Closed rmontag-ap closed 1 year ago
My current workaround is indeed to 1) run nist-data-mirror, 2) remove the offending file nvdcve-1.1-2013.json.gz, 3) manually download it with `wget https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2013.json.gz`.
Additional info: We have been using nist-data-mirror 1.6.0 since June 2022, but this issue started last week and has now hit us three times in a row in the last few days.
I did some further checks, and the checksum of the unzipped 2013 file does not match:

```
$ cat nvdcve-1.1-2013.meta
lastModifiedDate:2022-09-30T03:01:57-04:00
size:45431615
zipSize:2449884
gzSize:2449748
sha256:4DF6DAF5270EEA9F79D316297EBCC70352A0BFF40F49A8715A7E6C621B55CBAA
$ sha256sum nvdcve-1.1-2013.json
95a2e870cc5865c11fcc4b63e98d633ca249899011244f74bcd2254127e39f62 nvdcve-1.1-2013.json
$ stat -c %s nvdcve-1.1-2013.json.gz
2449748
```
So I extracted the manually downloaded file, and now the sha256 matches and nist-data-mirror is no longer complaining about 2013:

```
...
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2012.meta
Download succeeded nvdcve-1.1-2012.meta
File 2012 is valid.
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2013.meta
Download succeeded nvdcve-1.1-2013.meta
File 2013 is valid.
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2014.meta
Download succeeded nvdcve-1.1-2014.meta
File 2014 is valid.
...
```

I still need to find out how both the nvdcve-1.1-2013.json.gz and the nvdcve-1.1-2013.json got corrupted on my system.
We suffer the same issue with nist-data-mirror 1.5.0, but with the nvdcve files for first 2020 and then 2014. A check that only valid files are replaced would be great.
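The manual check shown earlier in the thread (compare the `.gz` size with `gzSize` from the `.meta`, decompress, and compare the sha256 of the resulting JSON with the `sha256` line) and the request above for a "replace only if valid" step can be combined into one small validator. The following is an added example, not code from nist-data-mirror or from anyone in this thread; it assumes the `.meta` format exactly as pasted above (`key:value` lines, upper-case hex digest) and builds its own constructed sample feed so it runs offline. The `.gz` is installed over the existing mirror file only after every check passes, so a bad download can never overwrite a good file.

```python
"""Validate an NVD 1.1 JSON feed against its .meta before installing it (added example)."""
import gzip
import hashlib
import os
import tempfile
import zlib


def parse_meta(text):
    """Parse the key:value lines of an nvdcve-1.1-YYYY.meta file into a dict."""
    meta = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        meta[key.strip()] = value.strip()
    return meta


def verify_feed(gz_path, meta_path):
    """Return (ok, reason). ok is True only if the .gz has the advertised gzSize,
    decompresses cleanly, and the JSON inside has the advertised size and sha256.
    The digest is compared case-insensitively because the .meta uses upper-case hex."""
    with open(meta_path, encoding="utf-8") as fh:
        meta = parse_meta(fh.read())
    try:
        gz_size, json_size = int(meta["gzSize"]), int(meta["size"])
        expected_sha = meta["sha256"].lower()
    except (KeyError, ValueError) as exc:
        return False, f"meta file is missing or has a malformed field: {exc}"

    actual_gz_size = os.path.getsize(gz_path)
    if actual_gz_size != gz_size:
        return False, f"gzSize mismatch: meta says {gz_size}, file is {actual_gz_size}"

    digest, total = hashlib.sha256(), 0
    try:
        # Stream the decompression: the real feeds are tens of MB uncompressed.
        with gzip.open(gz_path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
                total += len(chunk)
    except (OSError, EOFError, zlib.error) as exc:  # BadGzipFile is an OSError
        return False, f"gzip decompression failed: {exc}"

    if total != json_size:
        return False, f"size mismatch: meta says {json_size}, decompressed {total}"
    if digest.hexdigest() != expected_sha:
        return False, f"sha256 mismatch: meta says {expected_sha}, got {digest.hexdigest()}"
    return True, "ok"


def install_if_valid(candidate_gz, meta_path, dest_gz):
    """Move candidate_gz over dest_gz only when it validates; otherwise discard the
    candidate and leave dest_gz untouched. Returns (installed, reason)."""
    ok, reason = verify_feed(candidate_gz, meta_path)
    if not ok:
        os.remove(candidate_gz)
        return False, reason
    os.replace(candidate_gz, dest_gz)  # atomic rename: readers never see a partial file
    return True, reason


def make_sample_feed(directory, corrupt=False):
    """Constructed fixture (not real NVD data): write a tiny feed and a matching .meta.
    With corrupt=True one byte inside the deflate stream is flipped while the length is
    kept, mirroring the thread's case where gzSize matched but the content did not."""
    payload = b'{"CVE_data_type":"CVE","CVE_Items":[]}\n'
    gz_bytes = gzip.compress(payload, mtime=0)
    if corrupt:
        idx = 10 + (len(gz_bytes) - 18) // 2  # skip the 10-byte header, stay before the trailer
        gz_bytes = gz_bytes[:idx] + bytes([gz_bytes[idx] ^ 0xFF]) + gz_bytes[idx + 1:]
    gz_path = os.path.join(directory, "nvdcve-1.1-2013.json.gz.part")
    meta_path = os.path.join(directory, "nvdcve-1.1-2013.meta")
    with open(meta_path, "w", encoding="utf-8") as fh:
        fh.write("lastModifiedDate:2022-09-30T03:01:57-04:00\n")
        fh.write(f"size:{len(payload)}\nzipSize:0\ngzSize:{len(gz_bytes)}\n")  # zipSize is a placeholder
        fh.write(f"sha256:{hashlib.sha256(payload).hexdigest().upper()}\n")
    with open(gz_path, "wb") as fh:
        fh.write(gz_bytes)
    return gz_path, meta_path


def demo():
    """Run the good and the corrupt case in a scratch directory; returns the outcomes."""
    with tempfile.TemporaryDirectory() as d:
        dest = os.path.join(d, "nvdcve-1.1-2013.json.gz")
        good_gz, meta = make_sample_feed(d)
        good_installed, _ = install_if_valid(good_gz, meta, dest)
        bad_gz, meta = make_sample_feed(d, corrupt=True)
        bad_installed, bad_reason = install_if_valid(bad_gz, meta, dest)
        return {"good_installed": good_installed, "bad_installed": bad_installed,
                "bad_reason": bad_reason, "dest_survives": os.path.exists(dest),
                "candidate_removed": not os.path.exists(bad_gz)}


if __name__ == "__main__":
    print(demo())
```

In a cron-driven mirror this would run between the download and the move into the served directory, with the downloader writing to a `.part` name first; the distribution tool mentioned later in the thread can run `verify_feed` again before uploading, which catches corruption introduced after the mirror step as well.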
After deleting both the extracted .json and the .json.gz file, nist-data-mirror is working as expected. I did not find out what caused the corruption of the 2013 file.
We suffer the same issue with 1.5.3, and have now upgraded to the docker image nvd-mirror 1.6.0. But I expect the problem to show up again in a few days. This is quite a problem for our CI system, as the maven dependency-check plugin caches the files itself but does not handle corrupt .json.gz files very well, i.e. it does not try to fetch again once I've already fixed the nvd-mirror manually...
I don't think the issue is solved. I moved my other comments to #39
I agree; I closed my issue, but the core problem is not solved. As we distribute the downloaded files with another tool, we changed that tool to check the integrity of the CVE files (again) and block the upload in case of a file corruption.
Hello, we are currently facing a weird issue with our nist-data-mirror for approx. a week. The file nvdcve-1.1-2013.json.gz gets corrupt and cannot be extracted:
When the file is corrupt and we run nist-data-mirror 1.6.0 on our data folder we are getting the following output:
So it reports that the file is corrupted, but I have no idea what caused the corruption or how to solve it. We have a cronjob that runs nist-data-mirror every hour.
I already deleted all nvdcve-1.1-2013* files and reran nist-data-mirror:
So the download from nist-data-mirror failed. I did a manual download from the same server and it worked without problem:
Any advice and help would be appreciated.
Greetings, Rainer