jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Recoverable I/O exception for https://services.nvd.nist.gov/ #6645

Closed fmarot closed 1 week ago

fmarot commented 1 week ago

Hello all,

For nearly a week (since May 2nd) I have been getting the following exceptions when running the dependency-check Maven plugin (update-only goal), and the job never reaches completion. Is this expected? Is it a problem with my setup?

I have an NVD API token which, I think, is correctly configured.

INFO: Finished configuration in 54 ms.
[INFO] Checking for updates
[INFO] Recoverable I/O exception (java.io.IOException) caught when processing request to {s}->https://services.nvd.nist.gov:443
[INFO] Recoverable I/O exception (java.io.IOException) caught when processing request to {s}->https://services.nvd.nist.gov:443
[INFO] Recoverable I/O exception (java.io.IOException) caught when processing request to {s}->https://services.nvd.nist.gov:443
[INFO] Recoverable I/O exception (java.io.IOException) caught when processing request to {s}->https://services.nvd.nist.gov:443
[WARNING] NVD API request failures are occurring; retrying request for the 5 time
[WARNING] NVD API request failures are occurring; retrying request for the 5 time
[INFO] Recoverable I/O exception (java.io.IOException) caught when processing request to {s}->https://services.nvd.nist.gov:443
[WARNING] NVD API request failures are occurring; retrying request for the 6 time
[WARNING] NVD API request failures are occurring; retrying request for the 6 time
[INFO] Recoverable I/O exception (java.io.IOException) caught when processing request to {s}->https://services.nvd.nist.gov:443
[WARNING] NVD API request failures are occurring; retrying request for the 7 time
[WARNING] NVD API request failures are occurring; retrying request for the 7 time

Any help or hint is appreciated.

jeremylong commented 1 week ago

Sometimes the NVD API, not owned by this project, will throttle requests and/or have bandwidth issues. We highly recommend either mirroring the NVD or keeping the data directory intact between scans. See:

fmarot commented 1 week ago

Thanks @jeremylong. In fact it is my mirroring job (the "update-only" goal of the Maven plugin) that has been failing for nearly a week. This job updates a PGSQL database. The analysis jobs that use the DB read-only do not fail. Usually, when problems do not come from my side, I see other people complaining here, but as I see no one but myself complaining right now, I fear I have a problem.

jeremylong commented 1 week ago

Validate your api key is still valid.

On Mon, May 6, 2024, 8:48 AM Francois Marot wrote:


fmarot commented 1 week ago

Validate your api key is still valid.

It is... I tested it with the curl command and got a correct answer, while if I change any character in the key I get "invalid key" (or similar). I'm missing something, but what?...
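The curl check above only tells you whether the key is accepted; the thread shows the harder part is telling a rejected key apart from a connection that never reaches NVD at all (throttling, or a firewall dropping it). The following diagnostic is an added example, not part of dependency-check, and assumes curl is installed and the key to test is in the NVD_API_KEY environment variable; it sends one request to the NVD 2.0 CVE endpoint with the apiKey header and classifies curl's exit code and the HTTP status into "auth", "network" or "throttled".

```shell
#!/bin/sh
# Added diagnostic (assumption: curl available, NVD_API_KEY exported).
# One request to the NVD CVE 2.0 endpoint, then classify what came back.
NVD_URL="https://services.nvd.nist.gov/rest/json/cves/2.0?resultsPerPage=1"

# classify_nvd_result CURL_EXIT HTTP_CODE
# Pure function (no network) so the mapping can be checked offline.
# Exit status: 0 ok, 1 key rejected, 2 never reached NVD, 3 NVD throttled/down.
classify_nvd_result() {
  curl_exit="$1"; http_code="$2"
  if [ "$curl_exit" -ne 0 ]; then
    # curl itself failed: the request never completed at the HTTP layer,
    # which points at DNS/proxy/firewall rather than at the API key.
    case "$curl_exit" in
      6)     echo "network: DNS resolution failed (proxy/DNS blocked?)" ;;
      7)     echo "network: TCP connect failed (firewall dropping the connection?)" ;;
      28)    echo "network: timed out (filtered or throttled upstream)" ;;
      35|56) echo "network: TLS handshake or transfer error (TLS inspection / reset?)" ;;
      *)     echo "network: curl exit $curl_exit, request never completed" ;;
    esac
    return 2
  fi
  case "$http_code" in
    200)     echo "ok: NVD answered, key accepted"; return 0 ;;
    401|403) echo "auth: NVD reached but rejected the request; check the API key"; return 1 ;;
    429|5*)  echo "nvd: reached but throttled/unavailable (HTTP $http_code); retry later or mirror"; return 3 ;;
    *)       echo "unexpected: HTTP $http_code"; return 4 ;;
  esac
}

# probe_nvd_key: performs the single real request and classifies the outcome.
probe_nvd_key() {
  code=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 30 \
           -H "apiKey: ${NVD_API_KEY:?set NVD_API_KEY}" "$NVD_URL")
  rc=$?
  classify_nvd_result "$rc" "${code:-000}"
}
```

Run `probe_nvd_key` from the host where the Maven update-only job executes, since a firewall policy can block that host while a developer workstation still gets through.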

fmarot commented 1 week ago

Problem solved, sorry, this was a problem with my company's firewall (Palo Alto) which auto-updated and was refusing the connection to nvd.nist.gov because it detected something... My Dependency Track instance suffered from the same problem silently... Beware of firewalls... :/ Thanks for your support, Jeremy, and sorry for the false alarm.