cve caching from NVD due to an introduced 'cveTags' property #6896
Comments
Just upgrade to 10.0.2 or later, as you should've noticed in the pinned issue #6817.
@aikebah We are using the latest release in our Dockerfile and are still facing the same error:
RUN wget --progress=dot --no-check-certificate -O /opt/dependency-check.zip https://github.com/jeremylong/DependencyCheck/releases/download/v10.0.3/dependency-check-10.0.3-release.zip
@sajid19test Most likely you then have multiple versions unpacked in /opt/dependency-check/, causing an outdated vulnz-cli jar file to be before the vulnz-cli jar distributed with 10.0.3. Make sure you unpack into an empty folder.
@aikebah has to be added to and other impacted/dependency file
@sajid19test The symptoms indicate that you have an outdated version of CveItem in the classpath on your run, whereas that class in open-vulnerability-clients 6.1.7 (the version packaged with ODC 10.0.3) has an annotation for ignoring any unknown JSON properties (as well as a definition for the cveTags property).
@aikebah We are creating a Docker image where dependency check is added with the latest release and used to run the command below:
/opt/dependency-check/bin/dependency-check.sh --out owasp-dependency-check --enableExperimental --format ALL --disableYarnAudit -s . --nvdDatafeed $url -d owasp-data
I am not sure if we are making any changes to the dependency check. However, I will reverify your findings.
@sajid19test FYI, the items that form the classpath in the standard distribution dependency-check.sh script (given your location of invocation):
So if you have an env variable CLASSPATH_PREFIX and in that is an older version of the open-vulnerability-client jar file, or you placed a copy in the plugins folder, it would be seen earlier than the version packaged with the distribution.
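Added example, not code from this thread or from the DependencyCheck project: a shell check for the situation the two comments above describe, where more than one copy of the open-vulnerability-clients jar is reachable from CLASSPATH_PREFIX, the plugins folder or the lib folder of the unpacked release, and the first one on the classpath (possibly an old CveItem without the ignore-unknown annotation) shadows the one shipped with 10.0.3. Assumptions, all mine: the release layout of <install>/lib and <install>/plugins, the jar name pattern open-vulnerability-clients-<version>.jar, CLASSPATH_PREFIX being a colon-separated list of jars or directories that precedes the distribution's own jars, and the function names list_ovc_jars, count_ovc_jars and check_ovc_classpath.

```shell
#!/bin/sh
# Added example (not part of DependencyCheck): report every open-vulnerability-clients jar
# that dependency-check.sh could put on its classpath, in the order the thread describes:
# CLASSPATH_PREFIX entries first, then the plugins folder, then the release's lib folder.
# Assumed layout: <install>/lib and <install>/plugins as unpacked from the release zip;
# assumed jar name pattern: open-vulnerability-clients-<version>.jar.

# list_ovc_jars INSTALL_DIR CLASSPATH_PREFIX
# Prints one jar path per line; an earlier line wins on the real classpath.
list_ovc_jars() {
  install_dir=$1
  prefix=$2
  # CLASSPATH_PREFIX: colon-separated; each entry may be a directory or a single jar.
  printf '%s\n' "$prefix" | tr ':' '\n' | while IFS= read -r entry; do
    if [ -d "$entry" ]; then
      find "$entry" -maxdepth 1 -name 'open-vulnerability-clients-*.jar'
    elif [ -f "$entry" ]; then
      case "$entry" in
        *open-vulnerability-clients-*.jar) printf '%s\n' "$entry" ;;
      esac
    fi
  done
  # Then a stray copy dropped into plugins, then the jar the release itself ships in lib.
  for sub in plugins lib; do
    if [ -d "$install_dir/$sub" ]; then
      find "$install_dir/$sub" -maxdepth 1 -name 'open-vulnerability-clients-*.jar'
    fi
  done
}

# count_ovc_jars INSTALL_DIR CLASSPATH_PREFIX
# Number of distinct open-vulnerability-clients jars the classpath would see.
count_ovc_jars() {
  list_ovc_jars "$1" "$2" | sort -u | awk 'NF {c++} END {print c+0}'
}

# check_ovc_classpath INSTALL_DIR CLASSPATH_PREFIX
# Returns 0 when exactly one copy is visible (the one shipped with the release),
# 1 when none is found (the unpack probably failed), 2 when several are found
# (the shadowing case from the thread). Diagnostics go to stderr.
check_ovc_classpath() {
  jars=$(list_ovc_jars "$1" "$2" | sort -u)
  n=$(printf '%s\n' "$jars" | awk 'NF {c++} END {print c+0}')
  case "$n" in
    0)
      echo "no open-vulnerability-clients jar found under $1/lib or on CLASSPATH_PREFIX" >&2
      return 1 ;;
    1)
      echo "ok: single open-vulnerability-clients jar: $jars"
      return 0 ;;
    *)
      echo "multiple open-vulnerability-clients jars visible; the first on the classpath wins:" >&2
      printf '%s\n' "$jars" | sed 's/^/  /' >&2
      return 2 ;;
  esac
}

# Stand-alone usage, e.g. inside the image before calling dependency-check.sh:
#   sh this-script.sh --run /opt/dependency-check
if [ "${1:-}" = "--run" ]; then
  check_ovc_classpath "${2:-/opt/dependency-check}" "${CLASSPATH_PREFIX:-}"
fi
```

Running the check as a build step right after unpacking the release, and again with the same CLASSPATH_PREFIX the scan job uses, catches the case where an earlier image layer or a previous unpack left an older jar behind. Unpacking into an empty folder, as recommended above, is what makes the check pass in the first place.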
The Dependency check is failing:
/opt/dependency-check/bin/dependency-check.sh --out owasp-dependency-check --enableExperimental --format ALL --disableYarnAudit -s . --nvdDatafeed $url -d owasp-data
Error:
[ERROR] java.util.concurrent.ExecutionException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "cveTags" (class io.github.jeremylong.openvulnerability.client.nvd.CveItem), not marked as ignorable (18 known properties: "metrics", "sourceIdentifier", "evaluatorSolution", "cisaRequiredAction", "cisaExploitAdd", "published", "evaluatorComment", "vulnStatus", "evaluatorImpact", "descriptions", "id", "vendorComments", "weaknesses", "lastModified", "references", "cisaActionDue", "cisaVulnerabilityName", "configurations"])
 at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 1, column: 332] (through reference chain: io.github.jeremylong.openvulnerability.client.nvd.DefCveItem["cve"]->io.github.jeremylong.openvulnerability.client.nvd.CveItem["cveTags"])
org.owasp.dependencycheck.data.update.exception.UpdateException: java.util.concurrent.ExecutionException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "cveTags" (class io.github.jeremylong.openvulnerability.client.nvd.CveItem), not marked as ignorable (18 known properties: "metrics", "sourceIdentifier", "evaluatorSolution", "cisaRequiredAction", "cisaExploitAdd", "published", "evaluatorComment", "vulnStatus", "evaluatorImpact", "descriptions", "id", "vendorComments", "weaknesses", "lastModified", "references", "cisaActionDue", "cisaVulnerabilityName", "configurations"])
 at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 1, column: 332] (through reference chain: io.github.jeremylong.openvulnerability.client.nvd.DefCveItem["cve"]->io.github.jeremylong.openvulnerability.client.nvd.CveItem["cveTags"])