Pipelines fails due to NoDataException / UpdateException: Error updating the NVD Data

[RikNorakomi]

When trying to run the dependencyCheckAggregate task locally the dependency reports are generated correctly.

I am having issues running them in an Azure DevOps pipeline though:

The pipeline failse due to the following:

Checking for updates and analyzing dependencies for vulnerabilities
Checking for updates
Error updating the NVD Data
org.owasp.dependencycheck.data.update.exception.UpdateException: Error updating the NVD Data
	at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi(NvdApiDataSource.java:399)
	at org.owasp.dependencycheck.data.update.NvdApiDataSource.update(NvdApiDataSource.java:117)
	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:903)
	at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:708)

...
		at java.base@17.0.15/java.lang.Thread.run(Thread.java:840)
Caused by: java.lang.NullPointerException: Cannot read the array length because "bytes" is null
	at java.base/java.lang.String.<init>(String.java:1387)
	at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient._next(NvdCveClient.java:440)
	at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.next(NvdCveClient.java:379)
	at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi(NvdApiDataSource.java:355)
...

Caused by: org.owasp.dependencycheck.exception.ExceptionCollection: One or more exceptions occurred during analysis:
	UpdateException: Error updating the NVD Data
		caused by NullPointerException: Cannot read the array length because "bytes" is null
	NoDataException: No documents exist
	at org.owasp.dependencycheck.Engine.throwFatalExceptionCollection(Engine.java:1178)
	at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:640)
	at org.owasp.dependencycheck.gradle.tasks.AbstractAnalyze.analyze(AbstractAnalyze.groovy:103)

1. And I have my gradle file configured as followed:

configure<org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension> {
    nvd.apiKey = [myApiKey]
    format = org.owasp.dependencycheck.reporting.ReportGenerator.Format.ALL.toString()
    outputDirectory = "$projectDir/build/reports/owasp-report"
}

2. Alternatively I have tried configuring autoUpdate = false but this also leads to a NoDataException:

Caused by: org.owasp.dependencycheck.exception.ExceptionCollection: One or more exceptions occurred during analysis:
	NoDataException: Autoupdate is disabled and the database does not exist
	at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:720)
	at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:634)
	at org.owasp.dependencycheck.gradle.tasks.AbstractAnalyze.analyze(AbstractAnalyze.groovy:103)

How do I fix this?

[jeremylong]

I would suggest configuring the NVD datafeed option instead of the API key. Use this datafeed: https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-\{0\}.json.gz

[RikNorakomi]

And where can I find info on how to do that?

Nevermind... figured it out.
For those running into similar issues. For example:

configure<org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension> {
    nvd.datafeedUrl = "https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-recent.json.gz"
    ...
}

[RikNorakomi]

Even with using datafeedUrl configuration instead of apiKey the build fails. E.g.:

`
...
Download Started for NVD Cache - https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-recent.json.gz
Failed to process CVE-2025-7119
org.owasp.dependencycheck.data.nvdcve.DatabaseException: Unable to retrieve id for new vulnerability for 'CVE-2025-7119'
at org.owasp.dependencycheck.data.nvdcve.CveDB.updateOrInsertVulnerability(CveDB.java:1394)
at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerability(CveDB.java:1093)
at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.updateCveDb(NvdApiProcessor.java:119)
at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.call(NvdApiProcessor.java:102)
at org.owasp.dependencycheck.data.update.nvd.api.NvdApiProcessor.call(NvdApiProcessor.java:40)
at java.base@17.0.15/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base@17.0.15/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base@17.0.15/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base@17.0.15/java.lang.Thread.run(Thread.java:840)
Caused by: org.h2.jdbc.JdbcSQLIntegrityConstraintViolationException: Unique index or primary key violation: "PUBLIC.CONSTRAINT_INDEX_7 ON PUBLIC.VULNERABILITY(CVE NULLS FIRST) VALUES ( /* 1 */ 'CVE-2025-7119' )"; SQL statement:
INSERT INTO VULNERABILITY (description, v2Severity, v2ExploitabilityScore, v2ImpactScore, v2AcInsufInfo, v2ObtainAllPrivilege, v2ObtainUserPrivilege, v2ObtainOtherPrivilege, v2UserInteractionRequired, v2Score, v2AccessVector, v2AccessComplexity, v2Authentication, v2ConfidentialityImpact, v2IntegrityImpact, v2AvailabilityImpact, v2Version, v3ExploitabilityScore, v3ImpactScore, v3AttackVector, v3AttackComplexity, v3PrivilegesRequired, v3UserInteraction, v3Scope, v3ConfidentialityImpact, v3IntegrityImpact, v3AvailabilityImpact, v3BaseScore, v3BaseSeverity, v3Version, v4version, v4attackVector, v4attackComplexity, v4attackRequirements, v4privilegesRequired, v4userInteraction, v4vulnConfidentialityImpact, v4vulnIntegrityImpact, v4vulnAvailabilityImpact, v4subConfidentialityImpact, v4subIntegrityImpact, v4subAvailabilityImpact, v4exploitMaturity,v4confidentialityRequirement, v4integrityRequirement, v4availabilityRequirement,v4modifiedAttackVector, v4modifiedAttackComplexity, v4modifiedAttackRequirements,v4modifiedPrivilegesRequired, v4modifiedUserInteraction, v4modifiedVulnConfidentialityImpact,v4modifiedVulnIntegrityImpact, v4modifiedVulnAvailabilityImpact, v4modifiedSubConfidentialityImpact,v4modifiedSubIntegrityImpact, v4modifiedSubAvailabilityImpact, v4safety, v4automatable, v4recovery, v4valueDensity, v4vulnerabilityResponseEffort, v4providerUrgency, v4baseScore, v4baseSeverity, v4threatScore,v4threatSeverity, v4environmentalScore, v4environmentalSeverity, v4source, v4type, cve) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) [23505-232]
at org.h2.message.DbException.getJdbcSQLException(DbException.java:520)
at org.h2.message.DbException.getJdbcSQLException(DbException.java:489)

...
...
at org.gradle.internal.concurrent.AbstractManagedExecutor$1.run(AbstractManagedExecutor.java:48)
Caused by: org.owasp.dependencycheck.exception.ExceptionCollection: One or more exceptions occurred during analysis:
AnalysisException: Could not connect to Central search. Analysis failed.
caused by IOException: Finally failed connecting to Central search. Giving up after 7 tries.
caused by ForbiddenException: Forbidden access to MavenCentral https://search.maven.org/solrsearch/select?q=1:9b399677b15fb15a6b459bffcd972b6a6820097e&wt=xml - Server status: 403 - Server reason: Forbidden
caused by ForbiddenException: https://search.maven.org/solrsearch/select?q=1:9b399677b15fb15a6b459bffcd972b6a6820097e&wt=xml - Server status: 403 - Server reason: Forbidden
AnalysisException: Could not connect to Central search. Analysis failed.
caused by IOException: Finally failed connecting to Central search. Giving up after 7 tries.
caused by ForbiddenException: Forbidden access to MavenCentral https://search.maven.org/solrsearch/select?q=1:949815ba980251c4b13c6e737de534e9cbc68166&wt=xml - Server status: 403 - Server reason: Forbidden
caused by ForbiddenException: https://search.maven.org/solrsearch/select?q=1:949815ba980251c4b13c6e737de534e9cbc68166&wt=xml - Server status: 403 - Server reason: Forbidden
AnalysisException: Could not connect to Central search. Analysis failed.
caused by IOException: Finally failed connecting to Central search. Giving up after 7 tries.
caused by ForbiddenException: Forbidden access to MavenCentral https://search.maven.org/solrsearch/select?q=1:81f2092d9a8999e725ac29e9863fb99997647d7b&wt=xml - Server status: 403 - Server reason: Forbidden
caused by ForbiddenException: https://search.maven.org/solrsearch/select?q=1:81f2092d9a8999e725ac29e9863fb99997647d7b&wt=xml - Server status: 403 - Server reason: Forbidden
at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:690)
at org.owasp.dependencycheck.gradle.tasks.AbstractAnalyze.analyze(AbstractAnalyze.groovy:103)
... 150 more
`

[jeremylong]

Why would you set the datafeed URL to "recent" - the value should be https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-{0}.json.gz (you may need to escape the curly braces depending on how it is being configured).