Please Read: Mandatory Upgrade to 12.1.0 or later #7463

Closed
jeremylong opened this issue Feb 24, 2025 · 9 comments
Comments

@jeremylong (Collaborator)

Due to compatibility issues with the NVD API - all users must upgrade to 12.1.0 or later.

@marcelstoer (Collaborator)

For details see the CHANGELOG and the referenced issue.

bpapez added a commit to Jahia/jahia-modules-action that referenced this issue Feb 27, 2025
Compatibility issues with the NVD API lead to failing nightly checks.
Fix is to do the mandatory update of dependency-check-maven and follow
advice on: dependency-check/DependencyCheck#7463
Jurrie added a commit to Jurrie/dependencycheck-central-mysql-docker that referenced this issue Mar 4, 2025
Because of
dependency-check/DependencyCheck#7463 prior
versions do not work with the NVD API anymore and will fill up the logs.
natedanner added a commit to openrewrite/rewrite-build-gradle-plugin that referenced this issue Mar 5, 2025
@kaushikdutta2025
Hi, we are facing build failures after updating to 12.1.0. Please check the screenshots. This is a Java application and we are using Gradle (`./gradlew dependencyCheckAnalyze`); we have used an NVD API key as well. In one other Python repo we are getting this error.

@jeremylong (Collaborator, Author)

The parse error is because the CPE has a trailing tab; see #7509 (comment).

I'll email the NVD

@kaushikdutta2025 commented Mar 7, 2025 via email

@kaushikdutta2025 commented Mar 7, 2025 via email

@GoodOwl commented Mar 7, 2025

> Hi,
> We are using dependency check in cicd pipeline so nvd are pulled on demand. can you please suggest a solution.
>
> Regards,
> Kaushik Dutta

To update the nvd data sounds like the best approach. Is it possible?

@davidecavestro commented Mar 7, 2025

> Hi,
> We are using dependency check in cicd pipeline so nvd are pulled on demand. can you please suggest a solution.
>
> Regards,
> Kaushik Dutta

TL;DR: you should persist the NVD DB.

I can just speak for the Maven plugin as I've not tried this with Gradle.
For the trailing tab issue I see:
mvn org.owasp:dependency-check-maven:12.1.0:update-only -> SUCCESS (logs an error and continues)
mvn org.owasp:dependency-check-maven:8.2.1:update-only -> FAILURE

So using a CI/CD pipeline is a valid approach IF you use a version that doesn't fail. I.e. I use it to (nightly) cache the data into a container image, possibly for multiple plugin versions (the NVD DB persistence varies). Then I run Maven on CI using that image, hence reusing the cached data.
But this doesn't work for the versions that still fail.
OTOH if you get the data just to put it into a relational DB, then you are OK.
Repeatedly downloading the NVD DB on the fly leads to various issues (throttling, random network errors, etc.).

That said, I hope folks at NIST will fix it soon (possibly adding some check to avoid further disruptions).
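One way to realise the nightly caching davidecavestro describes, as an added example that is not from this thread or the project: a two-stage Dockerfile that runs the 12.1.0 `update-only` goal once and ships the resulting data directory for CI jobs to reuse, so every build does not hit the NVD API again. The `dataDirectory`, `nvdApiKey` and `autoUpdate` plugin properties are assumed to be the ones dependency-check-maven reads from `-D` flags; the base image name and the `/opt/dependency-check/data` path are assumptions, and the secret mount needs BuildKit.

```dockerfile
# Stage 1: refresh the NVD cache once (e.g. from a nightly build) using a
# plugin version that tolerates the trailing-tab CPE records (12.1.0 or later).
FROM maven:3.9-eclipse-temurin-17 AS nvd-cache
# Assumed cache location; the plugin is pointed at it via -DdataDirectory.
ENV DC_DATA=/opt/dependency-check/data
# The NVD API key is passed as a BuildKit secret so it never lands in an image layer.
RUN --mount=type=secret,id=nvd_api_key \
    mvn -B org.owasp:dependency-check-maven:12.1.0:update-only \
        -DdataDirectory="$DC_DATA" \
        -DnvdApiKey="$(cat /run/secrets/nvd_api_key)"

# Stage 2: the CI image. It carries only the cached database; the scan in CI
# runs against it with auto-update disabled, so no per-build NVD download.
FROM maven:3.9-eclipse-temurin-17
ENV DC_DATA=/opt/dependency-check/data
COPY --from=nvd-cache /opt/dependency-check/data /opt/dependency-check/data
# CI jobs then run, inside this image, something like:
#   mvn org.owasp:dependency-check-maven:12.1.0:check \
#       -DdataDirectory="$DC_DATA" -DautoUpdate=false
```

Rebuild the image on a schedule (the nightly job) rather than per pipeline run, and pass the key with `docker build --secret id=nvd_api_key,src=...` so it stays out of the image history.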

@ob-alexn-sportsbet

Are there any plans to backport these latest fixes to version 10 which is the last Java 8 compatible version of dependency-check?

@jeremylong (Collaborator, Author)

No

hezhangjian pushed a commit to apache/bookkeeper that referenced this issue Apr 1, 2025
### Motivation

The CI Job `OWASP Dependency Check` has failed consistently since [last month][failed-ci-job], below are the error details:
```
Error:  Unable to continue dependency-check analysis.
Error:  Failed to execute goal org.owasp:dependency-check-maven:10.0.2:aggregate (default) on project bookkeeper: Fatal exception(s) analyzing Apache BookKeeper :: Parent: One or more exceptions occurred during analysis:
Error:  	UpdateException: Error updating the NVD Data
Error:  		caused by NvdApiException: Failed to parse NVD data
Error:  		caused by ValueInstantiationException: Cannot construct instance of `io.github.jeremylong.openvulnerability.client.nvd.CvssV4Data$ModifiedCiaType`, problem: SAFETY
Error:   at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 1, column: 3052240] (through reference chain: io.github.jeremylong.openvulnerability.client.nvd.CveApiJson20["vulnerabilities"]->java.util.ArrayList[1471]->io.github.jeremylong.openvulnerability.client.nvd.DefCveItem["cve"]->io.github.jeremylong.openvulnerability.client.nvd.CveItem["metrics"]->io.github.jeremylong.openvulnerability.client.nvd.Metrics["cvssMetricV40"]->java.util.ArrayList[0]->io.github.jeremylong.openvulnerability.client.nvd.CvssV4["cvssData"]->io.github.jeremylong.openvulnerability.client.nvd.CvssV4Data["modifiedSubsequentSystemIntegrity"])
Error:  		caused by IllegalArgumentException: SAFETY
Error:  	NoDataException: No documents exist
Error:  -> [Help 1]
```

According to `dependency-check` Mandatory Upgrade [Notice](dependency-check/DependencyCheck#7463):
```
Due to compatibility issues with the NVD API - all users must upgrade to 12.1.0 or later.
```

This patch is to do so.

[failed-ci-job]: https://github.com/apache/bookkeeper/actions/runs/13349834218/job/37284861261
7 participants