Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to ignore Maven dependency-check failure on missing nvd file

I tried to perform a release of my project today using the Maven release plugin. It failed due to the dependency-check-maven plugin's attempt to download the 2020 version of the CVD file, which hasn't yet been uploaded:

Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2020.meta; received 404 -- resource not found

A brief perusal of the NVD Data Feeds page shows that file hasn't been uploaded yet.
enter image description here

Obviously I could wait about 24 hours and this problem will probably go away; however, I'm still interested in knowing how I could override this URL to release my project today. I've tried some command line options including variations on:

mvn dependency-check:check -DcveUrlBase=https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2019.json.gz

However, they still result in errors. I know I can skip this check but would prefer to still check all the files prior to 2020.

This issue suggests creating a local repository with the nist-data-mirror plugin, but that seems like a lot of overhead vs. waiting 24 hours.

Are there any command line or easily-reverted pom.xml edits that will allow me to release my project today?

EDIT: This has been reported as an issue at the plugin site.

like image 212
Daniel Widdis Avatar asked Jan 01 '20 20:01

Daniel Widdis


People also ask

Why does my Maven project fail?

In your maven project, If the dependencies are placed not properly. This may result to create problems such as unused dependencies, duplicate dependencies, version conflicts…etc. These result execution failure of the project.

How do I find responsible Maven dependencies?

To find responsible maven dependency, we can build the dependency tree by issuing the following command at the root of the project: This will produce a dependency tree showing each dependency, it’s corresponding transitive dependencies, and finally the libraries that are pulled into your project.

What is MVN dependency analyze command?

This command help to find out what are the used, declared, and undeclared dependencies in your project. This is a superb command for cleanup your pom. Let's check out how the mvn dependency:analyze command works for the above pom.xml. In the above project, I used only the dependency commons-lang3 in the code.

How to resolve dependency related problems in Linux?

Here is the set of 8 important commands that resolves dependency related problems. We are covering the commands such as dependency:tree, dependency: analyze, dependency:analyze-duplicate, dependency:build-classpath, dependency:resolve, dependency:sources, dependency:list-repositories, dependency:copy-dependencies


1 Answers

My suggestion is to create a seperate job for updating the database from checking your dependencies, this way when updating fails the check can still occur. This has 2 extra advantages, first, checking of the dependencies is faster as you do not have to build up your database every time and, second, less requests have to go to the NVD which saves them resources.

NVD now also publishes the 2020 CVE's so no fix/workaround is needed for now, but he has created a fix https://github.com/jeremylong/DependencyCheck/commit/217da90bd6991125087f0be3a60a60763194ecf1 which will be included in the upcoming release and this will fix the problem before 2021 when we might encounter this again.

I would also suggest to keep the suggestions in the github issue that you also mention. Discussions can of-course still happen here.

https://github.com/jeremylong/DependencyCheck/issues/2403

like image 78
V Jansen Avatar answered Oct 08 '22 11:10

V Jansen