无法下载NVD CVE数据

问题描述 投票:0回答:1
[INFO]
[INFO] --- dependency-check-maven:4.0.2:check (default) @ realtimePaymachine ---
[INFO] Central analyzer disabled
[WARNING] The POM for com.oracle:ojdbc:jar:12.2.0.1 is missing, no dependency information available
[INFO] Checking for updates
[INFO] starting getUpdatesNeeded() ...
[ERROR] IO Exception connecting to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2009.xml.gz: HEAD request returned a non-200 status code: https://nvd.nist.gov/feeds/xm
l/cve/2.0/nvdcve-2.0-2009.xml.gz
[ERROR] IO Exception connecting to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2010.xml.gz: HEAD request returned a non-200 status code: https://nvd.nist.gov/feeds/xm
l/cve/2.0/nvdcve-2.0-2010.xml.gz
[ERROR] IO Exception connecting to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2011.xml.gz: HEAD request returned a non-200 status code: https://nvd.nist.gov/feeds/xm
l/cve/2.0/nvdcve-2.0-2011.xml.gz
[ERROR] IO Exception connecting to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2007.xml.gz: HEAD request returned a non-200 status code: https://nvd.nist.gov/feeds/xm
l/cve/2.0/nvdcve-2.0-2007.xml.gz
[ERROR] IO Exception connecting to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2020.xml.gz: HEAD request returned a non-200 status code: https://nvd.nist.gov/feeds/xm
l/cve/2.0/nvdcve-2.0-2020.xml.gz
[ERROR] IO Exception connecting to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2002.xml.gz: HEAD request returned a non-200 status code: https://nvd.nist.gov/feeds/xm
l/cve/2.0/nvdcve-2.0-2002.xml.gz
[ERROR] IO Exception connecting to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2008.xml.gz: HEAD request returned a non-200 status code: https://nvd.nist.gov/feeds/xm
l/cve/2.0/nvdcve-2.0-2008.xml.gz
[ERROR] IO Exception connecting to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2004.xml.gz: HEAD request returned a non-200 status code: https://nvd.nist.gov/feeds/xm
l/cve/2.0/nvdcve-2.0-2004.xml.gz
[ERROR] IO Exception connecting to https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2018.xml.gz: HEAD request returned a non-200 status code: https://nvd.nist.gov/feeds/xm
l/cve/2.0/nvdcve-2.0-2018.xml.gz
[WARNING] Unable to download the NVD CVE data; the results may not include the most recent CPE/CVEs from the NVD.
[INFO] If you are behind a proxy you may need to configure dependency-check to use the proxy.
[WARNING] Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
[ERROR] No documents exist

Unable to continue dependency-check analysis.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  13.128 s
[INFO] Finished at: 2020-03-11T23:10:47-06:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:4.0.2:check (default) on project realtimePaymachine: Fatal exception(s) analyzing realtimePaymachine: Unable
 to continue dependency-check analysis.
[ERROR]         Unable to download the NVD CVE data.
[ERROR]         No documents exist
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

在pom.xml中,我添加了ojdbc依赖项

 <dependency>
            <groupId>com.oracle</groupId>
            <artifactId>ojdbc</artifactId>
            <version>${ojdbc.version}</version>
            <scope>provided</scope>
        </dependency>

当我进行构建时,无法下载NVD CVE数据。我是否必须包含依赖项来重命名该问题或任何方式,以便我可以尝试所有可能的方式提供任何帮助?

java spring ojdbc
1个回答
0
投票

通过cURL访问这些端点将提供以下输出:

curl -v https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-2018.xml.gz
*   Trying 2600:1f18:268d:1d01:f609:5e91:8a48:f546...
* TCP_NODELAY set
* Connected to nvd.nist.gov (2600:1f18:268d:1d01:f609:5e91:8a48:f546) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=Maryland; L=Gaithersburg; O=National Institute of Standards and Technology; OU=OISM; CN=nvd.nist.gov
*  start date: Oct 15 00:00:00 2019 GMT
*  expire date: Oct 15 12:00:00 2020 GMT
*  subjectAltName: host "nvd.nist.gov" matched cert's "nvd.nist.gov"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
*  SSL certificate verify ok.
> GET /feeds/xml/cve/2.0/nvdcve-2.0-2018.xml.gz HTTP/1.1
> Host: nvd.nist.gov
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 410 Data Feed/Service Retired
< server: Microsoft-IIS/8.5
< x-frame-options: SAMEORIGIN
< date: Thu, 12 Mar 2020 06:29:02 GMT
< content-length: 0
< strict-transport-security: max-age=31536000

它说410数据馈送/服务已退休,表明他们不再支持此服务/端点。

您上一次可以成功运行此检查的时间是?

UPDATE

似乎他们的页面当前也确实很慢/无法访问:https://nvd.nist.gov/。我认为他们目前有一个问题。因此,请等待一段时间或暂时禁用该检查,以至少获得成功的构建。

© www.soinside.com 2019 - 2024. All rights reserved.