How to ignore Maven dependency-check failure on missing nvd file

北战南征 提交于 2020-01-03 08:55:10

问题


I tried to perform a release of my project today using the Maven release plugin. It failed due to the dependency-check-maven plugin's attempt to download the 2020 version of the CVD file, which hasn't yet been uploaded:

Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2020.meta; received 404 -- resource not found

A brief perusal of the NVD Data Feeds page shows that file hasn't been uploaded yet.

Obviously I could wait about 24 hours and this problem will probably go away; however, I'm still interested in knowing how I could override this URL to release my project today. I've tried some command line options including variations on:

mvn dependency-check:check -DcveUrlBase=https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2019.json.gz

However, they still result in errors. I know I can skip this check but would prefer to still check all the files prior to 2020.

This issue suggests creating a local repository with the nist-data-mirror plugin, but that seems like a lot of overhead vs. waiting 24 hours.

Are there any command line or easily-reverted pom.xml edits that will allow me to release my project today?

EDIT: This has been reported as an issue at the plugin site.


回答1:


I would suggest to keep the suggestions in the github issue that you also mention. I have also given a suggestion that might work with having the data temporary on 2019 for the update. I don't know this is an option for you?

https://github.com/jeremylong/DependencyCheck/issues/2403



来源:https://stackoverflow.com/questions/59555889/how-to-ignore-maven-dependency-check-failure-on-missing-nvd-file

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!