stevespringett / nist-data-mirror

A simple Java command-line utility to mirror the CVE JSON data from NIST.
Apache License 2.0

Regarding nist-data-mirror and dependency-check #24

Closed dbenduga closed 5 years ago

dbenduga commented 5 years ago

I have built the nist-data-mirror docker container. All the nvdcve.json and nvdcve.xml files are downloaded in the container under /tmp/nvd.

Now the question is: how can I use this data with OWASP Dependency Check?

In which config file do I need to mention the settings below? Is it on my nist-data-mirror container or on the client side?

cveUrl12Modified=http://hostname/mirror/nvd/nvdcve-modified.xml.gz
cveUrl20Modified=http://hostname/mirror/nvd/nvdcve-2.0-modified.xml.gz
cveUrl12Base=http://hostname/mirror/nvd/nvdcve-%d.xml.gz
cveUrl20Base=http://hostname/mirror/nvd/nvdcve-2.0-%d.xml.gz

stevespringett commented 5 years ago

Configuration will vary depending on which DC implementation you're using. For the CLI, the docs are here: https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html

dbenduga commented 5 years ago

Hello Steve,

Need some small help...

Could you please help me to mirror the *.meta files with NVD-mirror?

I am able to mirror nvdcve-modified.xml.gz, nvdcve-2.0-modified.xml.gz and nvdcve-1.0-modified.json.gz; however, the application is still facing a problem during Dependency Check. They need the *.meta files as well.

How do I add these files along with the json and xml?

Regards, Dipesh Bendugade


stevespringett commented 5 years ago

meta and json files are supported in v1.3.0.

dbenduga commented 5 years ago

I am using v1.3.0, but I can only see json and xml files under /tmp/nvd.

Regards, Dipesh Bendugade


stevespringett commented 5 years ago

Not sure.

wget https://repo1.maven.org/maven2/us/springett/nist-data-mirror/1.3.0/nist-data-mirror-1.3.0.jar
java -jar nist-data-mirror-1.3.0.jar ./mirror json

This will produce three files per year (.json, .json.gz, and .meta) along with the modified .json/.gz/.meta.

Not sure about the Docker container. It was contributed, but I have never tested it. YMMV
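Because Dependency Check reads each feed's .meta file before it trusts the .json.gz beside it, a mirror is only usable when every year's triplet is present and consistent. The following check is an added example (not part of nist-data-mirror or Dependency Check) that walks a mirror directory and verifies that each nvdcve-1.0-*.json.gz has a sibling .meta whose sha256 and size fields match the decompressed feed; it assumes the NVD 1.0 .meta layout of `key:value` lines (lastModifiedDate, size, zipSize, gzSize, sha256) and builds a small constructed mirror in a temp directory to run against.

```python
import gzip
import hashlib
import tempfile
from pathlib import Path

# Keys present in an NVD 1.0 JSON feed .meta file (assumed layout: one key:value per line).
META_KEYS = ("lastModifiedDate", "size", "zipSize", "gzSize", "sha256")


def parse_meta(text):
    """Parse the key:value lines of a .meta file into a dict (values kept as strings)."""
    meta = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            meta[key.strip()] = value.strip()
    return meta


def verify_feed(gz_path):
    """Return a list of problems for one <feed>.json.gz and its sibling <feed>.meta."""
    problems = []
    meta_path = gz_path.with_name(gz_path.name[: -len(".json.gz")] + ".meta")
    if not meta_path.exists():
        return [f"{meta_path.name} missing (Dependency Check requests it before the .json.gz)"]
    meta = parse_meta(meta_path.read_text())
    missing = [k for k in META_KEYS if k not in meta]
    if missing:
        problems.append(f"{meta_path.name} lacks keys: {', '.join(missing)}")
    with gzip.open(gz_path, "rb") as fh:
        raw = fh.read()  # the uncompressed JSON, which is what sha256/size describe
    if "sha256" in meta and hashlib.sha256(raw).hexdigest().upper() != meta["sha256"].upper():
        problems.append(f"{gz_path.name}: sha256 does not match {meta_path.name}")
    if meta.get("size", "").isdigit() and int(meta["size"]) != len(raw):
        problems.append(f"{gz_path.name}: uncompressed size {len(raw)} != meta size {meta['size']}")
    if meta.get("gzSize", "").isdigit() and int(meta["gzSize"]) != gz_path.stat().st_size:
        problems.append(f"{gz_path.name}: gzSize does not match the file on disk")
    return problems


def verify_mirror(mirror_dir):
    """Check every nvdcve-1.0-*.json.gz in the mirror; returns {filename: [problems]} for failing feeds only."""
    report = {}
    for gz in sorted(Path(mirror_dir).glob("nvdcve-1.0-*.json.gz")):
        problems = verify_feed(gz)
        if problems:
            report[gz.name] = problems
    return report


def build_sample_mirror():
    """Constructed sample mirror: one consistent feed and one whose .meta sha256 is stale."""
    d = Path(tempfile.mkdtemp())
    body = b'{"CVE_data_type":"CVE","CVE_Items":[]}'  # constructed, minimal feed body
    for name, sha_ok in (("nvdcve-1.0-2019", True), ("nvdcve-1.0-modified", False)):
        gz = d / f"{name}.json.gz"
        gz.write_bytes(gzip.compress(body))
        sha = hashlib.sha256(body).hexdigest().upper() if sha_ok else "00" * 32
        (d / f"{name}.meta").write_text(
            f"lastModifiedDate:2019-07-15T20:10:00-04:00\nsize:{len(body)}\n"
            f"zipSize:0\ngzSize:{gz.stat().st_size}\nsha256:{sha}\n")
    return d
```

Point `verify_mirror` at the directory nist-data-mirror wrote (for example `./mirror` from the command above) to confirm the triplets before publishing them behind the cveUrl* settings.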

dbenduga commented 5 years ago

Thanks Steve.. the issue got resolved 😀


neil-n-brown commented 5 years ago

Hi @stevespringett,

I'm struggling to understand how to get Dependency Check to work with my data mirror. For the CLI config, do I just add the two additional cveUrl arguments to the end (as shown below)?

dependency-check.sh --project "example-project" --scan $libDir --format XML --out $workspace --proxyserver ${MYPROXY_SERVER_HOST} --proxyport ${MYPROXY_SERVER_PORT} --cveUrlModified http://example_repo.com:8081/nexus/content/sites/nist-data-mirror/nvdcve-1.0-modified.json.gz --cveUrlBase http://example_repo.com:8081/nexus/content/sites/nist-data-mirror/nvdcve-1.0-%d.json.gz

The problem I'm having is that it is asking for .meta files in the log, but I don't see where to specify the location of the .meta files like I can with the json.gz files.

Am I missing another cveUrl argument?

stevespringett commented 5 years ago

@BrownieX You'll need to ask dependency-check usage questions on the dependency-check mailing list or github issue repo. I no longer use dependency-check in this context and have not used version 5 with a mirror at all.

strictlygit commented 5 years ago

@stevespringett the binaries posted here https://github.com/stevespringett/nist-data-mirror/releases need to be updated; the changes you are looking for are post 1.2.0. @BrownieX, pull down the sources and build out the jar.

strictlygit commented 5 years ago

I spent the best part of a day banging my head against the same wall, until I realised

stevespringett commented 5 years ago

Not sure why 1.3.0 didn't get published to GitHub releases. I'll have to investigate the next time I do a release. In the meantime, I've manually added the 1.3.0 release to it.