
NVD mirroring error #4066

Closed
2 tasks done
mdouble opened this issue Aug 12, 2024 · 5 comments
Labels
retracted Issues that were resolved, but due to outside forces, is no longer possible for inclusion

Comments

@mdouble

mdouble commented Aug 12, 2024

Current Behavior

NVD mirroring has not been working for a while.

From our logfile:

2024-08-12 09:30:52,563 INFO [NistApiMirrorTask] Mirroring CVEs that were modified since 2024-06-27T23:15:50Z
2024-08-12 09:30:53,662 ERROR [NistApiMirrorTask] An unexpected error occurred while mirroring the contents of the National Vulnerability Database
io.github.jeremylong.openvulnerability.client.nvd.NvdApiException: NVD Returned Status Code: 403
at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.next(NvdCveClient.java:352)
at org.dependencytrack.tasks.NistApiMirrorTask.inform(NistApiMirrorTask.java:166)
at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:110)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)
2024-08-12 09:30:53,662 INFO [NistApiMirrorTask] Mirroring of 0 CVEs completed in PT1.0990885S

NVD Feeds URL is https://nvd.nist.gov/feeds
API endpoint is https://services.nvd.nist.gov/rest/json/cves/2.0

API key was updated. Still the same behavior.

Steps to Reproduce

  1. see above

Expected Behavior

Mirroring works. No errors in log.

Dependency-Track Version

4.10.x

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

@mdouble mdouble added defect Something isn't working in triage labels Aug 12, 2024
@nscuro
Member

nscuro commented Aug 12, 2024

See: https://docs.dependencytrack.org/changelog/#v4-11-5

This release primarily addresses an inability to mirror the NVD via its REST API. The NVD REST API recently experienced increased load, causing service disruptions. Dependency-Track users who opted into API mirroring will have seen symptoms of this as NvdApiException: NVD Returned Status Code: 503 errors in the logs.

To reduce load on their systems, NIST started to block requests with a certain User-Agent header, which Dependency-Track happens to use. Upgrading to v4.11.5 will allow Dependency-Track to no longer be subject to this block.

Users who can’t immediately update, yet are reliant on NVD data being current, can switch back to the feed file based mirroring by disabling Enable mirroring via API in the administration panel.

@mdouble
Author

mdouble commented Aug 15, 2024

Is this the same issue? Returned status code above is "403 Forbidden" while 4.11.5 resolves "503 Service Unavailable".

@nscuro
Member

nscuro commented Aug 19, 2024

The 503s were caused by excessive load on the NVD servers, which NIST acted on by blocking all clients with a specific User-Agent header. This block manifests as 403 responses.

Please upgrade to 4.11.5 or later.
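
As an added example (not Dependency-Track code and not written by anyone in this thread), the following Python script triages a Dependency-Track log for the two NVD mirroring failure modes discussed above: it counts the HTTP status codes in `NvdApiException` lines, maps 403 and 503 to the cause and mitigation the maintainer gave, measures how far the "modified since" watermark has fallen behind the latest mirror attempt, and flags a run that "completed" with 0 CVEs. The sample log is constructed from the lines quoted in the issue plus an invented earlier 503 entry; the 7-day staleness threshold and the assumption that log timestamps are UTC are my own.

```python
"""Triage Dependency-Track NVD mirror logs: count NvdApiException status codes,
measure mirror staleness, and map each code to the cause/mitigation discussed
in this issue. Added example, not Dependency-Track code."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample, modelled on the log quoted in the issue. The 503 entry on
# 2024-08-01 is invented to show the "overload" case the maintainer described.
SAMPLE_LOG = """\
2024-08-01 02:00:09,900 INFO [NistApiMirrorTask] Mirroring CVEs that were modified since 2024-06-27T23:15:50Z
2024-08-01 02:00:10,001 ERROR [NistApiMirrorTask] An unexpected error occurred while mirroring the contents of the National Vulnerability Database
io.github.jeremylong.openvulnerability.client.nvd.NvdApiException: NVD Returned Status Code: 503
2024-08-12 09:30:52,563 INFO [NistApiMirrorTask] Mirroring CVEs that were modified since 2024-06-27T23:15:50Z
2024-08-12 09:30:53,662 ERROR [NistApiMirrorTask] An unexpected error occurred while mirroring the contents of the National Vulnerability Database
io.github.jeremylong.openvulnerability.client.nvd.NvdApiException: NVD Returned Status Code: 403
at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.next(NvdCveClient.java:352)
2024-08-12 09:30:53,662 INFO [NistApiMirrorTask] Mirroring of 0 CVEs completed in PT1.0990885S
"""

TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})"
STATUS_RE = re.compile(r"NvdApiException: NVD Returned Status Code: (\d{3})")
SINCE_RE = re.compile(TS + r" INFO \[NistApiMirrorTask\] Mirroring CVEs that were modified since (\S+)")
COMPLETED_RE = re.compile(r"Mirroring of (\d+) CVEs completed")

# Cause and mitigation per status code, as stated by the maintainer in this thread.
GUIDANCE = {
    403: ("NIST is blocking the User-Agent header sent by older Dependency-Track releases",
          "upgrade to 4.11.5 or later, or disable 'Enable mirroring via API' to use feed files"),
    503: ("NVD REST API under excessive load / service disruption",
          "transient on NIST's side; if it persists, apply the same mitigation as for 403"),
}
STALE_AFTER_DAYS = 7  # assumed threshold; tune to your tolerance for outdated CVE data


def parse_status_codes(log_text):
    """Count the HTTP status codes reported in NvdApiException lines."""
    return Counter(int(m.group(1)) for m in STATUS_RE.finditer(log_text))


def mirror_staleness_days(log_text):
    """Whole days between the 'modified since' watermark and the latest mirror
    attempt that printed it, or None if no such line exists. Assumes the log
    clock is UTC, like the watermark."""
    last = None
    for m in SINCE_RE.finditer(log_text):
        last = m
    if last is None:
        return None
    attempt = datetime.strptime(last.group(1), "%Y-%m-%d %H:%M:%S,%f")
    since = datetime.strptime(last.group(2), "%Y-%m-%dT%H:%M:%SZ")
    return (attempt - since).days


def last_completed_count(log_text):
    """CVE count from the most recent 'Mirroring of N CVEs completed' line, or None."""
    counts = [int(m.group(1)) for m in COMPLETED_RE.finditer(log_text)]
    return counts[-1] if counts else None


def triage(log_text):
    """Return human-readable findings for the log; an empty list means nothing to flag."""
    findings = []
    for code, n in sorted(parse_status_codes(log_text).items()):
        cause, fix = GUIDANCE.get(code, ("unrecognised NVD API status", "check NVD status and server logs"))
        findings.append(f"{n}x HTTP {code}: {cause}; action: {fix}")
    stale = mirror_staleness_days(log_text)
    if stale is not None and stale > STALE_AFTER_DAYS:
        findings.append(f"mirror watermark is {stale} days behind the last attempt; CVE data is stale")
    if last_completed_count(log_text) == 0:
        findings.append("last mirror run completed with 0 CVEs; treat as a failed run, not a quiet day")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

Run it against a real `dependency-track` container log (`docker logs <container> | python triage.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) to get the same four-line verdict; the point is that a 403 after a run of 503s is the User-Agent block, not a bad API key, so rotating the key (as the reporter tried) will not clear it.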

@mdouble mdouble closed this as completed Aug 29, 2024
@mdouble
Author

mdouble commented Aug 29, 2024

Upgrading to 4.11.7 resolved the issue.

@nscuro nscuro added retracted Issues that were resolved, but due to outside forces, is no longer possible for inclusion and removed defect Something isn't working pending more information labels Aug 29, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 29, 2024