Gradle task dependencyCheckUpdate fails with org.owasp....UpdateException: Error updating the NVD Data

[Arc-E-Tect]

Precondition

• I checked the issues list for existing open or closed reports of the same problem.

Describe the bug
Running the Gradle task dependencyCheckUpdate locally on my Windows 11 laptop fails with org.owasp.dependencycheck.data.update.exception.UpdateException: Error updating the NVD Data

Version of dependency-check used
The problem occurs using version 12.1.1 of the gradle (cli, gradle plugin, maven plugin, etc.)

Log file
CLI output:

> Task :app:dependencyCheckUpdate
Error updating the NVD Data
org.owasp.dependencycheck.data.update.exception.UpdateException: Error updating the NVD Data
        at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi(NvdApiDataSource.java:399)
        at org.owasp.dependencycheck.data.update.NvdApiDataSource.update(NvdApiDataSource.java:117)
        at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:903)
        at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:875)
        at org.owasp.dependencycheck.gradle.tasks.Update.update(Update.groovy:56)
        at java.base@17.0.13/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base@17.0.13/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
        at java.base@17.0.13/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base@17.0.13/java.lang.reflect.Method.invoke(Method.java:569)
        at org.gradle.internal.reflect.JavaMethod.invoke(JavaMethod.java:125)
        at org.gradle.api.internal.project.taskfactory.StandardTaskAction.doExecute(StandardTaskAction.java:58)
        at org.gradle.api.internal.project.taskfactory.StandardTaskAction.execute(StandardTaskAction.java:51)
        at org.gradle.api.internal.project.taskfactory.StandardTaskAction.execute(StandardTaskAction.java:29)
        at org.gradle.api.internal.tasks.execution.TaskExecution$3.run(TaskExecution.java:244)
        at org.gradle.internal.operations.DefaultBuildOperationRunner$1.execute(DefaultBuildOperationRunner.java:30)
        at org.gradle.internal.operations.DefaultBuildOperationRunner$1.execute(DefaultBuildOperationRunner.java:27)
        at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:67)
        at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:60)
        at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:167)
        at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:60)
        at org.gradle.internal.operations.DefaultBuildOperationRunner.run(DefaultBuildOperationRunner.java:48)
        at org.gradle.api.internal.tasks.execution.TaskExecution.executeAction(TaskExecution.java:229)
        at org.gradle.api.internal.tasks.execution.TaskExecution.executeActions(TaskExecution.java:212)
        at org.gradle.api.internal.tasks.execution.TaskExecution.executeWithPreviousOutputFiles(TaskExecution.java:195)
        at org.gradle.api.internal.tasks.execution.TaskExecution.execute(TaskExecution.java:162)
        at org.gradle.internal.execution.steps.ExecuteStep.executeInternal(ExecuteStep.java:105)
        at org.gradle.internal.execution.steps.ExecuteStep.access$000(ExecuteStep.java:44)
        at org.gradle.internal.execution.steps.ExecuteStep$1.call(ExecuteStep.java:59)
        at org.gradle.internal.execution.steps.ExecuteStep$1.call(ExecuteStep.java:56)
        at org.gradle.internal.operations.DefaultBuildOperationRunner$CallableBuildOperationWorker.execute(DefaultBuildOperationRunner.java:210)
        at org.gradle.internal.operations.DefaultBuildOperationRunner$CallableBuildOperationWorker.execute(DefaultBuildOperationRunner.java:205)
        at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:67)
        at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:60)
        at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:167)
        at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:60)
        at org.gradle.internal.operations.DefaultBuildOperationRunner.call(DefaultBuildOperationRunner.java:54)
        at org.gradle.internal.execution.steps.ExecuteStep.execute(ExecuteStep.java:56)
        at org.gradle.internal.execution.steps.ExecuteStep.execute(ExecuteStep.java:44)
        at org.gradle.internal.execution.steps.CancelExecutionStep.execute(CancelExecutionStep.java:42)
        at org.gradle.internal.execution.steps.TimeoutStep.executeWithoutTimeout(TimeoutStep.java:75)
        at org.gradle.internal.execution.steps.TimeoutStep.execute(TimeoutStep.java:55)
        at org.gradle.internal.execution.steps.PreCreateOutputParentsStep.execute(PreCreateOutputParentsStep.java:50)
        at org.gradle.internal.execution.steps.PreCreateOutputParentsStep.execute(PreCreateOutputParentsStep.java:28)
        at org.gradle.internal.execution.steps.RemovePreviousOutputsStep.execute(RemovePreviousOutputsStep.java:67)
        at org.gradle.internal.execution.steps.RemovePreviousOutputsStep.execute(RemovePreviousOutputsStep.java:37)
        at org.gradle.internal.execution.steps.BroadcastChangingOutputsStep.execute(BroadcastChangingOutputsStep.java:61)
        at org.gradle.internal.execution.steps.BroadcastChangingOutputsStep.execute(BroadcastChangingOutputsStep.java:26)
        at org.gradle.internal.execution.steps.CaptureOutputsAfterExecutionStep.execute(CaptureOutputsAfterExecutionStep.java:69)
        at org.gradle.internal.execution.steps.CaptureOutputsAfterExecutionStep.execute(CaptureOutputsAfterExecutionStep.java:46)
        at org.gradle.internal.execution.steps.ResolveInputChangesStep.execute(ResolveInputChangesStep.java:40)
        at org.gradle.internal.execution.steps.ResolveInputChangesStep.execute(ResolveInputChangesStep.java:29)
        at org.gradle.internal.execution.steps.BuildCacheStep.executeWithoutCache(BuildCacheStep.java:189)
        at org.gradle.internal.execution.steps.BuildCacheStep.lambda$execute$1(BuildCacheStep.java:75)
        at org.gradle.internal.Either$Right.fold(Either.java:175)
        at org.gradle.internal.execution.caching.CachingState.fold(CachingState.java:62)
        at org.gradle.internal.execution.steps.BuildCacheStep.execute(BuildCacheStep.java:73)
        at org.gradle.internal.execution.steps.BuildCacheStep.execute(BuildCacheStep.java:48)
        at org.gradle.internal.execution.steps.StoreExecutionStateStep.execute(StoreExecutionStateStep.java:46)
        at org.gradle.internal.execution.steps.StoreExecutionStateStep.execute(StoreExecutionStateStep.java:35)
        at org.gradle.internal.execution.steps.SkipUpToDateStep.executeBecause(SkipUpToDateStep.java:75)
        at org.gradle.internal.execution.steps.SkipUpToDateStep.lambda$execute$2(SkipUpToDateStep.java:53)
        at java.base@17.0.13/java.util.Optional.orElseGet(Optional.java:364)
        at org.gradle.internal.execution.steps.SkipUpToDateStep.execute(SkipUpToDateStep.java:53)
        at org.gradle.internal.execution.steps.SkipUpToDateStep.execute(SkipUpToDateStep.java:35)
        at org.gradle.internal.execution.steps.legacy.MarkSnapshottingInputsFinishedStep.execute(MarkSnapshottingInputsFinishedStep.java:37)
        at org.gradle.internal.execution.steps.legacy.MarkSnapshottingInputsFinishedStep.execute(MarkSnapshottingInputsFinishedStep.java:27)
        at org.gradle.internal.execution.steps.ResolveIncrementalCachingStateStep.executeDelegate(ResolveIncrementalCachingStateStep.java:49)
        at org.gradle.internal.execution.steps.ResolveIncrementalCachingStateStep.executeDelegate(ResolveIncrementalCachingStateStep.java:27)
        at org.gradle.internal.execution.steps.AbstractResolveCachingStateStep.execute(AbstractResolveCachingStateStep.java:71)
        at org.gradle.internal.execution.steps.AbstractResolveCachingStateStep.execute(AbstractResolveCachingStateStep.java:39)
        at org.gradle.internal.execution.steps.ResolveChangesStep.execute(ResolveChangesStep.java:65)
        at org.gradle.internal.execution.steps.ResolveChangesStep.execute(ResolveChangesStep.java:36)
        at org.gradle.internal.execution.steps.ValidateStep.execute(ValidateStep.java:107)
        at org.gradle.internal.execution.steps.ValidateStep.execute(ValidateStep.java:56)
        at org.gradle.internal.execution.steps.AbstractCaptureStateBeforeExecutionStep.execute(AbstractCaptureStateBeforeExecutionStep.java:64)
        at org.gradle.internal.execution.steps.AbstractCaptureStateBeforeExecutionStep.execute(AbstractCaptureStateBeforeExecutionStep.java:43)
        at org.gradle.internal.execution.steps.AbstractSkipEmptyWorkStep.executeWithNonEmptySources(AbstractSkipEmptyWorkStep.java:125)
        at org.gradle.internal.execution.steps.AbstractSkipEmptyWorkStep.execute(AbstractSkipEmptyWorkStep.java:56)
        at org.gradle.internal.execution.steps.AbstractSkipEmptyWorkStep.execute(AbstractSkipEmptyWorkStep.java:36)
        at org.gradle.internal.execution.steps.legacy.MarkSnapshottingInputsStartedStep.execute(MarkSnapshottingInputsStartedStep.java:38)
        at org.gradle.internal.execution.steps.LoadPreviousExecutionStateStep.execute(LoadPreviousExecutionStateStep.java:36)
        at org.gradle.internal.execution.steps.LoadPreviousExecutionStateStep.execute(LoadPreviousExecutionStateStep.java:23)
        at org.gradle.internal.execution.steps.HandleStaleOutputsStep.execute(HandleStaleOutputsStep.java:75)
        at org.gradle.internal.execution.steps.HandleStaleOutputsStep.execute(HandleStaleOutputsStep.java:41)
        at org.gradle.internal.execution.steps.AssignMutableWorkspaceStep.lambda$execute$0(AssignMutableWorkspaceStep.java:35)
        at org.gradle.api.internal.tasks.execution.TaskExecution$4.withWorkspace(TaskExecution.java:289)
        at org.gradle.internal.execution.steps.AssignMutableWorkspaceStep.execute(AssignMutableWorkspaceStep.java:31)
        at org.gradle.internal.execution.steps.AssignMutableWorkspaceStep.execute(AssignMutableWorkspaceStep.java:22)
        at org.gradle.internal.execution.steps.ChoosePipelineStep.execute(ChoosePipelineStep.java:40)
        at org.gradle.internal.execution.steps.ChoosePipelineStep.execute(ChoosePipelineStep.java:23)
        at org.gradle.internal.execution.steps.ExecuteWorkBuildOperationFiringStep.lambda$execute$2(ExecuteWorkBuildOperationFiringStep.java:67)
        at java.base@17.0.13/java.util.Optional.orElseGet(Optional.java:364)
        at org.gradle.internal.execution.steps.ExecuteWorkBuildOperationFiringStep.execute(ExecuteWorkBuildOperationFiringStep.java:67)
        at org.gradle.internal.execution.steps.ExecuteWorkBuildOperationFiringStep.execute(ExecuteWorkBuildOperationFiringStep.java:39)
        at org.gradle.internal.execution.steps.IdentityCacheStep.execute(IdentityCacheStep.java:46)
        at org.gradle.internal.execution.steps.IdentityCacheStep.execute(IdentityCacheStep.java:34)
        at org.gradle.internal.execution.steps.IdentifyStep.execute(IdentifyStep.java:48)
        at org.gradle.internal.execution.steps.IdentifyStep.execute(IdentifyStep.java:35)
        at org.gradle.internal.execution.impl.DefaultExecutionEngine$1.execute(DefaultExecutionEngine.java:64)
        at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.executeIfValid(ExecuteActionsTaskExecuter.java:127)
        at org.gradle.api.internal.tasks.execution.ExecuteActionsTaskExecuter.execute(ExecuteActionsTaskExecuter.java:116)
        at org.gradle.api.internal.tasks.execution.ProblemsTaskPathTrackingTaskExecuter.execute(ProblemsTaskPathTrackingTaskExecuter.java:41)
        at org.gradle.api.internal.tasks.execution.FinalizePropertiesTaskExecuter.execute(FinalizePropertiesTaskExecuter.java:46)
        at org.gradle.api.internal.tasks.execution.ResolveTaskExecutionModeExecuter.execute(ResolveTaskExecutionModeExecuter.java:51)
        at org.gradle.api.internal.tasks.execution.SkipTaskWithNoActionsExecuter.execute(SkipTaskWithNoActionsExecuter.java:57)
        at org.gradle.api.internal.tasks.execution.SkipOnlyIfTaskExecuter.execute(SkipOnlyIfTaskExecuter.java:74)
        at org.gradle.api.internal.tasks.execution.CatchExceptionTaskExecuter.execute(CatchExceptionTaskExecuter.java:36)
        at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter$1.executeTask(EventFiringTaskExecuter.java:77)
        at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter$1.call(EventFiringTaskExecuter.java:55)
        at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter$1.call(EventFiringTaskExecuter.java:52)
        at org.gradle.internal.operations.DefaultBuildOperationRunner$CallableBuildOperationWorker.execute(DefaultBuildOperationRunner.java:210)
        at org.gradle.internal.operations.DefaultBuildOperationRunner$CallableBuildOperationWorker.execute(DefaultBuildOperationRunner.java:205)
        at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:67)
        at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:60)
        at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:167)
        at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:60)
        at org.gradle.internal.operations.DefaultBuildOperationRunner.call(DefaultBuildOperationRunner.java:54)
        at org.gradle.api.internal.tasks.execution.EventFiringTaskExecuter.execute(EventFiringTaskExecuter.java:52)
        at org.gradle.execution.plan.LocalTaskNodeExecutor.execute(LocalTaskNodeExecutor.java:42)
        at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$InvokeNodeExecutorsAction.execute(DefaultTaskExecutionGraph.java:331)
        at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$InvokeNodeExecutorsAction.execute(DefaultTaskExecutionGraph.java:318)
        at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$BuildOperationAwareExecutionAction.lambda$execute$0(DefaultTaskExecutionGraph.java:314)
        at org.gradle.internal.operations.CurrentBuildOperationRef.with(CurrentBuildOperationRef.java:85)
        at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$BuildOperationAwareExecutionAction.execute(DefaultTaskExecutionGraph.java:314)
        at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph$BuildOperationAwareExecutionAction.execute(DefaultTaskExecutionGraph.java:303)
        at org.gradle.execution.plan.DefaultPlanExecutor$ExecutorWorker.execute(DefaultPlanExecutor.java:459)
        at org.gradle.execution.plan.DefaultPlanExecutor$ExecutorWorker.run(DefaultPlanExecutor.java:376)
        at org.gradle.execution.plan.DefaultPlanExecutor.process(DefaultPlanExecutor.java:111)
        at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph.executeWithServices(DefaultTaskExecutionGraph.java:138)
        at org.gradle.execution.taskgraph.DefaultTaskExecutionGraph.execute(DefaultTaskExecutionGraph.java:123)
        at org.gradle.execution.SelectedTaskExecutionAction.execute(SelectedTaskExecutionAction.java:35)
        at org.gradle.execution.DryRunBuildExecutionAction.execute(DryRunBuildExecutionAction.java:51)
        at org.gradle.execution.BuildOperationFiringBuildWorkerExecutor$ExecuteTasks.call(BuildOperationFiringBuildWorkerExecutor.java:54)
        at org.gradle.execution.BuildOperationFiringBuildWorkerExecutor$ExecuteTasks.call(BuildOperationFiringBuildWorkerExecutor.java:43)
        at org.gradle.internal.operations.DefaultBuildOperationRunner$CallableBuildOperationWorker.execute(DefaultBuildOperationRunner.java:210)
        at org.gradle.internal.operations.DefaultBuildOperationRunner$CallableBuildOperationWorker.execute(DefaultBuildOperationRunner.java:205)
        at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:67)
        at org.gradle.internal.operations.DefaultBuildOperationRunner$2.execute(DefaultBuildOperationRunner.java:60)
        at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:167)
        at org.gradle.internal.operations.DefaultBuildOperationRunner.execute(DefaultBuildOperationRunner.java:60)
        at org.gradle.internal.operations.DefaultBuildOperationRunner.call(DefaultBuildOperationRunner.java:54)
        at org.gradle.execution.BuildOperationFiringBuildWorkerExecutor.execute(BuildOperationFiringBuildWorkerExecutor.java:40)
        at org.gradle.internal.build.DefaultBuildLifecycleController.lambda$executeTasks$10(DefaultBuildLifecycleController.java:313)
        at org.gradle.internal.model.StateTransitionController.doTransition(StateTransitionController.java:266)
        at org.gradle.internal.model.StateTransitionController.lambda$tryTransition$8(StateTransitionController.java:177)
        at org.gradle.internal.work.DefaultSynchronizer.withLock(DefaultSynchronizer.java:46)
        at org.gradle.internal.model.StateTransitionController.tryTransition(StateTransitionController.java:177)
        at org.gradle.internal.build.DefaultBuildLifecycleController.executeTasks(DefaultBuildLifecycleController.java:304)
        at org.gradle.internal.build.DefaultBuildWorkGraphController$DefaultBuildWorkGraph.runWork(DefaultBuildWorkGraphController.java:220)
        at org.gradle.internal.work.DefaultWorkerLeaseService.withLocks(DefaultWorkerLeaseService.java:263)
        at org.gradle.internal.work.DefaultWorkerLeaseService.runAsWorkerThread(DefaultWorkerLeaseService.java:127)
        at org.gradle.composite.internal.DefaultBuildController.doRun(DefaultBuildController.java:181)
        at org.gradle.composite.internal.DefaultBuildController.access$000(DefaultBuildController.java:50)
        at org.gradle.composite.internal.DefaultBuildController$BuildOpRunnable.lambda$run$0(DefaultBuildController.java:198)
        at org.gradle.internal.operations.CurrentBuildOperationRef.with(CurrentBuildOperationRef.java:85)
        at org.gradle.composite.internal.DefaultBuildController$BuildOpRunnable.run(DefaultBuildController.java:198)
        at java.base@17.0.13/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
        at java.base@17.0.13/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at org.gradle.internal.concurrent.ExecutorPolicy$CatchAndRecordFailures.onExecute(ExecutorPolicy.java:64)
        at org.gradle.internal.concurrent.AbstractManagedExecutor$1.run(AbstractManagedExecutor.java:48)
        at java.base@17.0.13/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        at java.base@17.0.13/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        at java.base@17.0.13/java.lang.Thread.run(Thread.java:840)
Caused by: java.lang.NullPointerException: Cannot read the array length because "bytes" is null
        at java.base/java.lang.String.<init>(String.java:1387)
        at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient._next(NvdCveClient.java:440)
        at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.next(NvdCveClient.java:379)
        at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi(NvdApiDataSource.java:355)
        ... 162 more

> Task :app:dependencyCheckUpdate FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':app:dependencyCheckUpdate'.
> Error updating the NVD Data

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.
> Get more help at https://help.gradle.org.

BUILD FAILED in 3m 16s
1 actionable task: 1 executed
PS C:\Users\ieisi\IdeaProjects\SoftwareEngineeringDoneRight-Code\red-thread>

Expected behavior
The NVD database updated

Additional context
I am running the same build in a GitHub Actions workflow without issues.

I've deleted the NVD cache by running dependencyCheckPurge and by manually deleting the NVD cache on my laptop. Neither action resulted in changed behavior.

Example repo that shows this behavior: https://github.com/Arc-E-Tect/arc-e-tect_phonebook

[jeremylong]

Unable to reproduce.

$ gradle dependencyCheckAnalyze
Starting a Gradle Daemon, 1 incompatible Daemon could not be reused, use --status for details

> Task :dependencyCheckAnalyze
Verifying dependencies for project Arc-E-Tect_Phonebook
Checking for updates and analyzing dependencies for vulnerabilities
Explicitly loaded driver org.h2.Driver from classpath; if JDBCv4 service loading is supported by the driver you should remove the dbDriver configuration
An NVD API Key was not provided - it is highly recommended to use an NVD API key as the update can take a VERY long time without an API Key
<-------------> 0% EXECUTING [1m 25s]
> IDLE
> IDLE
> IDLE
> IDLE
> IDLE
> IDLE
> :dependencyCheckAnalyze
> IDLE

This did eventually succeed on my system. It just takes a very long time - see the above warning about the missing NVD API key. You've got a couple of options - get an API key or configure dependency-check to use the NVD data feed. See #7514 (comment) (although you would have to configure this in the build.gradle as opposed to a CLI arg - just look at the documentation).

[Arc-E-Tect]

I do have an NVD API key, as you can see, the output I included doesn't show the warning that an NVD API Key was not provided.

When I don't specify it, the process does take very long, but it works as the output below shows

Starting a Gradle Daemon (subsequent builds will be faster)

> Task :app:dependencyCheckAnalyze
Verifying dependencies for project app
Checking for updates and analyzing dependencies for vulnerabilities
An NVD API Key was not provided - it is highly recommended to use an NVD API key as the update can take a VERY long time without an API Key
Generating report for project app
Found 2 vulnerabilities in project app

One or more dependencies were identified with known vulnerabilities in app:

android-json-0.0.20131108.vaadin1.jar (pkg:maven/com.vaadin.external.google/android-json@0.0.20131108.vaadin1, cpe:2.3:a:json-java_project:json-java:0.0.20131108.din1:*:*:*:*:*:*:*) : CVE-2022-45688, CVE-2023-5072

See the dependency-check report for more details.

Region [NODEAUDIT] : Not alive and dispose was called, filename: NODEAUDIT
Region [CENTRAL] : Not alive and dispose was called, filename: CENTRAL
Region [POM] : Not alive and dispose was called, filename: POM

As soon as I specify the key, I get the above shown stacktrace almost immediately.

I am using the code below in my Gradle build file. I did debug this and the correct NVD API Key is being used. When I put the real value in, instead of using an environment variable, I get the same result. Note that I run the same build file in a GitHub action, and then it all works.

dependencyCheck {
    nvd.apiKey = System.getenv('NVD_APIKEY_SEDR')
    nvd.delay = 16000
    analyzers.assemblyEnabled = false
}

Any thoughts?

Iwan

[jeremylong]

Likely an issue with the API key. Can you run the following and get JSON output without an error?

curl -H "Accept: application/json" -H "apiKey: ########-####-####-####-############" -v https://services.nvd.nist.gov/rest/json/cves/2.0\?cpeName\=cpe:2.3:o:microsoft:windows_10:1607:\*:\*:\*:\*:\*:\*:\*

[Arc-E-Tect]

Thanks.

I tried that and getting the following output when using my API Key, which I obviously masked below.

* Host services.nvd.nist.gov:443 was resolved.
* IPv6: (none)
* IPv4: 172.65.90.25, 172.65.90.26, 172.65.90.24, 172.65.90.27
*   Trying 172.65.90.25:443...
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* ALPN: server accepted http/1.1
* Connected to services.nvd.nist.gov (172.65.90.25) port 443
* using HTTP/1.x
> GET /rest/json/cves/2.0\?cpeName\=cpe:2.3:o:microsoft:windows_10:1607:\*:\*:\*:\*:\*:\*:\* HTTP/1.1
> Host: services.nvd.nist.gov
> User-Agent: curl/8.12.1
> Accept: application/json
> apiKey: ########-####-####-####-############
>
* Request completely sent off
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
< HTTP/1.1 400 Bad Request
< Date: Mon, 09 Jun 2025 19:03:27 GMT
< Content-Length: 0
< Connection: keep-alive
< x-frame-options: SAMEORIGIN
< access-control-allow-origin: *
< access-control-allow-headers: accept, apiKey, content-type, origin, x-requested-with
< access-control-allow-methods: GET, HEAD, OPTIONS
< access-control-allow-credentials: false
< strict-transport-security: max-age=31536000
< cf-cache-status: DYNAMIC
< Set-Cookie: __cf_bm=K1XtN1Q2_YijFEXLOGq4zib_eA0_grqN2tQsOyIz5Ec-1749495807-1.0.1.1-qYl3LfW_.c5EhlcZLS3Dx1kNHdd.pVcw9UJ48oHIFS2l9NCfa3GIbEL5vjK1ZOg1S51cBIYypFm23C9PKnOUlgyJK0GbojPdeTTjjBC3cD4; path=/; expires=Mon, 09-Jun-25 19:33:27 GMT; domain=.nist.gov; HttpOnly; Secure; SameSite=None
< Set-Cookie: _cfuvid=ItWBUvjEc4uzhfJ45IMrQGIpirGMQpM9dq3no5quVHs-1749495807994-0.0.1.1-604800000; path=/; domain=.nist.gov; HttpOnly; Secure; SameSite=None
< Server: cloudflare
< CF-RAY: 94d2e39ea8a11107-ORD
<
* Connection #0 to host services.nvd.nist.gov left intact

I was triggered by the line < HTTP/1.1 400 Bad Request so I requested a new API Key from NIST and ran the CURL again, but got the same output.

I don't know if the output is as expected, but it at least is not a 404 which I am used to get when using an invalid API Key.

As I mentioned, I am using the exact same buildscript in a GitHub Action workflow, and I use the same API Key.

I noticed that after running without the NVD API Key, the local database is updated completely, and I don't get that exception thrown. But when I delete the local database, and run it again, I do get the exception.
It seems that, on my system at least, updating the local database fails when using the API Key.

I am using Windows 11, version 24H2 (OS Build 26100.4061).

PS C:\> java -version
openjdk version "17.0.13" 2024-10-15 LTS
OpenJDK Runtime Environment Corretto-17.0.13.11.1 (build 17.0.13+11-LTS)
OpenJDK 64-Bit Server VM Corretto-17.0.13.11.1 (build 17.0.13+11-LTS, mixed mode, sharing)

PS C:\> ./gradlew --version

------------------------------------------------------------
Gradle 8.14.2
------------------------------------------------------------

Build time:    2025-06-05 13:32:01 UTC
Revision:      30db2a3bdfffa9f8b40e798095675f9dab990a9a

Kotlin:        2.0.21
Groovy:        3.0.24
Ant:           Apache Ant(TM) version 1.10.15 compiled on August 25 2024
Launcher JVM:  17.0.13 (Amazon.com Inc. 17.0.13+11-LTS)
Daemon JVM:    C:\Program Files\Amazon Corretto\jdk17.0.13_11 (no JDK specified, using current Java home)
OS:            Windows 11 10.0 amd64

[jeremylong]

With the CURL command - did you get any JSON output? You should see a LARGE amount of json output after the headers. If you don't see that there is something wrong with the API key. Note, some users have issues obtaining an API key by clicking the link in the email from the NVD in their mail client. Instead, they have to copy the link and paste it into the browser to correctly obtain the API key.

[Arc-E-Tect]

I do get JSON data when I run:

curl -H "Accept: application/json" -H "apiKey: 2e0ae6b6-d505-4ace-89d8-9243d860d012" -v https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*

The \ should be removed on Windows PowerShell it seems.

Still getting the exception when running the Gradle dependencyCheckAnalyze task.

As mentioned before, the exception is thrown only when new data is retrieved from NVD, when I update the data without the API key, which takes all night, I don't get an exception. When I then run the dependencyCheckAnalyze task, there is no problem.

Which lets me believe that the problem is in retrieving data from NVD. Which is also implied by the exception:

org.owasp.dependencycheck.data.update.exception.UpdateException: Error updating the NVD Data
        at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi(NvdApiDataSource.java:399)
        at org.owasp.dependencycheck.data.update.NvdApiDataSource.update(NvdApiDataSource.java:117)
        at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:903)
        at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:875)

I am on Windows 11, latest patches installed.
Gralde 8.14.2
OWASP dependency check plugin version 12.1.3

[raphaelmatori]

I'm getting the same error here.
Any luck with that?

[Arc-E-Tect]

No solution yet, fortunately it does work in my GitHub workflows, so I do have the scans available, but would like to be able to run locally as well.

[raphaelmatori]

For me, it doesn't work on Github.
I had to comment out the vulnerability scan in the pipeline to make it run (it's a personal project anyway)
But thanks anyway

[Arc-E-Tect]

I can confirm that it doesn't work on GitHub either. I can also confirm that on my brand new MacBook Pro with the latest OS patches, I get the same problem.

[cleydyr]

Affected user here as well.

I discovered that my API key was somehow invalid. I requested a new one and changed and everything worked fine.

I don't know if this is due to a recent, slight, change in how the NVD API works now, but they give us a HTTP 404 status with a message=Invalid apiKey response header.

[INFO] Checking for updates
[DEBUG] rate limited call delay: 5000
[DEBUG] rate limited call delay: 5000
[DEBUG] rate limited call delay: 5000
[DEBUG] rate limited call delay: 5000
[DEBUG] requesting URI: https://services.nvd.nist.gov/rest/json/cves/2.0?resultsPerPage=2000&startIndex=0
[DEBUG] Ticket taken At: 15:50:44; count: 1; by 91
[DEBUG] Requested At: 15:50:44; URI: /rest/json/cves/2.0?resultsPerPage=2000&startIndex=0
[DEBUG] Ticket returned At: 15:50:45; count: 2; by 91
[DEBUG] Status Code: 404
[DEBUG] Reason: Not Found
[DEBUG] Response Headers:
[DEBUG] Key : date ,Value : Sun, 06 Jul 2025 13:50:45 GMT
[DEBUG] Key : content-length ,Value : 0
[DEBUG] Key : message ,Value : Invalid apiKey.
[DEBUG] Key : x-frame-options ,Value : SAMEORIGIN
[DEBUG] Key : access-control-allow-origin ,Value : *
[DEBUG] Key : access-control-allow-headers ,Value : accept, apiKey, content-type, origin, x-requested-with
[DEBUG] Key : access-control-allow-methods ,Value : GET, HEAD, OPTIONS
[DEBUG] Key : access-control-allow-credentials ,Value : false
[DEBUG] Key : strict-transport-security ,Value : max-age=31536000
[DEBUG] Key : cf-cache-status ,Value : DYNAMIC
[DEBUG] Key : set-cookie ,Value : __cf_bm=4AHVkWus1AN.ELMdY5vkl43tDZzQyBf_1OYJXon0afY-1751809845-1.0.1.1-MR23PpjebegmDM4Bx8RtwaC930qcKRGguBQZR56dz4ke7H9DlHuRxpG8bK.TR2GwqKgT_JwYzOMsaG3hCbBdO2G.w6XozKLr3zIsGGA3Z34; path=/; expires=Sun, 06-Jul-25 14:20:45 GMT; domain=.nist.gov; HttpOnly; Secure; SameSite=None
[DEBUG] Key : set-cookie ,Value : _cfuvid=8unnG9CY8agpqmyQw8ElDZL5jv35wca4s9GykiMxqck-1751809845064-0.0.1.1-604800000; path=/; domain=.nist.gov; HttpOnly; Secure; SameSite=None
[DEBUG] Key : server ,Value : cloudflare
[DEBUG] Key : cf-ray ,Value : 95af92aab8ac618d-ORD
[ERROR] Error updating the NVD Data

[jeremylong]

Cannot reproduce as when I curl that URL I get JSON back:

$ curl -H "Accept: application/json" https://services.nvd.nist.gov/rest/json/cves/2.0\?resultsPerPage\=2000\&startIndex\=0
{"resultsPerPage":2000,"startIndex":0,"totalResults":300519,"format":"NVD_CVE","version":"2.0","timestamp":"2025-07-06T17:45:31.946","vulnerabilities":[{"cve":{"id":"CVE-1999-0095","sourceIdentifier":"cve@mitre.org","published":"1988-10-01T04:00:00.000","lastModified":"2025-04-03T01:03:51.193","vulnStatus":"Deferred","cveTags":[],"descriptions":
...

A better option might be to configure the NVD Datafeed URL as:

--nvdDatafeed https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-\{0\}.json.gz 

Now that this is available we do have plans to use the datafeed.