Download Failed for NVD CVE


Jeet Hadap

Oct 3, 2014, 11:23:32 AM
to dependen...@googlegroups.com
Hi,

I am using dependency-check-maven version 1.2.5, and I don't have any proxy server in between, so I am connected directly to the internet.
But whenever I run mvn dependency-check:check, I get failures while downloading some of the NVD CVE files (see below). However, I can download the NVD CVE XML files from a browser and it works fine. In the browser it takes time, but it works.
I also left it overnight for more than 15 hours, but it didn't work.


Oct 03, 2014 3:38:24 PM org.owasp.dependencycheck.data.update.StandardUpdate update
INFO: NVD CVE requires several updates; this could take a couple of minutes.
Oct 03, 2014 3:38:25 PM org.owasp.dependencycheck.data.update.task.DownloadTask call
INFO: Download Started for NVD CVE - 2007
Oct 03, 2014 3:38:25 PM org.owasp.dependencycheck.data.update.task.DownloadTask call
INFO: Download Started for NVD CVE - 2009
Oct 03, 2014 3:38:25 PM org.owasp.dependencycheck.data.update.task.DownloadTask call
INFO: Download Started for NVD CVE - 2010
Oct 03, 2014 3:57:14 PM org.owasp.dependencycheck.data.update.task.DownloadTask call
WARNING: Download Failed for NVD CVE - 2009
Some CVEs may not be reported.
Oct 03, 2014 3:57:14 PM org.owasp.dependencycheck.data.update.task.DownloadTask call
INFO: If you are behind a proxy you may need to configure dependency-check to use the proxy.
Oct 03, 2014 3:57:15 PM org.owasp.dependencycheck.data.update.task.DownloadTask call
INFO: Download Started for NVD CVE - 2011
Oct 03, 2014 4:07:50 PM org.owasp.dependencycheck.data.update.task.DownloadTask call
WARNING: Download Failed for NVD CVE - 2010
Some CVEs may not be reported.
Oct 03, 2014 4:07:50 PM org.owasp.dependencycheck.data.update.task.DownloadTask call
INFO: If you are behind a proxy you may need to configure dependency-check to use the proxy.
Oct 03, 2014 4:07:50 PM org.owasp.dependencycheck.data.update.task.DownloadTask call
INFO: Download Started for NVD CVE - 2012


My POM configuration is as follows.

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>1.2.2</version>
    <configuration>
        <connectionTimeout>9999999999</connectionTimeout>
        <nexusUsesProxy>false</nexusUsesProxy>
    </configuration>
    <executions>
        <execution>
            <goals>
                <goal>check</goal>
            </goals>
        </execution>
    </executions>
</plugin>

I tried setting <connectionTimeout> but it didn't work.

Let me know what's wrong. Also, is there a way/option to download those NVD-CVE files manually and use them locally?

Thanks,

J



Jeremy Long

Oct 3, 2014, 2:35:44 PM
to Jeet Hadap, dependen...@googlegroups.com
If you can download the NVD files locally you should be able to set:

cveUrl20Base
cveUrl12Base
cveUrl20Modified
cveUrl12Modified

using the "file" protocol. An example would be:

file:///c:/nvd/nvdcve-%d.xml

Where %d is the year. The application will replace the %d with 2006, 2007, 2008, etc. to import the entire set of NVD data. These configuration options are listed on the documentation page: http://jeremylong.github.io/DependencyCheck/dependency-check-maven/configuration.html (it doesn't indicate that the file protocol is usable, but it should work). These configuration options were added so that one could mirror the NVD locally (or at least internal to an enterprise, as many companies do not allow their build servers to talk to the Internet).

Also, regarding the connection timeout: could you re-run the scan with a logFile configured and then verify that the properties listed in the log file indicate that the connection timeout is 9999999?

Best Regards,

Jeremy
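
Added example (not from the thread or from the dependency-check project): before pointing the cveUrl* options at a local mirror, this Python sketch expands the %d template for each year and flags files that are missing or were cut off mid-download, since either one means CVEs silently go unreported. The function names and the sample mirror contents are constructed for illustration.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlparse
from urllib.request import url2pathname


def expand(template: str, year: int) -> Path:
    """Resolve a file: URL template such as file:///c:/nvd/nvdcve-%d.xml for one year."""
    parsed = urlparse(template.replace("%d", str(year)))
    if parsed.scheme != "file":
        raise ValueError("only file: URLs are checked here")
    return Path(url2pathname(parsed.path))


def check_mirror(template: str, first_year: int, last_year: int) -> dict:
    """Return {year: 'ok' | 'missing' | 'truncated'} for every year in the range."""
    status = {}
    for year in range(first_year, last_year + 1):
        path = expand(template, year)
        if not path.is_file():
            status[year] = "missing"
            continue
        try:
            # iterparse streams the feed, so a large file is never held in memory whole
            for _event, elem in ET.iterparse(str(path)):
                elem.clear()
            status[year] = "ok"
        except ET.ParseError:
            status[year] = "truncated"  # e.g. a download that stopped part-way
    return status


def demo() -> dict:
    """Constructed three-year mirror: 2007 complete, 2008 absent, 2009 cut short."""
    root = Path(tempfile.mkdtemp())
    (root / "nvdcve-2007.xml").write_text("<nvd><entry name='CONSTRUCTED-1'/></nvd>")
    (root / "nvdcve-2009.xml").write_text("<nvd><entry name='CONSTRUCTED-2'")
    return check_mirror(root.as_uri() + "/nvdcve-%d.xml", 2007, 2009)


if __name__ == "__main__":
    for year, state in demo().items():
        print(year, state)
```

Run check_mirror against the same template you put in the plugin configuration, and only switch the build over once every year reports ok.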


Jeet H

Oct 6, 2014, 8:40:26 AM
to dependen...@googlegroups.com
Hi Jeremy,

Thanks, I will try this out and will let you know. It's taking ages to download manually as well.
Yes, in the logs I could see that connectionTimeout was configured to 9999999. But I think it's either an issue with the NIST website or the network which I am using. I will try a different network and see.

Thanks

J

Jeremy Long

Nov 17, 2014, 6:34:36 AM
to dependen...@googlegroups.com
The URLs to the NVD data have been updated in version 1.2.6 - I would highly recommend upgrading as the download speed should be greatly improved.

--Jeremy