jeremylong / Open-Vulnerability-Project

Java libraries for working with available vulnerability data sources (GitHub Security Advisories, NVD, EPSS, CISA Known Exploited Vulnerabilities, etc.)
Apache License 2.0

NVD API request failures are occurring - NVD Returned Status Code: 503 #182

Closed damienpuig closed 2 months ago

damienpuig commented 3 months ago

Hi!

NVD_API_KEY is set correctly.

Our Vulnz job stopped working a few days ago. Here is how we execute it:

      # requires NVD_API_KEY
      VULNZ_VERSION=6.1.1

      curl -sL https://github.com/jeremylong/Open-Vulnerability-Project/releases/download/v${VULNZ_VERSION}/vulnz-${VULNZ_VERSION}.jar \
        > vulnz-${VULNZ_VERSION}.jar
      chmod 777 vulnz-${VULNZ_VERSION}.jar

      java -Xmx2g -jar ./vulnz-${VULNZ_VERSION}.jar cve --cache --directory ./cache

Here is the result:

NVD API request failures are occurring; retrying request for the 5 time
NVD API request failures are occurring; retrying request for the 6 time
NVD API request failures are occurring; retrying request for the 7 time
NVD API request failures are occurring; retrying request for the 8 time
NVD API request failures are occurring; retrying request for the 9 time
NVD API request failures are occurring; retrying request for the 10 time
NVD API request failures are occurring; retrying request for the 11 time
Unable to complete NVD cache update due to error: NVD Returned Status Code: 503
io.github.jeremylong.vulnz.cli.cache.CacheException: Unable to complete NVD cache update due to error: NVD Returned Status Code: 503
    at io.github.jeremylong.vulnz.cli.commands.CveCommand.processRequest(CveCommand.java:276)
    at io.github.jeremylong.vulnz.cli.commands.CveCommand.timedCall(CveCommand.java:223)
    at io.github.jeremylong.vulnz.cli.commands.TimedCommand.call(TimedCommand.java:36)
    at io.github.jeremylong.vulnz.cli.commands.TimedCommand.call(TimedCommand.java:25)
    at picocli.CommandLine.executeUserObject(CommandLine.java:2045)
    at picocli.CommandLine.access$1500(CommandLine.java:148)
    at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2465)
    at picocli.CommandLine$RunLast.handle(CommandLine.java:2457)
    at picocli.CommandLine$RunLast.handle(CommandLine.java:2419)
    at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2277)
    at picocli.CommandLine$RunLast.execute(CommandLine.java:2421)
    at picocli.CommandLine.execute(CommandLine.java:2174)
    at io.github.jeremylong.vulnz.cli.Application.run(Application.java:73)
    at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:765)
    at org.springframework.boot.SpringApplication.lambda$callRunners$2(SpringApplication.java:749)
    at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.accept(ForEachOps.java:184)
    at java.base/java.util.stream.SortedOps$SizedRefSortingSink.end(SortedOps.java:357)
    at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:510)
    at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
    at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:151)
    at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:174)
    at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
    at java.base/java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:596)
    at org.springframework.boot.SpringApplication.callRunners(SpringApplication.java:744)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:315)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1300)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1289)
    at io.github.jeremylong.vulnz.cli.Application.main(Application.java:61)
    at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
    at java.base/java.lang.reflect.Method.invoke(Method.java:580)
    at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49)
    at org.springframework.boot.loader.Launcher.launch(Launcher.java:108)
    at org.springframework.boot.loader.Launcher.launch(Launcher.java:58)
    at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:65)
Completed in 23 seconds

jeremylong commented 3 months ago

The NVD is experiencing an availability issue - they are working on it. See https://groups.google.com/a/list.nist.gov/g/nvd-news/c/sJmF-2XIA80

ankurga commented 3 months ago

The NVD guys have been having issues on their side for the past couple of days:

https://groups.google.com/a/list.nist.gov/g/nvd-news/c/sJmF-2XIA80

damienpuig commented 3 months ago

Thanks guys!

jeremylong commented 2 months ago

Upgrading to vulnz 6.1.2 is a mandatory upgrade and should help resolve this issue. If using ODC, you must upgrade to 10.0.2.