jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

How to create an offline cache #7096

Open hicker-kin opened 1 week ago

hicker-kin commented 1 week ago

I pulled the cache data (json):
ls ~/java/target/docs:

...... nvdcve-1.1-2024.json.gz ..... staff 376K 10 24 16:01 nvdcve-1.1-recent.json.gz staff 162B 10 24 16:01 nvdcve-1.1-recent.meta

Then I installed the client and ran the command line:

    dependency-check --project "spring-boot-docker" --scan . \
        --log scan-log.log \
        --format GITLAB --format HTML \
        --data ~/java/target/docs \
        --disableHostedSuppression --disableCentral --disableOssIndex --disableRetireJS \
        --noupdate

This error occurred:

    [ERROR] One or more fatal errors occurred
    [ERROR] Autoupdate is disabled and the database does not exist


Why? How can I create a local cache for the dependency-check datasource?

aikebah commented 6 days ago

If you read the GitHub pages you'll find there:

The Open Vulnerability Project's vuln CLI can be used to create an offline copy of the data obtained from the NVD API. Then configure dependency-check to use the NVD Datafeed URL

I've highlighted the part you didn't take properly into account. The NVD API data cache is something other than the data directory of DependencyCheck. You need to configure the NVD datafeed URL to point to the files in your local cache.

So take a look at the CLI configuration and look for a way to configure the NVD datafeed URL and you'll find that you need to point --nvdDatafeed to your offline NVD API cache.

aikebah commented 6 days ago

Note that the typical use of it would be hosting it at some central http server in your private network, but a file-URL (file:///....) instead of an http-URL should also work fine.
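The fix described in the two comments above, as an added shell example that is not from the issue or the project: the offline cache is exposed through --nvdDatafeed as a file URL while --data keeps pointing at the database directory. It assumes the datafeed URL is the directory holding the nvdcve-*.json.gz files (check the CLI docs for the exact form your version expects) and that the H2 database file inside the --data directory is named odc.mv.db.

```shell
#!/bin/sh
# Added example (not from the issue or the project): build the dependency-check
# command so the offline NVD cache is read through --nvdDatafeed, while --data
# still names the directory where the H2 database lives.
# Assumptions: the datafeed URL is the directory holding the *.json.gz files,
# and the database file inside the --data directory is odc.mv.db.

# Usage: build_offline_cmd <cache_dir> <data_dir> <scan_dir>
# Prints the command to run; returns 1 if the cache directory is unusable.
build_offline_cmd() {
    cache_dir=$1; data_dir=$2; scan_dir=$3

    # The cache must actually contain gzipped NVD JSON files to serve as a feed.
    if ! ls "$cache_dir"/nvdcve-*.json.gz >/dev/null 2>&1; then
        echo "no nvdcve-*.json.gz files in $cache_dir" >&2
        return 1
    fi

    # file:// URLs need an absolute path; resolve it with cd+pwd (realpath is not POSIX).
    abs_cache=$(cd "$cache_dir" && pwd)
    feed_url="file://$abs_cache/"

    # --noupdate is only safe once the database exists: the first run must be
    # allowed to populate it from the local feed, otherwise the CLI fails with
    # "Autoupdate is disabled and the database does not exist".
    noupdate=""
    [ -f "$data_dir/odc.mv.db" ] && noupdate="--noupdate"

    printf '%s' "dependency-check --project spring-boot-docker --scan $scan_dir" \
           " --format GITLAB --format HTML --data $data_dir" \
           " --nvdDatafeed $feed_url" \
           " --disableHostedSuppression --disableCentral --disableOssIndex --disableRetireJS" \
           "${noupdate:+ $noupdate}"
    printf '\n'
}
```

Run the printed command once without --noupdate to build the database from the cache; subsequent runs against the same --data directory can then use --noupdate.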