are using a replicated cached version of the NVD data, we also have an API key. We update the NVD data every night in a separate workflow. So rate limiting should (from my point of view) not be a problem.

The cache action is for our use case not helpful, because:

And caching in GitHub Actions is not possible across repositories.

jeremylong commented 11 months ago

I've never had an issue with the reliability of pulling data from a cache. Possibly memory issues in some env?

Another option would be to use a single node, even the CLI, to create a data directory (./dependency-check --updateonly ...) and then zip up the data directory. Then on each scanning node just pull down the data.zip, extract it, and run ODC with no-update and point to the new data directory.
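The build-once, distribute-to-scan-nodes procedure described in the comment above, as an added example that is not part of the thread or of the ODC project. It assumes a tar.gz archive rather than a zip, a SHA-256 file published beside it, and a placeholder `DATA_URL`; the function and file names are hypothetical, while `--updateonly`, `--noupdate`, `--data`, `--scan` and `--out` are dependency-check CLI options.

```shell
#!/bin/sh
# Added example: function names, archive names and DATA_URL are hypothetical.

# Print the SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# retry MAX DELAY CMD...: run CMD until it succeeds, doubling DELAY each time.
retry() (
  max=$1; delay=$2; shift 2
  attempt=1
  until "$@"; do
    [ "$attempt" -lt "$max" ] || { echo "giving up after $attempt attempts: $*" >&2; exit 1; }
    echo "attempt $attempt failed; retrying in ${delay}s" >&2
    sleep "$delay"
    attempt=$((attempt + 1))
    delay=$((delay * 2))
  done
)

# Download URL to DEST through a .part file so a reset never leaves a partial DEST.
fetch() (
  url=$1; dest=$2
  curl --fail --silent --show-error --location -o "$dest.part" "$url" &&
    mv "$dest.part" "$dest"
)

# Build node: archive the data directory and record its SHA-256 beside it.
publish_data() (
  data_dir=$1; out_dir=$2
  tar -C "$data_dir" -czf "$out_dir/odc-data.tar.gz" . || exit 1
  sha256_of "$out_dir/odc-data.tar.gz" > "$out_dir/odc-data.tar.gz.sha256"
)

# Scan node: verify the archive, unpack into a staging directory, then swap it in.
# Fails closed: on any error the previous data directory is left untouched.
install_data() (
  archive=$1; sha_file=$2; target=$3
  expected=$(cut -d' ' -f1 "$sha_file") || exit 1
  actual=$(sha256_of "$archive") || exit 1
  if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
    echo "checksum mismatch for $archive (truncated or corrupt download)" >&2
    exit 1
  fi
  staging="$target.new.$$"
  rm -rf "$staging"
  mkdir -p "$staging" || exit 1
  tar -C "$staging" -xzf "$archive" || { rm -rf "$staging"; exit 1; }
  rm -rf "$target.old"
  [ ! -e "$target" ] || mv "$target" "$target.old" || exit 1
  mv "$staging" "$target" && rm -rf "$target.old"
)

# Scan node: download archive and checksum, then verify and install them.
# Retried as one unit so that a truncated transfer triggers a fresh download.
refresh_data() (
  target=$1
  work=$(mktemp -d) || exit 1
  if fetch "$DATA_URL/odc-data.tar.gz" "$work/odc-data.tar.gz" &&
     fetch "$DATA_URL/odc-data.tar.gz.sha256" "$work/odc-data.tar.gz.sha256" &&
     install_data "$work/odc-data.tar.gz" "$work/odc-data.tar.gz.sha256" "$target"
  then status=0; else status=1; fi
  rm -rf "$work"
  exit "$status"
)

# Usage:
#   script build DATA_DIR OUT_DIR          (then upload both files in OUT_DIR)
#   script scan  DATA_DIR PROJECT_DIR REPORT_DIR
case "${1:-}" in
  build)
    dependency-check --updateonly --data "$2" &&
      publish_data "$2" "$3" || exit 1
    ;;
  scan)
    retry 5 2 refresh_data "$2" &&
      dependency-check --noupdate --data "$2" --scan "$3" --out "$4" || exit 1
    ;;
esac
```

A checksum stored next to the archive catches truncated or corrupted transfers such as the connection resets reported here; it does not protect against someone who can write to the bucket, which would need a signature or a checksum delivered over a separate channel.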

jeremylong commented 11 months ago

This is discussed here: https://jeremylong.github.io/DependencyCheck/data/cacheh2.html

jeremylong commented 11 months ago

Okay - the error you are seeing appears to be because s3 is unreliable?? Have you been able to replicate the error downloading the file via curl?

jeremylong commented 11 months ago

Specifically - I'm wondering what the error code is.

foxylion commented 11 months ago

We have a lot of interaction with AWS S3 via GitHub Actions for different purposes. Never seen anything related to communication with S3 failing.

I also thought about the h2 database caching. But what would happen if the version of the Gradle dependency check plugin is not the same across all workflows?

jeremylong commented 11 months ago

The database is intended to work across versions of ODC. In the cases where we've had breaking changes related to the database it has been documented in the release notes and we've bumped the major version of ODC.

jeremylong commented 11 months ago

I was just re-reading some of the ODC code. Are there other errors reported in the log around where you received the download failed because the connection was reset?

jeremylong commented 11 months ago

There is a chance this is related to a TLS issue as opposed to stability of the downloads.

foxylion commented 11 months ago

> I was just re-reading some of the ODC code. Are there other errors reported in the log around where you received the download failed because the connection was reset?

Yes, the database error I have shown in my initial post is always a follow up when a connection reset happens.

> There is a chance this is related to a TLS issue as opposed to stability of the downloads.

Probably, because sometimes we not only see a Connection Reset but a TLS Connection Reset.

> The database is intended to work across versions of ODC. In the cases where we've had breaking changes related to the database it has been documented in the release notes and we've bumped the major version of ODC.

Ok, so we might consider caching an initialized database. But would be great if the download is more resilient and such workarounds would not be necessary. :smile:

foxylion commented 11 months ago

Here is some log output with enabled --debug flag of Gradle.

2023-12-28T08:37:31.158+0000 [INFO] [org.owasp.dependencycheck.data.update.nvd.api.DownloadTask] Download Started for NVD Cache - https://s3.eu-central-1.amazonaws.com/<s3-bucket-name>/nvdcve-2013.json.gz
2023-12-28T08:37:31.158+0000 [DEBUG] [org.owasp.dependencycheck.utils.HttpResourceConnection] Attempting retrieval of https://s3.eu-central-1.amazonaws.com/<s3-bucket-name>/nvdcve-2013.json.gz
2023-12-28T08:37:31.403+0000 [DEBUG] [jdk.event.security] X509Certificate: Alg:SHA256withRSA, Serial:68eae01b376754495d64864611ad625, Subject:CN=*.s3.eu-central-1.amazonaws.com, Issuer:CN=Amazon RSA 2048 M01, O=Amazon, C=US, Key type:RSA, Length:2048, Cert Id:257489978, Valid from:10/10/23, 12:00 AM, Valid until:8/12/24, 11:59 PM
2023-12-28T08:37:31.403+0000 [DEBUG] [jdk.event.security] X509Certificate: Alg:SHA256withRSA, Serial:77312380b9d6688a33b1ed9bf9ccda68e0e0f, Subject:CN=Amazon RSA 2048 M01, O=Amazon, C=US, Issuer:CN=Amazon Root CA 1, O=Amazon, C=US, Key type:RSA, Length:2048, Cert Id:-1856842780, Valid from:8/23/22, 10:21 PM, Valid until:8/23/30, 10:21 PM
2023-12-28T08:37:31.403+0000 [DEBUG] [jdk.event.security] X509Certificate: Alg:SHA256withRSA, Serial:67f944a2a27cdf3fac2ae2b01f908eeb9c4c6, Subject:CN=Amazon Root CA 1, O=Amazon, C=US, Issuer:CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US, Key type:RSA, Length:2048, Cert Id:668791387, Valid from:5/25/15, 12:00 PM, Valid until:12/31/37, 1:00 AM
2023-12-28T08:37:31.403+0000 [DEBUG] [jdk.event.security] X509Certificate: Alg:SHA256withRSA, Serial:a70e4a4c3482b77f, Subject:CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US, Issuer:OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US, Key type:RSA, Length:2048, Cert Id:1766010387, Valid from:9/2/09, 12:00 AM, Valid until:6/28/34, 5:39 PM
2023-12-28T08:37:31.404+0000 [DEBUG] [jdk.event.security] ValidationChain: -1472444962, -1856842780, 257489978
2023-12-28T08:37:31.529+0000 [DEBUG] [jdk.event.security]  TLSHandshake: s3.eu-central-1.amazonaws.com:443, TLSv1.2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 257489978
2023-12-28T08:37:31.532+0000 [DEBUG] [sun.net.www.protocol.http.HttpURLConnection] sun.net.www.MessageHeader@48eb8c76 pairs: {GET /<s3-bucket-name>/nvdcve-2013.json.gz HTTP/1.1: null}{Accept-Encoding: gzip, deflate}{User-Agent: Java/17.0.9}{Host: s3.eu-central-1.amazonaws.com}{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}
2023-12-28T08:37:31.771+0000 [DEBUG] [sun.net.www.protocol.http.HttpURLConnection] sun.net.www.MessageHeader@1f05ed111 pairs: {null: HTTP/1.1 200 OK}{x-amz-id-2: 9EnEGJbnDHYvWg8ztTovL4g3XSaebjuv3C8Fq1R++2TiLZiNaaU6jkHdSPq90XQgNJX8DK5T8uA=}{x-amz-request-id: MEY67G8GWEJYGG10}{Date: Thu, 28 Dec 2023 08:37:32 GMT}{Last-Modified: Thu, 28 Dec 2023 00:13:19 GMT}{ETag: "79a4264ec4738452eb73259930edbe73"}{x-amz-server-side-encryption: AES256}{Accept-Ranges: bytes}{Content-Type: application/json}{Server: AmazonS3}{Content-Length: 4185764}
Error: -28T08:37:32.809+0000 [ERROR] [org.owasp.dependencycheck.Engine] The execution of the download was interrupted
2023-12-28T08:36:58.730+0000 [LIFECYCLE] [class org.gradle.internal.buildevents.TaskExecutionLogger] 
org.owasp.dependencycheck.data.update.exception.UpdateException: The execution of the download was interrupted
2023-12-28T08:36:58.730+0000 [LIFECYCLE] [class org.gradle.internal.buildevents.TaskExecutionLogger] > Task :dependencyCheckUpdate
    at org.owasp.dependencycheck.data.update.NvdApiDataSource.processDownload(NvdApiDataSource.java:281)
2023-12-28T08:37:32.806+0000 [DEBUG] [org.owasp.dependencycheck.data.update.NvdApiDataSource] Thread was interrupted during download execution
    at org.owasp.dependencycheck.data.update.NvdApiDataSource.processDatafeed(NvdApiDataSource.java:170)
java.util.concurrent.ExecutionException: org.owasp.dependencycheck.utils.DownloadFailedException: Download failed, unable to copy 'https://s3.eu-central-1.amazonaws.com/<s3-bucket-name>/nvdcve-2007.json.gz' to '/tmp/dctemp463a77b7-aff7-4d37-a84e-b844c115740d/nvd-datafeed-45f0ac92-1bea-496d-ab04-b5189602c2ff.json.gz'; TLS Connection Reset
    at org.owasp.dependencycheck.data.update.NvdApiDataSource.update(NvdApiDataSource.java:113)
    at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:906)
    at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:878)
    at org.owasp.dependencycheck.gradle.tasks.Update.update(Update.groovy:56)
    at java.base@17.0.9/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base@17.0.9/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base@17.0.9/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base@17.0.9/java.lang.reflect.Method.invoke(Method.java:568)
    at org.gradle.internal.reflect.JavaMethod.invoke(JavaMethod.java:125)
    at org.gradle.api.internal.project.taskfactory.StandardTaskAction.doExecute(StandardTaskAction.java:58)
    at org.gradle.api.internal.project.taskfactory.StandardTaskAction.execute(StandardTaskAction.java:51)
    at org.gradle.api.internal.project.taskfactory.StandardTaskAction.execute(StandardTaskAction.java:29)
    at org.gradle.api.internal.tasks.execution.TaskExecution$3.run(TaskExecution.java:248)
    at org.gradle.internal.operations.DefaultBuildOperationRunner$1.execute(DefaultBuildOperationRunner.java:29)
    at org.gradle.internal.operations.DefaultBuildOperationRunner$1.execute(DefaultBuildOperationRunner.java:26)
    at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:66)
    at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:59)
    at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:157)
    at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:59)
    at org.gradle.internal.operations.DefaultBuildOperationRunner.run(DefaultBuildOperationRunner.java:47)
    at org.gradle.internal.operations.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:68)
    at org.gradle.api.internal.tasks.execution.TaskExecution.executeAction(TaskExecution.java:233)
    at org.gradle.api.internal.tasks.execution.TaskExecution.executeActions(TaskExecution.java:216)
    at org.gradle.api.internal.tasks.execution.TaskExecution.executeWithPreviousOutputFiles(TaskExecution.java:199)
    at org.gradle.api.internal.tasks.execution.TaskExecution.execute(TaskExecution.java:166)
Please see http://jeremylong.github.io/DependencyCheck/data/tlsfailure.html for more information regarding how to resolve the issue.
    at org.gradle.internal.execution.steps.ExecuteStep.executeInternal(ExecuteStep.java:105)
    at org.gradle.internal.execution.steps.ExecuteStep.access$000(ExecuteStep.java:44)
    at org.gradle.internal.execution.steps.ExecuteStep$1.call(ExecuteStep.java:59)
    at org.gradle.internal.execution.steps.ExecuteStep$1.call(ExecuteStep.java:56)
    at org.gradle.internal.operations.DefaultBuildOperationRunner$CallableBuildOperationWorker.execute(DefaultBuildOperationRunner.java:204)
    at org.gradle.internal.operations.DefaultBuildOperationRunner$CallableBuildOperationWorker.execute(DefaultBuildOperationRunner.java:199)
    at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:66)
    at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:59)
    at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:157)
    at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:59)
    at org.gradle.internal.operations.DefaultBuildOperationRunner.call(DefaultBuildOperationRunner.java:53)
    at org.gradle.internal.operations.DefaultBuildOperationExecutor.call(DefaultBuildOperationExecutor.java:73)
    at org.gradle.internal.execution.steps.ExecuteStep.execute(ExecuteStep.java:56)
    at org.gradle.internal.execution.steps.ExecuteStep.execute(ExecuteStep.java:44)
    at org.gradle.internal.execution.steps.RemovePreviousOutputsStep.execute(RemovePreviousOutputsStep.java:67)
    at org.gradle.internal.execution.steps.RemovePreviousOutputsStep.execute(RemovePreviousOutputsStep.java:37)
    at org.gradle.internal.execution.steps.CancelExecutionStep.execute(CancelExecutionStep.java:41)
    at org.gradle.internal.execution.steps.TimeoutStep.executeWithoutTimeout(TimeoutStep.java:74)
    at org.gradle.internal.execution.steps.TimeoutStep.execute(TimeoutStep.java:55)
    at org.gradle.internal.execution.steps.CreateOutputsStep.execute(CreateOutputsStep.java:50)
    at org.gradle.internal.execution.steps.CreateOutputsStep.execute(CreateOutputsStep.java:28)
    at org.gradle.internal.execution.steps.CaptureStateAfterExecutionStep.executeDelegateBroadcastingChanges(CaptureStateAfterExecutionStep.java:100)
    at org.gradle.internal.execution.steps.CaptureStateAfterExecutionStep.execute(CaptureStateAfterExecutionStep.java:72)
    at org.gradle.internal.execution.steps.CaptureStateAfterExecutionStep.execute(CaptureStateAfterExecutionStep.java:50)
    at org.gradle.internal.execution.steps.ResolveInputChangesStep.execute(ResolveInputChangesStep.java:40)
    at org.gradle.internal.execution.steps.ResolveInputChangesStep.execute(ResolveInputChangesStep.java:29)
    at org.gradle.internal.execution.steps.BuildCacheStep.executeWithoutCache(BuildCacheStep.java:179)
    at org.gradle.internal.execution.steps.BuildCacheStep.lambda$execute$1(BuildCacheStep.java:70)
    at org.gradle.internal.Either$Right.fold(Either.java:175)
    at org.gradle.internal.execution.caching.CachingState.fold(CachingState.java:59)
    at org.gradle.internal.execution.steps.BuildCacheStep.execute(BuildCacheStep.java:68)
    at org.gradle.internal.execution.steps.BuildCacheStep.execute(BuildCacheStep.java:46)
    at org.gradle.internal.execution.steps.StoreExecutionStateStep.execute(StoreExecutionStateStep.java:36)
    at org.gradle.internal.execution.steps.StoreExecutionStateStep.execute(StoreExecutionStateStep.java:25)
    at org.gradle.internal.execution.steps.RecordOutputsStep.execute(RecordOutputsStep.java:36)
    at org.gradle.internal.execution.steps.RecordOutputsStep.execute(RecordOutputsStep.java:22)
    at org.gradle.internal.execution.steps.SkipUpToDateStep.executeBecause(SkipUpToDateStep.java:91)
    at org.gradle.internal.execution.steps.SkipUpToDateStep.lambda$execute$2(SkipUpToDateStep.java:55)
    at java.base@17.0.9/java.util.Optional.orElseGet(Optional.java:364)
    at org.gradle.internal.execution.steps.SkipUpToDateStep.execute(SkipUpToDateStep.java:55)
    at org.gradle.internal.execution.steps.SkipUpToDateStep.execute(SkipUpToDateStep.java:37)
    at org.gradle.internal.execution.steps.ResolveChangesStep.execute(ResolveChangesStep.java:65)
    at org.gradle.internal.execution.steps.ResolveChangesStep.execute(ResolveChangesStep.java:36)
    at org.gradle.internal.execution.steps.legacy.MarkSnapshottingInputsFinishedStep.execute(MarkSnapshottingInputsFinishedStep.java:37)
    at org.gradle.internal.execution.steps.legacy.MarkSnapshottingInputsFinishedStep.execute(MarkSnapshottingInputsFinishedStep.java:27)
    at org.gradle.internal.execution.steps.ResolveCachingStateStep.execute(ResolveCachingStateStep.java:77)
    at org.gradle.internal.execution.steps.ResolveCachingStateStep.execute(ResolveCachingStateStep.java:38)
    at org.gradle.internal.execution.steps.ValidateStep.execute(ValidateStep.java:94)
    at org.gradle.internal.execution.steps.ValidateStep.execute(ValidateStep.java:49)
    at org.gradle.internal.execution.steps.CaptureStateBeforeExecutionStep.execute(CaptureStateBeforeExecutionStep.java:71)
    at org.gradle.internal.execution.steps.CaptureStateBeforeExecutionStep.execute(CaptureStateBeforeExecutionStep.java:45)
    at org.gradle.internal.execution.steps.SkipEmptyWorkStep.executeWithNonEmptySources(SkipEmptyWorkStep.java:177)
    at org.gradle.internal.execution.steps.SkipEmptyWorkStep.execute(SkipEmptyWorkStep.java:81)
    at org.gradle.internal.execution.steps.SkipEmptyWorkStep.execute(SkipEmptyWorkStep.java:53)
    at org.gradle.internal.execution.steps.RemoveUntrackedExecutionStateStep.execute(RemoveUntrackedExecutionStateStep.java:32)
    at org.gradle.internal.execution.steps.RemoveUntrackedExecutionStateStep.execute(RemoveUntrackedExecutionStateStep.java:21)
    at org.gradle.internal.execution.steps.legacy.MarkSnapshottingInputsStartedStep.execute(MarkSnapshottingInputsStartedStep.java:38)
    at org.gradle.internal.execution.steps.LoadPreviousExecutionStateStep.execute(LoadPreviousExecutionStateStep.java:36)
    at org.gradle.internal.execution.steps.LoadPreviousExecutionStateStep.execute(LoadPreviousExecutionStateStep.java:23)
    at org.gradle.internal.execution.steps.CleanupStaleOutputsStep.execute(CleanupStaleOutputsStep.java:75)
    at org.gradle.internal.execution.steps.CleanupStaleOutputsStep.execute(CleanupStaleOutputsStep.java:41)
    at org.gradle.internal.execution.steps.ExecuteWorkBuildOperationFiringStep.lambda$execute$2(ExecuteWorkBuildOperationFiringStep.java:66)
    at java.base@17.0.9/java.util.Optional.orElseGet(Optional.java:364)
    at org.gradle.internal.execution.steps.ExecuteWorkBuildOperationFiringStep.execute(ExecuteWorkBuildOperationFiringStep.java:66)
    at org.gradle.internal.execution.steps.ExecuteWorkBuildOperationFiringStep.execute(ExecuteWorkBuildOperationFiringStep.java:38)
    at org.gradle.internal.execution.steps.AssignWorkspaceStep.lambda$execute$0(AssignWorkspaceStep.java:32)
    at org.gradle.api.internal.tasks.execution.TaskExecution$4.withWorkspace(TaskExecution.java:293)
    at org.gradle.internal.execution.steps.AssignWorkspaceStep.execute(AssignWorkspaceStep.java:30)
    at org.gradle.internal.execution.steps.AssignWorkspaceStep.execute(AssignWorkspaceStep.java:21)
    at org.gradle.internal.execution.steps.IdentityCacheStep.execute(IdentityCacheStep.java:37)
    at org.gradle.internal.execution.steps.IdentityCacheStep.execute(IdentityCacheStep.java:27)
    at org.gradle.internal.execution.steps.IdentifyStep.execute(IdentifyStep.java:47)
    at org.gradle.internal.execution.steps.IdentifyStep.execute(IdentifyStep.java:34)
    at org.gradle.internal.execution.impl.DefaultExecutionEngine$1.execute(DefaultExecutionEngine.java:64)
    at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.executeIfValid(ExecuteActionsTaskExecuter.java:146)
    at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.execute(ExecuteActionsTaskExecuter.java:135)
    at org.gradle.api.internal.tasks.execution.FinalizePropertiesTaskExecuter.execute(FinalizePropertiesTaskExecuter.java:46)
    at org.gradle.api.internal.tasks.execution.ResolveTaskExecutionModeExecuter.execute(ResolveTaskExecutionModeExecuter.java:51)
    at org.gradle.api.internal.tasks.execution.SkipTaskWithNoActionsExecuter.execute(SkipTaskWithNoActionsExecuter.java:57)
    at org.gradle.api.internal.tasks.execution.SkipOnlyIfTaskExecuter.execute(SkipOnlyIfTaskExecuter.java:74)
    at org.gradle.api.internal.tasks.execution.CatchExceptionTaskExecuter.execute(CatchExceptionTaskExecuter.java:36)
    at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter$1.executeTask(EventFiringTaskExecuter.java:77)
    at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter$1.call(EventFiringTaskExecuter.java:55)
    at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter$1.call(EventFiringTaskExecuter.java:52)
    at org.gradle.internal.operations.DefaultBuildOperationRunner$CallableBuildOperationWorker.execute(DefaultBuildOperationRunner.java:204)
    at org.gradle.internal.operations.DefaultBuildOperationRunner$CallableBuildOperationWorker.execute(DefaultBuildOperationRunner.java:199)
    at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:66)
    at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:59)
    at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:157)
    at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:59)
    at org.gradle.internal.operations.DefaultBuildOperationRunner.call(DefaultBuildOperationRunner.java:53)
    at org.gradle.internal.operations.DefaultBuildOperationExecutor.call(DefaultBuildOperationExecutor.java:73)
    at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter.execute(EventFiringTaskExecuter.java:52)
    at org.gradle.execution.plan.LocalTaskNodeExecutor.execute(LocalTaskNodeExecutor.java:42)
    at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$InvokeNodeExecutorsAction.execute(DefaultTaskExecutionGraph.java:331)
    at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$InvokeNodeExecutorsAction.execute(DefaultTaskExecutionGraph.java:318)
    at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$BuildOperationAwareExecutionAction.lambda$execute$0(DefaultTaskExecutionGraph.java:314)
    at org.gradle.internal.operations.CurrentBuildOperationRef.with(CurrentBuildOperationRef.java:80)
    at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$BuildOperationAwareExecutionAction.execute(DefaultTaskExecutionGraph.java:314)
    at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$BuildOperationAwareExecutionAction.execute(DefaultTaskExecutionGraph.java:303)
    at org.gradle.execution.plan.DefaultPlanExecutor$ExecutorWorker.execute(DefaultPlanExecutor.java:463)
    at org.gradle.execution.plan.DefaultPlanExecutor$ExecutorWorker.run(DefaultPlanExecutor.java:380)
    at org.gradle.internal.concurrent.ExecutorPolicy$CatchAndRecordFailures.onExecute(ExecutorPolicy.java:64)
    at org.gradle.internal.concurrent.AbstractManagedExecutor$1.run(AbstractManagedExecutor.java:47)
    at java.base@17.0.9/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
    at java.base@17.0.9/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    at java.base@17.0.9/java.lang.Thread.run(Thread.java:840)
Caused by: java.util.concurrent.ExecutionException: org.owasp.dependencycheck.utils.DownloadFailedException: Download failed, unable to copy 'https://s3.eu-central-1.amazonaws.com/<s3-bucket-name>/nvdcve-2007.json.gz' to '/tmp/dctemp463a77b7-aff7-4d37-a84e-b844c115740d/nvd-datafeed-45f0ac92-1bea-496d-ab04-b5189602c2ff.json.gz'; TLS Connection Reset
Please see http://jeremylong.github.io/DependencyCheck/data/tlsfailure.html for more information regarding how to resolve the issue.
    at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
    at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
    at org.owasp.dependencycheck.data.update.NvdApiDataSource.processDownload(NvdApiDataSource.java:271)
    ... 133 more
Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Download failed, unable to copy 'https://s3.eu-central-1.amazonaws.com/<s3-bucket-name>/nvdcve-2007.json.gz' to '/tmp/dctemp463a77b7-aff7-4d37-a84e-b844c115740d/nvd-datafeed-45f0ac92-1bea-496d-ab04-b5189602c2ff.json.gz'; TLS Connection Reset
Please see http://jeremylong.github.io/DependencyCheck/data/tlsfailure.html for more information regarding how to resolve the issue.
    at org.owasp.dependencycheck.utils.Downloader.fetchFile(Downloader.java:152)
    at org.owasp.dependencycheck.data.update.nvd.api.DownloadTask.call(DownloadTask.java:89)
    at org.owasp.dependencycheck.data.update.nvd.api.DownloadTask.call(DownloadTask.java:39)
    at java.base@17.0.9/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    ... 3 more
Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: TLS Connection Reset
Please see http://jeremylong.github.io/DependencyCheck/data/tlsfailure.html for more information regarding how to resolve the issue.
    at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:264)
    at org.owasp.dependencycheck.utils.HttpResourceConnection.fetch(HttpResourceConnection.java:163)
    at org.owasp.dependencycheck.utils.Downloader.fetchFile(Downloader.java:138)
    ... 6 more
Caused by: java.net.SocketException: Connection reset
    at java.base/sun.nio.ch.NioSocketImpl.implRead(NioSocketImpl.java:328)
    at java.base/sun.nio.ch.NioSocketImpl.read(NioSocketImpl.java:355)
    at java.base/sun.nio.ch.NioSocketImpl$1.read(NioSocketImpl.java:808)
    at java.base/java.net.Socket$SocketInputStream.read(Socket.java:966)
    at java.base/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:484)
    at java.base/sun.security.ssl.SSLSocketInputRecord.readHeader(SSLSocketInputRecord.java:478)
    at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:160)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
    at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:589)
    at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:187)
    at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:142)
    at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:206)
    ... 8 more
    at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
    at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
    at org.owasp.dependencycheck.data.update.NvdApiDataSource.processDownload(NvdApiDataSource.java:271)
    at org.owasp.dependencycheck.data.update.NvdApiDataSource.processDatafeed(NvdApiDataSource.java:170)
    at org.owasp.dependencycheck.data.update.NvdApiDataSource.update(NvdApiDataSource.java:113)
    at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:906)
    at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:878)
    at org.owasp.dependencycheck.gradle.tasks.Update.update(Update.groovy:56)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at org.gradle.internal.reflect.JavaMethod.invoke(JavaMethod.java:125)
    at org.gradle.api.internal.project.taskfactory.StandardTaskAction.doExecute(StandardTaskAction.java:58)
    at org.gradle.api.internal.project.taskfactory.StandardTaskAction.execute(StandardTaskAction.java:51)
    at org.gradle.api.internal.project.taskfactory.StandardTaskAction.execute(StandardTaskAction.java:29)
    at org.gradle.api.internal.tasks.execution.TaskExecution$3.run(TaskExecution.java:248)
    at org.gradle.internal.operations.DefaultBuildOperationRunner$1.execute(DefaultBuildOperationRunner.java:29)
    at org.gradle.internal.operations.DefaultBuildOperationRunner$1.execute(DefaultBuildOperationRunner.java:26)
    at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:66)
    at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:59)
    at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:157)
    at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:59)
    at org.gradle.internal.operations.DefaultBuildOperationRunner.run(DefaultBuildOperationRunner.java:47)
    at org.gradle.internal.operations.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:68)
    at org.gradle.api.internal.tasks.execution.TaskExecution.executeAction(TaskExecution.java:233)
    at org.gradle.api.internal.tasks.execution.TaskExecution.executeActions(TaskExecution.java:216)
    at org.gradle.api.internal.tasks.execution.TaskExecution.executeWithPreviousOutputFiles(TaskExecution.java:199)
    at org.gradle.api.internal.tasks.execution.TaskExecution.execute(TaskExecution.java:166)
    at org.gradle.internal.execution.steps.ExecuteStep.executeInternal(ExecuteStep.java:105)
    at org.gradle.internal.execution.steps.ExecuteStep.access$000(ExecuteStep.java:44)
    at org.gradle.internal.execution.steps.ExecuteStep$1.call(ExecuteStep.java:59)
    at org.gradle.internal.execution.steps.ExecuteStep$1.call(ExecuteStep.java:56)
    at org.gradle.internal.operations.DefaultBuildOperationRunner$CallableBuildOperationWorker.execute(DefaultBuildOperationRunner.java:204)
    at org.gradle.internal.operations.DefaultBuildOperationRunner$CallableBuildOperationWorker.execute(DefaultBuildOperationRunner.java:199)
    at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:66)
    at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:59)
    at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:157)
    at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:59)
    at org.gradle.internal.operations.DefaultBuildOperationRunner.call(DefaultBuildOperationRunner.java:53)
    at org.gradle.internal.operations.DefaultBuildOperationExecutor.call(DefaultBuildOperationExecutor.java:73)
    at org.gradle.internal.execution.steps.ExecuteStep.execute(ExecuteStep.java:56)
    at org.gradle.internal.execution.steps.ExecuteStep.execute(ExecuteStep.java:44)
    at org.gradle.internal.execution.steps.RemovePreviousOutputsStep.execute(RemovePreviousOutputsStep.java:67)
    at org.gradle.internal.execution.steps.RemovePreviousOutputsStep.execute(RemovePreviousOutputsStep.java:37)
    at org.gradle.internal.execution.steps.CancelExecutionStep.execute(CancelExecutionStep.java:41)
    at org.gradle.internal.execution.steps.TimeoutStep.executeWithoutTimeout(TimeoutStep.java:74)
    at org.gradle.internal.execution.steps.TimeoutStep.execute(TimeoutStep.java:55)
    at org.gradle.internal.execution.steps.CreateOutputsStep.execute(CreateOutputsStep.java:50)
    at org.gradle.internal.execution.steps.CreateOutputsStep.execute(CreateOutputsStep.java:28)
    at org.gradle.internal.execution.steps.CaptureStateAfterExecutionStep.executeDelegateBroadcastingChanges(CaptureStateAfterExecutionStep.java:100)
    at org.gradle.internal.execution.steps.CaptureStateAfterExecutionStep.execute(CaptureStateAfterExecutionStep.java:72)
    at org.gradle.internal.execution.steps.CaptureStateAfterExecutionStep.execute(CaptureStateAfterExecutionStep.java:50)
    at org.gradle.internal.execution.steps.ResolveInputChangesStep.execute(ResolveInputChangesStep.java:40)
    at org.gradle.internal.execution.steps.ResolveInputChangesStep.execute(ResolveInputChangesStep.java:29)
    at org.gradle.internal.execution.steps.BuildCacheStep.executeWithoutCache(BuildCacheStep.java:179)
    at org.gradle.internal.execution.steps.BuildCacheStep.lambda$execute$1(BuildCacheStep.java:70)
    at org.gradle.internal.Either$Right.fold(Either.java:175)
    at org.gradle.internal.execution.caching.CachingState.fold(CachingState.java:59)
    at org.gradle.internal.execution.steps.BuildCacheStep.execute(BuildCacheStep.java:68)
    at org.gradle.internal.execution.steps.BuildCacheStep.execute(BuildCacheStep.java:46)
    at org.gradle.internal.execution.steps.StoreExecutionStateStep.execute(StoreExecutionStateStep.java:36)
    at org.gradle.internal.execution.steps.StoreExecutionStateStep.execute(StoreExecutionStateStep.java:25)
    at org.gradle.internal.execution.steps.RecordOutputsStep.execute(RecordOutputsStep.java:36)
    at org.gradle.internal.execution.steps.RecordOutputsStep.execute(RecordOutputsStep.java:22)
    at org.gradle.internal.execution.steps.SkipUpToDateStep.executeBecause(SkipUpToDateStep.java:91)
    at org.gradle.internal.execution.steps.SkipUpToDateStep.lambda$execute$2(SkipUpToDateStep.java:55)
    at java.base/java.util.Optional.orElseGet(Optional.java:364)
    at org.gradle.internal.execution.steps.SkipUpToDateStep.execute(SkipUpToDateStep.java:55)
    at org.gradle.internal.execution.steps.SkipUpToDateStep.execute(SkipUpToDateStep.java:37)
    at org.gradle.internal.execution.steps.ResolveChangesStep.execute(ResolveChangesStep.java:65)
    at org.gradle.internal.execution.steps.ResolveChangesStep.execute(ResolveChangesStep.java:36)
    at org.gradle.internal.execution.steps.legacy.MarkSnapshottingInputsFinishedStep.execute(MarkSnapshottingInputsFinishedStep.java:37)
    at org.gradle.internal.execution.steps.legacy.MarkSnapshottingInputsFinishedStep.execute(MarkSnapshottingInputsFinishedStep.java:27)
    at org.gradle.internal.execution.steps.ResolveCachingStateStep.execute(ResolveCachingStateStep.java:77)
    at org.gradle.internal.execution.steps.ResolveCachingStateStep.execute(ResolveCachingStateStep.java:38)
    at org.gradle.internal.execution.steps.ValidateStep.execute(ValidateStep.java:94)
    at org.gradle.internal.execution.steps.ValidateStep.execute(ValidateStep.java:49)
    at org.gradle.internal.execution.steps.CaptureStateBeforeExecutionStep.execute(CaptureStateBeforeExecutionStep.java:71)
    at org.gradle.internal.execution.steps.CaptureStateBeforeExecutionStep.execute(CaptureStateBeforeExecutionStep.java:45)
    at org.gradle.internal.execution.steps.SkipEmptyWorkStep.executeWithNonEmptySources(SkipEmptyWorkStep.java:177)
    at org.gradle.internal.execution.steps.SkipEmptyWorkStep.execute(SkipEmptyWorkStep.java:81)
    at org.gradle.internal.execution.steps.SkipEmptyWorkStep.execute(SkipEmptyWorkStep.java:53)
    at org.gradle.internal.execution.steps.RemoveUntrackedExecutionStateStep.execute(RemoveUntrackedExecutionStateStep.java:32)
    at org.gradle.internal.execution.steps.RemoveUntrackedExecutionStateStep.execute(RemoveUntrackedExecutionStateStep.java:21)
    at org.gradle.internal.execution.steps.legacy.MarkSnapshottingInputsStartedStep.execute(MarkSnapshottingInputsStartedStep.java:38)
    at org.gradle.internal.execution.steps.LoadPreviousExecutionStateStep.execute(LoadPreviousExecutionStateStep.java:36)
    at org.gradle.internal.execution.steps.LoadPreviousExecutionStateStep.execute(LoadPreviousExecutionStateStep.java:23)
    at org.gradle.internal.execution.steps.CleanupStaleOutputsStep.execute(CleanupStaleOutputsStep.java:75)
    at org.gradle.internal.execution.steps.CleanupStaleOutputsStep.execute(CleanupStaleOutputsStep.java:41)
    at org.gradle.internal.execution.steps.ExecuteWorkBuildOperationFiringStep.lambda$execute$2(ExecuteWorkBuildOperationFiringStep.java:66)
    at java.base/java.util.Optional.orElseGet(Optional.java:364)
    at org.gradle.internal.execution.steps.ExecuteWorkBuildOperationFiringStep.execute(ExecuteWorkBuildOperationFiringStep.java:66)
    at org.gradle.internal.execution.steps.ExecuteWorkBuildOperationFiringStep.execute(ExecuteWorkBuildOperationFiringStep.java:38)
    at org.gradle.internal.execution.steps.AssignWorkspaceStep.lambda$execute$0(AssignWorkspaceStep.java:32)
    at org.gradle.api.internal.tasks.execution.TaskExecution$4.withWorkspace(TaskExecution.java:293)
    at org.gradle.internal.execution.steps.AssignWorkspaceStep.execute(AssignWorkspaceStep.java:30)
    at org.gradle.internal.execution.steps.AssignWorkspaceStep.execute(AssignWorkspaceStep.java:21)
    at org.gradle.internal.execution.steps.IdentityCacheStep.execute(IdentityCacheStep.java:37)
    at org.gradle.internal.execution.steps.IdentityCacheStep.execute(IdentityCacheStep.java:27)
    at org.gradle.internal.execution.steps.IdentifyStep.execute(IdentifyStep.java:47)
    at org.gradle.internal.execution.steps.IdentifyStep.execute(IdentifyStep.java:34)
    at org.gradle.internal.execution.impl.DefaultExecutionEngine$1.execute(DefaultExecutionEngine.java:64)
    at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.executeIfValid(ExecuteActionsTaskExecuter.java:146)
    at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.execute(ExecuteActionsTaskExecuter.java:135)
    at org.gradle.api.internal.tasks.execution.FinalizePropertiesTaskExecuter.execute(FinalizePropertiesTaskExecuter.java:46)
    at org.gradle.api.internal.tasks.execution.ResolveTaskExecutionModeExecuter.execute(ResolveTaskExecutionModeExecuter.java:51)
    at org.gradle.api.internal.tasks.execution.SkipTaskWithNoActionsExecuter.execute(SkipTaskWithNoActionsExecuter.java:57)
    at org.gradle.api.internal.tasks.execution.SkipOnlyIfTaskExecuter.execute(SkipOnlyIfTaskExecuter.java:74)
    at org.gradle.api.internal.tasks.execution.CatchExceptionTaskExecuter.execute(CatchExceptionTaskExecuter.java:36)
    at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter$1.executeTask(EventFiringTaskExecuter.java:77)
    at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter$1.call(EventFiringTaskExecuter.java:55)
    at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter$1.call(EventFiringTaskExecuter.java:52)
    at org.gradle.internal.operations.DefaultBuildOperationRunner$CallableBuildOperationWorker.execute(DefaultBuildOperationRunner.java:204)
    at org.gradle.internal.operations.DefaultBuildOperationRunner$CallableBuildOperationWorker.execute(DefaultBuildOperationRunner.java:199)
    at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:66)
    at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:59)
    at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:157)
    at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:59)
    at org.gradle.internal.operations.DefaultBuildOperationRunner.call(DefaultBuildOperationRunner.java:53)
    at org.gradle.internal.operations.DefaultBuildOperationExecutor.call(DefaultBuildOperationExecutor.java:73)
    at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter.execute(EventFiringTaskExecuter.java:52)
    at org.gradle.execution.plan.LocalTaskNodeExecutor.execute(LocalTaskNodeExecutor.java:42)
    at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$InvokeNodeExecutorsAction.execute(DefaultTaskExecutionGraph.java:331)
    at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$InvokeNodeExecutorsAction.execute(DefaultTaskExecutionGraph.java:318)
    at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$BuildOperationAwareExecutionAction.lambda$execute$0(DefaultTaskExecutionGraph.java:314)
    at org.gradle.internal.operations.CurrentBuildOperationRef.with(CurrentBuildOperationRef.java:80)
    at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$BuildOperationAwareExecutionAction.execute(DefaultTaskExecutionGraph.java:314)
    at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$BuildOperationAwareExecutionAction.execute(DefaultTaskExecutionGraph.java:303)
    at org.gradle.execution.plan.DefaultPlanExecutor$ExecutorWorker.execute(DefaultPlanExecutor.java:463)
    at org.gradle.execution.plan.DefaultPlanExecutor$ExecutorWorker.run(DefaultPlanExecutor.java:380)
    at org.gradle.internal.concurrent.ExecutorPolicy$CatchAndRecordFailures.onExecute(ExecutorPolicy.java:64)
    at org.gradle.internal.concurrent.AbstractManagedExecutor$1.run(AbstractManagedExecutor.java:47)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Download failed, unable to copy 'https://s3.eu-central-1.amazonaws.com/<s3-bucket-name>/nvdcve-2007.json.gz' to '/tmp/dctemp463a77b7-aff7-4d37-a84e-b844c115740d/nvd-datafeed-45f0ac92-1bea-496d-ab04-b5189602c2ff.json.gz'; TLS Connection Reset
Please see http://jeremylong.github.io/DependencyCheck/data/tlsfailure.html for more information regarding how to resolve the issue.
    at org.owasp.dependencycheck.utils.Downloader.fetchFile(Downloader.java:152)
    at org.owasp.dependencycheck.data.update.nvd.api.DownloadTask.call(DownloadTask.java:89)
    at org.owasp.dependencycheck.data.update.nvd.api.DownloadTask.call(DownloadTask.java:39)
    at java.base@17.0.9/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    ... 3 more
Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: TLS Connection Reset
Please see http://jeremylong.github.io/DependencyCheck/data/tlsfailure.html for more information regarding how to resolve the issue.
    at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:264)
    at org.owasp.dependencycheck.utils.HttpResourceConnection.fetch(HttpResourceConnection.java:163)
    at org.owasp.dependencycheck.utils.Downloader.fetchFile(Downloader.java:138)
    ... 6 more
Caused by: java.net.SocketException: Connection reset
    at java.base/sun.nio.ch.NioSocketImpl.implRead(NioSocketImpl.java:328)
    at java.base/sun.nio.ch.NioSocketImpl.read(NioSocketImpl.java:355)
    at java.base/sun.nio.ch.NioSocketImpl$1.read(NioSocketImpl.java:808)
    at java.base/java.net.Socket$SocketInputStream.read(Socket.java:966)
    at java.base/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:484)
    at java.base/sun.security.ssl.SSLSocketInputRecord.readHeader(SSLSocketInputRecord.java:478)
    at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:160)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
    at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:589)
    at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:187)
    at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:142)
    at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:206)
    ... 8 more
foxylion commented 11 months ago

In addition to what's already said: we used S3 before version 9 already to replicate the CVE data into our infrastructure. This worked very well; we never had any stability issues. So I really think there must be something wrong with version 9, where these problems suddenly arose.

jeremylong commented 11 months ago

What happens if you configure TLS like this: -Dhttps.protocols=TLSv1.1,TLSv1.2,TLSv1.3?

foxylion commented 11 months ago

Sadly it does not solve the problem. One note added: It is not a specific file, just randomly an HTTPS request fails.

jeremylong commented 11 months ago

While not a correct fix at all, this might be a workaround until I can figure out what is going on with the connection resets. Simply copy the cache from the S3 bucket locally:

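mkdir -p cache
pushd cache
YEAR=`date +%Y`
CACHE=`pwd`
curl -L -O "https://s3.eu-central-1.amazonaws.com/<s3-bucket-name>/cache.properties"
# Brace expansion ({2020..$YEAR}) does not expand variables, so use seq for the range
for y in $(seq 2020 "$YEAR")
do
  # Use the loop variable $y so each year's files are fetched, not only the current year's
  curl -L -O "https://s3.eu-central-1.amazonaws.com/<s3-bucket-name>/nvdcve-$y.json.gz"
  curl -L -O "https://s3.eu-central-1.amazonaws.com/<s3-bucket-name>/nvdcve-$y.meta"
done
popd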

Then configure ODC to use "file:///$CACHE" as the nvd data feed url.
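
A more defensive variant of the mirroring workaround above, as an added example that is not part of the original comment or of dependency-check: each file is retried with backoff, `.gz` files must pass `gzip -t`, and the cache directory is only updated once the whole set has been fetched, so a connection reset mid-run never leaves a truncated or mixed cache behind. The names `fetch_verified`, `mirror_cache`, `FETCH`, `MAX_ATTEMPTS` and `BACKOFF_START` are hypothetical, and `BASE_URL` keeps the page's placeholder bucket name.

```shell
#!/usr/bin/env bash
# Added example: staged, retried, integrity-checked mirror of the feed files.
# BASE_URL keeps the page's placeholder bucket name; set it before running.
BASE_URL="${BASE_URL:-https://s3.eu-central-1.amazonaws.com/<s3-bucket-name>}"
MAX_ATTEMPTS="${MAX_ATTEMPTS:-5}"
BACKOFF_START="${BACKOFF_START:-2}"   # seconds; doubled after every failure

# Default downloader: -f turns HTTP errors into a non-zero exit status.
fetch_url() {
  curl -fsSL --connect-timeout 15 -o "$2" "$1"
}
FETCH="${FETCH:-fetch_url}"           # hypothetical hook to swap the downloader

# fetch_verified NAME DIR
# Downloads NAME into a temp file inside DIR, retrying with exponential
# backoff. A *.gz file is accepted only if it is a complete gzip stream.
fetch_verified() {
  local name="$1" dir="$2" attempt=1 delay="$BACKOFF_START" tmp
  tmp="$(mktemp "$dir/.partial.XXXXXX")" || return 1
  while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
    if "$FETCH" "$BASE_URL/$name" "$tmp" && [ -s "$tmp" ]; then
      case "$name" in
        *.gz) if gzip -t "$tmp" 2>/dev/null; then
                mv "$tmp" "$dir/$name"; return 0
              fi ;;
        *)    mv "$tmp" "$dir/$name"; return 0 ;;
      esac
    fi
    echo "attempt $attempt/$MAX_ATTEMPTS failed for $name" >&2
    attempt=$((attempt + 1))
    [ "$attempt" -le "$MAX_ATTEMPTS" ] && sleep "$delay"
    delay=$((delay * 2))
  done
  rm -f "$tmp"
  return 1
}

# mirror_cache FROM_YEAR TO_YEAR DEST_DIR
# Stages every file first; DEST_DIR is only written when the full set was
# fetched and verified, so a failed run keeps the previous consistent cache.
mirror_cache() {
  local from="$1" to="$2" dest="$3" stage y f
  mkdir -p "$dest" || return 1
  stage="$(mktemp -d "$dest/.stage.XXXXXX")" || return 1
  fetch_verified "cache.properties" "$stage" || { rm -rf "$stage"; return 1; }
  for y in $(seq "$from" "$to"); do
    for f in "nvdcve-$y.json.gz" "nvdcve-$y.meta"; do
      fetch_verified "$f" "$stage" || { rm -rf "$stage"; return 1; }
    done
  done
  mv "$stage"/* "$dest"/ && rmdir "$stage"
}

# Run only when invoked as: ./mirror.sh run [DEST_DIR]
if [ "${1:-}" = "run" ]; then
  mirror_cache 2020 "$(date +%Y)" "${2:-cache}"
fi
```

Point ODC at the directory only after `mirror_cache` has returned 0.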

prabhu commented 10 months ago

We're mirroring NVD (and many other sources) here in case anyone is looking for a git-based solution.

https://github.com/AppThreat/vuln-list/tree/main/nvd