jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Fails due to "NVD Returned Status Code: 404 - Invalid ISO 8601 date/time format" #7228

Open lwoodring opened 8 hours ago

lwoodring commented 8 hours ago

Describe the bug: Execution of the plugin fails due to an UpdateException; the NVD API is returning that the ISO date format is invalid:

Caused by: io.github.jeremylong.openvulnerability.client.nvd.NvdApiException: NVD Returned Status Code: 404 - Invalid ISO 8601 date/time format, see documentation.

Looks to be the same as issue: https://github.com/jeremylong/DependencyCheck/issues/7164

Version of dependency-check used: The problem occurs using versions 11.1.0 and 11.1.1 of the Maven plugin: dependency-check-maven

Log file:

[INFO] Checking for updates
[DEBUG] rate limited call delay: 5000
[DEBUG] rate limited call delay: 5000
[DEBUG] rate limited call delay: 5000
[DEBUG] rate limited call delay: 5000
[DEBUG] requesting URI: https://services.nvd.nist.gov/rest/json/cves/2.0?lastModStartDate=2024-11-25T10%3A00%3A00-05&lastModEndDate=2025-03-25T10%3A00%3A00-05&resultsPerPage=2000&startIndex=0
[DEBUG] Ticket taken At: 12:11:39; count: 1; by 85
[DEBUG] Requested At: 12:11:39; URI: /rest/json/cves/2.0?lastModStartDate=2024-11-25T10%3A00%3A00-05&lastModEndDate=2025-03-25T10%3A00%3A00-05&resultsPerPage=2000&startIndex=0
[DEBUG] Ticket returned At: 12:11:56; count: 2; by 85
[DEBUG] Status Code: 404
[DEBUG] Reason: Not Found
[DEBUG] Response Headers:
[DEBUG] Key : message ,Value : Invalid ISO 8601 date/time format, see documentation.
[DEBUG] Key : x-frame-options ,Value : SAMEORIGIN
[DEBUG] Key : access-control-allow-origin ,Value : *
[DEBUG] Key : access-control-allow-headers ,Value : accept, apiKey, content-type, origin, x-requested-with
[DEBUG] Key : access-control-allow-methods ,Value : GET, HEAD, OPTIONS
[DEBUG] Key : access-control-allow-credentials ,Value : false
[DEBUG] Key : date ,Value : Wed, 04 Dec 2024 17:11:56 GMT
[DEBUG] Key : content-length ,Value : 0
[DEBUG] Key : apikey ,Value : Yes
[DEBUG] Key : strict-transport-security ,Value : max-age=31536000
[DEBUG] Response: 
[ERROR] Error updating the NVD Data
org.owasp.dependencycheck.data.update.exception.UpdateException: Error updating the NVD Data
    at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi (NvdApiDataSource.java:397)
    at org.owasp.dependencycheck.data.update.NvdApiDataSource.update (NvdApiDataSource.java:117)
    at org.owasp.dependencycheck.Engine.doUpdates (Engine.java:906)
    at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase (Engine.java:711)
    at org.owasp.dependencycheck.Engine.analyzeDependencies (Engine.java:637)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.runCheck (BaseDependencyCheckMojo.java:1959)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:1157)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:126)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2 (MojoExecutor.java:328)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:316)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:212)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:174)
    at org.apache.maven.lifecycle.internal.MojoExecutor.access$000 (MojoExecutor.java:75)
    at org.apache.maven.lifecycle.internal.MojoExecutor$1.run (MojoExecutor.java:162)
    at org.apache.maven.plugin.DefaultMojosExecutionStrategy.execute (DefaultMojosExecutionStrategy.java:39)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:159)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:105)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:73)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:53)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:118)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:261)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:173)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:101)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:906)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:283)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:206)
    at jdk.internal.reflect.DirectMethodHandleAccessor.invoke (DirectMethodHandleAccessor.java:103)
    at java.lang.reflect.Method.invoke (Method.java:580)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:283)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:226)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:407)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:348)
Caused by: io.github.jeremylong.openvulnerability.client.nvd.NvdApiException: NVD Returned Status Code: 404 - Invalid ISO 8601 date/time format, see documentation.
    at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient._next (NvdCveClient.java:410)
    at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.next (NvdCveClient.java:331)
    at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi (NvdApiDataSource.java:353)
    at org.owasp.dependencycheck.data.update.NvdApiDataSource.update (NvdApiDataSource.java:117)
    at org.owasp.dependencycheck.Engine.doUpdates (Engine.java:906)
    at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase (Engine.java:711)
    at org.owasp.dependencycheck.Engine.analyzeDependencies (Engine.java:637)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.runCheck (BaseDependencyCheckMojo.java:1959)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:1157)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:126)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2 (MojoExecutor.java:328)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:316)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:212)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:174)
    at org.apache.maven.lifecycle.internal.MojoExecutor.access$000 (MojoExecutor.java:75)
    at org.apache.maven.lifecycle.internal.MojoExecutor$1.run (MojoExecutor.java:162)
    at org.apache.maven.plugin.DefaultMojosExecutionStrategy.execute (DefaultMojosExecutionStrategy.java:39)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:159)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:105)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:73)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:53)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:118)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:261)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:173)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:101)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:906)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:283)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:206)
    at jdk.internal.reflect.DirectMethodHandleAccessor.invoke (DirectMethodHandleAccessor.java:103)
    at java.lang.reflect.Method.invoke (Method.java:580)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:283)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:226)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:407)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:348)

To Reproduce: Run the plugin per the Maven config:

         <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <version>11.1.1</version>
            <configuration>
               <failBuildOnCVSS>7</failBuildOnCVSS>
               <nvdValidForHours>24</nvdValidForHours>
               <autoUpdate>true</autoUpdate>
               <skip>false</skip>
               <format>HTML</format>
               <nvdApiKey>XXXXX</nvdApiKey>
            </configuration>
            <executions>
               <execution>
                  <id>dependency-check</id>
                  <phase>deploy</phase>
                  <goals>
                     <goal>check</goal>
                  </goals>
               </execution>
            </executions>
         </plugin>

Expected behavior: not an exception

Additional context: Linux Alma9

ftiercelin commented 8 hours ago

@lwoodring I suppose at one stage you have used <nvdDatafeedUrl>https://mirror.cveb.in/nvd/json/cve/1.1/nvdcve-1.1-{0}.json.gz</nvdDatafeedUrl>. If so, your issue should be fixed in 12.0.0 as per https://github.com/jeremylong/DependencyCheck/pull/7222; see also https://github.com/jeremylong/DependencyCheck/issues/7219 and https://github.com/jeremylong/DependencyCheck/issues/7164.

lwoodring commented 7 hours ago

Yes, I did use a mirror for a bit in the last weeks due to other issues. I will await the release.

ftiercelin commented 7 hours ago

@lwoodring , in my case doing the following cleaned up the issue:

  1. upgrade plugin to 11.1.1
  2. run mvn dependency-check:purge
  3. run mvn dependency-check:check (as usual)

Step 2 will purge your database, including the faulty date causing the ISO date format issue, but since moving to 11.X seems to require a full download of all CVEs, this is probably not such a big issue anyway.
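As an added diagnostic example (not part of this thread and not dependency-check's own code), the following Python check pulls the lastModStartDate/lastModEndDate parameters out of a logged NVD request URI like the one in the log above and reports whether each value is in the extended ISO 8601 form the NVD 2.0 API documents (date, time, optional fractional seconds, then Z or a ±HH:MM offset). The hours-only offset "-05" in the logged request is exactly what fails that check; the normalize_offset helper that appends ":00" is my own assumption about a corrected form, not a fix taken from the project.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the request URI from the log in this issue (same query string).
SAMPLE_URI = ("https://services.nvd.nist.gov/rest/json/cves/2.0"
              "?lastModStartDate=2024-11-25T10%3A00%3A00-05"
              "&lastModEndDate=2025-03-25T10%3A00%3A00-05"
              "&resultsPerPage=2000&startIndex=0")

# Extended ISO 8601 as documented by the NVD 2.0 API: date 'T' time, optional
# fractional seconds, then 'Z' or a +HH:MM / -HH:MM offset. An hours-only
# offset such as "-05" does not match; that is the value the API answered with
# "404 - Invalid ISO 8601 date/time format" in the log above.
NVD_DATETIME = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T(?P<time>\d{2}:\d{2}:\d{2}(?:\.\d{1,3})?)"
    r"(?P<offset>Z|[+-]\d{2}:\d{2})$")
# Matches a value whose only defect is a missing ":MM" on the offset (assumption).
HOURS_ONLY_OFFSET = re.compile(
    r"^(.*T\d{2}:\d{2}:\d{2}(?:\.\d{1,3})?)([+-]\d{2})$")

def check_nvd_dates(uri):
    """Return {param: (decoded value, is_valid)} for the date params of a logged URI."""
    qs = parse_qs(urlsplit(uri).query)  # parse_qs percent-decodes, so %3A becomes ':'
    result = {}
    for name in ("lastModStartDate", "lastModEndDate"):
        for value in qs.get(name, []):
            result[name] = (value, NVD_DATETIME.match(value) is not None)
    return result

def normalize_offset(value):
    """Append ':00' to an hours-only offset; return already-valid values unchanged."""
    if NVD_DATETIME.match(value):
        return value
    m = HOURS_ONLY_OFFSET.match(value)
    if m:
        return f"{m.group(1)}{m.group(2)}:00"
    raise ValueError(f"not an NVD-style ISO 8601 date/time: {value!r}")

if __name__ == "__main__":
    for name, (value, ok) in check_nvd_dates(SAMPLE_URI).items():
        fix = "" if ok else f" -> would need {normalize_offset(value)}"
        print(f"{name}={value} valid={ok}{fix}")
```

This only diagnoses what the plugin sent; the remedy on this thread is the purge and upgrade described above, which removes the stored date the request was built from.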