Error for all users due to insufficient column width in the database #154

Closed
2 tasks done
antonmos opened this issue Jan 6, 2023 · 6 comments

antonmos commented Jan 6, 2023

Description

nvd-clojure fails for all users due to

[2023-01-06 18:41:00.353] ERROR Engine - Unable to continue dependency-check analysis.
Encountered errors while analyzing: One or more exceptions occurred during analysis:
	UpdateException: org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error updating 'CVE-2020-36569'
		caused by DatabaseException: Error updating 'CVE-2020-36569'
		caused by JdbcBatchUpdateException: Value too long for column "VERSIONENDEXCLUDING CHARACTER VARYING(60)": "'0.0.0-20160722212129-ac0cc4484ad4_before_v0.0.0-20200131131040-063a3fb69896' (75)"; SQL statement:
INSERT INTO software (cveid, cpeEntryId, versionEndExcluding, versionEndIncluding, versionStartExcluding, versionStartIncluding, vulnerable) VALUES (?, ?, ?, ?, ?, ?, ?) [22001-214]

This is caused by jeremylong/DependencyCheck#5220 and fixed in https://github.com/jeremylong/DependencyCheck/releases/tag/v7.4.4

Reproduction steps

run nvd clojure

Stacktrace

[2023-01-06 18:41:00.349] ERROR Engine - org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error updating 'CVE-2020-36569'
org.owasp.dependencycheck.data.update.exception.UpdateException: org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error updating 'CVE-2020-36569'
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles(ProcessTask.java:157)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:114)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call(ProcessTask.java:41)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error updating 'CVE-2020-36569'
at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerability(CveDB.java:817)
at org.owasp.dependencycheck.data.update.nvd.NvdCveParser.parse(NvdCveParser.java:114)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.importJSON(ProcessTask.java:141)
at org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles(ProcessTask.java:154)
... 6 more
Caused by: org.h2.jdbc.JdbcBatchUpdateException: Value too long for column "VERSIONENDEXCLUDING CHARACTER VARYING(60)": "'0.0.0-20160722212129-ac0cc4484ad4_before_v0.0.0-20200131131040-063a3fb69896' (75)"; SQL statement:
INSERT INTO software (cveid, cpeEntryId, versionEndExcluding, versionEndIncluding, versionStartExcluding, versionStartIncluding, vulnerable) VALUES (?, ?, ?, ?, ?, ?, ?) [22001-214]
at org.h2.jdbc.JdbcPreparedStatement.executeBatch(JdbcPreparedStatement.java:1269)
at org.apache.commons.dbcp2.DelegatingStatement.executeBatch(DelegatingStatement.java:241)
at org.apache.commons.dbcp2.DelegatingStatement.executeBatch(DelegatingStatement.java:241)
at org.owasp.dependencycheck.data.nvdcve.CveDB.executeBatch(CveDB.java:1242)
at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerabilityInsertSoftware(CveDB.java:1092)
at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerability(CveDB.java:810)
... 9 more
[2023-01-06 18:41:00.353] WARN Engine - Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
[2023-01-06 18:41:00.353] ERROR Engine - Unable to continue dependency-check analysis.
Encountered errors while analyzing: One or more exceptions occurred during analysis:
UpdateException: org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error updating 'CVE-2020-36569'
caused by DatabaseException: Error updating 'CVE-2020-36569'
caused by JdbcBatchUpdateException: Value too long for column "VERSIONENDEXCLUDING CHARACTER VARYING(60)": "'0.0.0-20160722212129-ac0cc4484ad4_before_v0.0.0-20200131131040-063a3fb69896' (75)"; SQL statement:
INSERT INTO software (cveid, cpeEntryId, versionEndExcluding, versionEndIncluding, versionStartExcluding, versionStartIncluding, vulnerable) VALUES (?, ?, ?, ?, ?, ?, ?) [22001-214]
NoDataException: No documents exist
#error {
:cause Value too long for column "VERSIONENDEXCLUDING CHARACTER VARYING(60)": "'0.0.0-20160722212129-ac0cc4484ad4_before_v0.0.0-20200131131040-063a3fb69896' (75)"; SQL statement:
INSERT INTO software (cveid, cpeEntryId, versionEndExcluding, versionEndIncluding, versionStartExcluding, versionStartIncluding, vulnerable) VALUES (?, ?, ?, ?, ?, ?, ?) [22001-214]
:via
[{:type org.owasp.dependencycheck.data.update.exception.UpdateException
:message org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error updating 'CVE-2020-36569'
:at [org.owasp.dependencycheck.data.update.nvd.ProcessTask processFiles ProcessTask.java 157]}
{:type org.owasp.dependencycheck.data.nvdcve.DatabaseException
:message Error updating 'CVE-2020-36569'
:at [org.owasp.dependencycheck.data.nvdcve.CveDB updateVulnerability CveDB.java 817]}
{:type org.h2.jdbc.JdbcBatchUpdateException
:message Value too long for column "VERSIONENDEXCLUDING CHARACTER VARYING(60)": "'0.0.0-20160722212129-ac0cc4484ad4_before_v0.0.0-20200131131040-063a3fb69896' (75)"; SQL statement:
INSERT INTO software (cveid, cpeEntryId, versionEndExcluding, versionEndIncluding, versionStartExcluding, versionStartIncluding, vulnerable) VALUES (?, ?, ?, ?, ?, ?, ?) [22001-214]
:at [org.h2.jdbc.JdbcPreparedStatement executeBatch JdbcPreparedStatement.java 1269]}]
:trace
[[org.h2.jdbc.JdbcPreparedStatement executeBatch JdbcPreparedStatement.java 1269]
[org.apache.commons.dbcp2.DelegatingStatement executeBatch DelegatingStatement.java 241]
[org.apache.commons.dbcp2.DelegatingStatement executeBatch DelegatingStatement.java 241]
[org.owasp.dependencycheck.data.nvdcve.CveDB executeBatch CveDB.java 1242]
[org.owasp.dependencycheck.data.nvdcve.CveDB updateVulnerabilityInsertSoftware CveDB.java 1092]
[org.owasp.dependencycheck.data.nvdcve.CveDB updateVulnerability CveDB.java 810]
[org.owasp.dependencycheck.data.update.nvd.NvdCveParser parse NvdCveParser.java 114]
[org.owasp.dependencycheck.data.update.nvd.ProcessTask importJSON ProcessTask.java 141]
[org.owasp.dependencycheck.data.update.nvd.ProcessTask processFiles ProcessTask.java 154]
[org.owasp.dependencycheck.data.update.nvd.ProcessTask call ProcessTask.java 114]
[org.owasp.dependencycheck.data.update.nvd.ProcessTask call ProcessTask.java 41]
[java.util.concurrent.FutureTask run FutureTask.java 264]
[java.util.concurrent.ThreadPoolExecutor runWorker ThreadPoolExecutor.java 1128]
[java.util.concurrent.ThreadPoolExecutor$Worker run ThreadPoolExecutor.java 628]
[java.lang.Thread run Thread.java 829]]}
#error {
:cause No documents exist
:via
[{:type org.owasp.dependencycheck.exception.NoDataException
:message No documents exist
:at [org.owasp.dependencycheck.Engine ensureDataExists Engine.java 1141]}]
:trace
[[org.owasp.dependencycheck.Engine ensureDataExists Engine.java 1141]
[org.owasp.dependencycheck.Engine analyzeDependencies Engine.java 619]
[nvd.task.check$scan_and_analyze$fn__793 invoke check.clj 53]
[nvd.task.check$scan_and_analyze invokeStatic check.clj 52]
[nvd.task.check$scan_and_analyze invoke check.clj 47]
[nvd.task.check$impl invokeStatic check.clj 90]
[nvd.task.check$impl invoke check.clj 82]
[nvd.task.check$_main invokeStatic check.clj 147]
[nvd.task.check$_main doInvoke check.clj 98]
[clojure.lang.RestFn invoke RestFn.java 421]
[nvd.task$check invokeStatic task.clj 31]
[nvd.task$check invoke task.clj 28]
[clojure.lang.AFn applyToHelper AFn.java 154]
[clojure.lang.AFn applyTo AFn.java 144]
[clojure.lang.Var applyTo Var.java 705]
[clojure.core$apply invokeStatic core.clj 667]
[clojure.core$apply invoke core.clj 662]
[clojure.run.exec$exec invokeStatic exec.clj 48]
[clojure.run.exec$exec doInvoke exec.clj 39]
[clojure.lang.RestFn invoke RestFn.java 423]
[clojure.run.exec$_main$fn__205 invoke exec.clj 180]
[clojure.run.exec$_main invokeStatic exec.clj 176]
[clojure.run.exec$_main doInvoke exec.clj 139]
[clojure.lang.RestFn applyTo RestFn.java 137]
[clojure.lang.Var applyTo Var.java 705]
[clojure.core$apply invokeStatic core.clj 667]
[clojure.main$main_opt invokeStatic main.clj 514]
[clojure.main$main_opt invoke main.clj 510]
[clojure.main$main invokeStatic main.clj 664]
[clojure.main$main doInvoke main.clj 616]
[clojure.lang.RestFn applyTo RestFn.java 137]
[clojure.lang.Var applyTo Var.java 705]
[clojure.main main main.java 40]]}

Version

2.11.0

Java version

openjdk version "11.0.10" 2021-01-19
OpenJDK Runtime Environment AdoptOpenJDK (build 11.0.10+9)
OpenJDK 64-Bit Server VM AdoptOpenJDK (build 11.0.10+9, mixed mode)


antonmos commented Jan 6, 2023

#155 is the fix

@antonmos antonmos changed the title Error due to insufficient column width in the database Error for all users due to insufficient column width in the database Jan 6, 2023

vemv commented Jan 7, 2023

Thanks! I'll cut a release this weekend.

@antonmos

@vemv sorry to bother you, but all of our builds are affected. When do you think you can get to this? Thank you in advance!

vemv added a commit that referenced this issue Jan 10, 2023
Fixes #154
Closes #155
@vemv vemv closed this as completed in 55cac47 Jan 10, 2023

vemv commented Jan 10, 2023

#155 (comment)

@jean-lopes

My understanding is that we have a local database with CVEs. The error we are being affected by is an incompatibility of some field length. I am guessing they changed this field value on the NVD side; do you know how to check this?

Error updating 'CVE-2020-36569'
		caused by DatabaseException: Error updating 'CVE-2020-36569'
		caused by JdbcBatchUpdateException: Value too long for column "VERSIONENDEXCLUDING CHARACTER VARYING(60)": "'0.0.0-20160722212129-ac0cc4484ad4_before_v0.0.0-20200131131040-063a3fb69896' (75)"; SQL statement:


vemv commented Jan 11, 2023

Please create a new issue, specifying the nvd-clojure version you're using (yesterday's release being the only supported one now).
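
One way to check a feed for the condition reported in this thread, as an added example (not code from nvd-clojure or DependencyCheck): it walks a feed assumed to be in the NVD JSON 1.1 layout and reports version-range values longer than the 60-character column named in the error. The sample feed, the `cpe23Uri` values and `CVE-0000-0000` are constructed; only the CVE id and the 75-character value come from the error message above.

```python
import json

# Width from the error on this page: "VERSIONENDEXCLUDING CHARACTER VARYING(60)".
COLUMN_WIDTH = 60
# Version-range keys of a cpe_match entry (assumed NVD JSON 1.1 layout); they
# correspond to the columns of the INSERT INTO software statement in the trace.
RANGE_FIELDS = ("versionEndExcluding", "versionEndIncluding",
                "versionStartExcluding", "versionStartIncluding")

def walk_matches(nodes):
    """Yield every cpe_match entry, descending into nested child nodes."""
    for node in nodes or []:
        yield from node.get("cpe_match") or []
        yield from walk_matches(node.get("children"))

def oversized_ranges(feed, width=COLUMN_WIDTH):
    """Return (cve_id, field, length, value) for each value longer than width."""
    findings = []
    for item in feed.get("CVE_Items", []):
        cve_id = item.get("cve", {}).get("CVE_data_meta", {}).get("ID", "<unknown>")
        nodes = item.get("configurations", {}).get("nodes")
        for match in walk_matches(nodes):
            for field in RANGE_FIELDS:
                value = match.get(field)
                if isinstance(value, str) and len(value) > width:
                    findings.append((cve_id, field, len(value), value))
    return findings

# Constructed sample feed. CVE-0000-0000 and both cpe23Uri values are
# placeholders; the long version string is the one quoted in the error.
SAMPLE_FEED = json.loads("""
{"CVE_Items": [
  {"cve": {"CVE_data_meta": {"ID": "CVE-2020-36569"}},
   "configurations": {"nodes": [{"operator": "AND", "children": [
     {"operator": "OR", "cpe_match": [
       {"vulnerable": true,
        "cpe23Uri": "cpe:2.3:a:example:example:*:*:*:*:*:*:*:*",
        "versionEndExcluding": "0.0.0-20160722212129-ac0cc4484ad4_before_v0.0.0-20200131131040-063a3fb69896"}]}]}]}},
  {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0000"}},
   "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
       {"vulnerable": true,
        "cpe23Uri": "cpe:2.3:a:example:other:*:*:*:*:*:*:*:*",
        "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.2.3"}]}]}}
]}
""")

if __name__ == "__main__":
    for cve_id, field, length, value in oversized_ranges(SAMPLE_FEED):
        print(f"{cve_id}: {field} is {length} chars (limit {COLUMN_WIDTH}): {value}")
```

To run it against real data, load a downloaded feed file with `json.load` and pass the result to `oversized_ranges`.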

lread added a commit to clj-commons/clj-yaml that referenced this issue Jan 12, 2023