@lhotari lhotari commented Mar 17, 2025

Motivation

Current version fails to parse NVD API's CVE data:

[INFO] Checking for updates
[INFO] NVD API has 285,363 records in this update
[INFO] Downloaded 10,000/285,363 (4%)
[INFO] Downloaded 20,000/285,363 (7%)
[INFO] Downloaded 30,000/285,363 (11%)
[INFO] Downloaded 40,000/285,363 (14%)
[INFO] Downloaded 50,000/285,363 (18%)
[INFO] Downloaded 60,000/285,363 (21%)
[INFO] Downloaded 70,000/285,363 (25%)
[INFO] Downloaded 80,000/285,363 (28%)
[INFO] Downloaded 90,000/285,363 (32%)
[INFO] Downloaded 100,000/285,363 (35%)
[INFO] Downloaded 110,000/285,363 (39%)
[INFO] Downloaded 120,000/285,363 (42%)
[INFO] Downloaded 130,000/285,363 (46%)
[INFO] Downloaded 140,000/285,363 (49%)
[INFO] Downloaded 150,000/285,363 (53%)
[INFO] Downloaded 160,000/285,363 (56%)
[INFO] Downloaded 170,000/285,363 (60%)
[INFO] Downloaded 180,000/285,363 (63%)
[INFO] Downloaded 190,000/285,363 (67%)
[INFO] Downloaded 200,000/285,363 (70%)
[INFO] Downloaded 210,000/285,363 (74%)
[INFO] Downloaded 220,000/285,363 (77%)
[INFO] Downloaded 230,000/285,363 (81%)
[INFO] Downloaded 240,000/285,363 (84%)
Error:  Failed to process CVE-2024-1719
java.lang.NullPointerException
    at java.util.stream.ReferencePipeline$7$1.accept (ReferencePipeline.java:273)
    at java.util.stream.ReferencePipeline$3$1.accept (ReferencePipeline.java:197)
    at java.util.ArrayList$ArrayListSpliterator.tryAdvance (ArrayList.java:1602)
    at java.util.stream.ReferencePipeline$7$1.accept (ReferencePipeline.java:280)
    at java.util.stream.ReferencePipeline$3$1.accept (ReferencePipeline.java:197)
    at java.util.ArrayList$ArrayListSpliterator.tryAdvance (ArrayList.java:1602)
    at java.util.stream.ReferencePipeline.forEachWithCancel (ReferencePipeline.java:129)
    at java.util.stream.AbstractPipeline.copyIntoWithCancel (AbstractPipeline.java:527)
    at java.util.stream.AbstractPipeline.copyInto (AbstractPipeline.java:513)
    at java.util.stream.AbstractPipeline.wrapAndCopyInto (AbstractPipeline.java:499)
    at java.util.stream.MatchOps$MatchOp.evaluateSequential (MatchOps.java:230)
    at java.util.stream.MatchOps$MatchOp.evaluateSequential (MatchOps.java:196)
    at java.util.stream.AbstractPipeline.evaluate (AbstractPipeline.java:234)
    at java.util.stream.ReferencePipeline.anyMatch (ReferencePipeline.java:632)
    at org.owasp.dependencycheck.data.nvdcve.CveItemOperator.testCveCpeStartWithFilter (CveItemOperator.java:228)
    at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerability (CveDB.java:1098)
    at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.updateCveDb (NvdApiProcessor.java:119)
    at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.call (NvdApiProcessor.java:96)
    at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.call (NvdApiProcessor.java:40)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1136)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:635)
    at java.lang.Thread.run (Thread.java:840)

Modifications

  • upgrade to 12.1.0 version
  • internal database format has changed in v11
    • add v11 to cache key prefix

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

lhotari commented Mar 17, 2025

closing in favour of #24083

@lhotari lhotari closed this Mar 17, 2025