From 358367ef9ed6ab1a05e5172931304b00dc71be4e Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Fri, 28 Oct 2016 18:58:27 -0400
Subject: [PATCH] updated documentation to resolve issues #523 and #561
---
 .../org/owasp/dependencycheck/utils/Downloader.java | 6 +++---
 src/site/markdown/data/index.md | 5 ++++-
 src/site/markdown/data/tlsfailure.md | 10 ++++++++++
 3 files changed, 17 insertions(+), 4 deletions(-)
 create mode 100644 src/site/markdown/data/tlsfailure.md
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java
index 01c3fb4fc..12806f039 100644
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java
@@ -152,9 +152,9 @@ public final class Downloader { conn = null; } if ("Connection reset".equalsIgnoreCase(ex.getMessage())) { - final String msg = format("TLS Connection Reset%nThis is a known issue for somme JRE/JDK; please see " + - "https://github.com/jeremylong/DependencyCheck/issues/561%nUntil this issue is resolved please " + - "consider trying a different JRE/JDK.", url.toString()); + final String msg = format("TLS Connection Reset%nPlease see " + "http://jeremylong.github.io/DependencyCheck/general/tlsfailures.html " + "for more information regarding how to resolve the issue.", url.toString()); LOGGER.error(msg); throw new DownloadFailedException(msg, ex); }
diff --git a/src/site/markdown/data/index.md b/src/site/markdown/data/index.md
index dac9b591a..5981f1c0d 100644
--- a/src/site/markdown/data/index.md
+++ b/src/site/markdown/data/index.md
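Review bot: The URL in the new message, `http://jeremylong.github.io/DependencyCheck/general/tlsfailures.html`, does not match the page this commit adds: the file is `src/site/markdown/data/tlsfailure.md` and index.md links to it as `./tlsfailure.html`, so the published path is presumably `data/tlsfailure.html` and the link printed on a TLS failure would not resolve. The string should point at the page that is actually built, and over HTTPS, since it is shown to users who are already troubleshooting a transport problem: `"https://jeremylong.github.io/DependencyCheck/data/tlsfailure.html "` (path inferred from this patch; confirm against the generated site). `url.toString()` is still passed to `format` although the message has no `%s`, so the failing URL never reaches the log; either add a `%s` to the text or drop the argument. The enclosing catch block starts and ends outside the hunk.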
@@ -6,13 +6,16 @@ constraints. Local NVD Database ---------------------------------- -OWASP dependency-check maintains a local copy of the NVD data hosted by NIST. By default, +OWASP dependency-check maintains a local copy of the NVD CVE data hosted by NIST. By default, a local [H2 database](http://www.h2database.com/html/main.html) instance is used. As each instance maintains its own copy of the NVD the machine will need access to nvd.nist.gov in order to download the NVD data feeds. While the initial download of the NVD data feed is large, if after the initial download the tool is run at least once every seven days only two small XML files containing the recent modifications will need to be downloaded. +In some installations OpenJDK may not be able to download the NVD CVE data. Please see the +[TLS Failures article](./tlsfailure.html) for more information. + If your build servers are using dependency-check and are unable to access the Internet you have a few options:
diff --git a/src/site/markdown/data/tlsfailure.md b/src/site/markdown/data/tlsfailure.md
new file mode 100644
index 000000000..d3c148928
--- /dev/null
+++ b/src/site/markdown/data/tlsfailure.md
@@ -0,0 +1,10 @@
+NVD CVE Download Failures
+=========================
+In some installations of the JRE (such as OpenJDK on CentOS/RHEL/Amazon Linux) do not
+have the correct libraries to support EC cryptography. If you run into problems running
+dependency-check you may need to install Bouncy Castle and configure Java to use the
+more robust cryptographic provider.
+
+Helpful Links
+* [Stackoverflow discussion](http://stackoverflow.com/a/33521718/1995422)
+* [Bouncy Castle](https://www.bouncycastle.org/java.html)
\ No newline at end of file