How to cache OWASP dependecy check NVD database on CI

Question

OWASP dependency check it's a great way of automating vulnerability discovery in our projects, though when running it as part of a CI pipeline per project it adds 3-4 minutes just to download the NVD database.

How can we cache this DB when running it with maven / gradle on a CI pipeline?

Answer 1

After a bit of research I found the way!

Basically, the files containing the NVM db are called: nvdcve-1.1-[YYYY].json.gz i.e. nvdcve-1.1-2022.json.gz which are later added to a Lucene index.

When running Dependency-Check with the Gradle plugin the files are created on:

$GRADLE_USER_HOME/.gradle/dependency-check-data/7.0/nvdcache/

When running it with Maven they are created on:

$MAVEN_HOME/.m2/repository/org/owasp/dependency-check-data/7.0/nvdcache/

So to cache this the DB on Gitlab CI you just have to add the following to your .gitlab-ci.yaml (Gradle):

before_script:
  - export GRADLE_USER_HOME=`pwd`/.gradle

cache:
  key: "$CI_PROJECT_NAME"
  paths:
    - .gradle/dependency-check-data

The first CI job run will create the cache and the consecutive (from same or different pipelines) will fetch it!