stevespringett / nist-data-mirror
A simple Java command-line utility to mirror the CVE JSON data from NIST.
License: Apache License 2.0
After starting the nist-data-mirror Docker container (`docker run -it --rm -p 80:80 sspringett/nvdmirror`), several file downloads fail with the following error message:
2019-10-18 19:50:12,011 INFO success: initialize_htdocs entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
java.util.zip.ZipException: Not in GZIP format
at java.util.zip.GZIPInputStream.readHeader(GZIPInputStream.java:165)
at java.util.zip.GZIPInputStream.<init>(GZIPInputStream.java:79)
at java.util.zip.GZIPInputStream.<init>(GZIPInputStream.java:91)
at us.springett.nistdatamirror.NistDataMirror.uncompress(NistDataMirror.java:225)
at us.springett.nistdatamirror.NistDataMirror.doDownload(NistDataMirror.java:214)
at us.springett.nistdatamirror.NistDataMirror.mirror(NistDataMirror.java:128)
at us.springett.nistdatamirror.NistDataMirror.main(NistDataMirror.java:70)
Hello
I use the last release of nist-data-mirror but I'm facing a strange issue. The files from nvdcve-2.0-2005 to nvdcve-2.0-2007.xml.gz and nvdcve-2.0-2009.xml.gz are not downloaded.
Any idea please?
-rwxrwxrwx 1 dependency dependency 12M juin 14 11:43 nvdcve-2.0-2004.xml
-rwxrwxrwx 1 dependency dependency 849K juin 14 11:43 nvdcve-2.0-2004.xml.gz
-rwxrwxrwx 1 dependency dependency 31M juin 14 11:43 nvdcve-2.0-2008.xml
-rwxrwxrwx 1 dependency dependency 2,2M juin 14 11:43 nvdcve-2.0-2008.xml.gz
-rwxrwxrwx 1 dependency dependency 46M juin 14 11:43 nvdcve-2.0-2010.xml
-rwxrwxrwx 1 dependency dependency 2,9M juin 14 11:43 nvdcve-2.0-2010.xml.gz
-rwxrwxrwx 1 dependency dependency 109M juin 14 11:43 nvdcve-2.0-2011.xml
-rwxrwxrwx 1 dependency dependency 6,1M juin 14 11:43 nvdcve-2.0-2011.xml.gz
-rwxrwxrwx 1 dependency dependency 44M juin 14 11:44 nvdcve-2.0-2012.xml
-rwxrwxrwx 1 dependency dependency 2,6M juin 14 11:44 nvdcve-2.0-2012.xml.gz
-rwxrwxrwx 1 dependency dependency 45M juin 14 11:44 nvdcve-2.0-2013.xml
-rwxrwxrwx 1 dependency dependency 2,7M juin 14 11:44 nvdcve-2.0-2013.xml.gz
-rwxrwxrwx 1 dependency dependency 44M juin 14 11:44 nvdcve-2.0-2014.xml
-rwxrwxrwx 1 dependency dependency 2,8M juin 14 11:44 nvdcve-2.0-2014.xml.gz
-rwxrwxrwx 1 dependency dependency 40M juin 14 11:44 nvdcve-2.0-2015.xml
-rwxrwxrwx 1 dependency dependency 2,4M juin 14 11:44 nvdcve-2.0-2015.xml.gz
-rwxrwxrwx 1 dependency dependency 55M juin 14 11:44 nvdcve-2.0-2016.xml
-rwxrwxrwx 1 dependency dependency 3,3M juin 14 11:44 nvdcve-2.0-2016.xml.gz
-rwxrwxrwx 1 dependency dependency 161M juin 14 11:44 nvdcve-2.0-2017.xml
-rwxrwxrwx 1 dependency dependency 8,9M juin 14 11:44 nvdcve-2.0-2017.xml.gz
-rwxrwxrwx 1 dependency dependency 221M juin 14 11:44 nvdcve-2.0-2018.xml
-rwxrwxrwx 1 dependency dependency 13M juin 14 11:44 nvdcve-2.0-2018.xml.gz
-rwxrwxrwx 1 dependency dependency 76M juin 14 11:44 nvdcve-2.0-2019.xml
-rwxrwxrwx 1 dependency dependency 4,0M juin 14 11:44 nvdcve-2.0-2019.xml.gz
-rwxrwxrwx 1 dependency dependency 8,0M juin 14 17:10 nvdcve-2.0-modified.xml
-rwxrwxrwx 1 dependency dependency 457K juin 14 17:10 nvdcve-2.0-modified.xml.gz
Thanks
Somehow Dependency Check does this (I haven't examined the source closely enough to see exactly how). It would be a nice optimization, so my cron job doesn't have to be wasteful of network resources.
When I set the crond command to debug `crond -s /var/spool/cron/crontabs -f -d -l 8` in `src/docker/conf/supervisord.conf` the logs show that the mirror script is run twice: once for user `root` and once for user `mirror`. Is this behaviour intended?
I can confirm that the user `mirror` is not necessary for the setup. I build the image without the user `mirror` and the cron is running only for user `root`. The files are served the same way as before. I also deployed the helm chart to k8s and can confirm that it works, too. I can target the k8s mirror when using `dependency-check` without any issues.
From the Dockerfile (line 24-33):
# obsolete # ENV user=mirror
RUN apk update && \
apk add --no-cache openjdk8-jre dcron nss supervisor && \
# obsolete # addgroup -S $user && \
# obsolete # adduser -S $user -G $user && \
mkdir -p /tmp/nvd && \
# obsolete # chown -R $user:$user /tmp/nvd && \
# obsolete # chown -R $user:$user /usr/local/apache2/htdocs && \
rm -v /usr/local/apache2/htdocs/index.html
From `src/docker/conf/supervisord.conf` (line 17-23):
[program:initialize_htdocs]
command=/mirror.sh
autorestart=false
stdout_logfile=/dev/fd/1
stdout_logfile_maxbytes=0
redirect_stderr=true
# obsolete # user=mirror
--cveUrl12Modified http://server:8090/nvd-mirror/nvdcve-Modified.xml.gz --cveUrl20Modified http://server:8090/nvd-mirror/nvdcve-2.0-Modified.xml.gz --cveUrl12Base http://server:8090/nvd-mirror/nvdcve-%d.xml.gz --cveUrl20Base http://server:8090/nvd-mirror/nvdcve-2.0-%d.xml.gz
Here are the details from execution:
2018-03-19T14:43:02.9352768Z [INFO] Checking for updates
2018-03-19T14:43:02.9352768Z [INFO] starting getUpdatesNeeded() ...
2018-03-19T14:43:03.1384018Z [INFO] Download Started for NVD CVE - Modified
2018-03-19T14:43:03.3727768Z [INFO] Download Complete for NVD CVE - Modified (234 ms)
2018-03-19T14:43:03.3727768Z [INFO] Processing Started for NVD CVE - Modified
2018-03-19T14:43:04.0915268Z [WARN] Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
2018-03-19T14:43:04.0915268Z [INFO] Analysis Started
2018-03-19T14:43:07.4040268Z [INFO] Finished Archive Analyzer (3 seconds)
2018-03-19T14:43:07.4196518Z [INFO] Finished File Name Analyzer (0 seconds)
2018-03-19T14:43:10.3102768Z [INFO] Finished Assembly Analyzer (2 seconds)
2018-03-19T14:43:10.3259018Z [INFO] Finished Dependency Merging Analyzer (0 seconds)
2018-03-19T14:43:10.3259018Z [INFO] Finished Version Filter Analyzer (0 seconds)
2018-03-19T14:43:10.4352768Z [INFO] Finished Hint Analyzer (0 seconds)
2018-03-19T14:43:13.1384018Z [INFO] Created CPE Index (2 seconds)
2018-03-19T14:43:13.1384018Z [INFO] Skipping CPE Analysis for npm
2018-03-19T14:43:14.0446518Z [INFO] Finished CPE Analyzer (3 seconds)
2018-03-19T14:43:14.1384018Z [INFO] Finished False Positive Analyzer (0 seconds)
2018-03-19T14:43:14.2790268Z [INFO] Finished Cpe Suppression Analyzer (0 seconds)
2018-03-19T14:43:14.3884018Z [INFO] Finished NVD CVE Analyzer (0 seconds)
2018-03-19T14:43:14.4352768Z [INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
2018-03-19T14:43:14.4821518Z [INFO] Finished Dependency Bundling Analyzer (0 seconds)
2018-03-19T14:43:14.5915268Z [INFO] Analysis Complete (10 seconds)
2018-03-19T14:43:14.9040268Z [ERROR] org.xml.sax.SAXException: Error updating 'CVE-2004-0558'
2018-03-19T14:43:14.9040268Z org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error updating 'CVE-2004-0558'
On startup of the container, entry.sh tries to replace the default port 80 with the internally used port 8080. On restart it tries to do that again and breaks the config by doing so.
At the moment, on second startup the 'Listen' line is 'Listen 808080'.
I think the sed command should be changed to:
sed -i 's/^Listen 80$/Listen 8080/g' /usr/local/apache2/conf/httpd.conf
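The restart behaviour described in this issue, reproduced on a constructed httpd.conf excerpt. This is an added example, not code from the project: the unanchored expression is an assumed form of what entry.sh runs (the page does not quote it), and the helper names `after_starts` and `listen_ok` are hypothetical.

```shell
#!/bin/sh
# Constructed httpd.conf excerpt (not the image's real file).
sample_conf() {
    printf '%s\n' \
        'ServerRoot "/usr/local/apache2"' \
        'Listen 80' \
        'ServerAdmin you@example.com'
}

# Assumed form of the rewrite that runs on every start: no anchors, so it
# also matches the "Listen 80" prefix of an already rewritten "Listen 8080".
rewrite_unanchored() { sed 's/Listen 80/Listen 8080/g'; }

# Expression proposed in the issue: matches only a line that is exactly
# "Listen 80", so a second run finds nothing to change.
rewrite_anchored() { sed 's/^Listen 80$/Listen 8080/g'; }

# after_starts REWRITE N: pass stdin through REWRITE N times (N container
# starts against the same persisted config) and print the Listen line.
after_starts() {
    rewrite=$1
    starts=$2
    conf=$(cat)
    while [ "$starts" -gt 0 ]; do
        conf=$(printf '%s\n' "$conf" | "$rewrite")
        starts=$((starts - 1))
    done
    printf '%s\n' "$conf" | grep '^Listen '
}

# listen_ok: startup guard that succeeds only if the config on stdin has
# exactly one line reading "Listen 8080".
listen_ok() { [ "$(grep -c '^Listen 8080$')" -eq 1 ]; }

for n in 1 2; do
    echo "unanchored, start $n: $(sample_conf | after_starts rewrite_unanchored "$n")"
    echo "anchored,   start $n: $(sample_conf | after_starts rewrite_anchored "$n")"
done
```

A guard such as `listen_ok` run before httpd starts turns a silently broken port into an explicit startup failure.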
Is this reliable?
In the light of issues like #38: What is the recommended way to use this tool when downloads can fail?
Is it safe to use this tool without risking to corrupt an existing mirror directory? If I have used the tool successfully to mirror the JSON files into a directory `nist/`, will this directory still contain the data in a usable way even if running this tool again fails?
Edit: If I look at the code the target file is directly opened for writing. This can potentially corrupt it. Maybe a temporary file could be used instead?
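One way to apply the temporary-file idea raised in this issue, written as a shell wrapper (added example, not the project's code; the function name `publish_gz` and the sample feed contents are constructed for illustration). It stages the download next to the target, checks that the gzip stream is complete, and only then renames it into place, so a truncated or non-gzip response never replaces a good file.

```shell
#!/bin/sh
# publish_gz TARGET
# Reads a freshly downloaded gzip stream on stdin and replaces TARGET only
# if the stream is a complete, valid gzip file. Returns 1 and leaves TARGET
# untouched otherwise.
publish_gz() {
    target=$1
    # Stage in the target's directory: mv within one filesystem is a
    # rename, so readers see the old file or the new one, never a partial.
    tmp=$(mktemp "$(dirname "$target")/.incoming.XXXXXX") || return 2
    if cat > "$tmp" && gzip -t < "$tmp" 2>/dev/null; then
        chmod 644 "$tmp"   # mktemp creates 0600; the web server must read it
        mv -f "$tmp" "$target"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Demonstration on constructed data in a throwaway directory.
demo() {
    dir=$(mktemp -d) || return 2
    feed="$dir/nvdcve-1.1-2013.json.gz"
    printf '{"CVE_Items":["constructed-old"]}\n' | gzip -c > "$feed"
    printf '{"CVE_Items":["constructed-new"]}\n' | gzip -c > "$dir/full.gz"
    half=$(( $(wc -c < "$dir/full.gz") / 2 ))

    # Connection dropped mid-transfer: "unexpected end of file".
    head -c "$half" "$dir/full.gz" | publish_gz "$feed" \
        || echo "truncated download rejected"
    # Proxy or error page instead of the feed: "not in gzip format".
    printf '<html>constructed error page</html>' | publish_gz "$feed" \
        || echo "non-gzip body rejected"
    echo "mirror still serves: $(gzip -dc "$feed")"

    publish_gz "$feed" < "$dir/full.gz" \
        && echo "mirror now serves:   $(gzip -dc "$feed")"
    rm -rf "$dir"
}
demo
```

This checks gzip integrity only; it does not compare the content against any published checksum.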
The mirror script uses below command which takes http proxy host and port. But the HELM template is not providing option to supply these environment variables.
java -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap -jar -Dhttp.proxyHost="${proxy_host}" -Dhttp.proxyPort="${proxy_port}" /usr/local/bin/nist-data-mirror.jar /tmp/nvd
Please allow these values to be supplied through values.yaml. It would be good if we even add additional env variables if consumer needed it.
I recently opened an issue for the DependencyCheck, and therefore found that I've been facing issues with the nist-data-mirror.
After following the instructions for the Docker container, when I run `curl http://localhost` I see the following:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /</title>
</head>
<body>
<h1>Index of /</h1>
<ul><li><a href="nvdcve-1.1-2002.meta"> nvdcve-1.1-2002.meta</a></li>
<li><a href="nvdcve-1.1-2003.meta"> nvdcve-1.1-2003.meta</a></li>
<li><a href="nvdcve-1.1-2004.meta"> nvdcve-1.1-2004.meta</a></li>
<li><a href="nvdcve-1.1-2005.meta"> nvdcve-1.1-2005.meta</a></li>
<li><a href="nvdcve-1.1-2006.meta"> nvdcve-1.1-2006.meta</a></li>
<li><a href="nvdcve-1.1-2007.meta"> nvdcve-1.1-2007.meta</a></li>
<li><a href="nvdcve-1.1-2008.meta"> nvdcve-1.1-2008.meta</a></li>
<li><a href="nvdcve-1.1-2009.meta"> nvdcve-1.1-2009.meta</a></li>
<li><a href="nvdcve-1.1-2010.meta"> nvdcve-1.1-2010.meta</a></li>
<li><a href="nvdcve-1.1-2011.meta"> nvdcve-1.1-2011.meta</a></li>
<li><a href="nvdcve-1.1-2012.meta"> nvdcve-1.1-2012.meta</a></li>
<li><a href="nvdcve-1.1-2013.meta"> nvdcve-1.1-2013.meta</a></li>
<li><a href="nvdcve-1.1-2014.meta"> nvdcve-1.1-2014.meta</a></li>
<li><a href="nvdcve-1.1-2015.meta"> nvdcve-1.1-2015.meta</a></li>
<li><a href="nvdcve-1.1-2016.meta"> nvdcve-1.1-2016.meta</a></li>
<li><a href="nvdcve-1.1-2017.json"> nvdcve-1.1-2017.json</a></li>
<li><a href="nvdcve-1.1-2017.json.gz"> nvdcve-1.1-2017.json.gz</a></li>
<li><a href="nvdcve-1.1-2017.meta"> nvdcve-1.1-2017.meta</a></li>
<li><a href="nvdcve-1.1-2018.meta"> nvdcve-1.1-2018.meta</a></li>
<li><a href="nvdcve-1.1-2019.json"> nvdcve-1.1-2019.json</a></li>
<li><a href="nvdcve-1.1-2019.json.gz"> nvdcve-1.1-2019.json.gz</a></li>
<li><a href="nvdcve-1.1-2019.meta"> nvdcve-1.1-2019.meta</a></li>
<li><a href="nvdcve-1.1-2020.json"> nvdcve-1.1-2020.json</a></li>
<li><a href="nvdcve-1.1-2020.json.gz"> nvdcve-1.1-2020.json.gz</a></li>
<li><a href="nvdcve-1.1-2020.meta"> nvdcve-1.1-2020.meta</a></li>
<li><a href="nvdcve-1.1-2021.json"> nvdcve-1.1-2021.json</a></li>
<li><a href="nvdcve-1.1-2021.json.gz"> nvdcve-1.1-2021.json.gz</a></li>
<li><a href="nvdcve-1.1-2021.meta"> nvdcve-1.1-2021.meta</a></li>
<li><a href="nvdcve-1.1-2022.json"> nvdcve-1.1-2022.json</a></li>
<li><a href="nvdcve-1.1-2022.json.gz"> nvdcve-1.1-2022.json.gz</a></li>
<li><a href="nvdcve-1.1-2022.meta"> nvdcve-1.1-2022.meta</a></li>
<li><a href="nvdcve-1.1-modified.json"> nvdcve-1.1-modified.json</a></li>
<li><a href="nvdcve-1.1-modified.json.gz"> nvdcve-1.1-modified.json.gz</a></li>
<li><a href="nvdcve-1.1-modified.meta"> nvdcve-1.1-modified.meta</a></li>
</ul>
</body></html>
However, on the Docker container itself, I see the following files:
/tmp/nvd # ls
nvdcve-1.1-2002.json nvdcve-1.1-2009.json.gz nvdcve-1.1-2016.meta
nvdcve-1.1-2002.json.gz nvdcve-1.1-2009.meta nvdcve-1.1-2017.json
nvdcve-1.1-2002.meta nvdcve-1.1-2010.json nvdcve-1.1-2017.json.gz
nvdcve-1.1-2003.json nvdcve-1.1-2010.json.gz nvdcve-1.1-2017.meta
nvdcve-1.1-2003.json.gz nvdcve-1.1-2010.meta nvdcve-1.1-2018.json
nvdcve-1.1-2003.meta nvdcve-1.1-2011.json nvdcve-1.1-2018.json.gz
nvdcve-1.1-2004.json nvdcve-1.1-2011.json.gz nvdcve-1.1-2018.meta
nvdcve-1.1-2004.json.gz nvdcve-1.1-2011.meta nvdcve-1.1-2019.json
nvdcve-1.1-2004.meta nvdcve-1.1-2012.json nvdcve-1.1-2019.json.gz
nvdcve-1.1-2005.json nvdcve-1.1-2012.json.gz nvdcve-1.1-2019.meta
nvdcve-1.1-2005.json.gz nvdcve-1.1-2012.meta nvdcve-1.1-2020.json
nvdcve-1.1-2005.meta nvdcve-1.1-2013.json nvdcve-1.1-2020.json.gz
nvdcve-1.1-2006.json nvdcve-1.1-2013.json.gz nvdcve-1.1-2020.meta
nvdcve-1.1-2006.json.gz nvdcve-1.1-2013.meta nvdcve-1.1-2021.json
nvdcve-1.1-2006.meta nvdcve-1.1-2014.json nvdcve-1.1-2021.json.gz
nvdcve-1.1-2007.json nvdcve-1.1-2014.json.gz nvdcve-1.1-2021.meta
nvdcve-1.1-2007.json.gz nvdcve-1.1-2014.meta nvdcve-1.1-2022.json
nvdcve-1.1-2007.meta nvdcve-1.1-2015.json nvdcve-1.1-2022.json.gz
nvdcve-1.1-2008.json nvdcve-1.1-2015.json.gz nvdcve-1.1-2022.meta
nvdcve-1.1-2008.json.gz nvdcve-1.1-2015.meta nvdcve-1.1-modified.json
nvdcve-1.1-2008.meta nvdcve-1.1-2016.json nvdcve-1.1-modified.json.gz
nvdcve-1.1-2009.json nvdcve-1.1-2016.json.gz nvdcve-1.1-modified.meta
Why would the container not be fully mirroring the files in `/tmp/nvd`? I'd expect to see all these files available when I reach localhost.
The check for proxy system properties is not sufficient. There should not only be a `null` check but also a check for empty strings:
This is because in the `mirror.sh` script which is executed in the Docker environment the proxy properties are always being set. In case no `proxy_host` or `proxy_port` environment variable is set the `http.proxyHost` or `http.proxyPort` JVM properties are set to an empty string:
Hi, I am trying to incorporate the commands into a GitHub actions script but I am getting the "Unable to access jarfile nist-data-mirror.jar" error, did anyone manage to run it on GitHub actions please?
- name: build the .jar file
  run: |
    mkdir mirror-dir
    mvn clean package
    java -jar nist-data-mirror.jar mirror-dir
    ls -al
  shell: bash
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 32.450 s
[INFO] Finished at: 2022-06-03T13:03:31Z
[INFO] ------------------------------------------------------------------------
Error: Unable to access jarfile nist-data-mirror.jar
As OpenShift does not support using the root user, it is not possible to deploy the Docker image to OpenShift. It fails with the following error:
It seems that supervisord is configured to run as root:
https://github.com/stevespringett/nist-data-mirror/blob/master/src/docker/conf/supervisord.conf#L3
I see that the project uses `System.out` to print out messages, for example:
As a result, an application that uses the library doesn't have much control over these messages. It would be better to use a logger. If this improvement sounds good, I can open a pull request that introduces log4j. Please let me know what you think.
Please can you provide the .jar for version 1.5.0 under releases?
Problem 1:
The java command which runs to update the mirror is failing due to certificates issue. We have our internal proxy which uses internal CA which needs to be installed in host machine.
#java -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap -jar -Dhttp.proxyHost="${proxy_host}" -Dhttp.proxyPort="${proxy_port}" /usr/local/bin/nist-data-mirror.jar /tmp/nvd
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2011.meta
Download failed : java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
Solutions:
For solution 2, helm chart should support additional volume.
Problem 2:
The java command for downloading mirror failed. The reason for this, the nvd.nist.gov is not resolvable. This is due to the nature of base image
Not able to resolve hostname
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2020.json.gz
Download failed : nvd.nist.gov
bash-4.4# nslookup nvd.nist.gov
nslookup: can't resolve '(null)': Name does not resolve
nslookup: can't resolve 'nvd.nist.gov': Name does not resolve
bash-4.4# nslookup nvd.nist.gov.
nslookup: can't resolve '(null)': Name does not resolve
Name: nvd.nist.gov.
Address 1: 54.85.30.225 ec2-54-85-30-225.compute-1.amazonaws.com
Address 2: 2600:1f18:268d:1d01:f609:5e91:8a48:f546
Solution:
Change dns config (/etc/resolve.conf) with proper ndots value.
HELM chart should support configuring dns config
Downloading and uncompressing from scratch takes almost 3 minutes on my machine. Initial profiling showed that InputStreams and OutputStreams are not buffered.
To cut down download sizes and to speed up download times, please could the ability to download JSON or XML files only be added?
11:11:27 Exception in thread "main" java.lang.UnsupportedClassVersionError: us/springett/nistdatamirror/NistDataMirror : Unsupported major.minor version 52.0
11:11:27 at java.lang.ClassLoader.defineClass1(Native Method)
11:11:27 at java.lang.ClassLoader.defineClass(ClassLoader.java:808)
11:11:27 at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
11:11:27 at java.net.URLClassLoader.defineClass(URLClassLoader.java:443)
11:11:27 at java.net.URLClassLoader.access$100(URLClassLoader.java:65)
11:11:27 at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
11:11:27 at java.net.URLClassLoader$1.run(URLClassLoader.java:349)
11:11:27 at java.security.AccessController.doPrivileged(Native Method)
11:11:27 at java.net.URLClassLoader.findClass(URLClassLoader.java:348)
11:11:27 at java.lang.ClassLoader.loadClass(ClassLoader.java:430)
11:11:27 at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:323)
11:11:27 at java.lang.ClassLoader.loadClass(ClassLoader.java:363)
11:11:27 at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:482)
Hello,
OpenJDK7 is still supported until June 2020
https://access.redhat.com/articles/1299013
Would you mind releasing a jar that still works with 1.7 ?
Thank you
Could you consider in preparation for DependencyCheck v5.0.0 release to prepare a release of nist-data-mirror as well?
#16
It looks like the json 1.0 feeds are no longer supported. This was announced here.
Looks like they finally decided to take the old feeds offline.
Since nist-data-mirror tries to download both versions, an error level is reported once it has finished.
Hello,
we are currently facing a weird issue with our nist-data-mirror for approx. a week.
The file nvdcve-1.1-2013.json.gz gets corrupt and cannot be extracted:
$ gunzip nvdcve-1.1-2013.json.gz
gzip: nvdcve-1.1-2013.json.gz: unexpected end of file
When the file is corrupt and we run nist-data-mirror 1.6.0 on our data folder we are getting the following output:
[Thu Oct 6 09:16:08 CEST 2022]
Downloading files at Thu Oct 06 09:16:08 CEST 2022
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.meta
Download succeeded nvdcve-1.1-modified.meta
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-recent.meta
Download succeeded nvdcve-1.1-recent.meta
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2002.meta
Download succeeded nvdcve-1.1-2002.meta
File 2002 is valid.
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2003.meta
Download succeeded nvdcve-1.1-2003.meta
File 2003 is valid.
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2004.meta
Download succeeded nvdcve-1.1-2004.meta
File 2004 is valid.
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2005.meta
Download succeeded nvdcve-1.1-2005.meta
File 2005 is valid.
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2006.meta
Download succeeded nvdcve-1.1-2006.meta
File 2006 is valid.
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2007.meta
Download succeeded nvdcve-1.1-2007.meta
File 2007 is valid.
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2008.meta
Download succeeded nvdcve-1.1-2008.meta
File 2008 is valid.
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2009.meta
Download succeeded nvdcve-1.1-2009.meta
File 2009 is valid.
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2010.meta
Download succeeded nvdcve-1.1-2010.meta
File 2010 is valid.
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2011.meta
Download succeeded nvdcve-1.1-2011.meta
File 2011 is valid.
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2012.meta
Download succeeded nvdcve-1.1-2012.meta
File 2012 is valid.
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2013.meta
Download succeeded nvdcve-1.1-2013.meta
File 2013 is valid.
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2013.meta
Download succeeded nvdcve-1.1-2013.meta
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2013.meta
Download succeeded nvdcve-1.1-2013.meta
The File 2013 is corrupted
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2014.meta
Download succeeded nvdcve-1.1-2014.meta
File 2014 is valid.
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2015.meta
Download succeeded nvdcve-1.1-2015.meta
File 2015 is valid.
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2016.meta
Download succeeded nvdcve-1.1-2016.meta
File 2016 is valid.
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2017.meta
Download succeeded nvdcve-1.1-2017.meta
File 2017 is valid.
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2018.meta
Download succeeded nvdcve-1.1-2018.meta
File 2018 is valid.
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2019.meta
Download succeeded nvdcve-1.1-2019.meta
File 2019 is valid.
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2020.meta
Download succeeded nvdcve-1.1-2020.meta
File 2020 is valid.
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2021.meta
Download succeeded nvdcve-1.1-2021.meta
File 2021 is valid.
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2022.meta
Download succeeded nvdcve-1.1-2022.meta
File 2022 is valid.
So it reports that the file is corrupted; but I have no idea what has caused the corruption and how to solve it.
We have a cronjob that is running the nist-data-mirror every hour.
I already deleted all nvdcve-1.1-2013* files and rerun the nist-data-mirror:
...
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2011.meta
Download succeeded nvdcve-1.1-2011.meta
File 2011 is valid.
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2012.meta
Download succeeded nvdcve-1.1-2012.meta
File 2012 is valid.
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2013.meta
Download succeeded nvdcve-1.1-2013.meta
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2013.json.gz
Download succeeded nvdcve-1.1-2013.json.gz
java.io.EOFException: Unexpected end of ZLIB input stream
at java.base/java.util.zip.InflaterInputStream.fill(InflaterInputStream.java:245)
at java.base/java.util.zip.InflaterInputStream.read(InflaterInputStream.java:159)
at java.base/java.util.zip.GZIPInputStream.read(GZIPInputStream.java:118)
at java.base/java.io.FilterInputStream.read(FilterInputStream.java:107)
at us.springett.nistdatamirror.NistDataMirror.uncompress(NistDataMirror.java:263)
at us.springett.nistdatamirror.NistDataMirror.doDownload(NistDataMirror.java:249)
at us.springett.nistdatamirror.NistDataMirror.downloadVersionForYear(NistDataMirror.java:191)
at us.springett.nistdatamirror.NistDataMirror.mirror(NistDataMirror.java:155)
at us.springett.nistdatamirror.NistDataMirror.main(NistDataMirror.java:87)
File 2013 is valid.
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2013.meta
Download succeeded nvdcve-1.1-2013.meta
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2013.meta
Download succeeded nvdcve-1.1-2013.meta
The File 2013 is corrupted
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2014.meta
Download succeeded nvdcve-1.1-2014.meta
File 2014 is valid.
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2015.meta
Download succeeded nvdcve-1.1-2015.meta
File 2015 is valid.
...
So the download from the nist-data-mirror failed. I did a manual download from the same server and it worked without problem:
$ wget https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2013.json.gz
--2022-10-06 09:33:35-- https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2013.json.gz
Resolving nvd.nist.gov (nvd.nist.gov)... 18.235.227.114, 2600:1f18:268d:1d01:f609:5e91:8a48:f546
Connecting to nvd.nist.gov (nvd.nist.gov)|18.235.227.114|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2449748 (2.3M) [application/x-gzip]
Saving to: ‘nvdcve-1.1-2013.json.gz’
100%[=======================================================================================================================>] 2,449,748 2.38MB/s in 1.0s
2022-10-06 09:33:37 (2.38 MB/s) - ‘nvdcve-1.1-2013.json.gz’ saved [2449748/2449748]
Any advice and help would be appreciated.
Greetings, Rainer
Hi,
How can I solve this? I use the latest version of NVD-Data-Mirror.
C:\Users\Administrator\Downloads>java -Djdk.http.auth.tunneling.disabledSchemes=
"" -Djdk.http.auth.proxying.disabledSchemes="" -Dhttps.proxyHost=10.1.54.181 -Dh
ttps.proxyPort=1080 -jar nist-data-mirror.jar C:\nvd\
Downloading files at Mon Feb 22 16:41:35 ULAT 2021
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.meta
Download succeeded nvdcve-1.1-modified.meta
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz
Download succeeded nvdcve-1.1-modified.json.gz
java.io.EOFException: Unexpected end of ZLIB input stream
at java.util.zip.InflaterInputStream.fill(Unknown Source)
at java.util.zip.InflaterInputStream.read(Unknown Source)
at java.util.zip.GZIPInputStream.read(Unknown Source)
at java.io.FilterInputStream.read(Unknown Source)
at us.springett.nistdatamirror.NistDataMirror.uncompress(NistDataMirror.
java:232)
at us.springett.nistdatamirror.NistDataMirror.doDownload(NistDataMirror.
java:218)
at us.springett.nistdatamirror.NistDataMirror.mirror(NistDataMirror.java
:139)
at us.springett.nistdatamirror.NistDataMirror.main(NistDataMirror.java:8
4)
Downloading https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2002.meta
Thanks!
Currently the download fails:
$ java -version
openjdk version "13" 2019-09-17
OpenJDK Runtime Environment AdoptOpenJDK (build 13+33)
OpenJDK 64-Bit Server VM AdoptOpenJDK (build 13+33, mixed mode, sharing)
$ java -jar nist-data-mirror-1.3.0.jar nist-mirror json
Downloading files at Mon Sep 30 09:03:50 CEST 2019
Downloading https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-modified.meta
Download failed : PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Firefox 69.0.1 has no problems accessing this and other URLs.
Hello,
the NVD recently changed their JSON data feed to version 1.1 to support CVSSv3.1, as per this announcement: https://nvd.nist.gov/General/News/JSON-1-1-Vulnerability-Feed-Release
The announcement claims, that the 1.0 feeds are no longer available. They can still be reached for now, but contain incomplete CVE data (e.g.: CVE-2019-16942, which only contains CVSSv2 data in the 1.0 feed as per the time of my issue request).
Therefore it would be great if this library would support the mirroring of the new JSON data feed.
Best regards
I have built the nist-data-mirror Docker container. All nvdcve*.json and nvdcve*.xml files are downloaded in the container under /tmp/nvd.
Now the question is: how can I use this data with OWASP Dependency Check?
In which config file do I need to mention the settings below? Is it on my nist-data-mirror container or on the client side?
cveUrl12Modified=http://hostname/mirror/nvd/nvdcve-modified.xml.gz
cveUrl20Modified=http://hostname/mirror/nvd/nvdcve-2.0-modified.xml.gz
cveUrl12Base=http://hostname/mirror/nvd/nvdcve-%d.xml.gz
cveUrl20Base=http://hostname/mirror/nvd/nvdcve-2.0-%d.xml.gz
Hello,
Usually I have this error : Fatal exception(s) analyzing Core RH: Unable to continue dependency-check analysis.
[ERROR] Unable to connect to the database
So I think to mirror the CPE/CVE to have local access
But I don't understand how I can add it! Help please
(what is the utility of the H2 database in dependency check, does it contain just the CVE to check the vulnerability?)
The NIST data mirror is often used in conjunction with dependency-check. Now that dependency-check utilizes RetireJS to analyze JS files - should the data-mirror be updated to also mirror the RetireJS Repository?
The only reason I am posting the question as opposed to just submitting a PR is that this is titled "NIST" data mirror. Thoughts?
Hi,
I am running the mirror via `sspringett/nvdmirror:1.3.0`. It was running fine at first, but it seems to not function properly now (i.e. the cron task is running on schedule, but it constantly exits with a failure).
This is the log file from the container:
Jun 6 07:26:01 36971edcecc1 crond: crond 4.5 dillon's cron daemon, started with loglevel notice
Jun 6 08:00:16 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
/tmp/nvd/nvdcve-1.0-modified.meta
/tmp/nvd/nvdcve-1.0-2002.meta
...trimmed...
/tmp/nvd/nvdcve-1.0-2019.json
Jun 6 12:00:16 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
/tmp/nvd/nvdcve-1.0-modified.meta
/tmp/nvd/nvdcve-modified.xml.gz
...trimmed...
/tmp/nvd/nvdcve-1.0-2019.meta
Jun 6 16:00:11 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
Jun 6 20:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
/tmp/nvd/nvdcve-1.0-modified.meta
/tmp/nvd/nvdcve-modified.xml.gz
...trimmed...
/tmp/nvd/nvdcve-1.0-2019.meta
Jun 7 00:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
/tmp/nvd/nvdcve-1.0-modified.meta
/tmp/nvd/nvdcve-modified.xml.gz
...trimmed...
/tmp/nvd/nvdcve-1.0-2019.meta
Jun 7 04:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
/tmp/nvd/nvdcve-1.0-modified.meta
/tmp/nvd/nvdcve-modified.xml.gz
...trimmed...
/tmp/nvd/nvdcve-1.0-2019.meta
Jun 7 08:00:16 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
Jun 7 12:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
Jun 7 16:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
Jun 7 20:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
Jun 8 00:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
Jun 8 04:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
Jun 8 08:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
Jun 8 12:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
Jun 8 16:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
Jun 8 20:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
Jun 9 00:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
Jun 9 04:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
Jun 9 08:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
Jun 9 12:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
Jun 9 16:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
Jun 9 20:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
Jun 10 00:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
Jun 10 04:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
Jun 10 08:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
Jun 10 12:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
Jun 10 16:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
Jun 10 20:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
Jun 11 00:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
Jun 11 04:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
Jun 11 08:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
Jun 11 12:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
Jun 11 16:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
Jun 11 20:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
Jun 12 00:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
Jun 12 04:00:01 36971edcecc1 crond: exit status 1 from user mirror /mirror.sh >> /var/log/cron.log 2>&1
Listing of files in the temp directory used by the mirror:
/tmp/nvd # ls -hlrt
total 2758696
-rw-r--r-- 1 root root 600.7K Jun 6 07:20 nvdcve-2004.xml.gz
-rw-r--r-- 1 root root 4.6M Jun 6 07:20 nvdcve-2004.xml
-rw-r--r-- 1 root root 848.2K Jun 6 07:20 nvdcve-2.0-2004.xml.gz
-rw-r--r-- 1 root root 11.3M Jun 6 07:20 nvdcve-2.0-2004.xml
-rw-r--r-- 1 root root 961.4K Jun 6 07:20 nvdcve-1.0-2004.json.gz
-rw-r--r-- 1 root root 15.0M Jun 6 07:20 nvdcve-1.0-2004.json
-rw-r--r-- 1 root root 938.7K Jun 6 07:20 nvdcve-2005.xml.gz
-rw-r--r-- 1 root root 7.3M Jun 6 07:20 nvdcve-2005.xml
-rw-r--r-- 1 root root 1.3M Jun 6 07:20 nvdcve-2.0-2005.xml.gz
-rw-r--r-- 1 root root 17.4M Jun 6 07:20 nvdcve-2.0-2005.xml
-rw-r--r-- 1 root root 1.5M Jun 6 07:20 nvdcve-1.0-2005.json.gz
-rw-r--r-- 1 root root 23.1M Jun 6 07:20 nvdcve-1.0-2005.json
-rw-r--r-- 1 root root 1.5M Jun 6 07:20 nvdcve-2006.xml.gz
-rw-r--r-- 1 root root 12.1M Jun 6 07:20 nvdcve-2006.xml
-rw-r--r-- 1 root root 2.0M Jun 6 07:20 nvdcve-2.0-2006.xml.gz
-rw-r--r-- 1 root root 27.3M Jun 6 07:20 nvdcve-2.0-2006.xml
-rw-r--r-- 1 root root 2.3M Jun 6 07:21 nvdcve-1.0-2006.json.gz
-rw-r--r-- 1 root root 34.7M Jun 6 07:21 nvdcve-1.0-2006.json
-rw-r--r-- 1 root root 1.5M Jun 6 07:21 nvdcve-2007.xml.gz
-rw-r--r-- 1 root root 11.2M Jun 6 07:21 nvdcve-2007.xml
-rw-r--r-- 1 root root 1.9M Jun 6 07:21 nvdcve-2.0-2007.xml.gz
-rw-r--r-- 1 root root 25.0M Jun 6 07:21 nvdcve-2.0-2007.xml
-rw-r--r-- 1 root root 2.3M Jun 6 07:21 nvdcve-1.0-2007.json.gz
-rw-r--r-- 1 root root 33.1M Jun 6 07:21 nvdcve-1.0-2007.json
-rw-r--r-- 1 root root 1.3M Jun 6 07:21 nvdcve-2009.xml.gz
-rw-r--r-- 1 root root 11.3M Jun 6 07:21 nvdcve-2009.xml
-rw-r--r-- 1 root root 2.1M Jun 6 07:21 nvdcve-2.0-2009.xml.gz
-rw-r--r-- 1 root root 30.6M Jun 6 07:21 nvdcve-2.0-2009.xml
-rw-r--r-- 1 root root 2.4M Jun 6 07:21 nvdcve-1.0-2009.json.gz
-rw-r--r-- 1 root root 42.5M Jun 6 07:21 nvdcve-1.0-2009.json
-rw-r--r-- 1 root root 1.3M Jun 6 07:21 nvdcve-2010.xml.gz
-rw-r--r-- 1 root root 14.9M Jun 6 07:21 nvdcve-2010.xml
-rw-r--r-- 1 root root 2.8M Jun 6 07:21 nvdcve-2.0-2010.xml.gz
-rw-r--r-- 1 root root 45.6M Jun 6 07:21 nvdcve-2.0-2010.xml
-rw-r--r-- 1 root root 3.2M Jun 6 07:22 nvdcve-1.0-2010.json.gz
-rw-r--r-- 1 root root 67.0M Jun 6 07:22 nvdcve-1.0-2010.json
-rw-r--r-- 1 root root 159.9M Jun 6 08:00 nvdcve-1.0-2017.json
-rw-r--r-- 1 root root 5.5M Jun 6 08:01 nvdcve-2018.xml.gz
-rw-r--r-- 1 root root 61.4M Jun 6 08:01 nvdcve-2018.xml
-rw-r--r-- 1 root root 11.8M Jun 6 08:01 nvdcve-2.0-2018.xml.gz
-rw-r--r-- 1 root root 215.6M Jun 6 08:01 nvdcve-2.0-2018.xml
-rw-r--r-- 1 root root 8.4M Jun 6 08:01 nvdcve-1.0-2018.json.gz
-rw-r--r-- 1 root root 209.4M Jun 6 08:01 nvdcve-1.0-2018.json
-rw-r--r-- 1 root root 1.7M Jun 6 08:01 nvdcve-2019.xml.gz
-rw-r--r-- 1 root root 20.5M Jun 6 08:01 nvdcve-2019.xml
-rw-r--r-- 1 root root 3.7M Jun 6 08:01 nvdcve-2.0-2019.xml.gz
-rw-r--r-- 1 root root 71.7M Jun 6 08:01 nvdcve-2.0-2019.xml
-rw-r--r-- 1 root root 2.6M Jun 6 08:01 nvdcve-1.0-2019.json.gz
-rw-r--r-- 1 root root 63.9M Jun 6 08:02 nvdcve-1.0-2019.json
-rw-r--r-- 1 root root 1.1M Jun 6 12:00 nvdcve-2002.xml.gz
-rw-r--r-- 1 root root 8.4M Jun 6 12:00 nvdcve-2002.xml
-rw-r--r-- 1 root root 1.4M Jun 6 12:00 nvdcve-2.0-2002.xml.gz
-rw-r--r-- 1 root root 18.7M Jun 6 12:00 nvdcve-2.0-2002.xml
-rw-r--r-- 1 root root 1.6M Jun 6 12:00 nvdcve-1.0-2002.json.gz
-rw-r--r-- 1 root root 24.7M Jun 6 12:00 nvdcve-1.0-2002.json
-rw-r--r-- 1 root root 312.8K Jun 6 12:00 nvdcve-2003.xml.gz
-rw-r--r-- 1 root root 2.3M Jun 6 12:00 nvdcve-2003.xml
-rw-r--r-- 1 root root 428.2K Jun 6 12:00 nvdcve-2.0-2003.xml.gz
-rw-r--r-- 1 root root 5.4M Jun 6 12:00 nvdcve-2.0-2003.xml
-rw-r--r-- 1 root root 476.2K Jun 6 12:00 nvdcve-1.0-2003.json.gz
-rw-r--r-- 1 root root 6.9M Jun 6 12:00 nvdcve-1.0-2003.json
-rw-r--r-- 1 root root 1.5M Jun 6 12:00 nvdcve-2008.xml.gz
-rw-r--r-- 1 root root 12.8M Jun 6 12:00 nvdcve-2008.xml
-rw-r--r-- 1 root root 2.2M Jun 6 12:00 nvdcve-2.0-2008.xml.gz
-rw-r--r-- 1 root root 30.9M Jun 6 12:00 nvdcve-2.0-2008.xml
-rw-r--r-- 1 root root 2.5M Jun 6 12:00 nvdcve-1.0-2008.json.gz
-rw-r--r-- 1 root root 40.6M Jun 6 12:00 nvdcve-1.0-2008.json
-rw-r--r-- 1 root root 3.0M Jun 6 12:00 nvdcve-2011.xml.gz
-rw-r--r-- 1 root root 29.8M Jun 6 12:00 nvdcve-2011.xml
-rw-r--r-- 1 root root 6.1M Jun 6 12:00 nvdcve-2.0-2011.xml.gz
-rw-r--r-- 1 root root 108.8M Jun 6 12:00 nvdcve-2.0-2011.xml
-rw-r--r-- 1 root root 6.6M Jun 6 12:00 nvdcve-1.0-2011.json.gz
-rw-r--r-- 1 root root 182.1M Jun 6 12:00 nvdcve-1.0-2011.json
-rw-r--r-- 1 root root 1.2M Jun 6 12:00 nvdcve-2012.xml.gz
-rw-r--r-- 1 root root 14.3M Jun 6 12:00 nvdcve-2012.xml
-rw-r--r-- 1 root root 2.5M Jun 6 12:00 nvdcve-2.0-2012.xml.gz
-rw-r--r-- 1 root root 43.2M Jun 6 12:00 nvdcve-2.0-2012.xml
-rw-r--r-- 1 root root 2.9M Jun 6 12:00 nvdcve-1.0-2012.json.gz
-rw-r--r-- 1 root root 1.3M Jun 6 12:00 nvdcve-2013.xml.gz
-rw-r--r-- 1 root root 61.9M Jun 6 12:00 nvdcve-1.0-2012.json
-rw-r--r-- 1 root root 15.1M Jun 6 12:00 nvdcve-2013.xml
-rw-r--r-- 1 root root 2.6M Jun 6 12:00 nvdcve-2.0-2013.xml.gz
-rw-r--r-- 1 root root 43.5M Jun 6 12:00 nvdcve-2.0-2013.xml
-rw-r--r-- 1 root root 3.0M Jun 6 12:00 nvdcve-1.0-2013.json.gz
-rw-r--r-- 1 root root 61.6M Jun 6 12:00 nvdcve-1.0-2013.json
-rw-r--r-- 1 root root 1.6M Jun 6 12:00 nvdcve-2014.xml.gz
-rw-r--r-- 1 root root 16.5M Jun 6 12:00 nvdcve-2014.xml
-rw-r--r-- 1 root root 2.7M Jun 6 12:00 nvdcve-2.0-2014.xml.gz
-rw-r--r-- 1 root root 43.3M Jun 6 12:00 nvdcve-2.0-2014.xml
-rw-r--r-- 1 root root 3.0M Jun 6 12:00 nvdcve-1.0-2014.json.gz
-rw-r--r-- 1 root root 59.6M Jun 6 12:00 nvdcve-1.0-2014.json
-rw-r--r-- 1 root root 1.5M Jun 6 12:00 nvdcve-2015.xml.gz
-rw-r--r-- 1 root root 15.8M Jun 6 12:00 nvdcve-2015.xml
-rw-r--r-- 1 root root 2.3M Jun 6 12:00 nvdcve-2.0-2015.xml.gz
-rw-r--r-- 1 root root 39.4M Jun 6 12:00 nvdcve-2.0-2015.xml
-rw-r--r-- 1 root root 2.6M Jun 6 12:00 nvdcve-1.0-2015.json.gz
-rw-r--r-- 1 root root 52.4M Jun 6 12:00 nvdcve-1.0-2015.json
-rw-r--r-- 1 root root 165 Jun 7 04:00 nvdcve-1.0-2019.meta
-rw-r--r-- 1 root root 166 Jun 7 04:00 nvdcve-1.0-2018.meta
-rw-r--r-- 1 root root 162 Jun 7 08:00 nvdcve-1.0-modified.meta
-rw-r--r-- 1 root root 296.6K Jun 7 08:00 nvdcve-modified.xml.gz
-rw-r--r-- 1 root root 2.7M Jun 7 08:00 nvdcve-modified.xml
-rw-r--r-- 1 root root 541.8K Jun 7 08:00 nvdcve-2.0-modified.xml.gz
-rw-r--r-- 1 root root 9.1M Jun 7 08:00 nvdcve-2.0-modified.xml
-rw-r--r-- 1 root root 432.3K Jun 7 08:00 nvdcve-1.0-modified.json.gz
-rw-r--r-- 1 root root 8.9M Jun 7 08:00 nvdcve-1.0-modified.json
-rw-r--r-- 1 root root 165 Jun 7 08:00 nvdcve-1.0-2006.meta
-rw-r--r-- 1 root root 165 Jun 7 08:00 nvdcve-1.0-2005.meta
-rw-r--r-- 1 root root 163 Jun 7 08:00 nvdcve-1.0-2004.meta
-rw-r--r-- 1 root root 162 Jun 7 08:00 nvdcve-1.0-2003.meta
-rw-r--r-- 1 root root 165 Jun 7 08:00 nvdcve-1.0-2002.meta
-rw-r--r-- 1 root root 165 Jun 7 08:00 nvdcve-1.0-2010.meta
-rw-r--r-- 1 root root 165 Jun 7 08:00 nvdcve-1.0-2009.meta
-rw-r--r-- 1 root root 165 Jun 7 08:00 nvdcve-1.0-2008.meta
-rw-r--r-- 1 root root 165 Jun 7 08:00 nvdcve-1.0-2007.meta
-rw-r--r-- 1 root root 165 Jun 7 08:00 nvdcve-1.0-2014.meta
-rw-r--r-- 1 root root 165 Jun 7 08:00 nvdcve-1.0-2013.meta
-rw-r--r-- 1 root root 165 Jun 7 08:00 nvdcve-1.0-2012.meta
-rw-r--r-- 1 root root 166 Jun 7 08:00 nvdcve-1.0-2011.meta
-rw-r--r-- 1 root root 165 Jun 7 08:00 nvdcve-1.0-2016.meta
-rw-r--r-- 1 root root 165 Jun 7 08:00 nvdcve-1.0-2015.meta
-rw-r--r-- 1 root root 1.7M Jun 7 08:00 nvdcve-2016.xml.gz
-rw-r--r-- 1 root root 20.0M Jun 7 08:00 nvdcve-2016.xml
-rw-r--r-- 1 root root 3.3M Jun 7 08:00 nvdcve-2.0-2016.xml.gz
-rw-r--r-- 1 root root 54.6M Jun 7 08:00 nvdcve-2.0-2016.xml
-rw-r--r-- 1 root root 3.4M Jun 7 08:00 nvdcve-1.0-2016.json.gz
-rw-r--r-- 1 root root 71.7M Jun 7 08:00 nvdcve-1.0-2016.json
-rw-r--r-- 1 root root 166 Jun 7 08:00 nvdcve-1.0-2017.meta
-rw-r--r-- 1 root root 4.1M Jun 7 08:00 nvdcve-2017.xml.gz
-rw-r--r-- 1 root root 46.1M Jun 7 08:00 nvdcve-2017.xml
-rw-r--r-- 1 root root 8.8M Jun 7 08:00 nvdcve-2.0-2017.xml.gz
-rw-r--r-- 1 root root 160.1M Jun 7 08:00 nvdcve-2.0-2017.xml
-rw-r--r-- 1 root root 4.5M Jun 7 08:01 nvdcve-1.0-2017.json.gz
Using wget to download works ok (just to confirm it's not my network issue):
/dev/shm # wget https://nvd.nist.gov/feeds/xml/cve/1.2/nvdcve-modified.xml.gz
Connecting to nvd.nist.gov (18.235.227.114:443)
nvdcve-modified.xml. 100% |***********************************************************************************************************************************************| 282k 0:00:00 ETA
I understand that NVD does not have unlimited bandwidth and will throttle or block.
Is there any workaround I can use for a more reliable mirroring?
Thank you for your time.
Hi,
I'm having an issue when using version 1.4.0 of the docker image.
After populating /tmp/nvd, the application is unable to copy the files over to /usr/local/apache2/htdocs.
mkdir -p /tmp/target/docs/
docker run -dit \
--name mirror \
-p 80:80 \
--mount type=bind,source=/tmp/target/docs/,target=/usr/local/apache2/htdocs \
sspringett/nvdmirror:1.4.0
2020-01-07 10:15:55,354 INFO Set uid to user 0 succeeded
2020-01-07 10:15:55,355 INFO supervisord started with pid 1
2020-01-07 10:15:56,357 INFO spawned: 'httpd' with pid 8
2020-01-07 10:15:56,358 INFO spawned: 'crond' with pid 9
2020-01-07 10:15:56,359 INFO spawned: 'initialize_htdocs' with pid 10
Updating...
crond 4.5 dillon's cron daemon, started with loglevel notice
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.3. Set the 'ServerName' directive globally to suppress this message
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.3. Set the 'ServerName' directive globally to suppress this message
[Tue Jan 07 10:15:56.384458 2020] [mpm_event:notice] [pid 8:tid 140323194153832] AH00489: Apache/2.4.39 (Unix) configured -- resuming normal operations
[Tue Jan 07 10:15:56.384489 2020] [core:notice] [pid 8:tid 140323194153832] AH00094: Command line: 'httpd -D FOREGROUND'
2020-01-07 10:15:57,385 INFO success: httpd entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2020-01-07 10:15:57,385 INFO success: crond entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2020-01-07 10:15:57,385 INFO success: initialize_htdocs entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
/tmp/nvd/nvdcve-1.0-modified.meta
cp: can't create '/usr/local/apache2/htdocs/nvdcve-1.0-modified.meta': Permission denied
... snipped ...
/tmp/nvd/nvdcve-1.1-2020.json
cp: can't create '/usr/local/apache2/htdocs/nvdcve-1.1-2020.json': Permission denied
2020-01-07 10:22:44,156 INFO exited: initialize_htdocs (exit status 1; not expected)
# ps -ef
PID USER TIME COMMAND
1 root 0:00 {supervisord} /usr/bin/python2 /usr/bin/supervisord -n -c /etc/supervisor/conf.d/supervisord.conf -l
8 root 0:00 httpd -DFOREGROUND
9 root 0:00 crond -s /var/spool/cron/crontabs -f
25 daemon 0:00 httpd -DFOREGROUND
26 daemon 0:00 httpd -DFOREGROUND
27 daemon 0:00 httpd -DFOREGROUND
122 root 0:00 /bin/bash
323 root 0:00 ps -ef
# ls -lah /tmp/
total 20
drwxrwxrwt 6 root root 4.0K Jan 7 10:15 .
drwxr-xr-x 51 root root 4.0K Jan 7 10:19 ..
drwxr-xr-x 2 root root 4.0K Jan 7 10:30 cron.fObHDd
drwxr-xr-x 2 mirror mirror 4.0K Jan 7 10:22 hsperfdata_mirror
drwxr-xr-x 2 mirror mirror 4.0K Jan 7 10:22 nvd
total 48
drwxr-xr-x 15 www-data www-data 4.0K Jan 7 10:15 .
drwxr-xr-x 15 root root 4.0K Jan 7 10:15 ..
drwxr-xr-x 2 root root 4.0K May 11 2019 bin
drwxr-xr-x 2 root root 4.0K May 11 2019 build
drwxr-xr-x 2 root root 4.0K May 11 2019 cgi-bin
drwxr-xr-x 4 root root 4.0K Oct 18 19:50 conf
drwxr-xr-x 3 root root 4.0K May 11 2019 error
drwxrwxr-x 2 1000 1000 4.0K Jan 7 10:15 htdocs
drwxr-xr-x 3 root root 4.0K May 11 2019 icons
drwxr-xr-x 2 root root 4.0K May 11 2019 include
drwxr-xr-x 2 root root 4.0K Jan 7 10:15 logs
drwxr-xr-x 2 root root 4.0K May 11 2019 modules
Thank you for your time.
I had a successful execution but nothing gets uploaded to my Nexus repo.
My init.gradle
allprojects {
    apply plugin: 'maven'
    repositories {
        maven { url "http://localhost:8081/nexus/content/groups/public" }
        mavenCentral()
    }
    configurations {
        deployerJars
    }
    dependencies {
        deployerJars "org.apache.maven.wagon:wagon-http:2.5"
    }
    uploadArchives {
        repositories.mavenDeployer {
            configuration = configurations.deployerJars
            repository(url: "http://localhost:8081/nexus/content/repositories/NVD") {
                authentication(userName: "admin", password: "admin123")
            }
            snapshotRepository(url: "http://localhost:8081/nexus/content/repositories/NVD") {
                authentication(userName: "admin", password: "admin123")
            }
        }
    }
}
$ gradle -I init.gradle clean UploadArchives
:clean
:compileJava
warning: [options] bootstrap class path not set in conjunction with -source 1.7
1 warning
:processResources UP-TO-DATE
:classes
:jar
:uploadArchives
BUILD SUCCESSFUL
I get the following error when I try to build this project locally with IBM Java 8
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.1:compile (default-compile) on project nist-data-mirror: Compilation failure
[ERROR] /tmp/nist-data-mirror/src/main/java/us/springett/nistdatamirror/NistDataMirror.java:[19,52] package com.sun.org.apache.xpath.internal.operations does not exist
I can work around it by removing the unused import of com.sun.org.apache.xpath.internal.operations.Bool in the NistDataMirror.java file. Since it's not actually used, I would think it could simply be removed in the main codebase and then the project would again be compilable with any jdk.
Hello,
This is not a real issue. I just wanted to share a tip so the jar works on Java 8 when using a proxy with authentication (thanks to release 1.5.0).
Just add -Djdk.http.auth.tunneling.disabledSchemes="" in the command line before calling jar file.
Lines 289 and 293 have hardcoded Windows file separators that are causing dependency check jobs to fail on OSX and Linux environments.
After building the Docker container and starting it as described in the readme the log prints the following line which states that the mirror crontab setting is being ignored:
Oct 1 08:27:54 nist-data-mirror.somewhere.net crond: ignoring /etc/crontabs/mirror (non-existent user)
Hi Steve,
I would like to enquire, with regards to nist-data-mirror, how can one make use of the downloaded xml/json files with OWASP Dependency Check?
From what I understand, Dependency Check makes use of a h2.db file to run the scan, but this project (nist-data-mirror) gets a local copy of NIST vulnerability data in the form of xml/json files. How are the 2 projects tied together, and what steps must I take in order to integrate the xml/json files downloaded via this project into Dependency Check?
I hope to hear from you soon.
Hi
One question about mirroring. What is the final artifact from this step? Is it a h2.db file?
I would like to mirror the DB with this tool, and then, run Dependency check against it.
If the artifact that comes after this step is not a h2.db file, how do I run Dependency check against this artifact?
Thanks
Hi @stevespringett
What do you recommend as the frequency for the nist data mirror? Should I be running the script once every 24 hrs or more frequently?
Hi
Is there any possibility of releasing this as a binary to bintray or github releases?
Just FYI, bintray has free releases for open source projects and is a good way of getting JARs / WARs etc. into maven central (this is optional).
Thanks!
As of now, the update process is started once every 15 minutes. If nvd.nist.gov slows down for some reason (I've seen dramatic slowdowns a couple days ago), we can have two or more update processes running concurrently. I suggest doing something like this instead:
flock -n /tmp/nvd.lock /mirror.sh
so that the spawned process immediately exits if there is another one running.
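The non-blocking lock suggested above, as an added example that is not part of the original issue or the project's code: three simulated cron ticks contend for one lock file, with `sleep` standing in for a stalled /mirror.sh. The function names, temp files and the schedule field in the comment are assumptions made for the demo.

```shell
#!/bin/sh
# Added demo (not the project's code): what `flock -n` does when a second
# cron tick fires while the previous mirror run is still downloading.
# Crontab entry of the shape the issue proposes (schedule field assumed
# from "once every 15 minutes"):
#   */15 * * * * flock -n /tmp/nvd.lock /mirror.sh

# run_guarded LOCKFILE CMD [ARGS...]
# Runs CMD only if no other process holds LOCKFILE; otherwise returns 1
# at once without running CMD (-n = do not wait for the lock).
run_guarded() {
    guard_lock=$1
    shift
    flock -n "$guard_lock" "$@"
}

# Simulates three cron ticks; prints "<tick2> <tick3> <jobs that ran>".
overlap_demo() {
    lock=$(mktemp)   # constructed lock file, stands in for /tmp/nvd.lock
    log=$(mktemp)    # records which jobs actually executed

    # Tick 1: the job stalls for 2 s (stand-in for a slow NVD download).
    run_guarded "$lock" sh -c 'sleep 2; echo first >> "$1"' sh "$log" &
    first_pid=$!
    sleep 1          # tick 2 arrives while tick 1 still holds the lock

    if run_guarded "$lock" sh -c 'echo second >> "$1"' sh "$log"; then
        tick2=ran
    else
        tick2=skipped
    fi

    wait "$first_pid"   # tick 1 finishes and the lock is released

    if run_guarded "$lock" sh -c 'echo third >> "$1"' sh "$log"; then
        tick3=ran
    else
        tick3=skipped
    fi

    jobs_run=$(paste -s -d , "$log")
    rm -f "$lock" "$log"
    echo "$tick2 $tick3 $jobs_run"
}

overlap_demo
```

A skipped run exits with status 1, so crond logs it as a failed job even though the mirror itself is healthy.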
In chart