
How to ignore Maven dependency-check failure on missing nvd file


I tried to perform a release of my project today using the Maven release plugin. It failed due to the dependency-check-maven plugin's attempt to download the 2020 version of the CVE file, which hasn't yet been uploaded:

Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2020.meta; received 404 -- resource not found

A brief perusal of the NVD Data Feeds page shows that file hasn't been uploaded yet.

Obviously I could wait about 24 hours and this problem will probably go away; however, I'm still interested in knowing how I could override this URL to release my project today. I've tried some command line options including variations on:

mvn dependency-check:check -DcveUrlBase=https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2019.json.gz

However, they still result in errors. I know I can skip this check but would prefer to still check all the files prior to 2020.

This issue suggests creating a local repository with the nist-data-mirror plugin, but that seems like a lot of overhead vs. waiting 24 hours.

Are there any command line or easily-reverted pom.xml edits that will allow me to release my project today?

EDIT: This has been reported as an issue at the plugin site.


Solution

  • My suggestion is to create a separate job for updating the database from the one that checks your dependencies; this way, when updating fails, the check can still occur. This has 2 extra advantages: first, checking of the dependencies is faster as you do not have to build up your database every time and, second, fewer requests have to go to the NVD, which saves them resources.

    NVD now also publishes the 2020 CVEs, so no fix/workaround is needed for now, but he has created a fix https://github.com/jeremylong/DependencyCheck/commit/217da90bd6991125087f0be3a60a60763194ecf1 which will be included in the upcoming release, and this will fix the problem before 2021, when we might encounter this again.

    I would also suggest keeping the suggestions in the GitHub issue that you also mention. Discussions can of course still happen here.

    https://github.com/jeremylong/DependencyCheck/issues/2403
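One way to wire up the split the answer describes, as an added example rather than configuration from the question, the answer or the DependencyCheck project: a Maven profile that runs the plugin's `update-only` goal to refresh the local NVD database, while the regular `check` execution runs with `autoUpdate` disabled so it only reads the already-cached data. The profile id `nvd-update`, the plugin version placeholder and the `failBuildOnCVSS` threshold are assumptions chosen for illustration; `update-only`, `autoUpdate` and `failBuildOnCVSS` are real plugin goals/parameters.

```xml
<!-- Added example: separates "refresh the NVD database" from "check my dependencies". -->
<project>
  <!-- ... groupId, artifactId, version, dependencies ... -->

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>PLUGIN_VERSION_PLACEHOLDER</version> <!-- assumption: fill in the version you use -->
        <executions>
          <execution>
            <id>check-dependencies</id>
            <goals>
              <goal>check</goal>
            </goals>
            <configuration>
              <!-- Never contact the NVD during the build; rely on the cached database.
                   A feed that is not yet published therefore cannot fail the release. -->
              <autoUpdate>false</autoUpdate>
              <!-- Illustrative threshold: fail the build on CVSS 7 or higher. -->
              <failBuildOnCVSS>7</failBuildOnCVSS>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>

  <profiles>
    <!-- Run on a schedule (e.g. a nightly CI job) with: mvn -Pnvd-update dependency-check:update-only
         If this job fails because a feed is missing, the check job above still runs
         against the last successfully downloaded database. -->
    <profile>
      <id>nvd-update</id>
      <build>
        <plugins>
          <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <version>PLUGIN_VERSION_PLACEHOLDER</version>
            <executions>
              <execution>
                <id>refresh-nvd-database</id>
                <goals>
                  <goal>update-only</goal>
                </goals>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>
  </profiles>
</project>
```

Both executions must point at the same data directory (the plugin default, unless you override `dataDirectory`) so the check picks up what the update job downloaded. With this layout a 404 on a not-yet-published yearly feed only surfaces in the scheduled update job, and `mvn release:perform` keeps checking against every CVE already in the local database.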