Nearly all GAVs cannot be mapped to CPE


jfabia...@googlemail.com

Mar 23, 2018, 4:29:30 AM
to Dependency Check
I am trying to set up the dependency-check-maven-plugin in a company network with a strangely restricted network. For that I

* set up a server to replace the nvd servers
* disabled the central analyzer in favour of the Nexus analyzer (because MavenCentral is hard to reach from the network)

The plugin runs without giving errors, seems to download the relevant files and writes a report, but nearly all CPE fields are empty. It manages to detect org.apache.httpcomponents:httpclient:4.3.5 as cpe:/a:apache:httpclient:4.3.5

but it does not recognise usual dependencies such as commons-logging:commons-logging:1.1, com.google.code.gson:gson:2.8.0 or log4j:log4j:1.2.15.

I checked that the database file dc.h2.db is created, but it is quite small (2.5MB). 

Actually, I do not know what I should check next. 

Any suggestions?

Fabian

By the way: Is there any commercial support available for the plugin?



J. Fabian Meier

Mar 23, 2018, 6:11:58 AM
to Dependency Check
I read that the GAV to CPE conversion is done using a Lucene index. Where is this usually found? The dependency-check-data directory in my .m2 only contains the dc.h2.db file.

Jeremy Long

Mar 23, 2018, 6:12:34 AM
to jfabia...@googlemail.com, Dependency Check
Unfortunately, no - there is no commercial support available for dependency-check.

Regarding your issue - there is definitely something wrong with the setup as the database should be over 300mb. Some suggestions to get this up and running.

1. Create a bare minimum pom.xml that only contains the dependency-check configuration for your environment such as the one below (but updated to use your internal NVD mirror):

<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.owasp.test</groupId>
  <artifactId>odc-setup-test</artifactId>
  <version>1.0.0-SNAPSHOT</version>
  <!-- pom packaging: no sources, no dependencies; the only thing this project does is run the plugin -->
  <packaging>pom</packaging>
  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>3.1.1</version>
        <configuration>
          <!-- write every report format (HTML, XML, JSON, ...) -->
          <format>ALL</format>
          <!-- point the NVD feed settings (cveUrl12Modified, cveUrl20Modified,
               cveUrl12Base, cveUrl20Base) at your internal mirror here -->
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>

2. Run the maven dependency-check purge and then the maven-dependency-check update-only goals:

mvn org.owasp:dependency-check-maven:3.1.1:purge
mvn org.owasp:dependency-check-maven:3.1.1:update-only -X

The log resulting from the update-only will help determine exactly what is wrong.

--Jeremy

--
You received this message because you are subscribed to the Google Groups "Dependency Check" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dependency-check+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jeremy Long

Mar 23, 2018, 6:13:31 AM
to J. Fabian Meier, Dependency Check
The Lucene index is actually an in-memory index that is built at runtime from data contained in the database.

--Jeremy

On Fri, Mar 23, 2018 at 6:11 AM, J. Fabian Meier <johannesf...@gmail.com> wrote:
I read that the GAV to CPE conversion is done using a Lucene index. Where is this usually found? The dependency-check-data directory in my .m2 only contains the dc.h2.db file.


J. Fabian Meier

Mar 23, 2018, 6:50:31 AM
to Dependency Check
Thank you very much for your fast and thorough response. I get:
 
[INFO] starting getUpdatesNeeded() ...
[DEBUG] Checking for updates from: http://localhost:8088/freigabemaske-test/rest/freigabe/nvdcve-2.0-2014.xml.gz
[DEBUG] Checking for updates from: http://localhost:8088/freigabemaske-test/rest/freigabe/nvdcve-2.0-2004.xml.gz
[DEBUG] Checking for updates from: http://localhost:8088/freigabemaske-test/rest/freigabe/nvdcve-2.0-2005.xml.gz
[DEBUG] Checking for updates from: http://localhost:8088/freigabemaske-test/rest/freigabe/nvdcve-2.0-2006.xml.gz
[DEBUG] Checking for updates from: http://localhost:8088/freigabemaske-test/rest/freigabe/nvdcve-2.0-2007.xml.gz
[DEBUG] Checking for updates from: http://localhost:8088/freigabemaske-test/rest/freigabe/nvdcve-2.0-2012.xml.gz
[DEBUG] Checking for updates from: http://localhost:8088/freigabemaske-test/rest/freigabe/nvdcve-2.0-2016.xml.gz
[DEBUG] Checking for updates from: http://localhost:8088/freigabemaske-test/rest/freigabe/nvdcve-2.0-2011.xml.gz
[DEBUG] Checking for updates from: http://localhost:8088/freigabemaske-test/rest/freigabe/nvdcve-2.0-2013.xml.gz
[DEBUG] Checking for updates from: http://localhost:8088/freigabemaske-test/rest/freigabe/nvdcve-2.0-2015.xml.gz
[DEBUG] Checking for updates from: http://localhost:8088/freigabemaske-test/rest/freigabe/nvdcve-2.0-2002.xml.gz
[DEBUG] Checking for updates from: http://localhost:8088/freigabemaske-test/rest/freigabe/nvdcve-2.0-2009.xml.gz
[DEBUG] Checking for updates from: http://localhost:8088/freigabemaske-test/rest/freigabe/nvdcve-2.0-2003.xml.gz
[DEBUG] Checking for updates from: http://localhost:8088/freigabemaske-test/rest/freigabe/nvdcve-2.0-2008.xml.gz
[DEBUG] Checking for updates from: http://localhost:8088/freigabemaske-test/rest/freigabe/nvdcve-2.0-2010.xml.gz
[DEBUG] Checking for updates from: http://localhost:8088/freigabemaske-test/rest/freigabe/nvdcve-2.0-Modified.xml.gz
[DEBUG] Checking for updates from: http://localhost:8088/freigabemaske-test/rest/freigabe/nvdcve-2.0-2017.xml.gz
[DEBUG] Checking for updates from: http://localhost:8088/freigabemaske-test/rest/freigabe/nvdcve-2.0-2018.xml.gz
[DEBUG] Temporary directory is `C:\Users\FABIAN~1.MEI\AppData\Local\Temp\dctemp54b56b95-d8d2-44ca-9978-69eee76776ae`
[INFO] Download Started for NVD CVE - Modified
[DEBUG] Attempting download of http://localhost:8088/freigabemaske-test/rest/freigabe/nvdcve-2.0-Modified.xml.gz
[DEBUG] Download of http://localhost:8088/freigabemaske-test/rest/freigabe/nvdcve-2.0-Modified.xml.gz complete
[DEBUG] Attempting download of http://localhost:8088/freigabemaske-test/rest/freigabe/nvdcve-Modified.xml.gz
[DEBUG] Download of http://localhost:8088/freigabemaske-test/rest/freigabe/nvdcve-Modified.xml.gz complete
[INFO] Download Complete for NVD CVE - Modified  (1002 ms)
[INFO] Processing Started for NVD CVE - Modified
[INFO] Processing Complete for NVD CVE - Modified  (1287 ms)
[INFO] Begin database maintenance.
[INFO] End database maintenance.
[INFO] Check for updates complete (3867 ms)
[DEBUG] Lock released (main) 573ecd36275789c4ceb5affd8b2280c1 @ 2018-03-23 11:39:58.186

I suspect that the files of the form nvdcve-2.0-2014.xml.gz are only "checked for updates" but not downloaded. I debugged the server and it actually receives the GET requests and services them.

jfabia...@googlemail.com

Mar 23, 2018, 8:44:27 AM
to Dependency Check
Digging deeper I found out that dependency-check is only sending HEAD requests for nvdcve-2.0-2014.xml.gz etc., but never actually tries to GET them. 

There is probably some reason that it thinks the files are up to date, even if I purged everything before.

jfabia...@googlemail.com

Mar 23, 2018, 10:01:56 AM
to Dependency Check
My previous answers were lost, so I just say that I found the problem by looking at the source code and that it lies in not having a Last-Modified Date in the HTTP header.


Jeremy Long

Mar 24, 2018, 6:37:36 AM
to Dependency Check
Actually, that is a known issue that we need to better document. Glad you figured it out.

--Jeremy

Hans Aikema

Mar 25, 2018, 11:42:37 AM
to Dependency Check

> On 24 Mar 2018, at 11:37, Jeremy Long <jerem...@gmail.com> wrote:
>
> Actually, that is a known issue that we need to better document. Glad you figured it out.
>
> --Jeremy
>

Jeremy,

how about changing to a ‘failsafe’ default of “if a proper timestamp was not determined” (timestamp == 0) then assume that the dataset was last changed at the time of checking? It would mean that in situations like Fabian’s the files would ALWAYS get downloaded, but I think for the sake of security that would be preferred to NEVER.

https://github.com/aikebah/DependencyCheck/commit/908742b4177d489251a62d5b8b852c741bf53b23
would need some testing to see that it really works (although I fail to see why it wouldn't work), but I think a change to such a strategy would be good in the fight for as few false negatives as reasonably possible.

kind regards,
Hans Aikema
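The following is an added example, not code from this thread and not dependency-check's own implementation. It models the update decision Fabian traced in the source (a HEAD request per NVD feed, compare the Last-Modified header with the locally recorded timestamp, GET only when newer) and the failsafe Hans proposes (treat an undetermined timestamp as "changed now" so the file is always fetched). It also gives a small mirror audit that reports, per feed, whether the mirror serves Last-Modified at all, which is the check a practitioner in Fabian's situation would want to run before trusting an empty report. The mirror URL, feed list, header sets and the `fake_head` responder are constructed for illustration; `http_head` is the live variant.

```python
"""Update decision of an NVD mirror client, with and without a failsafe.

Constructed example: models the behaviour described in the thread, it is not
dependency-check code. The feed names follow the nvdcve-2.0-<year>.xml.gz
pattern from Fabian's log; everything else is assumed.
"""
from email.utils import parsedate_to_datetime
from typing import Callable, Dict, List
import urllib.request

# 2.0 feeds for 2002..2018 plus the "Modified" feed, as seen in the log.
NVD_YEARS: List[int] = list(range(2002, 2019))


def remote_timestamp(headers: Dict[str, str]) -> int:
    """Return Last-Modified as epoch seconds, or 0 when absent or unparseable.

    Header names are matched case-insensitively, as HTTP requires. A result of
    0 is exactly the "timestamp not determined" state Hans refers to.
    """
    value = next((v for k, v in headers.items() if k.lower() == "last-modified"), None)
    if value is None:
        return 0
    try:
        return int(parsedate_to_datetime(value).timestamp())
    except (TypeError, ValueError):  # older Pythons raise TypeError, newer ValueError
        return 0


def needs_update(headers: Dict[str, str], local_timestamp: int, now: int,
                 failsafe: bool = False) -> bool:
    """Decide whether a feed file should be downloaded.

    Without the failsafe: download only if the remote timestamp is strictly
    newer than the local record. A remote timestamp of 0 is never newer, not
    even after a purge (local record 0), so the file is silently skipped and
    the scan produces false negatives.
    With the failsafe: an undetermined remote timestamp counts as `now`, so the
    file is always fetched; the cost is a redundant download per run.
    """
    ts = remote_timestamp(headers)
    if ts == 0 and failsafe:
        ts = now
    return ts > local_timestamp


def http_head(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """Live HEAD request against a real mirror (not used by the offline demo)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


def audit_mirror(base_url: str, local_timestamps: Dict[str, int], now: int,
                 head: Callable[[str], Dict[str, str]] = http_head,
                 failsafe: bool = False) -> Dict[str, Dict[str, bool]]:
    """HEAD every feed and report whether Last-Modified was served and whether
    the client would download it under the chosen policy."""
    names = [f"nvdcve-2.0-{y}.xml.gz" for y in NVD_YEARS] + ["nvdcve-2.0-Modified.xml.gz"]
    report: Dict[str, Dict[str, bool]] = {}
    for name in names:
        headers = head(f"{base_url.rstrip('/')}/{name}")
        report[name] = {
            "last_modified_present": remote_timestamp(headers) != 0,
            "would_download": needs_update(headers, local_timestamps.get(name, 0), now, failsafe),
        }
    return report


# Constructed sample mirror: only the Modified feed carries Last-Modified,
# the yearly feeds (as in Fabian's setup) do not.
SAMPLE_HEADERS: Dict[str, Dict[str, str]] = {
    "nvdcve-2.0-Modified.xml.gz": {"Last-Modified": "Fri, 23 Mar 2018 10:00:00 GMT",
                                   "Content-Length": "987654"},
}


def fake_head(url: str) -> Dict[str, str]:
    """Offline stand-in for http_head returning the constructed headers above."""
    name = url.rsplit("/", 1)[-1]
    return dict(SAMPLE_HEADERS.get(name, {"Content-Length": "1234567"}))


if __name__ == "__main__":
    now = 1521800000  # constructed "current time", shortly after the sample header
    for policy in (False, True):
        rep = audit_mirror("http://mirror.example/nvd", {}, now, fake_head, failsafe=policy)
        skipped = [n for n, r in rep.items() if not r["would_download"]]
        print(f"failsafe={policy}: {len(skipped)} of {len(rep)} feeds would never be fetched")
```

Running the script shows the two policies side by side: without the failsafe every yearly feed is skipped because the mirror sends no Last-Modified, which reproduces the 2.5 MB database; with it all feeds are fetched on every run. Pointing `audit_mirror` at a real mirror with the default `http_head` lists which files still lack the header.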
