Upgrade to v9.0.0: what to use as proxy-cache URL? #6126

Closed
lathspell opened this issue Nov 23, 2023 · 6 comments
@lathspell

lathspell commented Nov 23, 2023

We have a proxy/cache server that mirrors https://nvd.nist.gov/feeds/json/cve/1.1/ and that we access using:

cve.urlModified = "https://nvd.foo.com/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz"
cve.urlBase = "https://nvd.foo.com/feeds/json/cve/1.1/nvdcve-1.1-%d.json.gz"

If I understand correctly this approach will no longer work as NIST is switching from files to an HTTP API.

So we would have to configure a valid API key and then maybe use a standard Gradle proxy to reach nist.gov from a network which cannot access the Internet directly?

@jeremylong (Collaborator)

You would need to create a new cache using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data

With 9.0.0 we are using the 2.0 JSON schema data that the NVD API provides. The new property would be:

nvd.datafeedUrl = "https://internal.server/cache/nvdcve-{0}.json.gz"

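A pre-switch check for the mirror migration discussed above, added here as an example (not DependencyCheck or vulnz code). It expands the old `cve.urlBase`/`cve.urlModified` pair and the new `nvd.datafeedUrl` template into the full list of artifacts and reports which ones the mirror does not serve; the year range (2002 onward), the `modified` artifact name and the rule that `{0}` stands for either a year or `modified` are assumptions, so adjust them to what your cache actually publishes.

```python
"""Enumerate the NVD feed artifacts a DependencyCheck URL setting expands to
and check an internal mirror for them. Added example; the placeholder rules
below are assumptions about the old/new settings, not the project's own code."""
import datetime
import urllib.request
from typing import Callable, List, Optional

FIRST_NVD_YEAR = 2002  # assumption: earliest yearly feed the mirror carries


def expected_artifacts(last_year: Optional[int] = None) -> List[str]:
    """Values a feed template is expanded with: every year plus 'modified'."""
    last_year = last_year or datetime.date.today().year
    return [str(y) for y in range(FIRST_NVD_YEAR, last_year + 1)] + ["modified"]


def expand_legacy(url_base: str, url_modified: str,
                  last_year: Optional[int] = None) -> List[str]:
    """Old 1.1-feed settings: url_base carries a printf-style %d for the year
    and the modified feed is a separate setting."""
    years = expected_artifacts(last_year)[:-1]
    return [url_base % int(y) for y in years] + [url_modified]


def expand_datafeed(template: str, last_year: Optional[int] = None) -> List[str]:
    """New nvd.datafeedUrl setting: one template whose {0} placeholder is
    replaced by each year and by 'modified' (assumed behaviour)."""
    return [template.replace("{0}", a) for a in expected_artifacts(last_year)]


def missing_from_mirror(urls: List[str],
                        is_reachable: Callable[[str], bool]) -> List[str]:
    """Return the URLs the mirror does not serve. The reachability check is
    injected so this runs offline against a constructed inventory in tests."""
    return [u for u in urls if not is_reachable(u)]


def http_head_ok(url: str, timeout: float = 10.0) -> bool:
    """Real check for production use: a HEAD request that returns 2xx."""
    try:
        req = urllib.request.Request(url, method="HEAD")
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except Exception:  # DNS failure, TLS error, 4xx/5xx: treat as missing
        return False


if __name__ == "__main__":
    # Placeholder host; replace with the internal cache server.
    for url in missing_from_mirror(
            expand_datafeed("https://internal.server/cache/nvdcve-{0}.json.gz"),
            http_head_ok):
        print("missing:", url)
```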
@lathspell (Author)

Thanks for the quick reply, we'll try!

@EugenMayer (Contributor)

@jeremylong sorry to necro the issue, but I'm not sure I understood it.

We are using

urlModified = "https://our-server.tld/nvdcve-1.1-modified.json.gz"
urlBase = "https://our-server.tld/nvdcve-1.1-%d.json.gz"

right now.

Since we currently base our server on https://github.com/EugenMayer/nist-data-mirror I assume we cannot just switch to

nvd {
  datafeedUrl = "https://our-server.tld/nvdcve-{0}.json.gz"
}

But we rather have to switch to https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz to match the new cache format?

Is there any dockerized version of it in general? I would love to

Am I right to assume that there is yet no dockerized version of vulnz?

@jeremylong (Collaborator)

There is not yet a dockerized version of the vulnz tool to keep an updated NVD. One of the challenges will be the API KEY requirements - or you go with a really large delay? Once the first data load is done it shouldn't matter, but that first load is going to be more difficult.

@EugenMayer (Contributor)

I cannot see why an API key makes the dockerization any less practical, just an ENV var that is passed into the container, which is used when it is present.

IMHO the move to the new API seems a little rough at the moment, forcing people into an ecosystem that is not yet on par with the old. I assume we should have supported both API formats in DependencyCheck for the time being.

That said, is there interest in joining efforts in creating the dockerization?

@jeremylong (Collaborator)

Initial PR on dockerization is here: jeremylong/open-vulnerability-cli#87

I haven't had time to look into it yet as I've been dealing with other issues.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 14, 2024