We have recently started facing a new error when running the Maven check plugin in our Spring Boot project.
Our configuration is below:
<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>8.2.1</version>
    <configuration>
        <formats>
            <format>html</format>
            <format>json</format>
        </formats>
    </configuration>
    <executions>
        <execution>
            <goals>
                <goal>check</goal>
            </goals>
        </execution>
    </executions>
</plugin>
After running the Maven dependency check, this is a capture of the error logs:
2023-12-01T16:59:53.8260662Z [WARNING] A new version of dependency-check is available. Consider updating to version 9.0.2.
2023-12-01T16:59:53.9300519Z [INFO] Updating CISA Known Exploited Vulnerability list: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
2023-12-01T16:59:54.0402611Z [ERROR] Error reading CISA Known Exploited Vulnerabilities JSON data
2023-12-01T16:59:54.0446587Z [ERROR] Unable to find the CISA Known Exploited Vulnerabilities file to parse
2023-12-01T16:59:54.0448462Z org.owasp.dependencycheck.data.update.exception.UpdateException: Unable to find the CISA Known Exploited Vulnerabilities file to parse
2023-12-01T16:59:54.0451357Z at org.owasp.dependencycheck.data.update.cisa.KnownExploitedVulnerabilityParser.parse (KnownExploitedVulnerabilityParser.java:84)
2023-12-01T16:59:54.0452940Z at org.owasp.dependencycheck.data.update.KnownExploitedDataSource.update (KnownExploitedDataSource.java:82)
2023-12-01T16:59:54.0453968Z at org.owasp.dependencycheck.Engine.doUpdates (Engine.java:900)
2023-12-01T16:59:54.0454784Z at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase (Engine.java:705)
2023-12-01T16:59:54.0455791Z at org.owasp.dependencycheck.Engine.analyzeDependencies (Engine.java:631)
2023-12-01T16:59:54.0456909Z at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.runCheck (BaseDependencyCheckMojo.java:1919)
2023-12-01T16:59:54.0458119Z at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:1102)
2023-12-01T16:59:54.0459304Z at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
2023-12-01T16:59:54.0460409Z at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2 (MojoExecutor.java:370)
2023-12-01T16:59:54.0461390Z at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:351)
2023-12-01T16:59:54.0462336Z at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)
2023-12-01T16:59:54.0463286Z at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:171)
2023-12-01T16:59:54.0464232Z at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:163)
2023-12-01T16:59:54.0465322Z at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
2023-12-01T16:59:54.0466800Z at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
2023-12-01T16:59:54.0468146Z at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
2023-12-01T16:59:54.0469387Z at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
2023-12-01T16:59:54.0470266Z at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:298)
2023-12-01T16:59:54.0471003Z at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
2023-12-01T16:59:54.0471819Z at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
2023-12-01T16:59:54.0472492Z at org.apache.maven.cli.MavenCli.execute (MavenCli.java:960)
2023-12-01T16:59:54.0473157Z at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:293)
2023-12-01T16:59:54.0473799Z at org.apache.maven.cli.MavenCli.main (MavenCli.java:196)
2023-12-01T16:59:54.0474482Z at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
2023-12-01T16:59:54.0475386Z at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
2023-12-01T16:59:54.0476466Z at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
2023-12-01T16:59:54.0477309Z at java.lang.reflect.Method.invoke (Method.java:566)
2023-12-01T16:59:54.0478085Z at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
2023-12-01T16:59:54.0479028Z at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
2023-12-01T16:59:54.0479998Z at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
2023-12-01T16:59:54.0480958Z at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
2023-12-01T16:59:54.0484209Z Caused by: com.fasterxml.jackson.databind.exc.InvalidFormatException: Cannot deserialize value of type `java.util.Date` from String "2023-12-01T15:09:26..642Z": not a valid representation (error: Failed to parse Date value '2023-12-01T15:09:26..642Z': Cannot parse date "2023-12-01T15:09:26..642Z": while it seems to fit format 'yyyy-MM-dd'T'HH:mm:ss.SSSX', parsing fails (leniency? null))
2023-12-01T16:59:54.0487501Z at [Source: (InputStreamReader); line: 4, column: 21] (through reference chain: org.owasp.dependencycheck.data.knownexploited.json.KnownExploitedVulnerabilitiesSchema["dateReleased"])
2023-12-01T16:59:54.0489077Z at com.fasterxml.jackson.databind.exc.InvalidFormatException.from (InvalidFormatException.java:67)
2023-12-01T16:59:54.0490312Z at com.fasterxml.jackson.databind.DeserializationContext.weirdStringException (DeserializationContext.java:1996)
2023-12-01T16:59:54.0491639Z at com.fasterxml.jackson.databind.DeserializationContext.handleWeirdStringValue (DeserializationContext.java:1224)
2023-12-01T16:59:54.0493028Z at com.fasterxml.jackson.databind.deser.std.StdDeserializer._parseDate (StdDeserializer.java:1362)
2023-12-01T16:59:54.0494167Z at com.fasterxml.jackson.databind.deser.std.StdDeserializer._parseDate (StdDeserializer.java:1304)
2023-12-01T16:59:54.0495470Z at com.fasterxml.jackson.databind.deser.std.DateDeserializers$DateBasedDeserializer._parseDate (DateDeserializers.java:201)
2023-12-01T16:59:54.0496879Z at com.fasterxml.jackson.databind.deser.std.DateDeserializers$DateDeserializer.deserialize (DateDeserializers.java:303)
2023-12-01T16:59:54.0498272Z at com.fasterxml.jackson.databind.deser.std.DateDeserializers$DateDeserializer.deserialize (DateDeserializers.java:281)
2023-12-01T16:59:54.0499682Z at com.fasterxml.jackson.module.blackbird.deser.SettableObjectProperty.deserializeAndSet (SettableObjectProperty.java:44)
2023-12-01T16:59:54.0500997Z at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize (BeanDeserializer.java:278)
2023-12-01T16:59:54.0502265Z at com.fasterxml.jackson.module.blackbird.deser.SuperSonicBeanDeserializer.deserialize (SuperSonicBeanDeserializer.java:155)
2023-12-01T16:59:54.0503802Z at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue (DefaultDeserializationContext.java:323)
2023-12-01T16:59:54.0504966Z at com.fasterxml.jackson.databind.ObjectReader._bind (ObjectReader.java:2079)
2023-12-01T16:59:54.0505839Z at com.fasterxml.jackson.databind.ObjectReader.readValue (ObjectReader.java:1229)
2023-12-01T16:59:54.0507065Z at org.owasp.dependencycheck.data.update.cisa.KnownExploitedVulnerabilityParser.parse (KnownExploitedVulnerabilityParser.java:77)
2023-12-01T16:59:54.0508510Z at org.owasp.dependencycheck.data.update.KnownExploitedDataSource.update (KnownExploitedDataSource.java:82)
2023-12-01T16:59:54.0509481Z at org.owasp.dependencycheck.Engine.doUpdates (Engine.java:900)
2023-12-01T16:59:54.0510266Z at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase (Engine.java:705)
2023-12-01T16:59:54.0511139Z at org.owasp.dependencycheck.Engine.analyzeDependencies (Engine.java:631)
2023-12-01T16:59:54.0512138Z at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.runCheck (BaseDependencyCheckMojo.java:1919)
2023-12-01T16:59:54.0513306Z at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:1102)
2023-12-01T16:59:54.0514477Z at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
2023-12-01T16:59:54.0515544Z at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2 (MojoExecutor.java:370)
2023-12-01T16:59:54.0516502Z at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:351)
2023-12-01T16:59:54.0517456Z at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)
2023-12-01T16:59:54.0518392Z at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:171)
2023-12-01T16:59:54.0519329Z at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:163)
2023-12-01T16:59:54.0520415Z at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
2023-12-01T16:59:54.0521701Z at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
2023-12-01T16:59:54.0523048Z at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
2023-12-01T16:59:54.0524269Z at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
2023-12-01T16:59:54.0525159Z at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:298)
2023-12-01T16:59:54.0525890Z at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
2023-12-01T16:59:54.0526611Z at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
2023-12-01T16:59:54.0527277Z at org.apache.maven.cli.MavenCli.execute (MavenCli.java:960)
2023-12-01T16:59:54.0527929Z at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:293)
2023-12-01T16:59:54.0528562Z at org.apache.maven.cli.MavenCli.main (MavenCli.java:196)
2023-12-01T16:59:54.0529234Z at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
2023-12-01T16:59:54.0530125Z at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
2023-12-01T16:59:54.0531196Z at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
2023-12-01T16:59:54.0532030Z at java.lang.reflect.Method.invoke (Method.java:566)
2023-12-01T16:59:54.0532802Z at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
2023-12-01T16:59:54.0533736Z at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
2023-12-01T16:59:54.0534667Z at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
2023-12-01T16:59:54.0535662Z at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
2023-12-01T16:59:54.0536296Z [INFO] Begin database defrag
2023-12-01T17:00:01.6980202Z [INFO] End database defrag (7661 ms)
2023-12-01T17:00:01.7008453Z [WARNING] Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
2023-12-01T17:00:01.7010049Z [ERROR] Unable to continue dependency-check analysis.
2023-12-01T17:00:02.0368360Z [INFO] ------------------------------------------------------------------------
2023-12-01T17:00:02.0378862Z [INFO] BUILD FAILURE
2023-12-01T17:00:02.0381631Z [INFO] ------------------------------------------------------------------------
2023-12-01T17:00:02.0382344Z [INFO] Total time: 06:37 min
2023-12-01T17:00:02.0382810Z [INFO] Finished at: 2023-12-01T17:00:02Z
2023-12-01T17:00:02.0383496Z [INFO] ------------------------------------------------------------------------
2023-12-01T17:00:02.0385139Z [ERROR] Failed to execute goal org.owasp:dependency-check-maven:8.2.1:check (default) on project acet-api: Fatal exception(s) analyzing acet-api: One or more exceptions occurred during analysis:
2023-12-01T17:00:02.0386722Z [ERROR] UpdateException: Unable to find the CISA Known Exploited Vulnerabilities file to parse
2023-12-01T17:00:02.0389667Z [ERROR] caused by InvalidFormatException: Cannot deserialize value of type `java.util.Date` from String "2023-12-01T15:09:26..642Z": not a valid representation (error: Failed to parse Date value '2023-12-01T15:09:26..642Z': Cannot parse date "2023-12-01T15:09:26..642Z": while it seems to fit format 'yyyy-MM-dd'T'HH:mm:ss.SSSX', parsing fails (leniency? null))
2023-12-01T17:00:02.0392812Z [ERROR] at [Source: (InputStreamReader); line: 4, column: 21] (through reference chain: org.owasp.dependencycheck.data.knownexploited.json.KnownExploitedVulnerabilitiesSchema["dateReleased"])
2023-12-01T17:00:02.0394086Z [ERROR] NoDataException: No documents exist
We have tried upgrading the plugin version to 9.0.0 but still get the same error.
After a first log analysis, the problem is caused by the cisa.gov JSON file, because the attribute dateReleased is malformed.
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Does anyone know how to bypass this error or should we wait for cisa.org to modify the file?
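
A pre-flight check for the feed defect shown in the log above, as an added example that is not part of the original post or of dependency-check: it reports the offset at which a feed's dateReleased stops matching the yyyy-MM-dd'T'HH:mm:ss.SSSX layout named in the exception, so a pipeline can tell an upstream data defect from a plugin fault. The function names, the accepted zone suffixes and the sample documents are assumptions made for this example.

```python
import json
import re
from datetime import datetime

# Layout named in the exception message: yyyy-MM-dd'T'HH:mm:ss.SSSX
# ("d" = one ASCII digit, anything else = that literal character).
TEMPLATE = "dddd-dd-ddTdd:dd:dd.ddd"
# Assumption: the zone suffix is "Z" or a numeric offset such as +01 or +01:00.
ZONE = re.compile(r"Z|[+-][0-9]{2}(:?[0-9]{2})?")


def first_deviation(value):
    """Return the offset where value stops matching the layout, or None."""
    for i, want in enumerate(TEMPLATE):
        if i >= len(value):
            return i
        ok = value[i] in "0123456789" if want == "d" else value[i] == want
        if not ok:
            return i
    if not ZONE.fullmatch(value[len(TEMPLATE):]):
        return len(TEMPLATE)
    try:  # layout is right; still reject impossible values such as month 13
        datetime.strptime(value[:len(TEMPLATE)], "%Y-%m-%dT%H:%M:%S.%f")
    except ValueError:
        return 0
    return None


def check_feed(raw_json, field="dateReleased"):
    """Classify a feed document: returns a dict with ok / value / detail."""
    try:
        doc = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return {"ok": False, "value": None, "detail": f"invalid JSON: {exc.msg}"}
    value = doc.get(field) if isinstance(doc, dict) else None
    if not isinstance(value, str):
        return {"ok": False, "value": value, "detail": f"{field} missing or not a string"}
    pos = first_deviation(value)
    if pos is None:
        return {"ok": True, "value": value, "detail": "timestamp matches layout"}
    return {"ok": False, "value": value,
            "detail": f"{field} deviates from layout at offset {pos}: {value[pos:]!r}"}


# Constructed samples: the malformed value is the one quoted in the log above;
# the well-formed one is the same value with the repeated dot removed.
BAD_FEED = '{"dateReleased": "2023-12-01T15:09:26..642Z", "vulnerabilities": []}'
GOOD_FEED = '{"dateReleased": "2023-12-01T15:09:26.642Z", "vulnerabilities": []}'

if __name__ == "__main__":
    for name, feed in (("bad", BAD_FEED), ("good", GOOD_FEED)):
        print(name, check_feed(feed))
```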