
DependencyCheck uses the decommissioned v1.0 of the NVD json feed #2273

@aikebah

Description


Describe the bug
NVD has updated their current datafeeds to the JSON 1.1 format. DependencyCheck should start consuming these. JSON 1.0 feeds appear still available and up-to-date, but only 1.1 format feeds are officially published.

**Version of dependency-check used**
The problem occurs using version 5.2.2 of DependencyCheck.

To Reproduce

  1. Run DependencyCheck in a new environment.
  2. Observe the downloads taking the 1.0 data feeds.

Expected behavior
DependencyCheck downloading the current NVD data feeds as published on their website.

Additional context
According to the publication on their website the v1.1 version of JSON feeds reached final state on 9 Sep. Based on the changelog my suspicion is that it only requires an update of the URLs and the NVD json schemas.

> At that time the current JSON 1.0 data feeds will no longer be available.

That is what they state in the announcement, but it has proven not to be entirely the case: when I just checked the meta of the 1.0 JSON feeds, it was a) still there and b) up-to-date with the 1.1 feed. Nevertheless, continued use of the 1.0 feeds is a ticking time bomb, as at some point in the future NVD will cease publishing the 1.0 feeds.

I'll make an attempt at fixing this and if successful will publish the PR.

Will use this ticket for further discussion if needed.
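An added example, not part of this issue or of the DependencyCheck code base, of the check the reporter describes doing by hand: parse NVD `.meta` files (one `key:value` per line), verify a downloaded feed against the `size` and `sha256` recorded in its `.meta`, and compare the `lastModifiedDate` of the 1.0 and 1.1 feeds to detect when the older feed stops being updated. The feed body and all `.meta` contents below are constructed fixtures, and `make_meta` is a helper for building them.

```python
import hashlib
from datetime import datetime

# Constructed sample feed body in the NVD JSON envelope shape (not real NVD data).
FEED_BODY = (b'{"CVE_data_type":"CVE","CVE_data_format":"MITRE",'
             b'"CVE_data_version":"4.0","CVE_Items":[]}')


def make_meta(last_modified: str, body: bytes) -> str:
    """Fixture helper: build .meta text in the NVD key:value layout for a feed body."""
    digest = hashlib.sha256(body).hexdigest().upper()
    return (f"lastModifiedDate:{last_modified}\n"
            f"size:{len(body)}\nzipSize:0\ngzSize:0\nsha256:{digest}\n")


def parse_meta(text: str) -> dict:
    """Parse a .meta file: split each non-empty line at its FIRST colon only,
    because the lastModifiedDate value itself contains colons."""
    meta = {}
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.partition(":")
            meta[key.strip()] = value.strip()
    return meta


def feed_matches_meta(body: bytes, meta: dict) -> bool:
    """Integrity check before ingesting: size and sha256 must match the .meta."""
    if int(meta["size"]) != len(body):
        return False
    return hashlib.sha256(body).hexdigest().lower() == meta["sha256"].lower()


def is_stale(meta_old: dict, meta_new: dict) -> bool:
    """True when the old feed's lastModifiedDate lags the newer feed's, i.e. the
    old feed has stopped tracking updates. Offsets like -04:00 are parsed."""
    old = datetime.fromisoformat(meta_old["lastModifiedDate"])
    new = datetime.fromisoformat(meta_new["lastModifiedDate"])
    return old < new


# Constructed .meta fixtures: 1.1 feed, a 1.0 feed still in step with it (what the
# reporter observed), and a 1.0 feed that has fallen behind (what retirement looks like).
META_1_1 = make_meta("2019-09-10T03:00:10-04:00", FEED_BODY)
META_1_0_CURRENT = make_meta("2019-09-10T03:00:10-04:00", FEED_BODY)
META_1_0_LAGGING = make_meta("2019-09-01T03:00:10-04:00", FEED_BODY)

if __name__ == "__main__":
    print("feed ok:", feed_matches_meta(FEED_BODY, parse_meta(META_1_1)))
    print("1.0 lagging:", is_stale(parse_meta(META_1_0_LAGGING), parse_meta(META_1_1)))
```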
