Error scanning after latest update #45

Closed
puredanger opened this issue Dec 28, 2023 · 6 comments
@puredanger

After updating to the latest version, I'm getting an error running a clj-watson scan. This is in the context of https://github.com/clojure/tools.deps:

$ clj -M:cve
...usual stuff...
INFO: Finished configuration in 52 ms.
Downloading/Updating database.
** ERROR: **
Exception: #error {
 :cause Function "MERGE_KNOWNEXPLOITED" not found; SQL statement:
CALL merge_knownexploited(?,?,?,?,?,?,?,?,?) [90022-214]
 :via
 [{:type org.owasp.dependencycheck.data.update.exception.UpdateException
   :message org.owasp.dependencycheck.data.nvdcve.DatabaseException: org.h2.jdbc.JdbcSQLSyntaxErrorException: Function "MERGE_KNOWNEXPLOITED" not found; SQL statement:
CALL merge_knownexploited(?,?,?,?,?,?,?,?,?) [90022-214]
   :at [org.owasp.dependencycheck.data.update.KnownExploitedDataSource update KnownExploitedDataSource.java 93]}
  {:type org.owasp.dependencycheck.data.nvdcve.DatabaseException
   :message org.h2.jdbc.JdbcSQLSyntaxErrorException: Function "MERGE_KNOWNEXPLOITED" not found; SQL statement:
CALL merge_knownexploited(?,?,?,?,?,?,?,?,?) [90022-214]
   :at [org.owasp.dependencycheck.data.nvdcve.CveDB getPreparedStatement CveDB.java 410]}
  {:type org.h2.jdbc.JdbcSQLSyntaxErrorException
   :message Function "MERGE_KNOWNEXPLOITED" not found; SQL statement:
CALL merge_knownexploited(?,?,?,?,?,?,?,?,?) [90022-214]
   :at [org.h2.message.DbException getJdbcSQLException DbException.java 632]}]
 :trace
 [[org.h2.message.DbException getJdbcSQLException DbException.java 632]
  [org.h2.message.DbException getJdbcSQLException DbException.java 477]
  [org.h2.message.DbException get DbException.java 223]
  [org.h2.message.DbException get DbException.java 199]
  [org.h2.command.Parser getFunctionAliasWithinPath Parser.java 2519]
  [org.h2.command.Parser readTableFunction Parser.java 2012]
  [org.h2.command.Parser parseCall Parser.java 6996]
  [org.h2.command.Parser parsePrepared Parser.java 765]
  [org.h2.command.Parser parse Parser.java 689]
  [org.h2.command.Parser parse Parser.java 661]
  [org.h2.command.Parser prepareCommand Parser.java 569]
  [org.h2.engine.SessionLocal prepareLocal SessionLocal.java 631]
  [org.h2.engine.SessionLocal prepareCommand SessionLocal.java 554]
  [org.h2.jdbc.JdbcConnection prepareCommand JdbcConnection.java 1116]
  [org.h2.jdbc.JdbcPreparedStatement <init> JdbcPreparedStatement.java 92]
  [org.h2.jdbc.JdbcConnection prepareStatement JdbcConnection.java 288]
  [org.apache.commons.dbcp2.DelegatingConnection prepareStatement DelegatingConnection.java 713]
  [org.apache.commons.dbcp2.DelegatingConnection prepareStatement DelegatingConnection.java 713]
  [org.owasp.dependencycheck.data.nvdcve.CveDB getPreparedStatement CveDB.java 402]
  [org.owasp.dependencycheck.data.nvdcve.CveDB updateKnownExploitedVulnerabilities CveDB.java 1128]
  [org.owasp.dependencycheck.data.update.KnownExploitedDataSource update KnownExploitedDataSource.java 85]
  [org.owasp.dependencycheck.Engine doUpdates Engine.java 906]
  [org.owasp.dependencycheck.Engine doUpdates Engine.java 878]
  [jdk.internal.reflect.NativeMethodAccessorImpl invoke0 NativeMethodAccessorImpl.java -2]
  [jdk.internal.reflect.NativeMethodAccessorImpl invoke NativeMethodAccessorImpl.java 62]
  [jdk.internal.reflect.DelegatingMethodAccessorImpl invoke DelegatingMethodAccessorImpl.java 43]
  [java.lang.reflect.Method invoke Method.java 566]
  [clojure.lang.Reflector invokeMatchingMethod Reflector.java 167]
  [clojure.lang.Reflector invokeNoArgInstanceMember Reflector.java 438]
  [clj_watson.controller.dependency_check.scanner$update_download_database invokeStatic scanner.clj 14]
  [clj_watson.controller.dependency_check.scanner$update_download_database invoke scanner.clj 11]
  [clj_watson.controller.dependency_check.scanner$build_engine invokeStatic scanner.clj 30]
  [clj_watson.controller.dependency_check.scanner$build_engine invoke scanner.clj 27]
  [clj_watson.controller.dependency_check.scanner$scan_jars invokeStatic scanner.clj 37]
  [clj_watson.controller.dependency_check.scanner$scan_jars invoke scanner.clj 36]
  [clj_watson.controller.dependency_check.scanner$start_BANG_ invokeStatic scanner.clj 48]
  [clj_watson.controller.dependency_check.scanner$start_BANG_ invoke scanner.clj 47]
  [clj_watson.entrypoint$eval11227$fn__11229 invoke entrypoint.clj 29]
  [clojure.lang.MultiFn invoke MultiFn.java 229]
  [clj_watson.entrypoint$scan invokeStatic entrypoint.clj 41]
  [clj_watson.entrypoint$scan invoke entrypoint.clj 40]
  [cli_matic.core$invoke_subcmd invokeStatic core.cljc 546]
  [cli_matic.core$invoke_subcmd invoke core.cljc 525]
  [cli_matic.core$run_cmd_STAR_ invokeStatic core.cljc 589]
  [cli_matic.core$run_cmd_STAR_ invoke core.cljc 560]
  [cli_matic.core$run_cmd invokeStatic core.cljc 601]
  [cli_matic.core$run_cmd invoke core.cljc 591]
  [clj_watson.cli$_main invokeStatic cli.clj 47]
  [clj_watson.cli$_main doInvoke cli.clj 46]
  [clojure.lang.RestFn applyTo RestFn.java 137]
  [clojure.lang.Var applyTo Var.java 705]
  [clojure.core$apply invokeStatic core.clj 667]
  [clojure.main$main_opt invokeStatic main.clj 514]
  [clojure.main$main_opt invoke main.clj 510]
  [clojure.main$main invokeStatic main.clj 664]
  [clojure.main$main doInvoke main.clj 616]
  [clojure.lang.RestFn applyTo RestFn.java 137]
  [clojure.lang.Var applyTo Var.java 705]
  [clojure.main main main.java 40]]}



Dec 28, 2023 1:41:53 PM org.apache.commons.jcs3.engine.control.CompositeCacheManager
INFO: Shutdown hook activated. Shutdown was not called. Shutting down JCS.
@seancorfield
Contributor

Latest version? 4.1.3 or 5.0.0?

NIST has required users of its NVD database to switch to the new API, from the old data feeds. 4.1.3 still uses the data feeds; 5.0.0 uses the API. To use the API, you need a key per the README; however, there's a small bug in how the clj-watson.properties file is read (see #43).

You can work around it in 5.0.0 by specifying -w and the same relative path to where the file would be on the classpath.

Or you can depend on :git/sha "76b687f3eb807ab55632c69ef2c011886513efef" which is the PR that fixes it and will be part of the 5.0.1 release, once @mthbernardes either approves my PRs or removes the requirement for at least one reviewer (since none of the reviewers are currently responding to PR review requests).

Once the PR/merge/push process is simplified, I'll be taking the project over. I started my own fork to create the 5.0.0 release but @mthbernardes and I agree that keeping it under clj-holmes would be better.

@puredanger
Author

puredanger commented Dec 29, 2023

I had switched to 5.0.0. I saw the API stuff and do have a clj-watson.properties file with an API key on the classpath. It did not seem like the error I got was related to the API stuff though?

@puredanger
Author

I switched to the sha above and got the same error.

@seancorfield
Contributor

You may have to rm -rf /tmp/db to get a clean database (cache) setup at this point.

@seancorfield added the documentation (Improvements or additions to documentation) label Jan 13, 2024
@seancorfield self-assigned this Jan 13, 2024

@seancorfield
Contributor

I'll add a Troubleshooting section to the README with this information in it (and maybe other things).

@seancorfield
Contributor

The README already mentioned the /tmp/db folder but only in passing as part of the DependencyCheck section, so I added a note to the Quick Start about deleting it, if it seems to be causing problems.
