fabpot/local-php-security-checker

Unable to download security-advisories zip file

Closed this issue · 3 comments

After learning about this project today and installing it for the first time, I've been having some trouble obtaining the security-advisories database. I can access it via curl without difficulty, but am having no luck via the local-php-security-checker binary. Instead, an "unable to load the advisory DB: unable to fetch advisories" error is reported:

ᐅ curl https://codeload.github.com/FriendsOfPHP/security-advisories/zip/master -O
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  554k  100  554k    0     0   962k      0 --:--:-- --:--:-- --:--:--  961k

ᐅ ./local-php-security-checker --help
Local PHP Security Checker 1.0.0, built at 2021-01-15T07:03:28Z

ᐅ ./local-php-security-checker
unable to load the advisory DB: unable to fetch advisories: Get "https://codeload.github.com/FriendsOfPHP/security-advisories/zip/master": dial tcp: lookup codeload.github.com on [::1]:53: read udp [::1]:64419->[::1]:53: read: connection refused

Seeing something similar. Getting a timeout instead of connection refused:

$ lando composer -n deps-sniff
> ./bin/local-php-security-checker
unable to load the advisory DB: unable to fetch advisories: Get "https://codeload.github.com/FriendsOfPHP/security-advisories/zip/master": dial tcp: i/o timeout
Script ./bin/local-php-security-checker handling the deps-sniff event returned with error code 127

I got the same error too.

unable to load the advisory DB: unable to fetch advisories: Get "https://codeload.github.com/FriendsOfPHP/security-advisories/zip/master": dial tcp 140.82.112.10:443: i/o timeout

Since I have it configured on my CI jobs, it creates false positives, so I would love to see this resolved.

The cause is probably that the requests are reaching the API rate limits for GitHub-hosted content. It may need to change to a DSN hosted in a cloud or something like that to prevent problems, but I think that has to be resolved in the security-advisories project, and then move this repo to whatever solution they come up with.

Should we open an issue there?

Butting in about a similar error, although this time the error message is different:

unable to load the advisory DB: unable to fetch advisories: zip: not a valid zip file

Not sure if that's the same issue; I can open another one if needed.

EDIT: It seems to have solved itself right after I posted this, oh well.
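As an added diagnostic (not the checker's own code), the Python below splits the download into the stages the errors in this thread come from: name resolution (the `lookup ... on [::1]:53 ... connection refused` case), TCP/TLS connect (the `dial tcp ... i/o timeout` cases) and the archive itself (the `zip: not a valid zip file` case). The URL is the one the checker reports; `build_sample_archive` and the stage names are assumptions for offline use.

```python
import io, socket, ssl, zipfile
from urllib.parse import urlsplit
from urllib.request import urlopen

ADVISORIES_URL = "https://codeload.github.com/FriendsOfPHP/security-advisories/zip/master"


def validate_advisories_zip(data: bytes) -> dict:
    """Verdict on downloaded bytes; covers the 'zip: not a valid zip file' case."""
    if not data.startswith(b"PK\x03\x04"):
        return {"ok": False, "reason": "not a valid zip file (bad magic)"}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile as exc:
        return {"ok": False, "reason": f"not a valid zip file ({exc})"}
    advisories = [n for n in names if n.endswith((".yaml", ".yml"))]
    if not advisories:
        return {"ok": False, "reason": "archive contains no advisory YAML files"}
    return {"ok": True, "advisories": len(advisories)}


def build_sample_archive(names) -> bytes:
    """Constructed in-memory zip for offline checks; not the real advisory DB."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, "title: constructed sample\n")
    return buf.getvalue()


def diagnose_fetch(url: str = ADVISORIES_URL, timeout: float = 10.0) -> dict:
    """Separate DNS, TCP/TLS and HTTP/zip failures instead of one opaque error."""
    host = urlsplit(url).hostname
    try:  # stage 1: name resolution (the "lookup ... on [::1]:53 ... refused" case)
        addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(host, 443, type=socket.SOCK_STREAM)})
    except socket.gaierror as exc:
        return {"stage": "dns", "ok": False, "detail": str(exc)}
    try:  # stage 2: TCP connect and TLS handshake (the "dial tcp ... i/o timeout" case)
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ssl.create_default_context().wrap_socket(raw, server_hostname=host):
                pass
    except OSError as exc:
        return {"stage": "tcp_tls", "ok": False, "addrs": addrs, "detail": str(exc)}
    try:  # stage 3: HTTP fetch, then archive validation
        with urlopen(url, timeout=timeout) as resp:
            body = resp.read()
    except OSError as exc:
        return {"stage": "http", "ok": False, "addrs": addrs, "detail": str(exc)}
    return {"stage": "zip", "addrs": addrs, **validate_advisories_zip(body)}
```

Running `diagnose_fetch()` on an affected host tells you whether to look at the resolver configuration, the network path to GitHub, or the downloaded content.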