Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

DependencyCheck no longer working #6853

Closed
Chelseasweeney07 opened this issue Jul 17, 2024 · 6 comments
Closed

DependencyCheck no longer working #6853

Chelseasweeney07 opened this issue Jul 17, 2024 · 6 comments

Comments

@Chelseasweeney07
Copy link

OWASP pipeline had been working as needed/expected in Azure pipeline. Within the last week-all pipelines are failing saying:
[ERROR] Error updating the NVD Data; the NVD returned a 403 or 404 error
[INFO] Skipping Known Exploited Vulnerabilities update check since last check was within 24 hours.
[WARN] Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
[ERROR] Unable to continue dependency-check analysis.
[ERROR] One or more fatal errors occurred
[ERROR] Error updating the NVD Data; the NVD returned a 403 or 404 error

Please ensure your API Key is valid; see https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#api-key-is-used-and-a-403-or-404-error-occurs

If your NVD API Key is valid try increasing the NVD API Delay.

If this is ocurring in a CI environment
[ERROR] No documents exist
Dependency Check completed with exit code 13.
Dependency Check reports:
[]
Dependency Check failed with message "Dependency Check exited with an error code (exit code: 13)."
##[error]Dependency Check exited with an error code (exit code: 13).

I ensured API is good. Not sure what changed that it is now not working...

Version of dependency-check used
Dependency-Check Core version 9.2.0

Expected behavior
For it to succeed if no vulnerabilities or fail and produce report with vulnerabilities

Additional context
[INFO] Skipping Known Exploited Vulnerabilities update check since last check was within 24 hours.
[WARN] Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
[ERROR] Unable to continue dependency-check analysis.
[ERROR] One or more fatal errors occurred
[ERROR] Error updating the NVD Data; the NVD returned a 403 or 404 error

@chadlwilson
Copy link
Contributor

#6817

@Chelseasweeney07
Copy link
Author

Chelseasweeney07 commented Jul 17, 2024 via email

@chadlwilson
Copy link
Contributor

chadlwilson commented Jul 17, 2024

The Azure DevOps plugin is not maintained by this project, but I believe you can tell it whet underlying ODC version to use - or it defaults to the latest version by default.

If your pipelines are using an old version you should check your configuration. Perhaps you have fixed the version or are using a custom repo to download dependency check itself (which has an old version).

@Chelseasweeney07
Copy link
Author

Chelseasweeney07 commented Jul 17, 2024 via email

@chadlwilson
Copy link
Contributor

Not 100% sure, I don't use ADO.

But probably needs you to download one of the release zips from https://github.com/jeremylong/DependencyCheck/releases and put it in the right location.

Otherwise you might need to ask over at https://github.com/dependency-check/azuredevops

@Chelseasweeney07
Copy link
Author

Chelseasweeney07 commented Jul 17, 2024 via email

@aikebah aikebah closed this as completed Jul 19, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 8, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

3 participants