search

stevespringett / nist-data-mirror

A simple Java command-line utility to mirror the CVE JSON data from NIST.
Apache License 2.0
206 stars 93 forks source link

Tomcat serving NVD mirror files, depceck client reporting "Unable to update Cached Web DataSource" #10

Closed carloreggiani closed 6 years ago

carloreggiani commented 6 years ago
  1. mirrored in a local folder with java -jar nist-data-mirror.jar by tomcat (static content)
  2. executed depcheck cli with parameters :

--cveUrl12Modified http://server:8090/nvd-mirror/nvdcve-Modified.xml.gz --cveUrl20Modified http://server:8090/nvd-mirror/nvdcve-2.0-Modified.xml.gz --cveUrl12Base http://server:8090/nvd-mirror/nvdcve-%d.xml.gz --cveUrl20Base http://server:8090/nvd-mirror/nvdcve-2.0-%d.xml.gz

  1. execution partially complete, error regarding "update Cached Web DataSource": maybe need to clear H2 client database?

Here the datails from execution:

2018-03-19T14:43:02.9352768Z [INFO] Checking for updates 2018-03-19T14:43:02.9352768Z [INFO] starting getUpdatesNeeded() ... 2018-03-19T14:43:03.1384018Z [INFO] Download Started for NVD CVE - Modified 2018-03-19T14:43:03.3727768Z [INFO] Download Complete for NVD CVE - Modified (234 ms) 2018-03-19T14:43:03.3727768Z [INFO] Processing Started for NVD CVE - Modified 2018-03-19T14:43:04.0915268Z [WARN] Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities. 2018-03-19T14:43:04.0915268Z [INFO] Analysis Started 2018-03-19T14:43:07.4040268Z [INFO] Finished Archive Analyzer (3 seconds) 2018-03-19T14:43:07.4196518Z [INFO] Finished File Name Analyzer (0 seconds) 2018-03-19T14:43:10.3102768Z [INFO] Finished Assembly Analyzer (2 seconds) 2018-03-19T14:43:10.3259018Z [INFO] Finished Dependency Merging Analyzer (0 seconds) 2018-03-19T14:43:10.3259018Z [INFO] Finished Version Filter Analyzer (0 seconds) 2018-03-19T14:43:10.4352768Z [INFO] Finished Hint Analyzer (0 seconds) 2018-03-19T14:43:13.1384018Z [INFO] Created CPE Index (2 seconds) 2018-03-19T14:43:13.1384018Z [INFO] Skipping CPE Analysis for npm 2018-03-19T14:43:14.0446518Z [INFO] Finished CPE Analyzer (3 seconds) 2018-03-19T14:43:14.1384018Z [INFO] Finished False Positive Analyzer (0 seconds) 2018-03-19T14:43:14.2790268Z [INFO] Finished Cpe Suppression Analyzer (0 seconds) 2018-03-19T14:43:14.3884018Z [INFO] Finished NVD CVE Analyzer (0 seconds) 2018-03-19T14:43:14.4352768Z [INFO] Finished Vulnerability Suppression Analyzer (0 seconds) 2018-03-19T14:43:14.4821518Z [INFO] Finished Dependency Bundling Analyzer (0 seconds) 2018-03-19T14:43:14.5915268Z [INFO] Analysis Complete (10 seconds) 2018-03-19T14:43:14.9040268Z [ERROR] org.xml.sax.SAXException: Error updating 'CVE-2004-0558' 2018-03-19T14:43:14.9040268Z org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error updating 'CVE-2004-0558'

stevespringett commented 6 years ago

The nist-data-mirror project is independent of Dependency-Check, but yes, wiping out the Dependency-Check data directory occasionally and ensuring you're using the latest version of Dependency-Check is always a good idea.

carloreggiani commented 6 years ago

Deleted the local h2 database, worked fine!

Thank you @stevespringett

stevespringett commented 6 years ago

Glad its working. Cheers.