
NVD mirroring error

Open mdouble opened this issue 1 year ago • 3 comments

Current Behavior

NVD mirroring seems not to have worked for a while.

From our logfile:

2024-08-12 09:30:52,563 INFO [NistApiMirrorTask] Mirroring CVEs that were modified since 2024-06-27T23:15:50Z
2024-08-12 09:30:53,662 ERROR [NistApiMirrorTask] An unexpected error occurred while mirroring the contents of the National Vulnerability Database
io.github.jeremylong.openvulnerability.client.nvd.NvdApiException: NVD Returned Status Code: 403
    at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.next(NvdCveClient.java:352)
    at org.dependencytrack.tasks.NistApiMirrorTask.inform(NistApiMirrorTask.java:166)
    at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:110)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.base/java.lang.Thread.run(Unknown Source)
2024-08-12 09:30:53,662 INFO [NistApiMirrorTask] Mirroring of 0 CVEs completed in PT1.0990885S

NVD Feeds URL is https://nvd.nist.gov/feeds
API endpoint is https://services.nvd.nist.gov/rest/json/cves/2.0

API key was updated. Still the same behavior.

Steps to Reproduce

  1. see above

Expected Behavior

Mirroring works. No errors in log.

Dependency-Track Version

4.10.x

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

mdouble, Aug 12 '24 13:08

See: https://docs.dependencytrack.org/changelog/#v4-11-5

This release primarily addresses an inability to mirror the NVD via its REST API. The NVD REST API recently experienced increased load, causing service disruptions. Dependency-Track users who opted into API mirroring will have seen symptoms of this as NvdApiException: NVD Returned Status Code: 503 errors in the logs.

To reduce load on their systems, NIST started to block requests with a certain User-Agent header, which Dependency-Track happens to use. Upgrading to v4.11.5 will allow Dependency-Track to no longer be subject to this block.

Users who can’t immediately update, yet are reliant on NVD data being current, can switch back to the feed file based mirroring by disabling Enable mirroring via API in the administration panel.

nscuro, Aug 12 '24 13:08

Is this the same issue? Returned status code above is "403 Forbidden" while 4.11.5 resolves "503 Service Unavailable".

mdouble, Aug 15 '24 12:08

The 503s were caused by excessive load of NVD servers, which NIST acted on by blocking all clients with a specific User-Agent header. This block will manifest in 403 responses.

Please upgrade to 4.11.5 or later.

nscuro, Aug 19 '24 09:08
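A log check for the failure mode discussed in the two maintainer replies above, added here as an example and not code from the Dependency-Track project: it parses NistApiMirrorTask lines (a constructed sample modelled on the one quoted in the issue), pulls out the "modified since" watermark, the HTTP status in any NvdApiException and the completion count, and flags the run as failed or stale. The thing to notice is that the "Mirroring of 0 CVEs completed" INFO line is written even after the 403, so "completed" on its own is not a health signal. Assumptions: log timestamps are UTC, the 7-day staleness limit is a hypothetical threshold, and the status-code meanings (403 = User-Agent block, 503 = NVD overload) are taken from the replies above, not from any NIST documentation.

```python
"""Detect a failed or stale NVD mirror from Dependency-Track NistApiMirrorTask log lines."""
import re
from datetime import datetime, timezone

# Constructed sample modelled on the log quoted in this issue (not a real capture).
SAMPLE_LOG = """\
2024-08-12 09:30:52,563 INFO [NistApiMirrorTask] Mirroring CVEs that were modified since 2024-06-27T23:15:50Z
2024-08-12 09:30:53,662 ERROR [NistApiMirrorTask] An unexpected error occurred while mirroring the contents of the National Vulnerability Database
io.github.jeremylong.openvulnerability.client.nvd.NvdApiException: NVD Returned Status Code: 403
    at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.next(NvdCveClient.java:352)
2024-08-12 09:30:53,662 INFO [NistApiMirrorTask] Mirroring of 0 CVEs completed in PT1.0990885S
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} (INFO|WARN|ERROR) \[NistApiMirrorTask\] (.*)$"
)
SINCE_RE = re.compile(r"modified since (\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z")
STATUS_RE = re.compile(r"NvdApiException: NVD Returned Status Code: (\d{3})")
DONE_RE = re.compile(r"Mirroring of (\d+) CVEs completed")

# Meaning of each status code in this incident, per the maintainer's replies in the thread.
STATUS_MEANING = {
    403: "blocked: NIST rejects this User-Agent; upgrade to Dependency-Track >= 4.11.5 "
         "or disable 'Enable mirroring via API' to fall back to feed files",
    503: "overloaded: NVD API service disruption; transient, retry later",
}


def parse_mirror_log(text):
    """Summarise the most recent NistApiMirrorTask activity found in ``text``."""
    summary = {"last_run": None, "watermark": None, "status_code": None, "cves_mirrored": None}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Assumption: the container logs in UTC.
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            summary["last_run"] = ts
            msg = m.group(3)
            s = SINCE_RE.search(msg)
            if s:
                summary["watermark"] = datetime.strptime(
                    s.group(1), "%Y-%m-%dT%H:%M:%S"
                ).replace(tzinfo=timezone.utc)
            d = DONE_RE.search(msg)
            if d:
                summary["cves_mirrored"] = int(d.group(1))
            continue
        # The exception line has no timestamp prefix; it follows the ERROR line.
        st = STATUS_RE.search(line)
        if st:
            summary["status_code"] = int(st.group(1))
    return summary


def assess(summary, max_age_days=7):
    """Return (ok, age_days, reason). ``max_age_days`` is a hypothetical threshold."""
    if summary["last_run"] is None or summary["watermark"] is None:
        return False, None, "no NistApiMirrorTask run found in log"
    # How far behind the NVD the local copy is, as of the last run.
    age_days = (summary["last_run"] - summary["watermark"]).days
    code = summary["status_code"]
    if code is not None:
        meaning = STATUS_MEANING.get(code, f"HTTP {code}: inspect manually")
        return False, age_days, (
            f"mirror failed with HTTP {code} ({meaning}); "
            f"local data is {age_days} days behind the NVD"
        )
    if age_days > max_age_days:
        return False, age_days, f"watermark is {age_days} days old (limit {max_age_days})"
    return True, age_days, f"mirrored {summary['cves_mirrored']} CVEs; watermark {age_days} days old"


if __name__ == "__main__":
    ok, age, reason = assess(parse_mirror_log(SAMPLE_LOG))
    print("OK" if ok else "ALERT", reason)
```

Run it against the real log (`docker logs <container> | python3 check_nvd_mirror.py` after swapping the sample for stdin) and alert on anything other than OK; a 403 means the client itself is being rejected, so retrying will not help, whereas a 503 is worth retrying before escalating.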

Upgrading to 4.11.7 resolved the issue.

mdouble, Aug 29 '24 13:08

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

github-actions[bot], Sep 29 '24 10:09