feat: add message about mirror when nvd is down

Open terriko opened this issue 1 year ago • 6 comments

@torabi12 posted a really interesting screenshot of what it looked like when NVD API2 failed while NVD was down:

          I can not update the DB using api2:

image

Originally posted by @torabi12 in https://github.com/intel/cve-bin-tool/issues/3541#issuecomment-1827317405

We should really make it easier for people to find out that if NVD is down they could fail over to the https://cveb.in mirror. I'd suggest if we have any sort of network failure with NVD that fails completely (e.g. do let it actually retry appropriately before failing over) we should print a big warning message explaining that NVD appears to be down and we're reverting to the mirror, then do that.

We should also update our documentation to make sure we explain how to switch to the mirror if you're having other weirdness with NVD (it happens sometimes, and is likely to happen more as they do some technical changes in December). The answer is you have to remove your NVD_API_KEY from your config/environment/command line flags, and I don't think that's terribly obvious.

terriko avatar Nov 29 '23 20:11 terriko

Yes, it would be great, because the user does not know what is behind the curtain. :)

torabi12 avatar Nov 29 '23 20:11 torabi12

Hey @terriko, I would like to take on this issue. Could you please guide me a bit on how to get started with it?

ayushthe1 avatar Jan 15 '24 13:01 ayushthe1

@ayushthe1

A quick way to start:

  • try disconnecting your computer from the network and then running cve-bin-tool -u now and seeing where it fails with a python traceback instead of a nice error message. You probably want to disable all data sources other than NVD so you don't have to wait for every other timeout too.
  • figure out how to catch the NVD related failure and have it switch to the mirror (which will also fail, and may need a nicer error message associated with it)
  • Note that since you're disconnected the mirror will also fail so you might as well make sure that prints an error message instead of a traceback too.

I think it generates a request network timeout error or something similar. Make sure whatever you do doesn't break whatever we have in place to do retries and only happens after we've given up on those. This likely isn't a super easy bug so be prepared for it to be confusing!

We also have a vague intention of standardizing the network libraries we use to all be requests, so if switching to requests right now makes your job easier don't be afraid to go that route.

terriko avatar Jan 16 '24 21:01 terriko
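The behaviour outlined in the comment above, as an added sketch that is not cve-bin-tool's own code: retries run to completion first, then a warning announces the switch to the mirror, and a failure of both sources becomes one readable error rather than a traceback. The function names, the injected fetch callables and the `DataSourceUnavailable` exception are hypothetical; the fetchers in the demo are constructed stand-ins.

```python
import logging
import time

log = logging.getLogger("nvd_failover_example")


class DataSourceUnavailable(Exception):
    """NVD and the mirror both failed after their retries (hypothetical name)."""


def fetch_with_retries(fetch, name, retries=3, backoff=1.0, sleep=time.sleep):
    """Call fetch() up to `retries` times and re-raise the last network error."""
    for attempt in range(1, retries + 1):
        try:
            return fetch()
        except OSError as exc:
            # urllib's URLError, requests' RequestException, socket timeouts and
            # connection errors all derive from OSError.
            log.info("%s attempt %d/%d failed: %s", name, attempt, retries, exc)
            if attempt == retries:
                raise
            sleep(backoff * 2 ** (attempt - 1))  # exponential backoff


def update_from_nvd_or_mirror(fetch_nvd, fetch_mirror, **retry_opts):
    """Return (source_used, data); fail over only once NVD retries are exhausted."""
    try:
        return "nvd", fetch_with_retries(fetch_nvd, "NVD", **retry_opts)
    except OSError as nvd_exc:
        log.warning("NVD appears to be down (%s); reverting to the mirror at "
                    "https://cveb.in", nvd_exc)
    try:
        return "mirror", fetch_with_retries(fetch_mirror, "mirror", **retry_opts)
    except OSError as mirror_exc:
        # A caller can print this message and exit instead of showing a traceback.
        raise DataSourceUnavailable(
            "NVD and the mirror are both unreachable "
            f"({mirror_exc}); check your network connection.") from mirror_exc


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)

    def nvd_down():  # constructed stand-in for a failing NVD request
        raise TimeoutError("NVD request timed out")

    print(update_from_nvd_or_mirror(nvd_down, lambda: {"cve_count": 2},
                                    sleep=lambda s: None))
```

Returning the source name alongside the data lets the caller record which feed the database was built from.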

Hey @ayushthe1, are you working on this?

inosmeet avatar Feb 04 '24 04:02 inosmeet

          Hey @ayushthe1, are you working on this?

Yes @Dev-Voldemort, I'm working. Will open a PR in a few days on it. Was busy with my exams, so have been late on it. 😀

ayushthe1 avatar Feb 04 '24 05:02 ayushthe1

Any update? @ayushthe1

inosmeet avatar Mar 11 '24 10:03 inosmeet