DependencyCheck: NIST NVD URL no longer works

Logs:

$ dependency-check --updateonly
[INFO] Checking for updates
[INFO] starting getUpdatesNeeded() ...
[ERROR] IO Exception: HEAD request returned a non-200 status code
[ERROR] IO Exception: HEAD request returned a non-200 status code
[ERROR] IO Exception: HEAD request returned a non-200 status code
[ERROR] IO Exception: HEAD request returned a non-200 status code
[WARN] Unable to download the NVD CVE data; the results may not include the most recent CPE/CVEs from the NVD.
[INFO] If you are behind a proxy you may need to configure dependency-check to use the proxy.
[ERROR] IO Exception: HEAD request returned a non-200 status code
[ERROR] IO Exception: HEAD request returned a non-200 status code

It looks like this URL: https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml.gz no longer works and has been changed to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-modified.xml.gz.

We are seeing the same issues from the gradle plugin as well. Let me know if more information is needed.

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 23
  • Comments: 21

Most upvoted comments

This looks like a permanent change in their URL scheme. The difference seems to be adding xml schema version in the URL (…xml/cve/2.0/… instead of …xml/cve/…). From a quick visual check here all feed links seem to follow the new scheme.

Anyway, seems we can work around this by configuring the new URL. In a gradle build script this looks like:

dependencyCheck {
    cve {
        url20Modified = 'https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-modified.xml.gz'
        url20Base = 'https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-%d.xml.gz'
    }
}

Documentation: https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/configuration-update.html

v3.1.2 was released today which resolves this issue.

You can find the new links at https://nvd.nist.gov/vuln/data-feeds#XML_FEED for the configuration change, as @zerogvt and @shekh-akther mentioned above. For those who use Maven, a working config:

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>3.1.1</version>
    <configuration>
        <cveUrl12Modified>https://nvd.nist.gov/feeds/xml/cve/1.2/nvdcve-modified.xml.gz</cveUrl12Modified>
        <cveUrl20Modified>https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-modified.xml.gz</cveUrl20Modified>
        <cveUrl12Base>https://nvd.nist.gov/feeds/xml/cve/1.2/nvdcve-%d.xml.gz</cveUrl12Base>
        <cveUrl20Base>https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-%d.xml.gz</cveUrl20Base>
    </configuration>
</plugin>

These cli parameters work for me:

owasp-dependency-check --data mydatadir --project myprojectname -o reports -f JSON -s . -l logfile --cveUrl12Base "https://nvd.nist.gov/feeds/xml/cve/1.2/nvdcve-%d.xml.gz" --cveUrl20Base "https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-%d.xml.gz" --cveUrl12Modified "https://nvd.nist.gov/feeds/xml/cve/1.2/nvdcve-modified.xml.gz" --cveUrl20Modified "https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-modified.xml.gz"
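As an added example (not part of this thread and not DependencyCheck's own code), a small Python preflight that expands the `%d` year placeholder in the `cveUrl*Base` patterns above and HEAD-checks every feed URL the way the updater does, so a configuration can be validated before the build runs; the year range and the offline `fake_open` stub that mimics NIST after the URL change are constructed assumptions.

```python
import urllib.request
from contextlib import nullcontext
from types import SimpleNamespace
from urllib.error import HTTPError, URLError

# Feed settings as handed to dependency-check; "%d" is the year placeholder. These are the post-change URLs.
FEEDS_NEW = {
    "cveUrl12Modified": "https://nvd.nist.gov/feeds/xml/cve/1.2/nvdcve-modified.xml.gz",
    "cveUrl20Modified": "https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-modified.xml.gz",
    "cveUrl12Base": "https://nvd.nist.gov/feeds/xml/cve/1.2/nvdcve-%d.xml.gz",
    "cveUrl20Base": "https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-%d.xml.gz",
}

def expand_feed_urls(settings, first_year=2002, last_year=2018):
    """One URL per year for each *Base pattern; *Modified URLs are used as-is.
    The year range is an assumption (NVD yearly feeds start at 2002)."""
    urls = []
    for pattern in settings.values():
        if "%d" in pattern:
            urls.extend(pattern % year for year in range(first_year, last_year + 1))
        else:
            urls.append(pattern)
    return urls

def head_status(url, opener=urllib.request.urlopen, timeout=10):
    """HEAD the URL as the updater does; return the HTTP status, or None on a network error."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code
    except URLError:
        return None

def check_feeds(settings, opener=urllib.request.urlopen):
    """Map every feed URL that did not answer 200 to its status; an empty dict means all good."""
    failures = {}
    for url in expand_feed_urls(settings):
        status = head_status(url, opener)
        if status != 200:
            failures[url] = status
    return failures

def fake_open(req, timeout=10):
    """Constructed offline opener: like NIST after the change, only schema-versioned paths answer 200."""
    if "/cve/1.2/" in req.full_url or "/cve/2.0/" in req.full_url:
        return nullcontext(SimpleNamespace(status=200))
    raise HTTPError(req.full_url, 404, "Not Found", {}, None)
```

Run `check_feeds(FEEDS_NEW)` with the default opener to hit the real NVD; `check_feeds(FEEDS_NEW, fake_open)` exercises the same logic offline.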

NIST’s XML feed overview page actually lists the new URLs, so DependencyCheck should react immediately and fix this breakage in a new release.

@if08017 same recommendation as the Jenkins folks. Specify the NVD URLs typically used for mirroring. You won't actually be using an NVD mirror (although I do recommend it); you'll simply be correcting the URLs using this method.

Refer to https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html

  • cveUrl12Modified
  • cveUrl20Modified
  • cveUrl12Base
  • cveUrl20Base

Until a newer version is available, you can update Jenkins settings to reflect these URLs:

  • https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-modified.xml.gz
  • https://nvd.nist.gov/feeds/xml/cve/1.2/nvdcve-modified.xml.gz
  • https://nvd.nist.gov/feeds/xml/cve/1.2/nvdcve-2018.xml.gz
  • https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2018.xml.gz

Hope this helps. I was able to test it on the OWASP dependency plugin 3.1.1 and 2.1.0.

For maven users: please follow Example 5 from documentation: https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html

I see that the old URL (https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml.gz) is now working again (together with the new URL). Any information about this decision?

@kalyankix - thanks a lot for providing directly the links - worked as a charm for me on my Jenkins!

Any help for CLI users? I found the same issue.

Hopefully, this is a temporary configuration issue on their end, as it affects the entire Dependency-Check ecosystem. But the URL endpoints have changed. For those who are using nist-data-mirror, it's been updated with the new URLs and a release pushed to Maven Central. Awaiting synchronization.