Невозможно загрузить данные NVE CVE - PullRequest
1 голос
/ 12 марта 2020
[INFO]
[INFO] --- dependency-check-maven:4.0.2:check (default) @ realtimePaymachine ---
[INFO] Central analyzer disabled
[WARNING] The POM for com.oracle:ojdbc:jar:12.2.0.1 is missing, no dependency information available
[INFO] Checking for updates
[INFO] starting getUpdatesNeeded() ...
[ERROR] IO Exception connecting to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2009.xml.gz: HEAD request returned a non-200 status code: https://nvd.nist.gov/feeds/xm
l/cve/2.0/nvdcve-2.0-2009.xml.gz
[ERROR] IO Exception connecting to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2010.xml.gz: HEAD request returned a non-200 status code: https://nvd.nist.gov/feeds/xm
l/cve/2.0/nvdcve-2.0-2010.xml.gz
[ERROR] IO Exception connecting to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2011.xml.gz: HEAD request returned a non-200 status code: https://nvd.nist.gov/feeds/xm
l/cve/2.0/nvdcve-2.0-2011.xml.gz
[ERROR] IO Exception connecting to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2007.xml.gz: HEAD request returned a non-200 status code: https://nvd.nist.gov/feeds/xm
l/cve/2.0/nvdcve-2.0-2007.xml.gz
[ERROR] IO Exception connecting to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2020.xml.gz: HEAD request returned a non-200 status code: https://nvd.nist.gov/feeds/xm
l/cve/2.0/nvdcve-2.0-2020.xml.gz
[ERROR] IO Exception connecting to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2002.xml.gz: HEAD request returned a non-200 status code: https://nvd.nist.gov/feeds/xm
l/cve/2.0/nvdcve-2.0-2002.xml.gz
[ERROR] IO Exception connecting to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2008.xml.gz: HEAD request returned a non-200 status code: https://nvd.nist.gov/feeds/xm
l/cve/2.0/nvdcve-2.0-2008.xml.gz
[ERROR] IO Exception connecting to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2004.xml.gz: HEAD request returned a non-200 status code: https://nvd.nist.gov/feeds/xm
l/cve/2.0/nvdcve-2.0-2004.xml.gz
[ERROR] IO Exception connecting to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2018.xml.gz: HEAD request returned a non-200 status code: https://nvd.nist.gov/feeds/xm
l/cve/2.0/nvdcve-2.0-2018.xml.gz
[WARNING] Unable to download the NVD CVE data; the results may not include the most recent CPE/CVEs from the NVD.
[INFO] If you are behind a proxy you may need to configure dependency-check to use the proxy.
[WARNING] Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
[ERROR] No documents exist

Unable to continue dependency-check analysis.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  13.128 s
[INFO] Finished at: 2020-03-11T23:10:47-06:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:4.0.2:check (default) on project realtimePaymachine: Fatal exception(s) analyzing realtimePaymachine: Unable
 to continue dependency-check analysis.
[ERROR]         Unable to download the NVD CVE data.
[ERROR]         No documents exist
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

в pom. xml У меня есть ojdb c добавлена ​​зависимость

 <dependency>
            <groupId>com.oracle</groupId>
            <artifactId>ojdbc</artifactId>
            <version>${ojdbc.version}</version>
            <scope>provided</scope>
        </dependency>

когда я получаю сборку Не удается загрузить данные NVD CVE. Мне нужно включить любую зависимость чтобы решить эту проблему или каким-либо образом, чтобы я мог попробовать все возможные способы любой помощи?

1 Ответ

1 голос
/ 12 марта 2020

Доступ к этим конечным точкам через cURL дает следующий вывод:

curl -v https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2018.xml.gz
*   Trying 2600:1f18:268d:1d01:f609:5e91:8a48:f546...
* TCP_NODELAY set
* Connected to nvd.nist.gov (2600:1f18:268d:1d01:f609:5e91:8a48:f546) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=Maryland; L=Gaithersburg; O=National Institute of Standards and Technology; OU=OISM; CN=nvd.nist.gov
*  start date: Oct 15 00:00:00 2019 GMT
*  expire date: Oct 15 12:00:00 2020 GMT
*  subjectAltName: host "nvd.nist.gov" matched cert's "nvd.nist.gov"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
*  SSL certificate verify ok.
> GET /feeds/xml/cve/2.0/nvdcve-2.0-2018.xml.gz HTTP/1.1
> Host: nvd.nist.gov
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 410 Data Feed/Service Retired
< server: Microsoft-IIS/8.5
< x-frame-options: SAMEORIGIN
< date: Thu, 12 Mar 2020 06:29:02 GMT
< content-length: 0
< strict-transport-security: max-age=31536000

В нем указано 410 Data Feed / Service Retired, что указывает на то, что они больше не поддерживают эту службу / конечную точку.

Когда в последний раз вы могли успешно выполнить эту проверку?

ОБНОВЛЕНИЕ :

Похоже, что их страница в настоящее время действительно медленная / недоступна: https://nvd.nist.gov/. Я предположил бы, что у них в настоящее время есть проблема на их стороне. Поэтому либо подождите некоторое время, либо временно отключите проверку, чтобы получить хотя бы успешную сборку.

Добро пожаловать на сайт PullRequest, где вы можете задавать вопросы и получать ответы от других членов сообщества.
...