Downloads after NVD init don't seem to be using proxy settings correctly #6800
Comments
The correct env var is Your log above shows the below, so it never tried to call NVD.
It was a typo - I am using JAVA_TOOL_OPTIONS
Well the error implies it is talking to your proxy, hence getting Depending on your proxy configuration, there are many reasons this could happen, e.g. the proxy happens to whitelist or allow through the NVD API host, but not
I can download from cisa.gov or github.io with the same proxy settings from the command line, so this rules out that the proxy is having some specific issues with these URLs.
OK, that's useful info, but folks would still need to know what you're supplying to ODC and which specific variant you are running.
I am not sure what you mean with "supplying to ODC"? - I have a dotnet project and I am trying to run the dependency-check.bat CLI on Windows. I followed the CLI documentation which explains how to pass in the proxy relevant settings via the JAVA_TOOL_OPTIONS. It seems to me as if the NVD download requests are using the proxy information, whereas all other requests don't. I have to run the CLI cmd with --disableRetireJS --disableKnownExploited so that I get past those.
What is the specific value of JAVA_TOOL_OPTIONS you are using and how are you exposing it to the CLI? What commands are you using? How can someone else replicate your problem reliably without having to guess what you are doing and replicate your precise proxy or runtime environment (which is not disclosed)? While you may be right that a core proxy functionality is fundamentally broken, given the very wide user base of ODC it seems more likely that you're doing something wrong, there is something specific to your environment that is wrong - or the documentation is misleading. If you don't explain precisely what you're doing or include logs that show what you say is happening (NVD API working), we can't easily get anywhere.
My JAVA_TOOL_OPTIONS are like this, and set as environment variables:
The CLI tool is started like this: As I already stated before, the NVD downloads went fine with these settings. If I drop the
Does this work for you (of course updating the proxy)?
Yes, you stated/told, but you didn't show via logs. I wouldn't ask to see if I didn't think it was useful to eliminate problems or assumptions about how ODC works, this is why I asked:
Anyway, good luck to you.
Yes, that's working, but I had to switch to another proxy URL to make it work with curl whereas it was working fine with Did I mention that I hate proxies 😄
Unfortunately, it's the same result as before, now also showing that the NVD downloads work properly:
Sounds like an environment issue? Possibly one of the proxies blocks access to some resources? I know some users have had to work with the networking team to allow the connections on the proxy.
Well, as I wrote already: I can
You can also host these files inside your network - see https://jeremylong.github.io/DependencyCheck/data/index.html
So, looking at this page: https://jeremylong.github.io/DependencyCheck/data/proxy.html Is it fair to assume that if Also, the page https://jeremylong.github.io/DependencyCheck/data/proxy.html mentions legacy proxy config. I am wondering if that is required if
Yes, correctly setting the
So I kept digging into this. I finally decided to start a local px instance to simply use localhost:3128 without authentication. Result: it is working. As soon as I revert to directly using the corporate proxy including auth username and password it will fail again. So for some reason the authentication information is not used in all requests correctly or there are some other settings that are not configured correctly when using BASIC authentication for proxy. BTW I also learned that it doesn't make a difference whether I am using
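A small stand-alone probe, added here and not part of DependencyCheck, that separates "the proxy blocks this URL" from "the JVM never sent credentials" for the authenticated-proxy case described above. It relies on documented JDK behaviour: HttpURLConnection only authenticates to a proxy through a default Authenticator (it ignores http.proxyUser/http.proxyPassword on its own), and Basic is disabled for HTTPS CONNECT tunnels unless jdk.http.auth.tunneling.disabledSchemes is cleared. The proxy host, port and credentials are placeholders; the target URL is one from this thread.

```java
import java.io.IOException;
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.PasswordAuthentication;
import java.net.Proxy;
import java.net.URL;
// Added diagnostic, not DependencyCheck code: does this JVM actually send Basic
// credentials to an authenticating proxy for an HTTPS download?
public class ProxyAuthProbe {
    public static void main(String[] args) throws IOException {
        // Placeholder defaults; override with -Dhttps.proxyHost=... -Dhttps.proxyPort=...
        // -Dhttp.proxyUser=... -Dhttp.proxyPassword=... (names assumed, see lead-in)
        String proxyHost = System.getProperty("https.proxyHost", "proxy.example.invalid");
        int proxyPort = Integer.getInteger("https.proxyPort", 3128);
        final String user = System.getProperty("http.proxyUser", "user");
        final String pass = System.getProperty("http.proxyPassword", "secret");
        String target = args.length > 0 ? args[0]
                : "https://jeremylong.github.io/DependencyCheck/data/index.html";
        // HttpURLConnection does not read http.proxyUser/http.proxyPassword by itself.
        // Without a default Authenticator answering PROXY challenges, the JVM never sends
        // Proxy-Authorization, and every request through an authenticating proxy ends in 407.
        Authenticator.setDefault(new Authenticator() {
            @Override
            protected PasswordAuthentication getPasswordAuthentication() {
                if (getRequestorType() == RequestorType.PROXY) {
                    System.out.println("proxy challenge: host=" + getRequestingHost()
                            + " scheme=" + getRequestingScheme());
                    return new PasswordAuthentication(user, pass.toCharArray());
                }
                return null; // never hand proxy credentials to the origin server
            }
        });
        Proxy proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(proxyHost, proxyPort));
        HttpURLConnection conn = (HttpURLConnection) new URL(target).openConnection(proxy);
        conn.setRequestMethod("HEAD");
        try {
            System.out.println(target + " -> HTTP " + conn.getResponseCode());
        } catch (IOException e) {
            // For HTTPS the JDK tunnels via CONNECT; a rejected CONNECT surfaces here as
            // "Unable to tunnel through proxy ... 407". Since JDK 8u111 Basic is disabled for
            // that tunnel by default (jdk.http.auth.tunneling.disabledSchemes=Basic), so the
            // Authenticator above is never even asked unless that property is cleared.
            System.out.println(target + " -> " + e.getMessage());
        } finally {
            conn.disconnect();
        }
    }
}
```

If the "proxy challenge" line never appears and the request still fails with 407, the credentials were never offered; if it appears and the proxy still answers 407, the proxy rejected them for that destination.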
Could it also be that your network team has different rules for nvd.nist.gov (seen by them as a trusted source; anonymous proxy access allowed) versus github (seen by them as a risky site, so people should authenticate on the proxy (and maybe even be part of certain user-groups) before being granted access to information stored there)? After all it's not uncommon for enterprise proxies to have various categories of sites with different access grants from the internal network.
Managed to reproduce locally with a customized squid-proxy docker container at localhost. I'll dive deeper into it.
That's great news! Thanks for further looking into it.
Authenticating proxy even fails when using the legacy configuration parameters. Only when I force the setting for @jeremylong I propose to try and swap out our custom HTTP client code customizing the standard JVM classes for the various resource downloads by the Apache HTTPClient. Need to see how that is best done, but expect I would be able to get that done somewhere this week; would be a good additional candidate for the 11.0.0 release I think
100% agree. I've been using the HTTPClient in the open-vulnerability-client. If you can work on this - that would be great.
Think I was a bit too optimistic regarding the amount of work to get rid of all other ways and consistently use HTTPClient within a week's time. Nevertheless things are moving forward piece by piece.
Describe the bug
We have a corporate proxy in place and I am providing the settings including proxy user and proxy pass through the JAVA_TOOL_OPTIONS as described in the documentation.
This works for the NVD updates, but as soon as I get to the point where it wants to init the retireJS repo or download the publishedSuppressions.xml, then I receive a 407 error from the proxy.
Version of dependency-check used
The problem occurs using version 10.0.1
Log file
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The process should download additional resources without error using the same proxy config.
Additional context
I have successfully downloaded the files manually, so it is not the proxy that blocks these specific URLs