jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

get TLS Certificate errors while executing dependency-check.bat for my repo #6944

Open ChaurAW1 opened 1 week ago

ChaurAW1 commented 1 week ago

Hi, I am facing an issue while executing dependency-check.bat for my repo; please find the error snapshot below.

[WARN] An NVD API Key was not provided - it is highly recommended to use an NVD API key as the update can take a VERY long time without an API Key
11:40:18  [WARN] Retrying request /rest/json/cves/2.0?resultsPerPage=2000&startIndex=0 : 2 time
11:40:18  [WARN] Retrying request /rest/json/cves/2.0?resultsPerPage=2000&startIndex=0 : 3 time
11:40:18  [WARN] Retrying request /rest/json/cves/2.0?resultsPerPage=2000&startIndex=0 : 4 time
11:40:18  [WARN] NVD API request failures are occurring; retrying request for the 5 time
11:40:18  [WARN] NVD API request failures are occurring; retrying request for the 6 time
11:40:18  [WARN] NVD API request failures are occurring; retrying request for the 7 time
11:40:18  [WARN] NVD API request failures are occurring; retrying request for the 8 time
11:40:18  [WARN] NVD API request failures are occurring; retrying request for the 9 time
11:40:18  [WARN] NVD API request failures are occurring; retrying request for the 10 time
11:40:18  [WARN] NVD API request failures are occurring; retrying request for the 11 time
11:40:27  [WARN] Retrying request /rest/json/cves/2.0?resultsPerPage=2000&startIndex=0 : 2 time
11:40:27  [WARN] Retrying request /rest/json/cves/2.0?resultsPerPage=2000&startIndex=0 : 3 time
11:40:28  [WARN] Retrying request /rest/json/cves/2.0?resultsPerPage=2000&startIndex=0 : 4 time
11:41:09  ... 7 common frames omitted
11:41:09  Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Error downloading file https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json; unable to connect.
11:41:09  at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:267)
11:41:09  at org.owasp.dependencycheck.utils.HttpResourceConnection.fetch(HttpResourceConnection.java:163)
11:41:09  at org.owasp.dependencycheck.utils.Downloader.fetchFile(Downloader.java:138)
11:41:09  ... 9 common frames omitted
11:41:09  Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
11:41:09  at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
11:41:09  at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378)
11:41:09  at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
11:41:09  at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316)
11:41:09  at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1351)
11:41:09  at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1226)
11:41:09  at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1169)
11:41:09  at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
11:41:09  at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
11:41:09  at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
11:41:09  at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
11:41:09  at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
11:41:09  at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
11:41:09  at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
11:41:09  at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335)
11:41:09  ... 23 common frames omitted
11:41:09  Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
11:41:09  at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
11:41:09  at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
11:41:09  at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
11:41:09  at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
11:41:09  ... 28 common frames omitted
11:41:09  [WARN] Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
11:41:09  [ERROR] Unable to continue dependency-check analysis.
11:41:09  [ERROR] One or more fatal errors occurred
11:41:09  [ERROR] org.owasp.dependencycheck.utils.DownloadFailedException: Error downloading file https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; unable to connect.
11:41:09  [ERROR] No documents exist

Can you please help me with this?

Thanks in advance

aikebah commented 1 week ago

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Most likely causes:

  1. An intercepting, re-encrypting proxy whose (internal, company-trusted) MITM CA your Java does not trust.
  2. A severely outdated Java that does not yet know the root-CA certificates that signed the certificates of the NVD, CISA and GitHub servers.

The latter is far lower in chance than the former, so I suspect you're on a company network with a re-encrypting proxy. You'll have to work with your IT department to add trust for that proxy's CA certificate to your JVM in order to make Java trust the trusted man-in-the-middle.

ChaurAW1 commented 1 week ago

Hi,

Can you please provide me a document link from where I can get the whole details about the certificate which is needed in this analysis.

Thanks Amit


aikebah commented 1 week ago

@ChaurAW1 The CA certificate you would have to obtain from the administrators of your enterprise proxy, which terminates the TLS on the internet side and then re-encrypts for enterprise-local systems with a self-issued certificate so that it can inspect web traffic for traces of malware/phishing/policy-rule violations as defined in the proxy's ruleset.

The instructions on how to install a custom (CA root) certificate in the CA trust of Java are all over the internet and easily found by Google, Bing and no doubt many other internet search providers. Note that those steps will typically have to be repeated on each update of Java (which re-installs the factory default truststore) when you resolve it by importing into the standard cacerts file of Java.

It's best for you to reach out to your in-company IT support on how to do it, as there may be all kinds of corporate policies in effect that govern what kind of resolution of the issue would be a valid action by you and which of the various possible ways to 'get Java to trust the certificates issued by my company's intercepting proxy' would constitute a violation of the company policies.

aikebah commented 1 week ago

Note that modifying the CA trust is a very security-sensitive operation if you don't know what you're doing. You might start trusting hackers that found a way in between your system and the sites you want to visit if you add the wrong certificates to the trust (those of the hackers), which is why it is much better to reach out to your company IT support to ensure that what you configure are indeed company-trusted certificates (and that the way you install them is allowed by the various company security policies).
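The two cautions above (the import is lost on the next Java update when done into the standard cacerts file, and importing the wrong certificate means trusting an attacker) can both be handled in the same procedure. The script below is an added example, not code from the dependency-check project or from the commenters: it prints the fingerprint of the CA file so it can be compared with what IT published, builds a private truststore from a copy of the JDK's cacerts plus that CA, and runs the scan against it. It assumes a JDK 9+ layout (`$JAVA_HOME/lib/security/cacerts`, default password `changeit`), that the proxy CA PEM comes from your IT department, and that the CLI launcher honours the `JAVA_OPTS` environment variable; the function and alias names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the dependency-check project: keep the corporate
# proxy's CA in a private truststore (a copy of the JDK's cacerts plus the CA)
# instead of editing cacerts in place, so a JDK update does not silently drop
# it, and check the CA's fingerprint against what IT gave you before importing.
# Assumptions: JDK 9+ layout ($JAVA_HOME/lib/security/cacerts, password
# "changeit"); the proxy CA PEM comes from your IT department; the CLI launcher
# honours JAVA_OPTS. Function and alias names are this example's own.
set -eu

# Print the SHA-256 fingerprint of a PEM certificate so it can be compared with
# the value your IT department published; a mismatch means do not import it.
ca_fingerprint() {
    keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256: *//p'
}

# $1 = proxy CA certificate (PEM), $2 = truststore file to create.
build_truststore() {
    ca_pem="$1"; out="$2"
    jdk_cacerts="${JAVA_HOME:?set JAVA_HOME to your JDK}/lib/security/cacerts"
    cp "$jdk_cacerts" "$out"      # start from the factory defaults, leave them untouched
    chmod u+w "$out"
    keytool -importcert -noprompt -trustcacerts -alias corporate-proxy-ca \
        -file "$ca_pem" -keystore "$out" -storepass changeit >/dev/null 2>&1
}

# The alias must be present as a trustedCertEntry (a certificate only, never a
# private key: nobody should be handing you the proxy CA's key).
verify_truststore() {
    keytool -list -keystore "$1" -storepass changeit -alias corporate-proxy-ca \
        2>/dev/null | grep -q trustedCertEntry
}

# Run the scan against the private truststore; extra CLI arguments pass through.
run_scan() {
    store="$1"; shift
    JAVA_OPTS="-Djavax.net.ssl.trustStore=$store -Djavax.net.ssl.trustStorePassword=changeit" \
        dependency-check.sh --project myproject --scan . "$@"
}
```

On Windows the same `-Djavax.net.ssl.trustStore` properties apply to dependency-check.bat; only the launcher name and the path syntax differ.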

aikebah commented 1 week ago

https://smallstep.com/blog/everything-pki/#trust--trustworthiness

A section of a blog that explains how crucial it is to only have trusted certificates in your truststore (and explains a whole lot more of the entire Public Key Infrastructure that is underpinning HTTPS to secure communication in the other sections)

ChaurAW1 commented 1 week ago

Hi,

Thank you so much for your reply. I will connect with my IT first. For any future query, I will let you know.

Thanks Amit
