Facing the SSLHandshakeException while running the OWASP dependency checker in jenkin

Question

Error:
15:35:18 [ERROR] UpdateException: Unable to download meta file: https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.meta
15:35:18 [ERROR] caused by DownloadFailedException: Download failed, unable to retrieve 'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.meta'; Error downloading file https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.meta; unable to connect.
15:35:18 [ERROR] caused by DownloadFailedException: Error downloading file https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.meta; unable to connect.
15:35:18 [ERROR] caused by SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
15:35:18 [ERROR] caused by ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
15:35:18 [ERROR] caused by SunCertPathBuilderException: unable to find valid certification path to requested target
15:35:18 [ERROR] NoDataException: No documents exist

We have add the dependency checker plugin pom.xml

<plugin>  
         <groupId>org.owasp</groupId>  
         <artifactId>dependency-check-maven</artifactId>  
         <version>6.0.3</version>  
         <executions>  
           <execution>  
             <goals>  
               <goal>check</goal>  
             </goals>  
           </execution>  
         </executions>  
         <configuration>         
           <!-- Generate all report formats -->             
           <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>          
         </configuration>  
       </plugin>

Answer 1

This error generally means that your JVM cannot create a secure (https) connection to the server nvd.nist.gov because it does not trust the certificate provided by the server. In order to trust the server the public certificate of the server or signing authority must be in the trust store used by the JVM. by default the trust store is in %JAVA_HOME%\lib\security\cacerts, you can list it's contents with the following (windows) keytool -list -keystore "%JAVA_HOME%\lib\security\cacerts" -storepass changeit. You should see a list of certs, if digicertglobalrootg2 is not listed you need to import it to trust the server as the cert is signed by CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US. What version of Java are you using? The above cert may not be included in java trust stores prior to 1.8.

Answer 2

I fixed this error on my machine by doing following steps -

1. Download meta and json files on local folder

   i) nvdcve-1.1-modified.json.gz

   ii) nvdcve-1.1-recent.json.gz

   iii) nvdcve-1.1-modified.meta

   iv) known_exploited_vulnerabilities.json

2. Configure maven plugin to downloaded files

<configuration>
<cveUrlModified>file:///C:/OWASP_DEP/nvdcve-1.1-modified.json.gz</cveUrlModified>
<cveUrlBase>file:///C:/OWASP_DEP/nvdcve-1.1-recent.json.gz</cveUrlBase>
<knownExploitedUrl>file:///C:/OWASP_DEP/known_exploited_vulnerabilities.json</knownExploitedUrl>
<retireJsUrl>file:///C:/OWASP_DEP/jsrepository.json</retireJsUrl>
</configuration>