Description
Precondition
- I checked the issues list for existing open or closed reports of the same problem.
Describe the bug
Downloading the NVD data feed from a mirror created with vulnz fails with the following error:
java.util.zip.ZipException: Not in GZIP format
In detail:
I created a Bitbucket page that mirrors the NVD feed. The mirror is created with the vulnz Docker image (steps: create the cache with vulnz, git commit and push the content; the mirror is served by Bitbucket Pages).
I then added nvdDataFeedUrl in another project's pom.xml, pointing to the page.
I am able to check that the URLs are indeed correct, as I can download the .json.gz with my browser.
dependency-check-maven (and I suppose others too) fails with the error above.
If I check the HTTP headers I get from the server when I use my browser, I can see that:
- content-encoding is gzip
- content-type is application/json
My best guess is that both client and server agree on handling gzip, and the client ends up with uncompressed JSON and then tries to uncompress it again.
Version of dependency-check used
The problem occurs using version 12.1.0 of the Maven plugin (docker: maven:3.9.6-eclipse-temurin-17-alpine).
Log file
https://gist.github.com/JoKoT3/5a077a3a5d2d50c3abc17eb04c96f35d
To Reproduce
Steps to reproduce the behavior:
- create a mirror with vulnz
- serve said mirror over HTTP/2 with gzip content-encoding (Bitbucket Pages appears to use CloudFront)
- set the URL for the mirror in nvdDataFeedUrl
- run dependency-check in a way that the database has to be populated
- see error
Expected behavior
A fix may be to implement a catch on the java.util.zip.ZipException and try to load it as uncompressed JSON.
Additional context
I can provide my personal mirror URL in private for testing purposes.
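The failure mode described in this report (a body that has already been inflated by the HTTP layer being handed to GZIPInputStream a second time) can be handled without relying on catching ZipException: look at the first two bytes of the stream and only wrap it in a GZIPInputStream when the RFC 1952 magic number (0x1f 0x8b) is present. The following is an added, self-contained Java example written for this page; it is not code from dependency-check or from the reporter, the method names (maybeGunzip, readFeed) are my own, and the JSON sample is constructed, not a real NVD feed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.PushbackInputStream;
import java.nio.charset.StandardCharsets;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;

public class GzipSniff {

    /**
     * Return a stream that yields the decompressed bytes whether or not the
     * input is still gzip-compressed. The decision is made on the gzip magic
     * number (ID1 = 0x1f, ID2 = 0x8b, RFC 1952), not on the file extension or
     * the Content-Type header, so a body that a proxy or HTTP client has
     * already inflated (Content-Encoding: gzip) is passed through untouched.
     */
    static InputStream maybeGunzip(InputStream in) throws IOException {
        PushbackInputStream pb = new PushbackInputStream(in, 2);
        byte[] head = new byte[2];
        int n = pb.readNBytes(head, 0, 2);   // blocks until 2 bytes or EOF
        if (n > 0) {
            pb.unread(head, 0, n);           // put the peeked bytes back
        }
        boolean isGzip = n == 2
                && (head[0] & 0xff) == 0x1f
                && (head[1] & 0xff) == 0x8b;
        return isGzip ? new GZIPInputStream(pb) : pb;
    }

    /** Read a (possibly gzip-compressed) JSON feed body into a String. */
    static String readFeed(InputStream body) throws IOException {
        try (InputStream in = maybeGunzip(body)) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    /** Helper used only to build the compressed test input. */
    static byte[] gzip(byte[] raw) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (GZIPOutputStream gz = new GZIPOutputStream(bos)) {
            gz.write(raw);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample; a real NVD feed is much larger.
        byte[] json = "{\"vulnerabilities\":[]}".getBytes(StandardCharsets.UTF_8);

        // Case 1: the server sends the .json.gz bytes as-is (no Content-Encoding
        // applied, or the client did not decode it). Magic bytes present: inflate.
        String fromCompressed = readFeed(new ByteArrayInputStream(gzip(json)));

        // Case 2: the transport already removed the gzip layer (the situation
        // suspected in this report), so the body is plain JSON. No magic bytes:
        // pass through instead of failing with "Not in GZIP format".
        String fromPlain = readFeed(new ByteArrayInputStream(json));

        System.out.println(fromCompressed.equals(fromPlain)
                ? "both paths yield the same JSON"
                : "mismatch");
    }
}
```

Sniffing the magic number is preferable to catching ZipException after the fact because GZIPInputStream may have consumed bytes from a non-resettable network stream before it throws, whereas the PushbackInputStream above never loses the peeked bytes. To check a real mirror against the hypothesis in this report, fetch the same .json.gz URL with curl once with `--compressed` (which sends Accept-Encoding: gzip and decodes the response) and once without it, and compare whether the downloaded bytes still begin with 1f 8b.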