Failing on processing NVD data due to unknown field: cvssMetricV40 #6746
Comments
|
Related to jeremylong/Open-Vulnerability-Project#163 |
|
My project stuck due to this issue. Is there a workaround while waiting for the fix to be published. |
|
No workaround unless you pre-process NVD API data to remove But there is a fix coming :-) |
|
Thanks for the update. Is there a view on when this fix will be available? Assuming this is to be a new version 9.2.1 or 9.3.0? |
|
I'm not the maintainer obviously, but he mentioned at jeremylong/Open-Vulnerability-Project#163 (comment) intent to release the library that needs fixing in "the morning" and then update ODC to use it and release ODC and plugins. But no idea what timezone that means so perhaps not so helpful. 😅 Possibly UTC-4 (US east coast), meaning at least 7-8 hours away 😃 |
|
fix will be in 10.0.0 - which should be published tomorrow morning (US Eastern timezone). |
|
See #6756 - which allows the update to occur. But CvssV4 has not yet been added to the report. |
|
Our dependency check gets stuck with "NVD API request failures are occurring; retrying request for the 5 time" messages for hours since friday, I assume this is the same problem? |
@echalone Yes. The actual reason for the errors is hidden unless you turn on The "blind" retry has also been changed for the next version in jeremylong/Open-Vulnerability-Project#168, so future API compatibility problems like this should fail fast rather than seeming stuck. Might need some more iteration to retry certain types of errors depending on how well behaving the NVD API is when it's under load (e.g if it starts returning HTTP |
Thank you for the explanation :) |
|
I used this script to patch our cached database: Use at your own risk. 😬 |
|
The 10.0.0 release is happening now. However, due to other commitments, I may not be able to push the gradle plugin until later today. |
|
After Update to 10.0.0 |
Did you interrupt the upgrade the first time or have two instances trying to update the same database at the same time? Looks OK, so looks like trying to upgrade an already upgraded database, perhaps. If it’s just H2, perhaps you want to try from a clean database. |
|
I switched from 9.2.0 to 10.0.0 and run the check on one project. And I get this error. |
|
I cleaned the DB and startet it again. The problem is that the first run need time. |
|
I'm testing now, but looks like some of the manual db scripts forgot to increment to 5.5? Maybe also explains the above if you using a centralized db? |
The error was on local windows enviroment. On Linux the updated run without any issue. |
Looks like query for postgres is missing two params, so its failing withThe column index is out of range: 71, number of columns: 70 as update query only has 70 columns, but all the other dbs appear to expect 72?
|
|
In my Case looks like similar to @SMUnlimited. I Create a new Postgresql DB with the "initialize_postgres.sql". I change the last line in to INSERT INTO properties(id,value) VALUES ('version','5.5'); After that the Error like Database schema does not match this version of dependency-check: Database schema is out of date -> [Help 1] .... is gone but i got [ERROR] Failed to process CVE-2000-0564 |
|
We have updated from 9.1.0 to 10.0.0 and works ok. |
|
I think the issue with the postgresql error is due to 2 missing statements in the SQL in file (core/src/main/resources/data/dbStatements_postgresql.properties), I've commented the commit (ad0d16a) @jeremylong, with where I think the issues might be. Hope it helps and thank you for your effort. |
|
Thanks for the update. From fresh local update it completes the update but lots of errors. Repeated on 5 different VM's S:\sqa>S:\sqa\node\tools\dependency-check\bin\dependency-check --nvdApiKey XXX --updateonly --data S:\sqa\depcheckdata |
|
Seeing the same issues on our pipelines too with version |
|
Same here... |
|
@rupreck - the errors listed are from me accidentally leaving a line of debug code in place. You update worked successfully. I'll remove my debug code |
|
The issue with CvssMetricV40 has been resolved - as such, I am closing this issue. You can follow along with this projects inability to do anything about the NVD API returning a 503/timeout/etc. here: #6758 Biggest suggestion is to use an API key and increase the |
|
First of all, thanks for all updates. When I make these changes manually it al starts to work (waiting on update right now, that's taking some time). |
|
@PeterPaulH thank you for the report. We are fixing the script now: #6776 |
|
thx a lot at the end i change the Version manually from 5.4 to 5.5 |
|
Thanks @jeremylong for the quick fixes. |
This gets rid of log lines like: ``` [2024-07-02 03:51:36.108] ERROR CveDB - Updating CVE: CVE-2024-5635 ``` Which were not errors but debug log lines left in by accident: - jeremylong/DependencyCheck#6746 (comment) - jeremylong/DependencyCheck@8c731cd
This gets rid of log lines like: ``` [2024-07-02 03:51:36.108] ERROR CveDB - Updating CVE: CVE-2024-5635 ``` Which were not errors but debug log lines left in by accident: - jeremylong/DependencyCheck#6746 (comment) - jeremylong/DependencyCheck@8c731cd
This gets rid of log lines like: ``` [2024-07-02 03:51:36.108] ERROR CveDB - Updating CVE: CVE-2024-5635 ``` Which were not errors but debug log lines left in by accident: - jeremylong/DependencyCheck#6746 (comment) - jeremylong/DependencyCheck@8c731cd
This gets rid of log lines like: ``` [2024-07-02 03:51:36.108] ERROR CveDB - Updating CVE: CVE-2024-5635 ``` Which were not errors but debug log lines left in by accident: - jeremylong/DependencyCheck#6746 (comment) - jeremylong/DependencyCheck@8c731cd
|
Sorry for the question which may seem dumb but: are we forced to upgrade immediately to version 10+ because older version's databases cannot be updated anymore due to the new field cvssMetricV40 ? |
|
Closed, but it produced breaking changes. The SonarQube Hotspots feature no longer contains Dependency Hotspots. Will raise with maintainers of that plugin, but this has been extremely disruptive. |
|
You need to upgrade to ODC 10+. Additionally, we have not updated the reports at all - only the parsing of the NVD data. Updating the reports will occur in a future version. Any issues currently being faced are likely due to the NVD API not being available - they are aware of the problem and are working on it. |
Describe the bug
The plugin cannot read the response due to an unknown field: cvssMetricV40
Version of dependency-check used
The problem occurs using version 9.2.0 of the maven plugin
Log file
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Check works
Additional context
If you don't enable maven debug logging, it appears that the process is stuck forever
The text was updated successfully, but these errors were encountered: