Please Read: Mandatory Upgrade to 10.0.2 or later

[jeremylong]

Users of 9.0.0 through 10.0.1 must upgrade to 10.0.2

Please see https://github.com/jeremylong/DependencyCheck?tab=readme-ov-file#mandatory-upgrade-notice.

Note 9.x no longer works - so you should have already upgraded.

[chadlwilson]

You might want to consider pinning this issue to the top of the issues.

[chadlwilson]

If it helps folks, reposting my summary from https://github.com/jeremylong/DependencyCheck/issues/6816#issuecomment-2219637687

Here's my summary given the current (July 2024) load. Hope it helps.

• >= 9.x, <= 10.0.1: Will get 403/404 due to NVD rejecting old clients #6817
  1. Upgrade to 10.0.2.
• >= 10.0.2 Without API key: Quite likely to be getting 503s due to load per #6758
  1. Consider getting an API key. :-)
• >= 10.0.2 With valid API key: Should be working, but
  • If getting 503: The retries should get you through eventually as load should be improving.
    1. But you might want to look at https://jeremylong.github.io/DependencyCheck/data/cachenvd.html or https://jeremylong.github.io/DependencyCheck/data/cacheh2.html to reduce your dependency on the NVD by reducing # of calls.
    2. Consider adjusting the ODC retry delay to be longer.
  • if getting 403/404:
    1. Double check your API key is valid using curl or similar.
    2. Double check the same API key is going through correctly from your plugin/CLI. The logging @jeremylong is adding may help improve this, but if using Gradle you can try logging it temporarily within Gradle to make sure it is being read correctly from your environment.
       • If you have been re-generating API keys, check you are using the correct one. Old keys are invalidated when you regenerate from the same email address.
    3. Turn on Maven debug logging, Gradle --info logging, or gradle --stacktrace and see if there is some other connectivity issue to the NVD API other than a 403/404/503. (especially if you have recently moved from ODC 8.x)

[akshat62]

2024-07-23T02:39:07.818+0530 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter] > Failed to create Jar file /home/guptaksh/.gradle/caches/jars-8/496c5fdd91687c666d36586f714c36d0/jackson-core-2.17.1.jar.

How to fix this ?

[jeremylong]

@akshat62 please open a new issue for any unrelated problems. In your case, see https://github.com/dependency-check/dependency-check-gradle?tab=readme-ov-file#gradle-build-environment

If you have any follow-on problems/questions - open a new ticket.

[kwin]

What about version < 9? How long is this still supported from NVD side?

[chadlwilson]

https://nvd.nist.gov/general/news/change-timeline

Update: The retirement timeline has been extended for the Legacy Data Feed Files until further notice.

That comment is not dated but was first noted December 2023. https://groups.google.com/a/list.nist.gov/g/nvd-news/c/aofnAd3HP2g

The NVD will retire the Legacy Data Feed Files once improvements for bulk download capabilities of the NVD dataset are implemented.

To my knowledge there’s been no improvement to the bulk download capabilities yet, and the NVD has had many other problems to deal with this year. I’d follow https://www.nist.gov/itl/nvd