Please Read: Mandatory Upgrade to 10.0.2 or later #6817

Open
jeremylong opened this issue Jul 8, 2024 · 6 comments

Comments

@jeremylong
Owner

jeremylong commented Jul 8, 2024

Users of 9.0.0 through 10.0.1 must upgrade to 10.0.2

Please see https://github.com/jeremylong/DependencyCheck?tab=readme-ov-file#mandatory-upgrade-notice.

Note 9.x no longer works - so you should have already upgraded.

@chadlwilson
Contributor

chadlwilson commented Jul 10, 2024

If it helps folks, reposting my summary from #6816 (comment)

Here's my summary given the current (July 2024) load. Hope it helps.

  • >= 9.x, <= 10.0.1: Will get 403/404 due to NVD rejecting old clients (see #6817, "Please Read: Mandatory Upgrade to 10.0.2 or later")
    1. Upgrade to 10.0.2.
  • >= 10.0.2 without API key: Quite likely to be getting 503s due to load, per #6758 ("https://services.nvd.nist.gov/ endpoint is giving 503 Service Unavailable")
    1. Consider getting an API key. :-)
  • >= 10.0.2 with valid API key: Should be working, but
    • If getting 503: The retries should get you through eventually as load should be improving.
      1. But you might want to look at https://jeremylong.github.io/DependencyCheck/data/cachenvd.html or https://jeremylong.github.io/DependencyCheck/data/cacheh2.html to reduce your dependency on the NVD by reducing the number of calls.
      2. Consider adjusting the ODC retry delay to be longer.
    • If getting 403/404:
      1. Double check your API key is valid using curl or similar.
      2. Double check the same API key is going through correctly from your plugin/CLI. The logging @jeremylong is adding may help improve this, but if using Gradle you can try logging it temporarily within Gradle to make sure it is being read correctly from your environment.
        • If you have been re-generating API keys, check you are using the correct one. Old keys are invalidated when you regenerate from the same email address.
      3. Turn on Maven debug logging, Gradle --info logging, or gradle --stacktrace and see if there is some other connectivity issue to the NVD API other than a 403/404/503 (especially if you have recently moved from ODC 8.x).
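
The "double check your API key with curl or similar" step and the "403/404 versus 503" distinction in the summary above can be scripted. The following is an added example, not code from the DependencyCheck project or from anyone in this thread: a small Python checker that sends one request to the NVD CVE API 2.0 endpoint with the `apiKey` header, classifies the HTTP status the way the summary does (403/404 = rejected key or client, 503 = transient overload), and retries only the transient case with exponential backoff. The `fetch` parameter and `make_fake_fetch` helper are my own additions so the logic can be exercised offline against a constructed sequence of status codes; the `NVD_API_KEY` environment variable name is an assumption for the stand-alone run.

```python
"""Offline-testable NVD API key and connectivity check (added example).

Assumes the NVD CVE API 2.0 endpoint and its `apiKey` request header.
`fetch` is an injectable callable (hypothetical, for this example) so the
retry/classification logic can run without network access.
"""
import os
import time
import urllib.error
import urllib.request

# Smallest possible query: one result is enough to learn whether the key is accepted.
NVD_CVE_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0?resultsPerPage=1"


def http_fetch(url, api_key):
    """Perform the real request and return the HTTP status code.

    4xx/5xx are returned as plain integers rather than raised, so the caller
    can classify them uniformly.
    """
    req = urllib.request.Request(url)
    if api_key:
        req.add_header("apiKey", api_key)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def classify(status):
    """Map an HTTP status onto the three cases discussed in the thread."""
    if status == 200:
        return "ok"
    if status in (403, 404):
        # NVD rejected the key or the client; retrying will not help.
        return "rejected"
    if status in (429, 503):
        # Load/rate-limit condition; retrying with a longer delay may succeed.
        return "overloaded"
    return "other"


def check_nvd(api_key, fetch=http_fetch, max_retries=3, base_delay=1.0, sleep=time.sleep):
    """Return (verdict, last_status, attempts).

    Only "overloaded" responses are retried, doubling the delay each time.
    A 403/404 is returned immediately: retrying an invalid key only consumes
    your request budget and produces the same answer.
    """
    attempts = 0
    delay = base_delay
    while True:
        attempts += 1
        status = fetch(NVD_CVE_URL, api_key)
        verdict = classify(status)
        if verdict == "overloaded" and attempts <= max_retries:
            sleep(delay)
            delay *= 2
            continue
        return verdict, status, attempts


def make_fake_fetch(statuses):
    """Constructed response sequence for offline demonstration/testing."""
    it = iter(statuses)

    def fetch(url, api_key):
        return next(it)

    return fetch


if __name__ == "__main__":
    # Stand-alone run against the live API using the key from the environment
    # (NVD_API_KEY is an assumed variable name, not an ODC setting).
    key = os.environ.get("NVD_API_KEY")
    verdict, status, attempts = check_nvd(key)
    print(f"verdict={verdict} status={status} attempts={attempts} key_present={bool(key)}")
```

Run it with your key exported and compare the verdict with what the plugin/CLI reports: a "rejected" here means the key itself is the problem (regenerated and stale, or mistyped), while "ok" here but failures from the build mean the key is not reaching the plugin as configured.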

@akshat62

2024-07-23T02:39:07.818+0530 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter] > Failed to create Jar file /home/guptaksh/.gradle/caches/jars-8/496c5fdd91687c666d36586f714c36d0/jackson-core-2.17.1.jar.

How to fix this ?

@jeremylong
Owner Author

@akshat62 please open a new issue for any unrelated problems. In your case, see https://github.com/dependency-check/dependency-check-gradle?tab=readme-ov-file#gradle-build-environment

If you have any follow-on problems/questions - open a new ticket.

@kwin
Contributor

kwin commented Jul 31, 2024

What about version < 9? How long is this still supported from NVD side?

@chadlwilson
Contributor

https://nvd.nist.gov/general/news/change-timeline

Update: The retirement timeline has been extended for the Legacy Data Feed Files until further notice.

That comment is not dated but was first noted December 2023. https://groups.google.com/a/list.nist.gov/g/nvd-news/c/aofnAd3HP2g

The NVD will retire the Legacy Data Feed Files once improvements for bulk download capabilities of the NVD dataset are implemented.

To my knowledge there’s been no improvement to the bulk download capabilities yet, and the NVD has had many other problems to deal with this year. I’d follow https://www.nist.gov/itl/nvd

alinposho added a commit to alinposho/nvd-clojure that referenced this issue Aug 2, 2024
 - Due to jeremylong/DependencyCheck#6817 we need to uptake the mandatory upgrade to dependency-check-core 10.0.3 for the dependency check to work.
@aikebah aikebah changed the title Please Read: Mandatory Upgrade to 10.0.2 Please Read: Mandatory Upgrade to 10.0.2 or later Oct 4, 2024