NVD download not setting read timeout for HTTP5 Client #7418

@danshome

Description

[x] I checked the issues list for existing open or closed reports of the same problem.

Describe the bug
When updating the NVD CVE feed, the download process hangs indefinitely after successfully downloading a portion of the records (e.g., at 120,000/281,554). Despite repeated warnings such as “Retrying request /rest/json/cves/2.0?resultsPerPage=2000&startIndex=130000 : 3rd time”, the update never times out or fails gracefully, leaving the build stuck. If you kill the process, you have to start over from scratch; it would be nice if it could restart after the last batch it downloaded.

Version of dependency-check used
The problem occurs using version 12.1.0 of the dependency-check CLI (or specify the plugin if applicable).

Log file
Please see the full log output here:

09:38:35 [INFO] Checking for updates
09:38:57 [INFO] NVD API has 281,554 records in this update
09:40:11 [INFO] Downloaded 10,000/281,554 (4%)
09:40:56 [INFO] Downloaded 20,000/281,554 (7%)
09:41:48 [INFO] Downloaded 30,000/281,554 (11%)
09:42:27 [WARNING] Retrying request /rest/json/cves/2.0?resultsPerPage=2000&startIndex=34000 : 3rd time
09:43:20 [INFO] Downloaded 40,000/281,554 (14%)
09:43:58 [WARNING] Retrying request /rest/json/cves/2.0?resultsPerPage=2000&startIndex=42000 : 3rd time
09:44:31 [INFO] Downloaded 50,000/281,554 (18%)
09:45:41 [INFO] Downloaded 60,000/281,554 (21%)
09:47:00 [INFO] Downloaded 70,000/281,554 (25%)
09:48:16 [INFO] Downloaded 80,000/281,554 (28%)
09:49:09 [INFO] Downloaded 90,000/281,554 (32%)
09:50:41 [INFO] Downloaded 100,000/281,554 (36%)
09:51:06 [WARNING] Retrying request /rest/json/cves/2.0?resultsPerPage=2000&startIndex=130000 : 3rd time
09:52:33 [INFO] Downloaded 110,000/281,554 (39%)
09:53:41 [INFO] Downloaded 120,000/281,554 (43%)   <<--- It's been hung here for 5 hours.

To Reproduce
Steps to reproduce the behavior:

1. Run a dependency-check scan that triggers an update of the NVD API feed.
2. Observe that the update process begins and successfully downloads a portion of the records.
3. Notice repeated warnings about retrying requests after a certain record count.
4. The process hangs indefinitely (e.g., stuck at 120,000/281,554 records) without triggering a timeout.

Expected behavior
The update process should respect a configured read timeout so that if the NVD API stops sending data, the process fails gracefully with an appropriate error message rather than hanging indefinitely. If the read times out, it should retry again; no sleep is necessary since it's already hung long enough to get a read timeout.

Additional context
It appears that while there is a CONNECTION_READ_TIMEOUT setting in URLConnectionFactory, the NvdApiDataSource and related code use Apache Http5 Client without setting the response timeout (via setResponseTimeout). As a result, if the API stops sending data, the connection never times out. A fix would involve configuring a proper response timeout when using the Http5 client and retry logic.
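The following is an added illustration of the fix the report describes, not code from dependency-check itself: an Apache HttpClient 5 client built with a RequestConfig that sets setResponseTimeout (so a stalled read surfaces as a SocketTimeoutException instead of hanging), plus a per-batch loop that re-requests the same startIndex after a timeout without sleeping, and returns the next index so a caller can persist it and resume. The base URL parameter, the PageSink callback, the class name and the retry limits are assumptions; the endpoint path and resultsPerPage=2000 come from the log lines above.

```java
import java.io.IOException;
import java.net.SocketTimeoutException;
import java.net.URI;
import java.nio.charset.StandardCharsets;

import org.apache.hc.client5.http.classic.methods.HttpGet;
import org.apache.hc.client5.http.config.RequestConfig;
import org.apache.hc.client5.http.impl.DefaultHttpRequestRetryStrategy;
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
import org.apache.hc.client5.http.impl.classic.HttpClients;
import org.apache.hc.core5.http.io.entity.EntityUtils;
import org.apache.hc.core5.util.TimeValue;
import org.apache.hc.core5.util.Timeout;

/**
 * Illustrative NVD page fetcher (assumed class, not dependency-check's own code):
 * every request carries a response timeout, and a timed-out batch is retried in place.
 */
public final class NvdPageFetcher implements AutoCloseable {
    private static final int RESULTS_PER_PAGE = 2000;   // page size seen in the issue's log lines

    private final CloseableHttpClient client;
    private final String baseUrl;   // assumed parameter, e.g. "https://services.nvd.nist.gov"

    public NvdPageFetcher(String baseUrl, Timeout connectTimeout, Timeout responseTimeout) {
        this.baseUrl = baseUrl;
        RequestConfig config = RequestConfig.custom()
                .setConnectTimeout(connectTimeout)      // time allowed to establish the TCP connection
                .setResponseTimeout(responseTimeout)    // max silence while waiting for / reading the response
                .build();
        this.client = HttpClients.custom()
                .setDefaultRequestConfig(config)
                // transport-level retries (reset, unreachable); read timeouts are handled in downloadFrom()
                .setRetryStrategy(new DefaultHttpRequestRetryStrategy(3, TimeValue.ofSeconds(1)))
                .build();
    }

    /** Fetch one page; with a response timeout set, a stalled server raises SocketTimeoutException. */
    public String fetchPage(int startIndex) throws IOException {
        URI uri = URI.create(baseUrl + "/rest/json/cves/2.0?resultsPerPage=" + RESULTS_PER_PAGE
                + "&startIndex=" + startIndex);
        return client.execute(new HttpGet(uri), response -> {
            int status = response.getCode();
            if (status != 200) {
                throw new IOException("HTTP " + status + " for startIndex=" + startIndex);
            }
            return EntityUtils.toString(response.getEntity(), StandardCharsets.UTF_8);
        });
    }

    /**
     * Download batches from startIndex up to totalRecords. A read timeout re-requests the SAME
     * batch immediately (no sleep: the response timeout already elapsed). Returns the next index to
     * request; persisting it lets a restarted run resume after the last completed batch.
     */
    public int downloadFrom(int startIndex, int totalRecords, int maxTimeoutsPerBatch, PageSink sink)
            throws IOException {
        int index = startIndex;
        while (index < totalRecords) {
            int timeouts = 0;
            while (true) {
                try {
                    sink.accept(index, fetchPage(index));
                    break;                                  // batch stored, move on
                } catch (SocketTimeoutException e) {
                    if (++timeouts > maxTimeoutsPerBatch) {
                        // fail loudly with the index to resume from instead of hanging forever
                        throw new IOException("startIndex=" + index + " timed out " + timeouts
                                + " times; resume from index " + index, e);
                    }
                }
            }
            index += RESULTS_PER_PAGE;
        }
        return index;
    }

    @Override
    public void close() throws IOException {
        client.close();
    }

    /** Callback that stores one downloaded page (assumed interface). */
    public interface PageSink {
        void accept(int startIndex, String json) throws IOException;
    }

    // Usage sketch: resume from a persisted index rather than from 0.
    public static void main(String[] args) throws IOException {
        try (NvdPageFetcher fetcher = new NvdPageFetcher("https://services.nvd.nist.gov",
                Timeout.ofSeconds(10), Timeout.ofSeconds(60))) {
            int next = fetcher.downloadFrom(120_000, 281_554, 5,
                    (idx, json) -> System.out.println("stored batch " + idx + " (" + json.length() + " bytes)"));
            System.out.println("next index: " + next);
        }
    }
}
```

The point of splitting the two mechanisms is that DefaultHttpRequestRetryStrategy only covers failures HttpClient itself classifies as retriable, while a read that simply never completes only becomes an error once setResponseTimeout is in place; without that setting the inner loop in downloadFrom() would never get the exception it needs to retry.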
