updated documentation to resolve issues #523 and #561

Jeremy Long
2016-10-28 18:58:27 -04:00
parent a12bc44ecd
commit 358367ef9e
3 changed files with 17 additions and 4 deletions


@@ -152,9 +152,9 @@ public final class Downloader {
conn = null;
}
if ("Connection reset".equalsIgnoreCase(ex.getMessage())) {
final String msg = format("TLS Connection Reset%nThis is a known issue for somme JRE/JDK; please see " +
"https://github.com/jeremylong/DependencyCheck/issues/561%nUntil this issue is resolved please " +
"consider trying a different JRE/JDK.", url.toString());
final String msg = format("TLS Connection Reset%nPlease see "
+ "http://jeremylong.github.io/DependencyCheck/general/tlsfailures.html "
+ "for more information regarding how to resolve the issue.", url.toString());
LOGGER.error(msg);
throw new DownloadFailedException(msg, ex);
}
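Review bot: The new format string in the "Connection reset" branch has no %s placeholder, so the url.toString() argument is silently dropped and the logged error never says which download failed. Either include the URL in the message (for example "TLS Connection Reset while downloading %s%n...") or remove the unused argument. The link also points to general/tlsfailures.html over plain http, while the documentation change in this same commit links to ./tlsfailure.html; the two names should match the file that is actually published, and an https link is preferable for a page that tells users how to reconfigure their JRE's cryptographic provider.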


@@ -6,13 +6,16 @@ constraints.
Local NVD Database
----------------------------------
OWASP dependency-check maintains a local copy of the NVD data hosted by NIST. By default,
OWASP dependency-check maintains a local copy of the NVD CVE data hosted by NIST. By default,
a local [H2 database](http://www.h2database.com/html/main.html) instance is used.
As each instance maintains its own copy of the NVD the machine will need access
to nvd.nist.gov in order to download the NVD data feeds. While the initial download of the NVD
data feed is large, if after the initial download the tool is run at least once every seven
days only two small XML files containing the recent modifications will need to be downloaded.
In some installations OpenJDK may not be able to download the NVD CVE data. Please see the
[TLS Failures article](./tlsfailure.html) for more information.
If your build servers are using dependency-check and are unable to access the Internet you
have a few options:
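Review bot: The added link target ./tlsfailure.html does not match the URL that the Downloader error message now prints (general/tlsfailures.html), so the two cannot both resolve to the same page; settle on one file name and use it in both places. It would also help to quote the symptom ("TLS Connection Reset") in this paragraph so that users who hit the error can find this section by searching for it.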


@@ -0,0 +1,10 @@
NVD CVE Download Failures
=========================
In some installations of the JRE (such as OpenJDK on CentOS/RHEL/Amazon Linux) do not
have the correct libraries to support EC cryptography. If you run into problems running
dependency-check you may need to install Bouncy Castle and configure Java to use the
more robust cryptographic provider.
Helpful Links
* [Stackoverflow discussion](http://stackoverflow.com/a/33521718/1995422)
* [Bouncy Castle](https://www.bouncycastle.org/java.html)
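Review bot: The opening sentence is ungrammatical ("In some installations of the JRE (...) do not have ..."); dropping the leading "In" gives "Some installations of the JRE ... do not have the correct libraries to support EC cryptography". The page tells the reader to install Bouncy Castle and configure Java to use it but gives no steps, leaving the whole procedure to an external Stack Overflow answer; a short summary of the steps here would keep the guidance usable if that link goes stale. "Helpful Links" has no heading underline like the title does, and the page title (NVD CVE Download Failures) differs from the link text used elsewhere in this commit (TLS Failures article), which makes the page harder to recognise when arriving from the error message.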