testableapple / fastlane-plugin-dependency_check_ios_analyzer

Fastlane wrapper around the OWASP dependency-check iOS analyzers (Swift Package Manager and CocoaPods) 🚀
https://alteral.github.io/fastlane_plugins
MIT License

Intermittent issue with downloading the meta file on Azure DevOps #19

Closed faizan-ali-mlk closed 2 weeks ago

faizan-ali-mlk commented 1 month ago

We have started using Azure DevOps for our iOS project, but I am encountering a very unusual issue with this plugin. In Azure DevOps, the dependency meta files are downloaded every time because each time it has different cloud to run. However, the problem I'm facing is that if I run the same job multiple times, it only successfully downloads the meta file once. For the rest of the attempts, it gives an error instead.

One more thing: it is still targeting the oldest version of the dependency checker, which is 6.6.2, even though version 10.0.3 is already available. Can we update this plugin to the latest version?

:56]: 🚀 Downloading DependencyCheck: https://github.com/jeremylong/DependencyCheck/releases/download/v6.2.2/dependency-check-6.2.2-release.zip
[06:40:57]: $ chmod 775 ./fastlane/dependencyCheckReports/dependency-check/bin/dependency-check.sh
[06:40:57]: $ ./fastlane/dependencyCheckReports/dependency-check/bin/dependency-check.sh --enableExperimental --disableBundleAudit --prettyPrint --project project-ios --out ./fastlane/dependencyCheckReports/CocoaPods/report --failOnCVSS 11 --scan ./Podfile.lock --format ALL --suppression ./fastlane/suppression/dependency-check-suppression.xml
[06:41:00]: ▸ [INFO] Checking for updates
[06:41:10]: ▸ [ERROR] Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2002.meta
[06:41:10]: ▸ org.owasp.dependencycheck.data.update.exception.UpdateException: Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2002.meta
[06:41:10]: ▸ at org.owasp.dependencycheck.data.update.NvdCveUpdater.getMetaFile(NvdCveUpdater.java:349)
[06:41:10]: ▸ at org.owasp.dependencycheck.data.update.NvdCveUpdater.getUpdatesNeeded(NvdCveUpdater.java:401)
[06:41:10]: ▸ at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:122)
[06:41:10]: ▸ at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:873)
[06:41:10]: ▸ at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:680)
[06:41:10]: ▸ at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:606)
[06:41:10]: ▸ at org.owasp.dependencycheck.App.runScan(App.java:254)
[06:41:10]: ▸ at org.owasp.dependencycheck.App.run(App.java:186)
[06:41:10]: ▸ at org.owasp.dependencycheck.App.main(App.java:81)
[06:41:10]: ▸ Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Download failed, unable to retrieve 'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2002.meta'; Error downloading file https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2002.meta; unable to connect.
[06:41:10]: ▸ at org.owasp.dependencycheck.utils.Downloader.fetchContent(Downloader.java:187)
[06:41:10]: ▸ at org.owasp.dependencycheck.data.update.NvdCveUpdater.getMetaFile(NvdCveUpdater.java:342)
[06:41:10]: ▸ ... 8 common frames omitted
[06:41:10]: ▸ Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Error downloading file https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2002.meta; unable to connect.
[06:41:10]: ▸ at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:267)
[06:41:10]: ▸ at org.owasp.dependencycheck.utils.HttpResourceConnection.fetch(HttpResourceConnection.java:163)

testableapple commented 3 weeks ago

Hi @faizan-ali-mlk, Thanks for opening the ticket. Feel free to provide the required version via the :cli_version option.

In the meantime, I will try to look at the possibility of updating the default version when I have some time 👍

Best, Alexey

faizan-ali-mlk commented 3 weeks ago

Hi @testableapple,

Thanks for paying attention to this issue.

I can’t simply use the cli_version parameter for the latest version because it requires a key, and I don’t see any parameter available to provide that key.

Regards, Faizan ali

testableapple commented 3 weeks ago

@faizan-ali-mlk, could you please remind me of the key you are referring to? As far as I remember it's just a version of the DependencyCheck CLI that matters 🤔

faizan-ali-mlk commented 3 weeks ago

@testableapple

DependencyCheck

Upgrading to 10.0.2 or later is mandatory

Older versions of dependency-check are causing numerous, duplicative requests that end in processing failures and are causing unnecessary load on the NVD API. Dependency-check 10.0.2 uses an updated User-Agent header that will allow the NVD to block calls from the older client.

NVD API Key Highly Recommended Dependency-check has moved from using the NVD data-feed to the NVD API. Users of dependency-check are highly encouraged to obtain an NVD API Key; see https://nvd.nist.gov/developers/request-an-api-key Without an NVD API Key dependency-check's updates will be extremely slow. Please see the documentation for the cli, maven, gradle, or ant integrations on how to set the NVD API key.
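The thread boils down to two defender-side checks worth automating in CI: is the pinned dependency-check CLI older than the 10.0.2 minimum the DependencyCheck project declares mandatory, and did the update step fall back to the retired NVD JSON data feed (the `nvdcve-1.1-*.meta` download failure in the Azure DevOps log above)? The Ruby below is an added example written for this issue; it is not code from the plugin or from either participant. It scans a dependency-check log, reports the CLI version and any legacy-feed failures, and prints remediation advice. The `SAMPLE_LOG` is constructed from the output pasted earlier in the thread, and the regexes assume the plugin's "Downloading DependencyCheck" line format shown there.

```ruby
# Added example (not part of the plugin or the thread): post-process a
# dependency-check log and flag the two conditions discussed in this issue.
#   1. CLI version below 10.0.2, the minimum the DependencyCheck README quoted
#      above declares mandatory (older clients get blocked by the NVD).
#   2. Failed downloads from the legacy NVD JSON data feed, the error the
#      Azure DevOps job above hits once the feed is no longer served.

# Minimum version taken from the README text quoted in the thread.
MIN_CLI_VERSION = Gem::Version.new('10.0.2')

# Assumed line format: the plugin's "Downloading DependencyCheck" line with the
# release asset URL, from which the CLI version is captured.
DOWNLOAD_RE = %r{DependencyCheck/releases/download/v(\d+\.\d+\.\d+)/}

# The legacy data-feed URL that old clients still try to fetch.
LEGACY_FEED_RE = %r{Unable to download meta file: (https://nvd\.nist\.gov/feeds/\S+)}

# Returns a hash with the CLI version found (if any), whether it is below the
# mandatory minimum, and the distinct legacy-feed URLs that failed to download.
# Stack traces repeat the same URL several times, so the list is deduplicated.
def analyze_dependency_check_log(log_text)
  version = nil
  failed_feeds = []

  log_text.each_line do |line|
    if (m = DOWNLOAD_RE.match(line))
      version = Gem::Version.new(m[1])
    elsif (m = LEGACY_FEED_RE.match(line))
      failed_feeds << m[1] unless failed_feeds.include?(m[1])
    end
  end

  {
    cli_version: version&.to_s,
    outdated: !version.nil? && version < MIN_CLI_VERSION,
    legacy_feed_failures: failed_feeds,
  }
end

# Turns the analysis into CI-friendly advice: one line per finding, or a
# single "all clear" line when nothing is wrong.
def remediation_advice(result)
  advice = []
  if result[:outdated]
    advice << "dependency-check #{result[:cli_version]} is below #{MIN_CLI_VERSION}; upgrade the CLI"
  end
  unless result[:legacy_feed_failures].empty?
    count = result[:legacy_feed_failures].size
    advice << "scan tried the retired NVD JSON feed (#{count} URL(s)); use a client that talks to the NVD API and configure an NVD API key"
  end
  advice << 'no update problems detected' if advice.empty?
  advice
end

# Constructed sample, condensed from the log pasted earlier in the thread.
SAMPLE_LOG = <<~LOG
  [06:40:56]: 🚀 Downloading DependencyCheck: https://github.com/jeremylong/DependencyCheck/releases/download/v6.2.2/dependency-check-6.2.2-release.zip
  [06:41:00]: ▸ [INFO] Checking for updates
  [06:41:10]: ▸ [ERROR] Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2002.meta
  [06:41:10]: ▸ org.owasp.dependencycheck.data.update.exception.UpdateException: Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2002.meta
LOG

if __FILE__ == $PROGRAM_NAME
  result = analyze_dependency_check_log(SAMPLE_LOG)
  puts remediation_advice(result)
end
```

Run it on the real fastlane output (for example by piping the lane's log into `analyze_dependency_check_log`) as a post-scan step; a non-empty finding list is the signal that the scan's vulnerability data is stale or absent, which matters more than the scan "passing" with an empty database.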

testableapple commented 2 weeks ago

Hi @faizan-ali-mlk, Check out https://github.com/testableapple/fastlane-plugin-dependency_check_ios_analyzer/releases/tag/v1.3.0