DependencyCheck: Version 8.0.0. KnownExploitedDataSource proxy HTTP 403
KnownExploitedDataSource Line: 78
//TODO - add all the proxy config, likely use the same as configured for NVD
final HttpResourceConnection conn = new HttpResourceConnection(settings);
In class HostedSuppressionsDataSource I do not see such a comment:
Logs:
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:8.0.0:check (default-cli) on project iaml: Fatal exception(s) analyzing aaaaaaaaaa: One or more exceptions occurred during analysis:
[ERROR] UpdateException: org.owasp.dependencycheck.utils.DownloadFailedException: Error downloading file https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; unable to connect.
[ERROR] caused by DownloadFailedException: Error downloading file https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; unable to connect.
[ERROR] caused by IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 403 Forbidden"
[ERROR] NoDataException: No documents exist
[ERROR] -> [Help 1]
[ERROR]
About this issue
- State: open
- Created a year ago
- Reactions: 6
- Comments: 23 (3 by maintainers)
Commits related to this issue
- Bump org.owasp.dependencycheck to version 7.4.4, as 8.0.0 doesnt work with proxy https://github.com/jeremylong/DependencyCheck/issues/5313 — committed to adaptris/interlok by deleted user a year ago
- Bump org.owasp.dependencycheck to version 7.4.4, as 8.0.0 doesnt work with proxy https://github.com/jeremylong/DependencyCheck/issues/5313 — committed to adaptris/interlok-profiler by deleted user a year ago
- Bump org.owasp.dependencycheck to version 7.4.4, as 8.0.0 doesnt work with proxy https://github.com/jeremylong/DependencyCheck/issues/5313 — committed to adaptris/interlok-stax by deleted user a year ago
- Bump org.owasp.dependencycheck to version 7.4.4, as 8.0.0 doesnt work with proxy https://github.com/jeremylong/DependencyCheck/issues/5313 — committed to adaptris/interlok-apache-http by deleted user a year ago
- Bump org.owasp.dependencycheck to version 7.4.4, as 8.0.0 doesnt work with proxy https://github.com/jeremylong/DependencyCheck/issues/5313 — committed to adaptris/interlok-variable-substitution by deleted user a year ago
- Bump org.owasp.dependencycheck to version 7.4.4, as 8.0.0 doesnt work with proxy https://github.com/jeremylong/DependencyCheck/issues/5313 — committed to adaptris/interlok-xinclude by deleted user a year ago
- Bump org.owasp.dependencycheck to version 7.4.4, as 8.0.0 doesnt work with proxy https://github.com/jeremylong/DependencyCheck/issues/5313 — committed to adaptris/interlok-json by deleted user a year ago
- Bump org.owasp.dependencycheck to version 7.4.4, as 8.0.0 doesnt work with proxy https://github.com/jeremylong/DependencyCheck/issues/5313 — committed to adaptris/interlok-cache by deleted user a year ago
- Bump org.owasp.dependencycheck to version 7.4.4, as 8.0.0 doesnt work with proxy https://github.com/jeremylong/DependencyCheck/issues/5313 — committed to adaptris/interlok-csv by deleted user a year ago
- Bump org.owasp.dependencycheck to version 7.4.4, as 8.0.0 doesnt work with proxy https://github.com/jeremylong/DependencyCheck/issues/5313 — committed to adaptris/interlok-expressions by deleted user a year ago
- Bump org.owasp.dependencycheck to version 7.4.4, as 8.0.0 doesnt work with proxy https://github.com/jeremylong/DependencyCheck/issues/5313 — committed to adaptris/interlok-solace by deleted user a year ago
- Bump org.owasp.dependencycheck to version 7.4.4, as 8.0.0 doesnt work with proxy https://github.com/jeremylong/DependencyCheck/issues/5313 — committed to adaptris/interlok-jmx-jms by deleted user a year ago
- Bump org.owasp.dependencycheck to version 7.4.4, as 8.0.0 doesnt work with proxy https://github.com/jeremylong/DependencyCheck/issues/5313 — committed to adaptris/interlok-wmq by deleted user a year ago
- Bump org.owasp.dependencycheck to version 7.4.4, as 8.0.0 doesnt work with proxy https://github.com/jeremylong/DependencyCheck/issues/5313 — committed to adaptris/interlok-oauth by deleted user a year ago
- Bump org.owasp.dependencycheck to version 7.4.4, as 8.0.0 doesnt work with proxy https://github.com/jeremylong/DependencyCheck/issues/5313 — committed to adaptris/interlok-vcs-git by deleted user a year ago
- Bump org.owasp.dependencycheck to version 7.4.4, as 8.0.0 doesnt work with proxy https://github.com/jeremylong/DependencyCheck/issues/5313 — committed to adaptris/interlok-amqp by deleted user a year ago
- Bump org.owasp.dependencycheck to version 7.4.4, as 8.0.0 doesnt work with proxy https://github.com/jeremylong/DependencyCheck/issues/5313 — committed to adaptris/interlok-aws by deleted user a year ago
- Bump org.owasp.dependencycheck to version 7.4.4, as 8.0.0 doesnt work with proxy https://github.com/jeremylong/DependencyCheck/issues/5313 — committed to adaptris/interlok-cassandra by deleted user a year ago
- Bump org.owasp.dependencycheck to version 7.4.4, as 8.0.0 doesnt work with proxy https://github.com/jeremylong/DependencyCheck/issues/5313 — committed to adaptris/interlok-cxf by deleted user a year ago
- Bump org.owasp.dependencycheck to version 7.4.4, as 8.0.0 doesnt work with proxy https://github.com/jeremylong/DependencyCheck/issues/5313 — committed to adaptris/interlok-service-tester by deleted user a year ago
I’m also getting a 403 from a runner on the Hetzner network. I can’t find anything about a ban list, though.
Experiencing the same problem… gitlab-runner on Hetzner, scan is failing because not able to download from cisa.gov. Downgraded to maven-plugin version 7.4.4.
The known exploited vulnerability catalog does not add any new vulnerabilities… but any vulnerabilities in the catalog likely need to be patched ASAP as there are known attacks happening using the CVE.
On Thu, Jun 29, 2023, 2:52 PM msaubier @.***> wrote:
The site is blocked in GCP europe-west too. Can’t tell if it blocked the whole GCP network but this is already pretty bad on its own. Why are they doing this? Do they want that nobody is using this?
You can use a mirror or proxy via the plugin config like so:
The options would be to mirror the catalog or disable the analyzer.
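The two options named above, shown as a `pom.xml` fragment. This is an added example, not configuration posted in the thread or taken from the project; the mirror host is a placeholder, and `knownExploitedUrl` and `knownExploitedEnabled` are the dependency-check-maven parameters for the catalog URL and the analyzer switch, which should be checked against the documentation for the plugin version in use.

```xml
<!-- Added example: dependency-check-maven configuration for a build host
     that cannot reach www.cisa.gov (proxy CONNECT rejected, or the
     source network refused with HTTP 403). -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>8.0.0</version>
  <configuration>
    <!-- Option 1: read the Known Exploited Vulnerabilities catalog from an
         internal mirror. The host below is a placeholder; the mirror must
         serve an unmodified copy of known_exploited_vulnerabilities.json
         and be refreshed on a schedule, otherwise newly listed CVEs are
         silently missing from the report. -->
    <knownExploitedUrl>https://mirror.example.internal/kev/known_exploited_vulnerabilities.json</knownExploitedUrl>

    <!-- Option 2: turn the analyzer off instead of mirroring. Findings are
         still reported from the NVD data; what is lost is the flag that a
         CVE is known to be exploited. Use one option, not both. -->
    <!-- <knownExploitedEnabled>false</knownExploitedEnabled> -->
  </configuration>
</plugin>
```

Serve the mirror over TLS from a host the build network already trusts, since the scan result depends on the integrity of whatever the mirror returns.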
My gut feel: they whitelisted the URL or the entire CISA website on your proxy