Download failed, unable to retrieve 'https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta'

848 views

Skip to first unread message

Arjo Poldervaart

unread,

Sep 30, 2019, 7:44:09 AM9/30/19

to Dependency Check

Hi Jeremy,

Our downloads from nvd.nist.gov are suddenly failing, I tried adding the nist certificates (entire chain) into the cacerts keystore. Using a small Java main() I can connect, and also using a Groovy script inside of the Jenkins script console. While running a build I get the stacktrace below. I also tried starting jenkins with the explicit path to the keystore:

-Djavax.net.ssl.trustStore=/etc/pki/ca-trust/extracted/java/cacerts -Djavax.net.ssl.trustStorePassword=changeit

Do you have any ideas or suggestions for me?

Building in workspace /var/lib/jenkins/workspace/generic-victims-scan

[DependencyCheck] [INFO] Checking for updates

[DependencyCheck] [ERROR] Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta

[DependencyCheck] org.owasp.dependencycheck.data.update.exception.UpdateException: Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta

[DependencyCheck] at org.owasp.dependencycheck.data.update.NvdCveUpdater.getMetaFile(NvdCveUpdater.java:347)

[DependencyCheck] at org.owasp.dependencycheck.data.update.NvdCveUpdater.getUpdatesNeeded(NvdCveUpdater.java:385)

[DependencyCheck] at org.owasp.dependencycheck.data.update.NvdCveUpdater.update(NvdCveUpdater.java:122)

[DependencyCheck] at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:922)

[DependencyCheck] at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:723)

[DependencyCheck] at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:653)

[DependencyCheck] at org.owasp.dependencycheck.App.runScan(App.java:251)

[DependencyCheck] at org.owasp.dependencycheck.App.run(App.java:183)

[DependencyCheck] at org.owasp.dependencycheck.App.main(App.java:80)

[DependencyCheck] Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Download failed, unable to retrieve 'https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta'

[DependencyCheck] at org.owasp.dependencycheck.utils.Downloader.fetchContent(Downloader.java:115)

[DependencyCheck] at org.owasp.dependencycheck.data.update.NvdCveUpdater.getMetaFile(NvdCveUpdater.java:340)

[DependencyCheck] ... 8 common frames omitted

[DependencyCheck] Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: Error downloading file https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta; unable to connect.

[DependencyCheck] at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:238)

[DependencyCheck] at org.owasp.dependencycheck.utils.HttpResourceConnection.fetch(HttpResourceConnection.java:138)

[DependencyCheck] at org.owasp.dependencycheck.utils.Downloader.fetchContent(Downloader.java:110)

[DependencyCheck] ... 9 common frames omitted

[DependencyCheck] Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

[DependencyCheck] at java.base/sun.security.ssl.Alerts.getSSLException(Alerts.java:198)

[DependencyCheck] at java.base/sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1969)

[DependencyCheck] at java.base/sun.security.ssl.Handshaker.fatalSE(Handshaker.java:345)

[DependencyCheck] at java.base/sun.security.ssl.Handshaker.fatalSE(Handshaker.java:339)

[DependencyCheck] at java.base/sun.security.ssl.ClientHandshaker.checkServerCerts(ClientHandshaker.java:1968)

[DependencyCheck] at java.base/sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1777)

[DependencyCheck] at java.base/sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:264)

[DependencyCheck] at java.base/sun.security.ssl.Handshaker.processLoop(Handshaker.java:1092)

[DependencyCheck] at java.base/sun.security.ssl.Handshaker.processRecord(Handshaker.java:1026)

[DependencyCheck] at java.base/sun.security.ssl.SSLSocketImpl.processInputRecord(SSLSocketImpl.java:1137)

[DependencyCheck] at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1074)

[DependencyCheck] at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)

[DependencyCheck] at java.base/sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1402)

[DependencyCheck] at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1429)

[DependencyCheck] at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)

[DependencyCheck] at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)

[DependencyCheck] at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)

[DependencyCheck] at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:163)

[DependencyCheck] at org.owasp.dependencycheck.utils.HttpResourceConnection.obtainConnection(HttpResourceConnection.java:178)

[DependencyCheck] ... 11 common frames omitted

[DependencyCheck] Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

[DependencyCheck] at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)

[DependencyCheck] at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:290)

[DependencyCheck] at java.base/sun.security.validator.Validator.validate(Validator.java:264)

[DependencyCheck] at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:343)

[DependencyCheck] at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:226)

[DependencyCheck] at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:133)

[DependencyCheck] at java.base/sun.security.ssl.ClientHandshaker.checkServerCerts(ClientHandshaker.java:1947)

[DependencyCheck] ... 25 common frames omitted

[DependencyCheck] Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

[DependencyCheck] at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)

[DependencyCheck] at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)

[DependencyCheck] at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)

[DependencyCheck] at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)

[DependencyCheck] ... 31 common frames omitted

The groovy script I used:

def url = new URL('https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta')

def connection = url.openConnection()

connection.requestMethod = 'GET'

if (connection.responseCode == 200) {

println connection.content.text

println connection.contentType

println connection.lastModified

connection.headerFields.each { println "> ${it}"}

}

and the response:

lastModifiedDate:2019-09-27T14:02:23-04:00
size:9403084
zipSize:424826
gzSize:424682
sha256:20B9F15DD1A04ABC0055D5DF04C1614734B986C856A08899F09C5948633EDCD7

text/plain
1569608116000
> X-Frame-Options=[SAMEORIGIN]
> Accept-Ranges=[bytes]
> null=[HTTP/1.1 200 OK]
> Strict-Transport-Security=[max-age=31536000]
> Server=[Microsoft-IIS/8.5]
> ETag=["0d226835f75d51:0"]
> Last-Modified=[Fri, 27 Sep 2019 18:15:16 GMT]
> Content-Length=[162]
> Date=[Mon, 30 Sep 2019 11:30:02 GMT]
> Content-Type=[text/plain]
Result: {X-Frame-Options=[SAMEORIGIN], Accept-Ranges=[bytes], null=[HTTP/1.1 200 OK], Strict-Transport-Security=[max-age=31536000], Server=[Microsoft-IIS/8.5], ETag=["0d226835f75d51:0"], Last-Modified=[Fri, 27 Sep 2019 18:15:16 GMT], Content-Length=[162], Date=[Mon, 30 Sep 2019 11:30:02 GMT], Content-Type=[text/plain]}

Jeremy Long

unread,

Sep 30, 2019, 7:47:59 AM9/30/19

to Dependency Check

See https://github.com/jeremylong/DependencyCheck/issues/2222

--Jeremy

Reply all

Reply to author

Forward

0 new messages