OWASP Dependency-Check is a great way of automating vulnerability discovery in our projects, though when running it as part of a CI pipeline per project it adds 3-4 minutes just to download the NVD database.
How can we cache this DB when running it with maven / gradle on a CI pipeline?
After a bit of research I found the way!
Basically, the files containing the NVD DB are called:
nvdcve-1.1-[YYYY].json.gz
e.g. nvdcve-1.1-2022.json.gz
These feeds are downloaded once and then parsed into the local H2 database that Dependency-Check queries during analysis (the Lucene index it uses for CPE matching is built from that database at analysis time, not from the feeds directly). When running Dependency-Check with the Gradle plugin the files are created in the Gradle user home, which defaults to ~/.gradle:
~/.gradle/dependency-check-data/7.0/nvdcache/
When running it with Maven they are created in the local Maven repository (under the user's home directory, not under $MAVEN_HOME):
~/.m2/repository/org/owasp/dependency-check-data/7.0/nvdcache/
So to cache the DB on GitLab CI you just have to add the following to your
.gitlab-ci.yml
(Gradle):
The first CI job run will create the cache and subsequent runs (from the same or different pipelines) will fetch it!
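A complete .gitlab-ci.yml that implements this caching, as an added example and not a snippet from the original post or from the Dependency-Check project. It assumes a Gradle wrapper project with the Dependency-Check plugin applied (and, for the second job, a Maven project with dependency-check-maven declared in its pom.xml), plus the 7.x data-directory layout described above; the Docker image names are placeholders. It goes one step beyond the text in two ways: GitLab can only cache paths inside $CI_PROJECT_DIR, so the Gradle user home and the Maven local repository are moved into the checkout first, and the whole dependency-check-data directory is cached rather than only nvdcache/, so the already-parsed H2 database is reused too.

```yaml
# Added example (not from the original post): GitLab CI jobs that keep the
# Dependency-Check data directory (nvdcache/ plus the H2 database) in the
# GitLab cache so the NVD feeds are not downloaded and re-parsed on every run.
#
# GitLab only caches paths below $CI_PROJECT_DIR, so both tools are told to
# keep their user-level state inside the checkout.
variables:
  GRADLE_USER_HOME: "$CI_PROJECT_DIR/.gradle"
  MAVEN_OPTS: "-Dmaven.repo.local=$CI_PROJECT_DIR/.m2/repository"

stages:
  - test

# --- Gradle ---------------------------------------------------------------
dependency-check-gradle:
  stage: test
  image: eclipse-temurin:17-jdk        # placeholder; any JDK image works
  cache:
    # One shared key: the NVD data is identical for every branch, so do not
    # scope it to $CI_COMMIT_REF_SLUG as you would for build outputs.
    key: owasp-dependency-check-gradle
    paths:
      # Cache the parent directory, not .../7.0/nvdcache/ only: the parsed H2
      # database is reused as well, and a plugin upgrade that creates a new
      # version folder does not invalidate the key.
      - .gradle/dependency-check-data/
    # pull-push: restore the DB before the job, save it (including any
    # incremental NVD update pulled during the run) afterwards.
    policy: pull-push
  script:
    - ./gradlew --no-daemon dependencyCheckAnalyze
  artifacts:
    when: always
    paths:
      - build/reports/dependency-check-report.html

# --- Maven ----------------------------------------------------------------
dependency-check-maven:
  stage: test
  image: maven:3-eclipse-temurin-17    # placeholder; any Maven+JDK image works
  cache:
    key: owasp-dependency-check-maven
    paths:
      # With maven.repo.local inside the checkout the plugin data lands here.
      - .m2/repository/org/owasp/dependency-check-data/
    policy: pull-push
  script:
    # Assumes the plugin (with a pinned version) is declared in pom.xml.
    - mvn -B org.owasp:dependency-check-maven:check
  artifacts:
    when: always
    paths:
      - target/dependency-check-report.html
```

Two caveats when adopting this. First, a restored cache does not freeze the vulnerability data: Dependency-Check still checks whether its local copy is stale (by default once it is more than 4 hours old, the `cveValidForHours` setting) and fetches the small "modified" feed, which the `pull-push` policy then writes back into the cache, so the run stays fast without scanning against outdated CVEs. Second, GitLab caches live on the runner (or in the runner's configured distributed cache), so whether a cache created by one pipeline is visible to another depends on the runner setup; on shared runners without a distributed cache the first job on a fresh runner will still pay the full download.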