Error updating the NVD Data

[volkhardv]

Precondition

• [ X] I checked the issues list for existing open or closed reports of the same problem.

Describe the bug
I´m using a windows machine with Java Eclipse Adoptium jdk-17.0.4.101-hotspot. Calling

dependency-check.bat --nvdApiKey <key> --scan <msbuildProjDir>
gives follwing error:

[INFO] Checking for updates
[ERROR] Error updating the NVD Data
org.owasp.dependencycheck.data.update.exception.UpdateException: Error updating the NVD Data
        at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi(NvdApiDataSource.java:399)
        at org.owasp.dependencycheck.data.update.NvdApiDataSource.update(NvdApiDataSource.java:117)
        at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:903)
        at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:708)
        at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:634)
        at org.owasp.dependencycheck.App.runScan(App.java:269)
        at org.owasp.dependencycheck.App.run(App.java:201)
        at org.owasp.dependencycheck.App.main(App.java:93)
Caused by: java.lang.NullPointerException: Cannot read the array length because "bytes" is null
        at java.base/java.lang.String.<init>(String.java:1385)
        at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient._next(NvdCveClient.java:418)
        at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.next(NvdCveClient.java:357)
        at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi(NvdApiDataSource.java:355)
        ... 7 common frames omitted
[INFO] Skipping Known Exploited Vulnerabilities update check since last check was within 24 hours.
[WARN] Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
[ERROR] Unable to continue dependency-check analysis.
[ERROR] One or more fatal errors occurred
[ERROR] Error updating the NVD Data
[ERROR] No documents exist

Version of dependency-check used
The problem occurs using version 12.1.0 of the cli

Log file

2025-08-30 20:10:36,659 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: data.directory='c:\Temp\dependency-check-12.1.0-release\dependency-check\data'
2025-08-30 20:10:36,662 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.jar.enabled='true'
2025-08-30 20:10:36,663 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: updater.versioncheck.enabled='true'
2025-08-30 20:10:36,663 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.msbuildproject.enabled='true'
2025-08-30 20:10:36,663 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.archive.enabled='true'
2025-08-30 20:10:36,663 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.knownexploited.enabled='true'
2025-08-30 20:10:36,673 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.python.distribution.enabled='true'
2025-08-30 20:10:36,673 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.python.package.enabled='true'
2025-08-30 20:10:36,673 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.autoconf.enabled='true'
2025-08-30 20:10:36,673 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.maveninstall.enabled='true'
2025-08-30 20:10:36,673 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.pip.enabled='true'
2025-08-30 20:10:36,673 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.pipfile.enabled='true'
2025-08-30 20:10:36,673 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.poetry.enabled='true'
2025-08-30 20:10:36,673 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.cmake.enabled='true'
2025-08-30 20:10:36,673 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.nuspec.enabled='true'
2025-08-30 20:10:36,674 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.nugetconf.enabled='true'
2025-08-30 20:10:36,674 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.assembly.enabled='true'
2025-08-30 20:10:36,674 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.bundle.audit.enabled='true'
2025-08-30 20:10:36,674 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.filename.enabled='true'
2025-08-30 20:10:36,674 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.mix.audit.enabled='true'
2025-08-30 20:10:36,674 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.openssl.enabled='true'
2025-08-30 20:10:36,674 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.composer.lock.enabled='true'
2025-08-30 20:10:36,674 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.cpanfile.enabled='true'
2025-08-30 20:10:36,675 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.golang.dep.enabled='true'
2025-08-30 20:10:36,675 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.golang.mod.enabled='true'
2025-08-30 20:10:36,675 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.dart.enabled='true'
2025-08-30 20:10:36,675 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.node.package.enabled='true'
2025-08-30 20:10:36,675 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.node.audit.enabled='true'
2025-08-30 20:10:36,675 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.yarn.audit.enabled='true'
2025-08-30 20:10:36,675 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.pnpm.audit.enabled='true'
2025-08-30 20:10:36,675 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.node.audit.use.cache='true'
2025-08-30 20:10:36,676 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.retirejs.enabled='true'
2025-08-30 20:10:36,676 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.swift.package.manager.enabled='true'
2025-08-30 20:10:36,676 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.swift.package.resolved.enabled='true'
2025-08-30 20:10:36,676 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.cocoapods.enabled='true'
2025-08-30 20:10:36,676 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.carthage.enabled='true'
2025-08-30 20:10:36,676 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.ruby.gemspec.enabled='true'
2025-08-30 20:10:36,676 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.central.enabled='true'
2025-08-30 20:10:36,677 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.central.use.cache='true'
2025-08-30 20:10:36,677 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.ossindex.enabled='true'
2025-08-30 20:10:36,677 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.ossindex.use.cache='true'
2025-08-30 20:10:36,678 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: junit.fail.on.cvss='0.0'
2025-08-30 20:10:36,678 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: analyzer.nexus.proxy='true'
2025-08-30 20:10:36,678 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: nvd.api.key='********'
2025-08-30 20:10:36,679 org.owasp.dependencycheck.utils.Settings:1075
DEBUG - Setting: hosted.suppressions.enabled='true'
2025-08-30 20:10:36,911 org.owasp.dependencycheck.App:377
DEBUG - Scanning C:/Temp/cisco
2025-08-30 20:10:36,919 org.owasp.dependencycheck.App:392
DEBUG - BaseDir: C:\Temp\cisco
2025-08-30 20:10:36,919 org.owasp.dependencycheck.App:393
DEBUG - Include: **/*
2025-08-30 20:10:36,929 org.owasp.dependencycheck.App:411
DEBUG - Found file C:\Temp\cisco\Ethical-Hacker-Kali.ova
2025-08-30 20:10:36,929 org.owasp.dependencycheck.App:411
DEBUG - Found file C:\Temp\cisco\Ethical-Hacker-Kali\Ethical-Hacker-Kali-disk001.vmdk
2025-08-30 20:10:36,930 org.owasp.dependencycheck.App:411
DEBUG - Found file C:\Temp\cisco\Ethical-Hacker-Kali\Ethical-Hacker-Kali.mf
2025-08-30 20:10:36,930 org.owasp.dependencycheck.App:411
DEBUG - Found file C:\Temp\cisco\Ethical-Hacker-Kali\Ethical-Hacker-Kali.ovf
2025-08-30 20:10:36,947 org.owasp.dependencycheck.analyzer.AnalyzerService:113
DEBUG - Loaded Analyzer Archive Analyzer
2025-08-30 20:10:36,947 org.owasp.dependencycheck.analyzer.AnalyzerService:113
DEBUG - Loaded Analyzer File Name Analyzer
2025-08-30 20:10:36,959 org.owasp.dependencycheck.analyzer.AnalyzerService:113
DEBUG - Loaded Analyzer Jar Analyzer
2025-08-30 20:10:36,960 org.owasp.dependencycheck.analyzer.AnalyzerService:113
DEBUG - Loaded Analyzer Hint Analyzer
2025-08-30 20:10:36,963 org.owasp.dependencycheck.analyzer.AnalyzerService:113
DEBUG - Loaded Analyzer CPE Analyzer
2025-08-30 20:10:36,964 org.owasp.dependencycheck.analyzer.AnalyzerService:113
DEBUG - Loaded Analyzer False Positive Analyzer
2025-08-30 20:10:36,966 org.owasp.dependencycheck.analyzer.AnalyzerService:113
DEBUG - Loaded Analyzer Dependency Bundling Analyzer
2025-08-30 20:10:36,966 org.owasp.dependencycheck.analyzer.AnalyzerService:113
DEBUG - Loaded Analyzer Dependency Merging Analyzer
2025-08-30 20:10:36,967 org.owasp.dependencycheck.analyzer.AnalyzerService:113
DEBUG - Loaded Analyzer NVD CVE Analyzer
2025-08-30 20:10:36,969 org.owasp.dependencycheck.analyzer.AnalyzerService:113
DEBUG - Loaded Analyzer Vulnerability Suppression Analyzer
2025-08-30 20:10:36,970 org.owasp.dependencycheck.analyzer.AnalyzerService:113
DEBUG - Loaded Analyzer Central Analyzer
2025-08-30 20:10:36,970 org.owasp.dependencycheck.analyzer.AnalyzerService:113
DEBUG - Loaded Analyzer Nexus Analyzer
2025-08-30 20:10:36,971 org.owasp.dependencycheck.analyzer.AnalyzerService:113
DEBUG - Loaded Analyzer Artifactory Analyzer
2025-08-30 20:10:36,972 org.owasp.dependencycheck.analyzer.AnalyzerService:113
DEBUG - Loaded Analyzer Nuspec Analyzer
2025-08-30 20:10:36,972 org.owasp.dependencycheck.analyzer.AnalyzerService:113
DEBUG - Loaded Analyzer Nugetconf Analyzer
2025-08-30 20:10:36,974 org.owasp.dependencycheck.analyzer.AnalyzerService:113
DEBUG - Loaded Analyzer MSBuild Project Analyzer
2025-08-30 20:10:36,975 org.owasp.dependencycheck.analyzer.AnalyzerService:113
DEBUG - Loaded Analyzer Assembly Analyzer
2025-08-30 20:10:36,983 org.owasp.dependencycheck.analyzer.AnalyzerService:113
DEBUG - Loaded Analyzer OpenSSL Source Analyzer
2025-08-30 20:10:36,988 org.owasp.dependencycheck.analyzer.AnalyzerService:113
DEBUG - Loaded Analyzer Node.js Package Analyzer
2025-08-30 20:10:36,989 org.owasp.dependencycheck.analyzer.AnalyzerService:113
DEBUG - Loaded Analyzer Node Audit Analyzer
2025-08-30 20:10:36,991 org.owasp.dependencycheck.analyzer.AnalyzerService:113
DEBUG - Loaded Analyzer Yarn Audit Analyzer
2025-08-30 20:10:36,991 org.owasp.dependencycheck.analyzer.AnalyzerService:113
DEBUG - Loaded Analyzer Pnpm Audit Analyzer
2025-08-30 20:10:36,994 org.owasp.dependencycheck.analyzer.AnalyzerService:113
DEBUG - Loaded Analyzer RetireJS Analyzer
2025-08-30 20:10:36,996 org.owasp.dependencycheck.analyzer.AnalyzerService:113
DEBUG - Loaded Analyzer Ruby Bundle Audit Analyzer
2025-08-30 20:10:37,001 org.owasp.dependencycheck.analyzer.AnalyzerService:113
DEBUG - Loaded Analyzer Version Filter Analyzer
2025-08-30 20:10:37,003 org.owasp.dependencycheck.analyzer.AnalyzerService:113
DEBUG - Loaded Analyzer Sonatype OSS Index Analyzer
2025-08-30 20:10:37,054 org.owasp.dependencycheck.analyzer.AnalyzerService:113
DEBUG - Loaded Analyzer Known Exploited Vulnerability Analyzer
2025-08-30 20:10:37,056 org.owasp.dependencycheck.analyzer.AnalyzerService:113
DEBUG - Loaded Analyzer Unused Suppression Rule Analyzer
2025-08-30 20:10:37,056 org.owasp.dependencycheck.analyzer.AnalyzerService:113
DEBUG - Loaded Analyzer Libman Analyzer
2025-08-30 20:10:37,057 org.owasp.dependencycheck.utils.Settings:1276
DEBUG - Settings.getDataFile() - file: 'c:\Temp\dependency-check-12.1.0-release\dependency-check\data'
2025-08-30 20:10:37,178 org.owasp.dependencycheck.utils.Settings:1276
DEBUG - Settings.getDataFile() - file: 'c:\Temp\dependency-check-12.1.0-release\dependency-check\data'
2025-08-30 20:10:37,178 org.owasp.dependencycheck.utils.Settings:1533
DEBUG - Data directory: c:\Temp\dependency-check-12.1.0-release\dependency-check\data
2025-08-30 20:10:37,179 org.owasp.dependencycheck.utils.Settings:1549
DEBUG - Connection String: 'jdbc:h2:file:C:\Temp\dependency-check-12.1.0-release\dependency-check\data\odc;AUTOCOMMIT=ON;CACHE_SIZE=65536;RETENTION_TIME=1000;MAX_COMPACT_TIME=10000;'
2025-08-30 20:10:37,180 org.owasp.dependencycheck.utils.Settings:1276
DEBUG - Settings.getDataFile() - file: 'c:\Temp\dependency-check-12.1.0-release\dependency-check\data'
2025-08-30 20:10:37,219 org.owasp.dependencycheck.utils.WriteLock:168
DEBUG - Lock file created (main) 178b79e4b31c70c0d43e9f6d0218be91 @ 2025-08-30 20:10:37.219
2025-08-30 20:10:37,251 org.owasp.dependencycheck.data.nvdcve.DatabaseManager:143
DEBUG - Loading driver 'org.h2.Driver'
2025-08-30 20:10:37,255 org.owasp.dependencycheck.utils.Settings:1276
DEBUG - Settings.getDataFile() - file: 'c:\Temp\dependency-check-12.1.0-release\dependency-check\data'
2025-08-30 20:10:37,255 org.owasp.dependencycheck.utils.Settings:1533
DEBUG - Data directory: c:\Temp\dependency-check-12.1.0-release\dependency-check\data
2025-08-30 20:10:37,256 org.owasp.dependencycheck.utils.Settings:1549
DEBUG - Connection String: 'jdbc:h2:file:C:\Temp\dependency-check-12.1.0-release\dependency-check\data\odc;AUTOCOMMIT=ON;CACHE_SIZE=65536;RETENTION_TIME=1000;MAX_COMPACT_TIME=10000;'
2025-08-30 20:10:37,256 org.owasp.dependencycheck.utils.Settings:1276
DEBUG - Settings.getDataFile() - file: 'c:\Temp\dependency-check-12.1.0-release\dependency-check\data'
2025-08-30 20:10:37,257 org.owasp.dependencycheck.data.nvdcve.DatabaseManager:172
DEBUG - Need to create DB Structure: false
2025-08-30 20:10:37,257 org.owasp.dependencycheck.data.nvdcve.DatabaseManager:178
DEBUG - Loading database connection
2025-08-30 20:10:37,257 org.owasp.dependencycheck.data.nvdcve.DatabaseManager:179
DEBUG - Connection String: jdbc:h2:file:C:\Temp\dependency-check-12.1.0-release\dependency-check\data\odc;AUTOCOMMIT=ON;CACHE_SIZE=65536;RETENTION_TIME=1000;MAX_COMPACT_TIME=10000;
2025-08-30 20:10:37,257 org.owasp.dependencycheck.data.nvdcve.DatabaseManager:180
DEBUG - Database User: dcuser
2025-08-30 20:10:37,487 org.owasp.dependencycheck.data.nvdcve.DatabaseManager:245
DEBUG - Database product: h2
2025-08-30 20:10:37,505 org.owasp.dependencycheck.data.nvdcve.DatabaseManager:506
DEBUG - DC Schema: 5.5
2025-08-30 20:10:37,515 org.owasp.dependencycheck.data.nvdcve.DatabaseManager:507
DEBUG - DB Schema: 5.5
2025-08-30 20:10:37,621 org.owasp.dependencycheck.Engine:894
INFO  - Checking for updates
2025-08-30 20:10:37,636 io.github.jeremylong.openvulnerability.client.nvd.RateLimitedClient:127
DEBUG - rate limited call delay: 5000
2025-08-30 20:10:37,727 io.github.jeremylong.openvulnerability.client.nvd.RateLimitedClient:127
DEBUG - rate limited call delay: 5000
2025-08-30 20:10:37,761 io.github.jeremylong.openvulnerability.client.nvd.RateLimitedClient:127
DEBUG - rate limited call delay: 5000
2025-08-30 20:10:37,796 io.github.jeremylong.openvulnerability.client.nvd.RateLimitedClient:127
DEBUG - rate limited call delay: 5000
2025-08-30 20:10:37,861 io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient:302
DEBUG - requesting URI: https://services.nvd.nist.gov/rest/json/cves/2.0?resultsPerPage=2000&startIndex=0
2025-08-30 20:10:37,866 io.github.jeremylong.openvulnerability.client.nvd.RateMeter:83
DEBUG - Ticket taken At: 20:10:37; count: 1; by 128
2025-08-30 20:10:37,867 io.github.jeremylong.openvulnerability.client.nvd.RateLimitedClient:198
DEBUG - Requested At: 20:10:37; URI: /rest/json/cves/2.0?resultsPerPage=2000&startIndex=0
2025-08-30 20:10:38,749 io.github.jeremylong.openvulnerability.client.nvd.RateMeter:95
DEBUG - Ticket returned At: 20:10:38; count: 2; by 128
2025-08-30 20:10:38,868 io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient:407
DEBUG - Status Code: 404
2025-08-30 20:10:38,868 io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient:408
DEBUG - Reason: Not Found
2025-08-30 20:10:38,869 io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient:409
DEBUG - Response Headers:
2025-08-30 20:10:38,869 io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient:413
DEBUG - Key : date ,Value : Sat, 30 Aug 2025 18:10:37 GMT
2025-08-30 20:10:38,869 io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient:413
DEBUG - Key : content-length ,Value : 0
2025-08-30 20:10:38,869 io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient:413
DEBUG - Key : cf-ray ,Value : 97763ef53fad424b-EWR
2025-08-30 20:10:38,869 io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient:413
DEBUG - Key : message ,Value : Invalid apiKey.
2025-08-30 20:10:38,870 io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient:413
DEBUG - Key : x-frame-options ,Value : SAMEORIGIN
2025-08-30 20:10:38,870 io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient:413
DEBUG - Key : access-control-allow-origin ,Value : *
2025-08-30 20:10:38,870 io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient:413
DEBUG - Key : access-control-allow-headers ,Value : accept, apiKey, content-type, origin, x-requested-with
2025-08-30 20:10:38,870 io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient:413
DEBUG - Key : access-control-allow-methods ,Value : GET, HEAD, OPTIONS
2025-08-30 20:10:38,870 io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient:413
DEBUG - Key : access-control-allow-credentials ,Value : false
2025-08-30 20:10:38,870 io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient:413
DEBUG - Key : strict-transport-security ,Value : max-age=31536000
2025-08-30 20:10:38,870 io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient:413
DEBUG - Key : cf-cache-status ,Value : DYNAMIC
2025-08-30 20:10:38,870 io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient:413
DEBUG - Key : set-cookie ,Value : __cf_bm=uyoX4YvMKLD4_bcBdZREHHLdgHLmOlQ4t0N9TH0RbN0-1756577437-1.0.1.1-yCHpaa69sMQbwkKYnZyahomtSblPNF_AbL7_nS8IGYhpmvZ8bDlJRrMlhA6gf83nsxzkHj.jaNSVa_p8bZoVBuE11Tcwj0M4HgTKH8.mocc; path=/; expires=Sat, 30-Aug-25 18:40:37 GMT; domain=.nist.gov; HttpOnly; Secure; SameSite=None
2025-08-30 20:10:38,871 io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient:413
DEBUG - Key : set-cookie ,Value : _cfuvid=dMsyg2U2XPNg2iQqUNeMEVgJrEaCwmgzlQAflXm5.Bw-1756577437075-0.0.1.1-604800000; path=/; domain=.nist.gov; HttpOnly; Secure; SameSite=None
2025-08-30 20:10:38,871 io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient:413
DEBUG - Key : server ,Value : cloudflare
2025-08-30 20:10:38,990 org.owasp.dependencycheck.Engine:906
ERROR - Error updating the NVD Data
org.owasp.dependencycheck.data.update.exception.UpdateException: Error updating the NVD Data
	at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi(NvdApiDataSource.java:399)
	at org.owasp.dependencycheck.data.update.NvdApiDataSource.update(NvdApiDataSource.java:117)
	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:903)
	at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:708)
	at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:634)
	at org.owasp.dependencycheck.App.runScan(App.java:269)
	at org.owasp.dependencycheck.App.run(App.java:201)
	at org.owasp.dependencycheck.App.main(App.java:93)
Caused by: java.lang.NullPointerException: Cannot read the array length because "bytes" is null
	at java.base/java.lang.String.<init>(String.java:1385)
	at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient._next(NvdCveClient.java:418)
	at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.next(NvdCveClient.java:357)
	at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi(NvdApiDataSource.java:355)
	... 7 common frames omitted
2025-08-30 20:10:38,997 org.owasp.dependencycheck.utils.Settings:1276
DEBUG - Settings.getDataFile() - file: 'c:\Temp\dependency-check-12.1.0-release\dependency-check\data'
2025-08-30 20:10:38,999 org.owasp.dependencycheck.data.update.RetireJSDataSource:115
DEBUG - Last updated: 1756577005
2025-08-30 20:10:39,001 org.owasp.dependencycheck.data.update.RetireJSDataSource:116
DEBUG - Now: 1756577438999
2025-08-30 20:10:39,001 org.owasp.dependencycheck.data.update.RetireJSDataSource:88
DEBUG - Begin RetireJS Update
2025-08-30 20:10:39,001 org.owasp.dependencycheck.utils.Settings:1276
DEBUG - Settings.getDataFile() - file: 'c:\Temp\dependency-check-12.1.0-release\dependency-check\data'
2025-08-30 20:10:39,034 org.owasp.dependencycheck.utils.WriteLock:168
DEBUG - Lock file created (main) 93b336bcafe8cd7ba2e9879cc7c3cb31 @ 2025-08-30 20:10:39.034
2025-08-30 20:10:39,035 org.owasp.dependencycheck.data.update.RetireJSDataSource:139
DEBUG - RetireJS Repo URL: https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json
2025-08-30 20:10:39,224 org.owasp.dependencycheck.utils.WriteLock:240
DEBUG - Lock released (main) 93b336bcafe8cd7ba2e9879cc7c3cb31 @ 2025-08-30 20:10:39.224
2025-08-30 20:10:39,237 org.owasp.dependencycheck.utils.Settings:1276
DEBUG - Settings.getDataFile() - file: 'c:\Temp\dependency-check-12.1.0-release\dependency-check\data'
2025-08-30 20:10:39,238 org.owasp.dependencycheck.data.update.HostedSuppressionsDataSource:108
DEBUG - Last updated: 1756577005
2025-08-30 20:10:39,238 org.owasp.dependencycheck.data.update.HostedSuppressionsDataSource:109
DEBUG - Now: 1756577439238
2025-08-30 20:10:39,238 org.owasp.dependencycheck.data.update.HostedSuppressionsDataSource:77
DEBUG - Begin Hosted Suppressions file update
2025-08-30 20:10:39,238 org.owasp.dependencycheck.utils.Settings:1276
DEBUG - Settings.getDataFile() - file: 'c:\Temp\dependency-check-12.1.0-release\dependency-check\data'
2025-08-30 20:10:39,271 org.owasp.dependencycheck.utils.WriteLock:168
DEBUG - Lock file created (main) d3bd6f080cd74e761bedcbc037be580f @ 2025-08-30 20:10:39.271
2025-08-30 20:10:39,271 org.owasp.dependencycheck.data.update.HostedSuppressionsDataSource:133
DEBUG - Hosted Suppressions URL: https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
2025-08-30 20:10:39,357 org.owasp.dependencycheck.utils.WriteLock:240
DEBUG - Lock released (main) d3bd6f080cd74e761bedcbc037be580f @ 2025-08-30 20:10:39.356
2025-08-30 20:10:39,362 org.owasp.dependencycheck.data.update.KnownExploitedDataSource:140
INFO  - Skipping Known Exploited Vulnerabilities update check since last check was within 24 hours.
2025-08-30 20:10:39,363 org.owasp.dependencycheck.data.nvdcve.CveDB:312
DEBUG - Closing database
2025-08-30 20:10:39,363 org.owasp.dependencycheck.data.nvdcve.CveDB:314
DEBUG - Cache cleared
2025-08-30 20:10:39,382 org.owasp.dependencycheck.data.nvdcve.CveDB:317
DEBUG - Connection closed
2025-08-30 20:10:39,382 org.owasp.dependencycheck.data.nvdcve.CveDB:323
DEBUG - Resources released
2025-08-30 20:10:39,382 org.owasp.dependencycheck.data.nvdcve.DriverLoader:57
DEBUG - Begin deregister driver
2025-08-30 20:10:39,382 org.owasp.dependencycheck.data.nvdcve.DriverLoader:59
DEBUG - End deregister driver
2025-08-30 20:10:39,387 org.owasp.dependencycheck.utils.WriteLock:240
DEBUG - Lock released (main) 178b79e4b31c70c0d43e9f6d0218be91 @ 2025-08-30 20:10:39.387
2025-08-30 20:10:39,387 org.owasp.dependencycheck.Engine:711
WARN  - Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.
2025-08-30 20:10:39,388 org.owasp.dependencycheck.Engine:713
DEBUG - Update Error
org.owasp.dependencycheck.data.update.exception.UpdateException: Error updating the NVD Data
	at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi(NvdApiDataSource.java:399)
	at org.owasp.dependencycheck.data.update.NvdApiDataSource.update(NvdApiDataSource.java:117)
	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:903)
	at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:708)
	at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:634)
	at org.owasp.dependencycheck.App.runScan(App.java:269)
	at org.owasp.dependencycheck.App.run(App.java:201)
	at org.owasp.dependencycheck.App.main(App.java:93)
Caused by: java.lang.NullPointerException: Cannot read the array length because "bytes" is null
	at java.base/java.lang.String.<init>(String.java:1385)
	at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient._next(NvdCveClient.java:418)
	at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.next(NvdCveClient.java:357)
	at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi(NvdApiDataSource.java:355)
	... 7 common frames omitted
2025-08-30 20:10:39,389 org.owasp.dependencycheck.Engine:1175
ERROR - Unable to continue dependency-check analysis.
2025-08-30 20:10:39,389 org.owasp.dependencycheck.Engine:1176
DEBUG - 
org.owasp.dependencycheck.exception.NoDataException: No documents exist
	at org.owasp.dependencycheck.Engine.ensureDataExists(Engine.java:1160)
	at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:638)
	at org.owasp.dependencycheck.App.runScan(App.java:269)
	at org.owasp.dependencycheck.App.run(App.java:201)
	at org.owasp.dependencycheck.App.main(App.java:93)
2025-08-30 20:10:39,407 org.owasp.dependencycheck.App:217
ERROR - One or more fatal errors occurred
2025-08-30 20:10:39,410 org.owasp.dependencycheck.App:223
ERROR - Error updating the NVD Data
2025-08-30 20:10:39,410 org.owasp.dependencycheck.App:224
DEBUG - unexpected error
org.owasp.dependencycheck.data.update.exception.UpdateException: Error updating the NVD Data
	at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi(NvdApiDataSource.java:399)
	at org.owasp.dependencycheck.data.update.NvdApiDataSource.update(NvdApiDataSource.java:117)
	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:903)
	at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:708)
	at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:634)
	at org.owasp.dependencycheck.App.runScan(App.java:269)
	at org.owasp.dependencycheck.App.run(App.java:201)
	at org.owasp.dependencycheck.App.main(App.java:93)
Caused by: java.lang.NullPointerException: Cannot read the array length because "bytes" is null
	at java.base/java.lang.String.<init>(String.java:1385)
	at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient._next(NvdCveClient.java:418)
	at io.github.jeremylong.openvulnerability.client.nvd.NvdCveClient.next(NvdCveClient.java:357)
	at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi(NvdApiDataSource.java:355)
	... 7 common frames omitted
2025-08-30 20:10:39,410 org.owasp.dependencycheck.App:223
ERROR - No documents exist
2025-08-30 20:10:39,411 org.owasp.dependencycheck.App:224
DEBUG - unexpected error
org.owasp.dependencycheck.exception.NoDataException: No documents exist
	at org.owasp.dependencycheck.Engine.ensureDataExists(Engine.java:1160)
	at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:638)
	at org.owasp.dependencycheck.App.runScan(App.java:269)
	at org.owasp.dependencycheck.App.run(App.java:201)
	at org.owasp.dependencycheck.App.main(App.java:93)
2025-08-30 20:10:39,411 org.owasp.dependencycheck.App:94
DEBUG - Exit code: 13

[jeremylong]

Not entirely sure what happened. NVD could have rate-limited you, which could occur if you have multiple jobs running in CI environments all trying to update at the same time without using any mirroring strategy (i.e., every job downloads the full NVD dataset every time it performs a scan). It could have been a temporary glitch in the NVD.

You might consider using the NVD datafeed instead of the API:

--nvdDatafeed https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-\{0\}.json.gz

[volkhardv]

Hello @jeremylong ,
thanks for this.
it is the only running call from local workstation - there is no other piipeline running with this plugin.

best regards
Volkhard