Dependency-Track NVD API mirroring for Dependency-Check #3293
Comments
@tomkuipers To my understanding, dependency-check 9.x will not work with Dependency-Track's NVD mirror functionality, because only NVD API 1.1 (data feeds) are made available for other tools. I suspect I'm struggling with the same scenario
and now want to switch to (not working or haven't found a solution yet)
This issue may be relevant for you as well: jeremylong/DependencyCheck#6277
@aggeboe Thank you for referencing the dependency-check issue. We have the same scenario indeed.
It might be best that DT adapts to working with the cache created by
If DT is concerned about avoiding EOL-ing the NVD API 1.1 (data feeds): CI implementations of dependency-check V9+ have to change their usage anyway, as dependency-check V9+'s command line arguments changed with the support of NIST NVD API v2,
But that would mean the introduction of another piece of infrastructure. I would rather like DT to function as this central cache, just like before with dependency-track 4.9.x and dependency-check 8.x.
@tomkuipers +1 Thus, we really hoped that a similar mechanism would be in place for the NVD API 2.0 in DT 4.10.0, for it to continue to function as a central cache.
…ia API again Addresses DependencyTrack#3293 Signed-off-by: nscuro <nscuro@protonmail.com>
For those not following the linked DependencyCheck thread, what we'll do on the DT side is to provide an optional feature which can be used to emulate the NVD's REST API: jeremylong/DependencyCheck#6277 (comment) Dependency-Check 9.0.5 now supports customization of the REST API URL, so once this is implemented in DT, you'll be able to point DC to DT's emulated API endpoint.
@nscuro Thanks for all your hard work, really looking forward to release
I'm also looking forward to version
On Monday I installed 4.10.0 and set up the new NIST Rest API.
Is this related to the OP issue?
Yesterday I installed 4.10.0 and set up the new NIST Rest API.
@Kretikus Does it ever complete successfully? There should be a log line stating:
Unfortunately due to the way the API was designed, we cannot store intermediate last modification timestamps, it's only possible at the very end of the mirror operation... @officerNordberg Can you share your configuration in the UI? What toggles did you enable / disable? I've gotten some feedback via Slack already that the way it's structured is confusing so I'll definitely get that improved. As an FYI we did get confirmation from the NVD via email that feeds will not be retired as planned on the 18th. I asked about a public statement but haven't yet gotten feedback. But I want you to know that, as per my current knowledge, you will not be cut off from NVD updates if the REST API integration doesn't work for you right now.
@nscuro got the same heads up on the predictable further delay of the feed retirement through yocto/linux foundation this morning. I have all 3 toggles enabled, I have tried just enabling API as well as just the first two without the "Additionally..." toggle.
@nscuro @officerNordberg Thanks for the heads up regarding the feed retirement delay! Much appreciated!
@nscuro I should have realized that configuring it requires a restart afterward. I don't know why I didn't expect that but, yup, that did it.
The NVD setting should not require a restart. The decision of which source to use is happening dynamically at runtime. ... but I think change of schedule does, because tasks are scheduled on startup based on what is configured at that moment in time. So yeah that doesn't make testing this any easier because impact can't be observed immediately. Yet another reason for adding the ability to manually trigger tasks.
@Kretikus try restarting, not only did the restart fix my missing EventSubscription for the ApiTask but once my mirror completed, the Last updated fields remained empty until I restarted yet again.
An official update has been posted here: https://groups.google.com/a/list.nist.gov/g/nvd-news/c/aofnAd3HP2g
For everyone experiencing issues with the new REST API integration, you can safely switch back to the previous feed-based way of mirroring.
Sounds like (I hope), they're gonna reinstate some kind of batch download feeds.
Yes, here is the log from today:
A restart showed now a date, but with a wrong time. The times above are CET (UTC+1) and the screenshot in the front-end shows:
My last update seems to only
Checking. Looks like the property in question is loaded from the ORM's cache even though it shouldn't, and cache has been explicitly disabled for it...
The time in the frontend does not represent the time when
Yup, the last modification timestamp requiring a restart to take effect is caused by inconsistencies of the ORM's L2 cache. Fixed in #3322 and backported to 4.10.1 in #3323. If anyone is feeling adventurous, you can disable the L2 cache system-wide via
Sorry folks, the cache implementation did not make it to 4.10.1. I'll assign this to 4.11; We can still decide to pre-pone the release to 4.10.x once it's fully implemented. |
@nscuro I guess this means, it will not make it to
Current Behavior
Previously I used the NVD mirroring feature to speed up dependency-check using the parameters `-DcveUrlModified=https://my.dependency-track.host/mirror/nvd/nvdcve-1.1-modified.json.gz -DcveUrlBase=https://my.dependency-track.host/mirror/nvd/nvdcve-1.1-%d.json.gz`. Using the dependency-check parameter `nvdDatafeedUrl` results in the error `[ERROR] Unable to download the NVD API cache.properties`. On what endpoint is the NVD API mirroring made available? How can a third party tool use the NVD API mirroring functionality?
Steps to Reproduce
Enable `National Vulnerability Database mirroring`, `Enable mirroring via API`, `Additionally download feeds` and provide an API key. `NistMirrorTask` and `NistApiMirrorTask` have run successfully:

```
mvn org.owasp:dependency-check-maven:9.0.4:aggregate -DnvdDatafeedUrl=https://my.dependency-track.host/mirror/nvd -Dformats=ALL
[ERROR] Unable to download the NVD API cache.properties org.owasp.dependencycheck.data.update.exception.UpdateException: Unable to download the NVD API cache.properties
```
Expected Behavior
I expected to be able to use the mirror functionality in DT in dependency-check just like the formerly downloaded feeds. How should I integrate both OWASP software projects?
What endpoint should be used for NVD mirroring via API for consumption in third party tools (dependency-check)?
I could not find any documentation apart from a tooltip in the settings: "Feeds will not be parsed, but made available to other clients at /mirror/nvd".
Dependency-Track Version
4.10.0
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
No response
Browser
N/A
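The root of the report above is a layout mismatch: dependency-check 8.x pulled the NVD 1.1 feeds (`nvdcve-1.1-modified.json.gz`, `nvdcve-1.1-<year>.json.gz`) that Dependency-Track publishes under `/mirror/nvd`, whereas dependency-check 9.x's `-DnvdDatafeedUrl` first tries to download a `cache.properties` from that URL and aborts when it is missing. The following probe script is an added example, not code from the issue, from Dependency-Track or from dependency-check. It HEAD-requests the artifacts each generation expects below a mirror base URL and reports which dependency-check generation the mirror can serve, so a CI owner can tell before a scan whether a pipeline will hit the `Unable to download the NVD API cache.properties` error. The year range of the feeds (starting in 2002) and the hostname `my.dependency-track.host` are assumptions; presence of `cache.properties` is only the first thing dependency-check 9.x checks, so the script reports it as "required", not as proof that the whole cache is complete.

```python
"""Probe an NVD mirror base URL for the files dependency-check 8.x and 9.x expect.

Added example (not part of the issue thread, Dependency-Track or dependency-check).
File names come from the issue: the 1.1 feeds served under /mirror/nvd and the
cache.properties that dependency-check 9.x's -DnvdDatafeedUrl downloads first.
"""
import datetime
from typing import Callable, Dict, List, Optional
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

StatusFetcher = Callable[[str], int]  # URL -> HTTP status code, 0 when unreachable

FEED_MODIFIED = "nvdcve-1.1-modified.json.gz"
FEED_YEAR = "nvdcve-1.1-{year}.json.gz"
API_CACHE_PROPS = "cache.properties"
FIRST_FEED_YEAR = 2002  # assumption: earliest yearly feed to probe; the thread gives no range


def http_status(url: str, timeout: float = 10.0) -> int:
    """HEAD the URL and return its HTTP status, or 0 if the host cannot be reached."""
    try:
        with urlopen(Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.status
    except HTTPError as exc:  # 4xx/5xx responses still carry a status code
        return exc.code
    except (URLError, OSError):
        return 0


def expected_urls(base_url: str, latest_year: int) -> Dict[str, List[str]]:
    """URLs each dependency-check generation needs below the mirror base URL."""
    base = base_url.rstrip("/")
    feeds = [f"{base}/{FEED_MODIFIED}"] + [
        f"{base}/{FEED_YEAR.format(year=y)}"
        for y in range(FIRST_FEED_YEAR, latest_year + 1)
    ]
    return {"feeds_1_1": feeds, "api_cache": [f"{base}/{API_CACHE_PROPS}"]}


def classify_mirror(base_url: str, fetch: StatusFetcher = http_status,
                    latest_year: Optional[int] = None) -> Dict[str, object]:
    """Probe every expected URL and report which dependency-check generation the mirror serves.

    `fetch` is injectable so the logic can be exercised without network access.
    """
    if latest_year is None:
        latest_year = datetime.date.today().year
    urls = expected_urls(base_url, latest_year)
    missing = [u for group in urls.values() for u in group if fetch(u) != 200]
    feeds_ok = not any(u in missing for u in urls["feeds_1_1"])
    cache_ok = not any(u in missing for u in urls["api_cache"])
    compatible: List[str] = []
    if feeds_ok:
        compatible.append("dependency-check 8.x via -DcveUrlBase / -DcveUrlModified")
    if cache_ok:
        # cache.properties is what 9.x downloads first; its presence does not prove
        # the rest of the cache is complete, only that this particular failure is avoided.
        compatible.append("dependency-check 9.x via -DnvdDatafeedUrl (cache.properties present)")
    return {
        "feeds_1_1": feeds_ok,
        "api_cache": cache_ok,
        "missing": missing,
        "compatible_with": compatible,
    }


if __name__ == "__main__":
    import json
    import sys

    # Hypothetical default host; pass your own mirror base URL as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://my.dependency-track.host/mirror/nvd"
    print(json.dumps(classify_mirror(target), indent=2))
```

Run it against the Dependency-Track host from the report (`python probe_mirror.py https://my.dependency-track.host/mirror/nvd`); a result with `feeds_1_1: true` and `api_cache: false` reproduces exactly the situation described in the issue, where the 8.x parameters keep working but `-DnvdDatafeedUrl` fails on `cache.properties`.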