Feed for CVE 1.1 not available #5225
Description
Current Behavior
I'm tried to start the docker container of version 4.13.3 on a new VM.
It seams that the CVE feeds of version 1.1 are not available, in addition the login in the frontend doesn't work. But it might be following error.
apiserver-1 | 2025-08-25 10:41:36,329 INFO [EmbeddedJettyServer] alpine-executable-war v3.2.0 (e93877d0-df20-4fb1-94d1-18aaaff5eb24) built on: 2025-04-02T10:25:57Z
apiserver-1 | 2025-08-25 10:41:38,140 INFO [Config] --------------------------------------------------------------------------------
apiserver-1 | 2025-08-25 10:41:38,141 INFO [Config] OS Name: Linux
apiserver-1 | 2025-08-25 10:41:38,142 INFO [Config] OS Version: 6.12.41+deb13-amd64
apiserver-1 | 2025-08-25 10:41:38,142 INFO [Config] OS Arch: amd64
apiserver-1 | 2025-08-25 10:41:38,142 INFO [Config] CPU Cores: 4
apiserver-1 | 2025-08-25 10:41:38,146 INFO [Config] Max Memory: 6.2 GB (6,668,419,072.0 bytes)
apiserver-1 | 2025-08-25 10:41:38,146 INFO [Config] Java Vendor: Eclipse Adoptium
apiserver-1 | 2025-08-25 10:41:38,147 INFO [Config] Java Version: 21.0.7+6-LTS
apiserver-1 | 2025-08-25 10:41:38,147 INFO [Config] Java Home: /opt/java/openjdk
apiserver-1 | 2025-08-25 10:41:38,147 INFO [Config] Java Temp: /tmp
apiserver-1 | 2025-08-25 10:41:38,147 INFO [Config] User: dtrack
apiserver-1 | 2025-08-25 10:41:38,147 INFO [Config] User Home: /data/
apiserver-1 | 2025-08-25 10:41:38,147 INFO [Config] --------------------------------------------------------------------------------
apiserver-1 | 2025-08-25 10:41:38,147 INFO [Config] Initializing Configuration
apiserver-1 | 2025-08-25 10:41:38,148 INFO [Config] System property alpine.application.properties not specified
apiserver-1 | 2025-08-25 10:41:38,148 INFO [Config] Loading application.properties from classpath
apiserver-1 | 2025-08-25 10:41:38,152 INFO [Config] --------------------------------------------------------------------------------
apiserver-1 | 2025-08-25 10:41:38,152 INFO [Config] Application: Dependency-Track
apiserver-1 | 2025-08-25 10:41:38,152 INFO [Config] Version: 4.13.3
apiserver-1 | 2025-08-25 10:41:38,152 INFO [Config] Built-on: 2025-08-04T12:52:10Z
apiserver-1 | 2025-08-25 10:41:38,152 INFO [Config] --------------------------------------------------------------------------------
apiserver-1 | 2025-08-25 10:41:38,152 INFO [Config] Framework: Alpine
apiserver-1 | 2025-08-25 10:41:38,153 INFO [Config] Version : 3.2.0
apiserver-1 | 2025-08-25 10:41:38,153 INFO [Config] Built-on: 2025-04-02T10:25:57Z
apiserver-1 | 2025-08-25 10:41:38,153 INFO [Config] --------------------------------------------------------------------------------
apiserver-1 | 2025-08-25 10:41:38,243 INFO [RequirementsVerifier] Initializing requirements verifier
apiserver-1 | 2025-08-25 10:41:38,243 INFO [UpgradeInitializer] Initializing upgrade framework
apiserver-1 | 2025-08-25 10:41:47,294 INFO [PersistenceManagerFactory] Initializing persistence framework
apiserver-1 | 2025-08-25 10:41:47,302 INFO [PersistenceManagerFactory] Creating transactional connection pool
apiserver-1 | 2025-08-25 10:41:47,356 INFO [PersistenceManagerFactory] Creating non-transactional connection pool
apiserver-1 | 2025-08-25 10:41:55,770 INFO [HealthCheckInitializer] Registering health checks
apiserver-1 | 2025-08-25 10:41:55,772 INFO [DefaultObjectGenerator] Initializing default object generator
apiserver-1 | 2025-08-25 10:41:55,773 INFO [DefaultObjectGenerator] Synchronizing permissions to datastore
apiserver-1 | 2025-08-25 10:41:56,037 INFO [DefaultObjectGenerator] Synchronizing SPDX license definitions to datastore
apiserver-1 | 2025-08-25 10:42:05,399 INFO [DefaultObjectGenerator] Synchronizing default repositories to datastore
apiserver-1 | 2025-08-25 10:42:05,476 INFO [DefaultObjectGenerator] Synchronizing config properties to datastore
apiserver-1 | 2025-08-25 10:42:05,776 INFO [DefaultObjectGenerator] Synchronizing notification publishers to datastore
apiserver-1 | 2025-08-25 10:42:06,011 INFO [EventSubsystemInitializer] Initializing asynchronous event subsystem
apiserver-1 | 2025-08-25 10:42:06,048 INFO [NotificationSubsystemInitializer] Initializing notification service
apiserver-1 | 2025-08-25 10:42:06,051 INFO [IndexSubsystemInitializer] Building lucene indexes if required
apiserver-1 | 2025-08-25 10:42:06,064 INFO [IndexManager] Checking the health of index PROJECT
apiserver-1 | 2025-08-25 10:42:06,132 INFO [IndexManager] The index PROJECT is healthy
apiserver-1 | 2025-08-25 10:42:06,135 INFO [IndexManager] Checking the health of index COMPONENT
apiserver-1 | 2025-08-25 10:42:06,139 INFO [IndexManager] The index COMPONENT is healthy
apiserver-1 | 2025-08-25 10:42:06,139 INFO [IndexManager] Checking the health of index SERVICECOMPONENT
apiserver-1 | 2025-08-25 10:42:06,143 INFO [IndexManager] The index SERVICECOMPONENT is healthy
apiserver-1 | 2025-08-25 10:42:06,144 INFO [IndexManager] Checking the health of index VULNERABILITY
apiserver-1 | 2025-08-25 10:42:06,148 INFO [IndexManager] The index VULNERABILITY is healthy
apiserver-1 | 2025-08-25 10:42:06,151 INFO [IndexManager] Checking the health of index LICENSE
apiserver-1 | 2025-08-25 10:42:06,359 INFO [IndexManager] The index LICENSE is healthy
apiserver-1 | 2025-08-25 10:42:06,360 INFO [IndexManager] Checking the health of index VULNERABLESOFTWARE
apiserver-1 | 2025-08-25 10:42:06,361 INFO [IndexManager] The index VULNERABLESOFTWARE is healthy
apiserver-1 | 2025-08-25 10:42:06,383 INFO [AlpineServlet] Starting Dependency-Track
apiserver-1 | 2025-08-25 10:42:09,723 INFO [AlpineServlet] Dependency-Track is ready
apiserver-1 | 2025-08-25 10:42:09,725 INFO [NvdMirrorServlet] Initializing NVD mirror
apiserver-1 | 2025-08-25 10:42:09,726 INFO [FileSystemResourceServlet] Initializing filesystem resource servlet
frontend-1 | /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
frontend-1 | /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
frontend-1 | /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
frontend-1 | 10-listen-on-ipv6-by-default.sh: info: IPv6 listen already enabled
frontend-1 | /docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-local-resolvers.envsh
frontend-1 | /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
frontend-1 | 20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/default.conf.template to /etc/nginx/conf.d/default.conf
frontend-1 | /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-oidc-configuration.sh
frontend-1 | 30-oidc-configuration.sh: info: effective config: {"API_BASE_URL":"http://localhost:8081","API_WITH_CREDENTIALS":null,"OIDC_CLIENT_ID":null,"OIDC_FLOW":null,"OIDC_ISSUER":null,"OIDC_LOGIN_BUTTON_TEXT":null,"OIDC_SCOPE":"openid profile email"}
frontend-1 | /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
frontend-1 | /docker-entrypoint.sh: Configuration complete; ready for start up
frontend-1 | 2025/08/25 10:42:14 [notice] 1#1: using the "epoll" event method
frontend-1 | 2025/08/25 10:42:14 [notice] 1#1: nginx/1.27.5
frontend-1 | 2025/08/25 10:42:14 [notice] 1#1: built by gcc 14.2.0 (Alpine 14.2.0)
frontend-1 | 2025/08/25 10:42:14 [notice] 1#1: OS: Linux 6.12.41+deb13-amd64
frontend-1 | 2025/08/25 10:42:14 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1073741816:1073741816
frontend-1 | 2025/08/25 10:42:14 [notice] 1#1: start worker processes
frontend-1 | 2025/08/25 10:42:14 [notice] 1#1: start worker process 35
frontend-1 | 2025/08/25 10:42:14 [notice] 1#1: start worker process 36
frontend-1 | 2025/08/25 10:42:14 [notice] 1#1: start worker process 37
frontend-1 | 2025/08/25 10:42:14 [notice] 1#1: start worker process 38
apiserver-1 | 2025-08-25 10:42:16,039 INFO [PortfolioMetricsUpdateTask] Executing portfolio metrics update
apiserver-1 | 2025-08-25 10:42:16,043 INFO [VulnerabilityMetricsUpdateTask] Executing metrics update on vulnerability database
apiserver-1 | 2025-08-25 10:42:16,166 INFO [OsvDownloadTask] Google OSV mirroring is disabled. No ecosystem selected.
apiserver-1 | 2025-08-25 10:42:16,167 INFO [ClearComponentAnalysisCacheTask] Clearing ComponentAnalysisCache
apiserver-1 | 2025-08-25 10:42:16,183 INFO [PortfolioMetricsUpdateTask] Completed portfolio metrics update in 00:00:138
apiserver-1 | 2025-08-25 10:42:16,183 INFO [VulnerabilityMetricsUpdateTask] Completed metrics update on vulnerability database in 00:00:140
apiserver-1 | 2025-08-25 10:42:16,185 INFO [ClearComponentAnalysisCacheTask] Complete
apiserver-1 | 2025-08-25 10:43:06,049 WARN [NistMirrorTask] The NVD is planning to retire the legacy data feeds used by Dependency-Track (https://nvd.nist.gov/General/News/change-timeline); Consider enabling mirroring via NVD REST API in the settings: https://docs.dependencytrack.org/datasources/nvd/#mirroring-via-nvd-rest-api
apiserver-1 | 2025-08-25 10:43:06,050 INFO [NistMirrorTask] Starting NIST mirroring task
apiserver-1 | 2025-08-25 10:43:06,054 INFO [NistMirrorTask] Downloading files at Mon Aug 25 10:43:06 UTC 2025
apiserver-1 | 2025-08-25 10:43:06,055 INFO [NistMirrorTask] Initiating download of https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2025.json.gz
apiserver-1 | 2025-08-25 10:43:06,057 INFO [VulnDbSyncTask] Starting VulnDB mirror synchronization task
apiserver-1 | 2025-08-25 10:43:06,057 INFO [VulnDbSyncTask] VulnDB mirror directory does not exist. Skipping.
apiserver-1 | 2025-08-25 10:43:06,635 WARN [NistMirrorTask] Encountered retryable exception; Will execute retry #1 in PT1S
apiserver-1 | 2025-08-25 10:43:07,974 WARN [NistMirrorTask] Encountered retryable exception; Will execute retry #2 in PT2S
apiserver-1 | 2025-08-25 10:43:10,254 WARN [NistMirrorTask] Encountered retryable exception; Will execute retry #3 in PT4S
apiserver-1 | 2025-08-25 10:43:14,575 WARN [NistMirrorTask] Encountered retryable exception; Will execute retry #4 in PT8S
apiserver-1 | 2025-08-25 10:43:22,910 WARN [NistMirrorTask] Encountered retryable exception; Will execute retry #5 in PT16S
apiserver-1 | 2025-08-25 10:43:39,192 ERROR [NistMirrorTask] Failed after 6 retry attempts
apiserver-1 | io.github.resilience4j.retry.MaxRetriesExceeded: max retries is reached out for the result predicate check
apiserver-1 | at io.github.resilience4j.retry.internal.RetryImpl$ContextImpl.onComplete(RetryImpl.java:170)
apiserver-1 | at io.github.resilience4j.retry.Retry.lambda$decorateCheckedSupplier$1(Retry.java:138)
apiserver-1 | at io.github.resilience4j.retry.Retry.executeCheckedSupplier(Retry.java:350)
apiserver-1 | at org.dependencytrack.tasks.NistMirrorTask.doDownload(NistMirrorTask.java:305)
apiserver-1 | at org.dependencytrack.tasks.NistMirrorTask.getAllFiles(NistMirrorTask.java:217)
apiserver-1 | at org.dependencytrack.tasks.NistMirrorTask.inform(NistMirrorTask.java:195)
apiserver-1 | at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:110)
apiserver-1 | at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
apiserver-1 | at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
apiserver-1 | at java.base/java.lang.Thread.run(Unknown Source)
apiserver-1 | 2025-08-25 10:43:39,194 ERROR [NistMirrorTask] Download failed : Retry 'nvd-feeds' has exhausted all attempts (6)
Steps to Reproduce
1.Start docker container via docker compose
Expected Behavior
- CVE feeds can be downloaded from nist.gov.
- Login with default credentials works
Dependency-Track Version
4.13.3
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
17.6
Browser
Google Chrome
Checklist
- I have read and understand the contributing guidelines
- I have checked the existing issues for whether this defect was already reported