How to ignore Maven dependency-check failure on missing nvd file

Problem description

I tried to perform a release of my project today using the Maven release plugin. It failed due to the dependency-check-maven plugin's attempt to download the 2020 version of the CVD file, which hasn't yet been uploaded:

Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2020.meta; received 404 -- resource not found

A brief perusal of the NVD Data Feeds page shows that file hasn't been uploaded yet.

Obviously I could wait about 24 hours and this problem will probably go away; however, I'm still interested in knowing how I could override this URL to release my project today. I've tried some command line options including variations on:

mvn dependency-check:check -DcveUrlBase=https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2019.json.gz

However, they still result in errors. I know I can skip this check but would prefer to still check all the files prior to 2020.

This issue suggests creating a local repository with the nist-data-mirror plugin, but that seems like a lot of overhead vs. waiting 24 hours.

Are there any command line or easily-reverted pom.xml edits that will allow me to release my project today?

This has been reported as an issue on the plugin's site.

Recommended answer

My suggestion is to create a separate job for updating the database from checking your dependencies; this way, when updating fails, the check can still occur. This has 2 extra advantages: first, checking of the dependencies is faster as you do not have to build up your database every time and, second, fewer requests have to go to the NVD, which saves them resources.

NVD now also publishes the 2020 CVEs, so no fix/workaround is needed for now, but he has created a fix https://github.com/jeremylong/DependencyCheck/commit/217da90bd6991125087f0be3a60a60763194ecf1 which will be included in the upcoming release, and this will fix the problem before 2021 when we might encounter this again.

I would also suggest keeping the suggestions in the GitHub issue that you also mention. Discussions can of course still happen here.

https://github.com/jeremylong/DependencyCheck/issues/2403
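
The split between an update job and a check job that the answer describes, as an added example (not code from the question, the answer or the DependencyCheck project). The `update-only` goal and the `autoUpdate` property belong to the plugin; the `MVN`, `STAMP` and `MAX_AGE_DAYS` variables, the stamp file and the 7-day limit are assumptions of this sketch, added so that a scan never silently runs against stale vulnerability data.

```shell
#!/bin/sh
# Added example: two independent CI jobs around dependency-check-maven.
# MVN, STAMP and MAX_AGE_DAYS are assumptions of this sketch, not plugin settings.
MVN="${MVN:-mvn}"
STAMP="${STAMP:-$HOME/.dependency-check-last-update}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-7}"

# Job 1 (scheduled): refresh the local NVD database only.
# A failed download (such as a 404 on a yearly feed) leaves the old data in place.
update_nvd_db() {
    if "$MVN" -B org.owasp:dependency-check-maven:update-only; then
        date +%s > "$STAMP"          # record the last successful refresh
        echo "NVD database updated"
    else
        echo "NVD update failed; keeping previous database" >&2
        return 1
    fi
}

# Print the age of the last successful update in whole days.
# Returns 1 if no successful update has been recorded.
db_age_days() {
    [ -r "$STAMP" ] || return 1
    now=$(date +%s)
    last=$(cat "$STAMP")
    echo $(( (now - last) / 86400 ))
}

# Job 2 (every build or release): scan without contacting the NVD.
# Returns 2 if there is no local data, 3 if the data is older than the limit.
check_dependencies() {
    age=$(db_age_days) || {
        echo "no local NVD data; run the update job first" >&2
        return 2
    }
    if [ "$age" -gt "$MAX_AGE_DAYS" ]; then
        echo "NVD data is $age days old (limit $MAX_AGE_DAYS days)" >&2
        return 3
    fi
    "$MVN" -B org.owasp:dependency-check-maven:check -DautoUpdate=false
}
```

Run `update_nvd_db` from a scheduled job and `check_dependencies` from the build; both must share the same plugin data directory for the check to see the refreshed database.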
