
nvd-clojure breaks when setting a custom url for the datafeed key in config. #182

Open
2 tasks done
Benjamin-deToy opened this issue Feb 19, 2025 · 4 comments

Comments

@Benjamin-deToy

Description

nvd-clojure breaks when setting a custom url for the datafeed key in config. (for using an alternative mirror to NVD)

This key functions when running dependencycheck.sh --nvdDatafeed="https://dependency-check.github.io/DependencyCheck_Builder/nvd_cache"

So, I'm assuming there's an issue on the nvd-clojure side.

config:
"nvd-api": {"datafeed": {"url": "https://dependency-check.github.io/DependencyCheck_Builder/nvd_cache" }}

gives this output:

[2025-02-19 09:45:52.436] [WARN] org.owasp.dependencycheck.data.update.NvdApiDataSource - NVD cache last checked not present; updating the entire database. This could occur if you are switching back and forth from using the API vs a datafeed or if you are using a database created prior to ODC 9.x
[2025-02-19 09:45:52.846] [ERROR] org.owasp.dependencycheck.data.update.nvd.api.DownloadTask - Error downloading NVD CVE - https://dependency-check.github.io/DependencyCheck_Builder/nvd_cache/nvdcve-2012.json.gz Reason: Cannot invoke "org.owasp.dependencycheck.utils.Settings.getString(String)" because "this.settings" is null
[2025-02-19 09:45:52.846] [ERROR] org.owasp.dependencycheck.data.update.nvd.api.DownloadTask - Error downloading NVD CVE - https://dependency-check.github.io/DependencyCheck_Builder/nvd_cache/nvdcve-2011.json.gz Reason: Cannot invoke "org.owasp.dependencycheck.utils.Settings.getString(String)" because "this.settings" is null
[2025-02-19 09:45:52.846] [ERROR] org.owasp.dependencycheck.Engine - The execution of the download was interrupted
org.owasp.dependencycheck.data.update.exception.UpdateException: The execution of the download was interrupted
	at org.owasp.dependencycheck.data.update.NvdApiDataSource.processDownload(NvdApiDataSource.java:283)
	at org.owasp.dependencycheck.data.update.NvdApiDataSource.processDatafeed(NvdApiDataSource.java:172)
	at org.owasp.dependencycheck.data.update.NvdApiDataSource.update(NvdApiDataSource.java:115)
	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:903)
	at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:708)
	at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:634)
	at nvd.task.check$scan_and_analyze$fn__793.invoke(check.clj:52)
	at nvd.task.check$scan_and_analyze.invokeStatic(check.clj:51)
	at nvd.task.check$scan_and_analyze.invoke(check.clj:46)
	at nvd.task.check$impl.invokeStatic(check.clj:89)
	at nvd.task.check$impl.invoke(check.clj:81)
	at nvd.task.check$_main.invokeStatic(check.clj:148)
	at nvd.task.check$_main.doInvoke(check.clj:100)
	at clojure.lang.RestFn.invoke(RestFn.java:424)
	at clojure.lang.Var.invoke(Var.java:390)
	at user$eval138.invokeStatic(form-init13965492341897137316.clj:1)
	at user$eval138.invoke(form-init13965492341897137316.clj:1)
	at clojure.lang.Compiler.eval(Compiler.java:7700)
	at clojure.lang.Compiler.eval(Compiler.java:7690)
	at clojure.lang.Compiler.load(Compiler.java:8165)
	at clojure.lang.Compiler.loadFile(Compiler.java:8103)
	at clojure.main$load_script.invokeStatic(main.clj:476)
	at clojure.main$init_opt.invokeStatic(main.clj:478)
	at clojure.main$init_opt.invoke(main.clj:478)
	at clojure.main$initialize.invokeStatic(main.clj:509)
	at clojure.main$null_opt.invokeStatic(main.clj:543)
	at clojure.main$null_opt.invoke(main.clj:540)
	at clojure.main$main.invokeStatic(main.clj:665)
	at clojure.main$main.doInvoke(main.clj:617)
	at clojure.lang.RestFn.applyTo(RestFn.java:140)
	at clojure.lang.Var.applyTo(Var.java:707)
	at clojure.main.main(main.java:40)
Caused by: java.util.concurrent.ExecutionException: java.lang.NullPointerException: Cannot invoke "org.owasp.dependencycheck.utils.Settings.getString(String)" because "this.settings" is null
	at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
	at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
	at org.owasp.dependencycheck.data.update.NvdApiDataSource.processDownload(NvdApiDataSource.java:273)
	... 31 more
Caused by: java.lang.NullPointerException: Cannot invoke "org.owasp.dependencycheck.utils.Settings.getString(String)" because "this.settings" is null
	at org.owasp.dependencycheck.utils.Downloader.fetchFile(Downloader.java:446)
	at org.owasp.dependencycheck.data.update.nvd.api.DownloadTask.call(DownloadTask.java:88)
	at org.owasp.dependencycheck.data.update.nvd.api.DownloadTask.call(DownloadTask.java:39)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
	at java.base/java.lang.Thread.run(Thread.java:1575)
[2025-02-19 09:45:52.846] [ERROR] org.owasp.dependencycheck.data.update.nvd.api.DownloadTask - Error downloading NVD CVE - https://dependency-check.github.io/DependencyCheck_Builder/nvd_cache/nvdcve-2010.json.gz Reason: Cannot invoke "org.owasp.dependencycheck.utils.Settings.getString(String)" because "this.settings" is null
[2025-02-19 09:45:52.967] [WARN] org.owasp.dependencycheck.data.update.EngineVersionCheck - 

*********************************************************
The OWASP DependencyCheck project has moved to https://github.com/dependency-check/DependencyCheck/. Please update any automation that points to the old repository.
*********************************************************

[2025-02-19 09:45:57.113] [WARN] org.owasp.dependencycheck.Engine - Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
[2025-02-19 09:45:57.113] [ERROR] org.owasp.dependencycheck.Engine - Unable to continue dependency-check analysis.

Version

4.0.0

Java version

java version "21.0.6" 2025-01-21 LTS

Installation compliance

@aikebah

aikebah commented Feb 21, 2025

@rm-hull In version 12 the Downloader class needs to have its singleton initialized once before the various uses. In Java that would come down to

Downloader.getInstance().configure(settings);

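The following is an added example (not nvd-clojure's own code, and not from the commenters above) showing, in Clojure interop form, the ordering the comment describes: build the dependency-check Settings with the datafeed URL from the issue description, configure the Downloader singleton with those same Settings, and only then construct the Engine. The key name Settings$KEYS/NVD_API_DATAFEED_URL is assumed from dependency-check-core 9+ and should be checked against the version in use; the scan path is a placeholder.

```clojure
;; Added example, not nvd-clojure's own code: the minimal ordering that avoids
;; the "this.settings is null" NPE from the issue report when a datafeed URL
;; is configured. Assumes dependency-check-core 12.x on the classpath.
(ns example.datafeed-scan
  (:import [org.owasp.dependencycheck Engine]
           [org.owasp.dependencycheck.utils Settings Settings$KEYS Downloader]))

;; The mirror URL from the issue description.
(def datafeed-url
  "https://dependency-check.github.io/DependencyCheck_Builder/nvd_cache")

(defn configured-settings
  "Builds a Settings object with the NVD datafeed URL set.
   Assumption: Settings$KEYS/NVD_API_DATAFEED_URL is the property key for the
   datafeed URL (dependency-check-core 9+); verify against your version."
  [url]
  (doto (Settings.)
    (.setString Settings$KEYS/NVD_API_DATAFEED_URL url)))

(defn run-scan
  "Scans scan-path and returns the file names of the discovered dependencies.
   The Downloader singleton must be configured with the same Settings before
   the Engine performs its NVD update; otherwise DownloadTask dereferences a
   null Settings, which is the stack trace shown in the report."
  [settings scan-path]
  ;; The one-line fix from the comment above, as Clojure interop.
  (.configure (Downloader/getInstance) settings)
  ;; Engine implements AutoCloseable, so with-open releases it afterwards.
  (with-open [engine (Engine. settings)]
    (.scan engine ^String scan-path)
    (.analyzeDependencies engine)
    (->> (.getDependencies engine)
         (map #(.getFileName %))
         vec)))

(comment
  ;; Placeholder path; point it at a real project directory to try it.
  (run-scan (configured-settings datafeed-url) "/path/to/project"))
```

The important detail is that the Downloader is configured before the Engine is created: Engine's update path (NvdApiDataSource -> DownloadTask -> Downloader.fetchFile in the trace) reads settings from the singleton, not from the Engine's own Settings, so setting the datafeed URL on Settings alone is not enough.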
@tobias

tobias commented Feb 21, 2025

I have a fork that configures the Downloader to allow datafeeds to work if you would like to use that: [org.clojars.tcrawley/nvd-clojure "4.1.0"]. It also updates the dependency-check-core dependency to 12.1.0.

@vemv I'm happy to provide a PR with those changes if you like. I'm also happy to help maintain this project if it would be helpful to have a second pair of hands.

@vemv
Collaborator

vemv commented Feb 21, 2025

Thanks, yes, I don't have the capacity to maintain the project atm.

PRs that keep the build green and don't fundamentally change how things work are most welcome!

tobias added a commit to tobias/nvd-clojure that referenced this issue Feb 24, 2025
This Downloader instance is used when a datafeed[1] URL is provided, but
will throw an NPE if it isn't configured[2].

[1]: https://github.com/rm-hull/nvd-clojure?tab=readme-ov-file#configuration-options
[2]: rm-hull#182
@tobias

tobias commented Feb 24, 2025

Thanks @vemv! I created #183, but I suspect the tests will now fail, as:

  • dependency-check-core >= 11.0.0 requires Java 11, and the test matrix tests with Java 8
  • dependency-check-core >= 10.0.2 requires an NVD api token

But we can discuss those issues on that PR.
