NVD download not setting read timeout for HTTP5 Client #7418
Comments
|
Note that there are several comments in #7406 where several others have experienced the same hang. |
|
The same thing happens to us too, we are unable to go beyond 36% of the update. |
|
Same here. Running v12.1.0 via Maven and keep on getting stuck: |
|
using 12.1. And it only gets to 11% |
|
I encountered the same issue, with progress halting at 43%, even after using a new NVD API Key.
|
|
is there a solution to this yet? |
|
As a workaround I followed the DB caching guide to avoid full DB downloads. As long as there are no DB format changes requiring a full DB download again this avoids the issue. |
|
@costas80 many database changes - as long as you are using the H2 database most upgrades can update the schema as well without requiring a purge. |
|
I have caching but I'm unable to finish the initial download. Max 60%... |
|
To prevent isssues like this in the future consider setting up a mirror for the NVD data. For instance, this one is used to build the dependency-check github action. There is an issue at the NVD side due to the volume of requests. The more people that use mirrors or use some other mechanism to keep the data directory persisted between executions of dependency-check the better. |
|
Is there any example on how to set up caching with and for GitHub Actions and the maven plugin? |
|
Here is an action that creates a cache in the repositories gh-pages: https://github.com/dependency-check/DependencyCheck_Builder/blob/main/.github/workflows/cache.yml Then you just point the datafeed URL to the pages URL. |
|
@jeremylong Is there a way to make the NVD-Update to be saved in Chunks? If the updater would commit changes to the local H2-DB every 10000 records, we could just restart the update when it fails, and we don't need to start from zero when we downloaded half of the whole DB previously. |
|
Is it ok to reference from https://dependency-check.github.io/DependencyCheck_Builder/nvd_cache/ or should everyone set up its own cache? |
|
I know people do reference the builder cache. It is currently maintained. |
@jeremylong There is a behavioral difference now because the Apache HTTP/5 client is being used. I believe you had a read timeout before, but since the newer version uses the HTTP/5 client and does not set the response timeout, it defaults to 0, which means it will hang indefinitely. I bet this is exhausting the NVD server-side connections because they don't seem to be timing out the connection either. |
I am attempting a switch to the builder cache... and am getting the following error with the download. The only configuration setting I changed was the NVD_API_DATAFEED_URL. What am I missing here? |
|
@Benjamin-deToy Looks like a missing initialisation... using the gradle plugin? |
|
@Benjamin-deToy it's another piece of code that uses this project's engine I think ( Downloader.getInstance().configure(settings);How such a static initializer call translates to Clojure I'll have to leave to the clojure specialists over at nvd-clojure. |
|
Hi all, is there any example of how to set up caching for dependency check in an Azure DevOps Pipeline? |
I would also appreciate this information. Currently initial download gets stuck for me so I assume cache never gets done. |
|
@donlouie @eerik-te Best to check within the azuredevops repo https://github.com/dependency-check/azuredevops/ |
|
I made the change to use the builder cache and it worked fine for me yesterday, but today I am running some more tests and I am getting errors like this one when trying to download the database from the builder cache. Any idea of what could be happening? @jeremylong @aikebah
|
|
The database has been closed [90098-232] makes me suspect there is an earlier error reported as well that indicates errors. But typically this type of errror is likely to indicate a corrupted datafile. |
|
@jeremylong @aikebah With a debugger attached, I can't reproduce the problem, but the issue seems to be in the processApi method. I think I'm getting close to figuring it out. |
|
@jeremylong @aikebah I tried testing #7437. It didn't help the situation. I attached with a debugger and could see the problem was happening somewhere in the processApi in NvdApiDataSource. I asked ChatGPT to see if it could find any areas where hangs might occur, and with the new code it created, I was finally able to get the database downloaded very smoothly with no timeouts or issues. I've attached a patch file that allowed me to get my first successful download. I've wiped out the H2 multiple times and can download with no problems. As soon as the patch is reverted, the download issues return. I don't know the codebase well enough to try to submit a pull request where the new configuration parameters are properly integrated, but here is a patch file that works, but it has hardcoded values for some of the configuration parameters that really should be plugin configuration parameters. Patch details... Introduced Retry Logic and Overall Timeout:
Added Per-Batch Processing Timeouts:
Improved Executor and Thread Management:
Enhanced Exception Handling and Logging:
Refactored Pre-Update and API Builder Configuration: Moved pre-update checks (e.g., last update timestamp and valid duration) inside the retry loop so that each attempt re-evaluates whether an update is necessary. General Code Clean-Up:
|
|
Hi @danshome, how did you install this patch? |
@devsecops-pe It's a patch to the source code; it's not something you install. You'd have to download the source code, apply the patch, and build it before deploying it to an internal repository like Nexus. I've only tested it locally, and it seems to be more stable, but it could just be a red herring since when I reverted to 12.1.0 later yesterday, I was able to get a download. I think the best option, until @jeremylong or someone who knows the codebase better than I do has time to look at it and integrate it, is that you should check out #7446 or refer to @jeremylong's post from two days ago. Here is an action that creates a cache in the repositories gh-pages: https://github.com/dependency-check/DependencyCheck_Builder/blob/main/.github/workflows/cache.yml Then you just point the datafeed URL to the pages URL. |
[ X] I checked the issues list for existing open or closed reports of the same problem.
Describe the bug
When updating the NVD CVE feed, the download process hangs indefinitely after successfully downloading a portion of the records (e.g., at 120,000/281,554). Despite repeated warnings such as “Retrying request /rest/json/cves/2.0?resultsPerPage=2000&startIndex=130000 : 3rd time”, the update never times out or fails gracefully, leaving the build stuck. If you kill the process, then you have to start over from scratch, it would nice if it could restart after the last batch it downloaded.
Version of dependency-check used
The problem occurs using version 12.1.0 of the dependency-check CLI (or specify the plugin if applicable).
Log file
Please see the full log output here:
09:38:35 [INFO] Checking for updates
09:38:57 [INFO] NVD API has 281,554 records in this update
09:40:11 [INFO] Downloaded 10,000/281,554 (4%)
09:40:56 [INFO] Downloaded 20,000/281,554 (7%)
09:41:48 [INFO] Downloaded 30,000/281,554 (11%)
09:42:27 [WARNING] Retrying request /rest/json/cves/2.0?resultsPerPage=2000&startIndex=34000 : 3rd time
09:43:20 [INFO] Downloaded 40,000/281,554 (14%)
09:43:58 [WARNING] Retrying request /rest/json/cves/2.0?resultsPerPage=2000&startIndex=42000 : 3rd time
09:44:31 [INFO] Downloaded 50,000/281,554 (18%)
09:45:41 [INFO] Downloaded 60,000/281,554 (21%)
09:47:00 [INFO] Downloaded 70,000/281,554 (25%)
09:48:16 [INFO] Downloaded 80,000/281,554 (28%)
09:49:09 [INFO] Downloaded 90,000/281,554 (32%)
09:50:41 [INFO] Downloaded 100,000/281,554 (36%)
09:51:06 [WARNING] Retrying request /rest/json/cves/2.0?resultsPerPage=2000&startIndex=130000 : 3rd time
09:52:33 [INFO] Downloaded 110,000/281,554 (39%)
09:53:41 [INFO] Downloaded 120,000/281,554 (43%). <<--- **It's been hung here for 5 hours.
To Reproduce
Steps to reproduce the behavior:
Run a dependency-check scan that triggers an update of the NVD API feed.
Observe that the update process begins and successfully downloads a portion of the records.
Notice repeated warnings about retrying requests after a certain record count.
The process hangs indefinitely (e.g., stuck at 120,000/281,554 records) without triggering a timeout.
Expected behavior
The update process should respect a configured read timeout so that if the NVD API stops sending data, the process fails gracefully with an appropriate error message rather than hanging indefinitely. If the read times out, it should retry again; no sleep is necessary since it's already hung long enough to get a read timeout.
Additional context
It appears that while there is a CONNECTION_READ_TIMEOUT setting in URLConnectionFactory, the NvdApiDataSource and related code use Apache Http5 Client without setting the response timeout (via setResponseTimeout). As a result, if the API stops sending data, the connection never times out. A fix would involve configuring a proper response timeout when using the Http5 client and retry logic.
The text was updated successfully, but these errors were encountered: