ESAPI 2.5.3.0 status update - stuck on failing Dependency Check


Kevin W. Wall

Nov 23, 2023, 12:33:59 AM
to esapi-project-users
Things were going well until I got to the point where Dependency Check started to run. As usual, I updated all the plugins and executed 'mvn compile install' to test things out. It ran fine until it got to running Dependency Check. At that point, it gave me a warning about not having an NVD API Key and failed, so I followed the instructions in the Dependency Check GitHub README.md and obtained that. Had to hunt a lot more (by grepping its code) until I found out how to use it from Maven.

It looks like Dependency Check is getting a 503 HTTP status code (i.e., Service Unavailable). If indeed that's what the error is, I expected it to go away after a bit, but it's been failing for the past 2+ hours, so now I'm not so sure.

If it's still failing tomorrow, it probably won't get addressed until at least Friday. Alternatively, I may just skip Dependency Check as we also use Dependabot and Snyk. In fact, since tomorrow is Thanksgiving, I might not get to this until Friday anyway.

But that's where the 2.5.3.0 release currently stands. Below is an example of me trying to run Dependency Check by itself. This is the error I get each time. Sometimes it fails immediately, sometimes after 12% of the records have been downloaded, and this lucky time I got as far as 23%. (Woohoo!)

wallk@feynman:~/work/esapi/prep-2.5.3.0$ mvn -DnvdApiKey=$NVD_API_KEY org.owasp:dependency-check-maven:check
[INFO] Scanning for projects...
[INFO] 
[INFO] -----------------------< org.owasp.esapi:esapi >------------------------
[INFO] Building ESAPI 2.5.3.0
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- dependency-check-maven:9.0.0:check (default-cli) @ esapi ---
[INFO] Checking for updates
[INFO] NVD API has 171,457 records in this update
[INFO] Downloaded 20,000/171,457 (12%)
[INFO] Downloaded 40,000/171,457 (23%)
[ERROR] Error updating the NVD Data
org.owasp.dependencycheck.data.update.exception.UpdateException: Error updating the NVD Data
    at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi (NvdApiDataSource.java:336)
    at org.owasp.dependencycheck.data.update.NvdApiDataSource.update (NvdApiDataSource.java:110)
    at org.owasp.dependencycheck.Engine.doUpdates (Engine.java:902)
    at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase (Engine.java:707)
    at org.owasp.dependencycheck.Engine.analyzeDependencies (Engine.java:633)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.runCheck (BaseDependencyCheckMojo.java:1936)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:1119)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:498)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:289)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:229)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:415)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:356)
Caused by: io.github.jeremylong.openvulnerability.client.nvd.NvdApiException: NVD Returned Status Code: 503
    at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.next (NvdCveClient.java:327)
    at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi (NvdApiDataSource.java:315)
    at org.owasp.dependencycheck.data.update.NvdApiDataSource.update (NvdApiDataSource.java:110)
    at org.owasp.dependencycheck.Engine.doUpdates (Engine.java:902)
    at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase (Engine.java:707)
    at org.owasp.dependencycheck.Engine.analyzeDependencies (Engine.java:633)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.runCheck (BaseDependencyCheckMojo.java:1936)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:1119)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:498)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:289)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:229)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:415)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:356)
[INFO] Updating CISA Known Exploited Vulnerability list: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
[INFO] Begin database defrag
[INFO] End database defrag (1638 ms)
[WARNING] Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
[ERROR] Unable to continue dependency-check analysis.
[INFO] Cache event queue destroyed: CacheEventQueue [listenerId=-91099005, cacheName=NODEAUDIT]
[INFO] Cache event queue destroyed: CacheEventQueue [listenerId=-91099005, cacheName=CENTRAL]
[INFO] Cache event queue destroyed: CacheEventQueue [listenerId=-91099005, cacheName=POM]
[ERROR] Region [NODEAUDIT] : Not alive and dispose was called, filename: NODEAUDIT
[ERROR] Region [CENTRAL] : Not alive and dispose was called, filename: CENTRAL
[ERROR] Region [POM] : Not alive and dispose was called, filename: POM
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  11:55 min
[INFO] Finished at: 2023-11-23T00:18:17-05:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:9.0.0:check (default-cli) on project esapi: Fatal exception(s) analyzing ESAPI: One or more exceptions occurred during analysis:
[ERROR] 	UpdateException: Error updating the NVD Data
[ERROR] 		caused by NvdApiException: NVD Returned Status Code: 503
[ERROR] 	NoDataException: No documents exist
[ERROR] -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
wallk@feynman:~/work/esapi/prep-2.5.3.0$ 

-kevin
--
Blog: https://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall | OWASP ESAPI Project co-lead
NSA: All your crypto bit are belong to us.
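As an added example (not code from the thread or the ESAPI project), here is a POSIX shell wrapper around the mvn command shown above that retries only when the failure is the NVD API 5xx seen in the log, backing off exponentially between attempts, and stops immediately on any other failure so that a real finding is never masked by a retry loop. It assumes NVD_API_KEY is set in the environment, as in the command above; treating every 5xx (not only the 503 in the thread) as transient, and the attempt count and delays, are my assumptions; the sample logs at the bottom are constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example: retry dependency-check-maven only on transient NVD API errors.
# Not part of the ESAPI project; assumes NVD_API_KEY is exported as in the post.

# Classify dependency-check output read from stdin.
# Prints exactly one of: success | nvd-transient | failure
classify_dc_output() {
  out="$(cat)"
  if printf '%s\n' "$out" | grep -q 'BUILD SUCCESS'; then
    echo success
  elif printf '%s\n' "$out" | grep -Eq 'NVD Returned Status Code: 5[0-9][0-9]'; then
    # Assumption: any 5xx from the NVD API is a server-side outage worth retrying,
    # like the 503 in the thread. Anything else (real findings, config errors,
    # bad API key) is reported as a hard failure below.
    echo nvd-transient
  else
    echo failure
  fi
}

# Run the check with exponential backoff on transient NVD failures.
# $1 = max attempts (default 4), $2 = initial delay in seconds (default 300).
run_dc_with_retry() {
  max_attempts="${1:-4}"
  delay="${2:-300}"
  attempt=1
  log="$(mktemp)"
  while [ "$attempt" -le "$max_attempts" ]; do
    # Same goal as in the post; tee keeps the output visible and captures it for classification.
    mvn -DnvdApiKey="$NVD_API_KEY" org.owasp:dependency-check-maven:check 2>&1 | tee "$log"
    verdict="$(classify_dc_output < "$log")"
    case "$verdict" in
      success)
        rm -f "$log"
        return 0 ;;
      nvd-transient)
        echo "NVD API returned a 5xx (attempt $attempt/$max_attempts); retrying in ${delay}s" >&2
        sleep "$delay"
        delay=$((delay * 2)) ;;
      *)
        echo "dependency-check failed for a reason other than the NVD feed; not retrying" >&2
        rm -f "$log"
        return 1 ;;
    esac
    attempt=$((attempt + 1))
  done
  echo "NVD API still unavailable after $max_attempts attempts; giving up" >&2
  rm -f "$log"
  return 2
}

# Constructed sample logs, abridged from the lines quoted in the post, for a dry run.
SAMPLE_NVD_503='[ERROR] Failed to execute goal org.owasp:dependency-check-maven:9.0.0:check (default-cli) on project esapi: Fatal exception(s) analyzing ESAPI: One or more exceptions occurred during analysis:
[ERROR]   UpdateException: Error updating the NVD Data
[ERROR]     caused by NvdApiException: NVD Returned Status Code: 503
[ERROR]   NoDataException: No documents exist'
SAMPLE_OK='[INFO] BUILD SUCCESS'
SAMPLE_OTHER='[INFO] BUILD FAILURE
[ERROR] constructed non-NVD failure line'

# Dry run on the constructed samples; set DC_RETRY_RUN=1 to run the real check.
for name in SAMPLE_NVD_503 SAMPLE_OK SAMPLE_OTHER; do
  eval "sample=\$$name"
  printf '%s -> %s\n' "$name" "$(printf '%s\n' "$sample" | classify_dc_output)"
done
if [ "${DC_RETRY_RUN:-0}" = 1 ]; then
  run_dc_with_retry 4 300
fi
```

Use it as `DC_RETRY_RUN=1 sh dc-retry.sh` in CI; the exit code distinguishes a clean run (0), a non-NVD failure that needs a human (1), and an NVD outage that exhausted the retries (2), so a pipeline can choose to fall back to Dependabot/Snyk results only in the last case rather than whenever the goal fails.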

Kevin W. Wall

Nov 23, 2023, 10:48:58 PM
to esapi-project-users
Looks like lots of others are getting the same error:
The problem has persisted throughout the day.

As this seems to be an NVD server-side problem and it likely won't get fixed until at least next week, I am going to make an executive decision to skip the Dependency Check stuff and just trust that the GitHub Dependabot and the Snyk SCA stuff will be sufficient. (The NIST NVD project is not well funded, so I doubt someone is going to fix it tomorrow or over the weekend.)

-kevin