
CVE Download Updates #3722

Merged
merged 8 commits into from
Oct 11, 2021

Conversation

jeremylong
Owner

  1. Make the CVE start year configurable.
  2. Add NVD CVE cache so if some downloads work but the update ultimately fails, re-running the update will use the cached data.
  3. Add 3 attempts to download JSON files from the NVD with a wait between each attempt.
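An added example, not DependencyCheck's own code, of the retry-then-cache flow the description outlines. It assumes a hypothetical `Fetcher` interface standing in for the real HTTP download (so it runs offline), an assumed wait of one second between attempts (the PR does not state the value), and uses `Files.setLastModifiedTime`, which throws on failure rather than returning a boolean that is easy to ignore.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.nio.file.attribute.FileTime;
import java.time.Instant;
import java.util.Optional;

// Added example, not DependencyCheck's own code: retry-then-cache handling for one NVD JSON feed file.
public class NvdFeedFetchExample {
    // Hypothetical abstraction over the HTTP download so the example runs offline; false = transient failure.
    @FunctionalInterface
    interface Fetcher { boolean download(String url, Path target) throws IOException; }
    static final int MAX_ATTEMPTS = 3;                 // the three attempts described in the PR
    static final long WAIT_BETWEEN_ATTEMPTS_MS = 1000; // assumed wait; the PR does not state a value

    // Up to MAX_ATTEMPTS downloads with a wait between them. On success the file is copied into the
    // cache with a fresh mtime; if every attempt fails, the copy cached by an earlier run is reused.
    static Optional<Path> fetchWithCache(Fetcher fetcher, String url, Path work, Path cache)
            throws IOException, InterruptedException {
        final Path cached = cache.resolve(work.getFileName());
        for (int attempt = 1; attempt <= MAX_ATTEMPTS; attempt++) {
            if (fetcher.download(url, work)) {
                Files.createDirectories(cache);
                Files.copy(work, cached, StandardCopyOption.REPLACE_EXISTING);
                // Unlike File.setLastModified(), this throws on failure instead of returning an ignorable boolean
                Files.setLastModifiedTime(cached, FileTime.from(Instant.now()));
                return Optional.of(cached);
            }
            if (attempt < MAX_ATTEMPTS) Thread.sleep(WAIT_BETWEEN_ATTEMPTS_MS);
        }
        return Files.exists(cached) ? Optional.of(cached) : Optional.empty();
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("nvd-example");
        Path work = dir.resolve("nvdcve-1.1-2021.json.gz"), cache = dir.resolve("cache");
        int[] calls = {0};
        // Constructed fetcher: two transient failures, then success
        Fetcher flaky = (url, target) -> {
            if (++calls[0] < 3) return false;
            Files.write(target, "{\"CVE_Items\":[]}".getBytes());
            return true;
        };
        System.out.println("first run:  " + fetchWithCache(flaky, "https://example.invalid/feed", work, cache));
        // Constructed fetcher that always fails: the cached copy from the first run is returned instead
        Fetcher dead = (url, target) -> false;
        System.out.println("second run: " + fetchWithCache(dead, "https://example.invalid/feed", work, cache));
    }
}
```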

@boring-cyborg boring-cyborg bot added the ant (changes to ant), cli (changes to the cli), core (changes to core), documentation (site documentation) and maven (changes to the maven plugin) labels Oct 11, 2021
@jeremylong jeremylong added this to the 6.4.0 milestone Oct 11, 2021
@jeremylong
Owner Author

This change plus the wait timeout should resolve #3710.

@boring-cyborg boring-cyborg bot added the utils (changes to utils) label Oct 11, 2021
@@ -1267,6 +1273,7 @@ private ExceptionCollection collectDependencyManagementDependencies(Engine engin
* @return a collection of exceptions that may have occurred while resolving
* and scanning the dependencies
*/
//CSOFF: OperatorWrap
private ExceptionCollection collectMavenDependencies(Engine engine, MavenProject project,
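Review bot: the `//CSOFF: OperatorWrap` line placed just above the `collectMavenDependencies` signature opens a Checkstyle suppression region; make sure a matching `//CSON: OperatorWrap` closes it directly after the method, otherwise the OperatorWrap rule stays disabled for the rest of the file rather than just this method.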
Contributor


Reporter: Checkstyle
Rule: com.puppycrawl.tools.checkstyle.checks.sizes.MethodLengthCheck
Severity: ERROR
File: maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java L1277

Method length is 171 lines (max allowed is 160).

}
final File nvdFile = new File(cache, filename);
FileUtils.copyFile(file, nvdFile);
nvdFile.setLastModified(Instant.now().toEpochMilli());
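Review bot: `nvdFile.setLastModified(Instant.now().toEpochMilli())` returns a boolean that is discarded here; if the timestamp cannot be set, the cached file keeps whatever mtime the copy gave it and any freshness check built on that timestamp is silently wrong. Check the return value and at least log a warning on `false`, or use `Files.setLastModifiedTime`, which throws instead of returning a flag.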
Contributor


Reporter: Spotbugs
Rule: RV_RETURN_VALUE_IGNORED_BAD_PRACTICE
Severity: INFO
File: core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCache.java L103
Source: org.owasp.dependencycheck.data.update.nvd.NvdCache

Method ignores exceptional return value. This method returns a value that is not checked. The return value should be checked since it can indicate an unusual or unexpected function execution. For example, the File.delete() method returns false if the file could not be successfully deleted (rather than throwing an Exception). If you don't check the result, you won't notice if the method invocation signals unexpected behavior by returning an atypical return value.
