DependencyCheck uses the decommissioned v1.0 of the NVD json feed

[aikebah]

Describe the bug
NVD has updated their current datafeeds to the JSON 1.1 format. DependencyCheck should start consuming these. JSON 1.0 feeds appear still available and up-to-date, but only 1.1 format feeds are officially published.

** Version of dependency-check used **
The problem occurs using version 5.2.2 of DependencyCheck

To Reproduce

1. Run dependencycheck in a new environment
2. Observe downloads taking the 1.0 datafeeds

Expected behavior
DependencyCheck downloading the current NVD datafeeds as published on their website

Additional context
According to the publication on their website the v1.1 version of JSON feeds reached final state on 9 Sep. Based on the changelog my suspicion is that it only requires an update of the URLs and the NVD json schemas.

At that time the current JSON 1.0 data feeds will no longer available.

Is what they state in the announcement, but that has been proven to be not entirely the case as when I just checked the meta of the 1.0 JSON feeds it was a) still there and b) up-to-date with the 1.1 feed. Nevertheless continued use of the 1.0 feeds is a ticking timebomb as somewhere in the future NVD will cease publishing the 1.0 feeds.

I'll make an attempt at fixing this and if successful will publish the PR.

Will use this ticket for further discussion if needed.

[glsutter]

Is there a workaround for this issue? Or do we need to wait on a new release?

[glsutter]

Never mind. I see that a fix was merged in a few days ago. Thanks.

[jeremylong]

A new release will be published in a week or two.