Was noticing that no new recent vulnerabilities are showing up in NCM, so I went to check things out.
In my Firmware Vulnerability Settings page, I'm getting the following errors -
URL "http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-recent.xml" is currently inaccessible.
URL "http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml" is currently inaccessible.
If you go to those URL's it says that "Effective October 16, 2015 the XML data feeds will no longer be available for download in an uncompressed format.
You have reached this page because you have a process that links directly to a file that no longer exists. Please modify your process to use the compressed format as described on the main NVD Datafeeds landing page."
If you go to the NVD Datafeeds landing page (NVD - Data Feeds), there are links to the compressed version of the two files above in either GZIP or ZIP format
Its fairly easy to unzip them and drop them in to the correct directory, which is shown in the Settings page, but I thought maybe a product update to fix this is in order?
Solved! Go to Solution.
I have the exact same issue. Just updated to v7.5 and realized that NCM haven't updated the vulnerabilities since october 2015.
I did look up the URL's and it actually seems it's now the following ones:
If I direct my brower to these two URL's it downloads the ZIP-files without any problem. But NCM cannot.
I can see in my firewall that HTTPS is open and that my NCM server is actually trying to connect on port TCP 443 (to NIST on an IP in the range 184.108.40.206/16)... but still no new files in the folder. And, yes the folder path passes validation.
What could be the cause? Why cannot NCM fetch the files? Or is it something about it's not being able to unzip them and therefore it just drops the files?
I have the same issue. I can access the urls from the host. I could manually do the process as suggested though this seems like it defeats the purpose of an automated task.
I also have this problem. Seems to me that Solar Winds should put an update out that fixes this properly, rather than expecting us all to manually import.
This fell off my radar, though I have to say that I would still really like this feature to actually work. I have plenty of other compliance tools (most of which are long lists from other people) but I would like to have the functionality as advertised. Okay this will probably die as a thread as well as a blip on my radar.
I got this confermation from the NIST, on my question for how long this vulnerability XML download will be available for automated download (like in NCM)
Per the timeline provided in the XML feed retirement announcement we will be implementing Phase 3 of the XML retirement plan on Wednesday October 16th.
We originally announced the retirement of the XML Vulnerability feeds at the beginning of this year so organizations would have time to adjust....
I hope we have a working solution for NCM to download these vulnerability XML files after 16 October 2019 Is there a plan-B ?
we dont even see the compressed versions of the xml from Oct 16.
Whats the version of NCM for which there is plan to include JSON feeds ?
And does converting the JSON feeds to xml and uploading them work? Has anyone tried it
No it seems the XML version is no longer supported by NIST and the new version is not supported by NCM. Not good!
Solarwinds, time to work!!
Yes . You are totally right. But I think solarwinds developers are already working on the fix in next NCM release. I just hope they backport to older supported releases also .
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 150,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process. Learn more today by joining now.