Closed 13CSherman closed 1 month ago
In a multi-stage build after running the update you would have to copy over the contents of /usr/share/dependency-check/data
If you have an environment with external persistent storage available to your containers you could avoid the periodic container-build/push by mounting the data location as a volume (which is what is done in the script referenced in our documentation for running the container - https://github.com/jeremylong/DependencyCheck?tab=readme-ov-file#docker).
Also be aware that the docker image (which uses the CLI) is only recommended as a scanner of last resort. If your project is built by a tool for which there is a dedicated build-tool based plugin you will typically get much better results (fewer false positives) when you use that plugin for the scan.
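The multi-stage approach described above, written out as an added example (not from the thread or the project's own Dockerfile). It assumes the upstream image is `owasp/dependency-check`, that the CLI accepts `--updateonly` and `--nvdApiKey`, and that `/usr/share/dependency-check/data` is the only directory the update writes to; the update runs in a throwaway stage and only the refreshed data directory is copied into a clean base, so the final image does not carry the layers of every previous refresh.

```dockerfile
# Added example: refresh the vulnerability database without stacking layers.
# Assumption: upstream image name and tag; pin the tag to the version you run.
ARG DC_VERSION=latest

# Stage 1 (discarded): run only the database update on top of the upstream image.
FROM owasp/dependency-check:${DC_VERSION} AS updater
# The NVD API key is read from a BuildKit secret rather than a build ARG,
# so it does not end up in the image history. Build with:
#   DOCKER_BUILDKIT=1 docker build --secret id=nvd_api_key,src=./nvd_key.txt .
# Without the secret the update still runs, just rate-limited by NVD.
RUN --mount=type=secret,id=nvd_api_key \
    if [ -s /run/secrets/nvd_api_key ]; then \
      /usr/share/dependency-check/bin/dependency-check.sh --updateonly \
        --nvdApiKey "$(cat /run/secrets/nvd_api_key)"; \
    else \
      /usr/share/dependency-check/bin/dependency-check.sh --updateonly; \
    fi

# Stage 2 (shipped): start again from the clean upstream image and bring across
# only the updated data directory. The update stage's layers are not included.
# If the upstream image runs as a non-root user, add --chown=<user> so the
# H2 database stays writable at scan time.
FROM owasp/dependency-check:${DC_VERSION}
COPY --from=updater /usr/share/dependency-check/data /usr/share/dependency-check/data
```

Rebuilding this every 4 hours still pulls from NVD once per build; mounting the data directory as a volume, as the reply suggests, avoids both the rebuild and the image push.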
I want to maintain an image with up-to-date vulnerability databases (at most 4 hours old). I was trying to reduce the pulls to the NVD by recursively building the image and running a database update every 4 hours. I noticed the size of the container is expanding exponentially so I was thinking of instead using a multi-stage docker build.
What folders do I need to copy over in a multi-stage docker build?