We run our OWASP Dependency-Check (ODC) analysis in fully air-gapped pipelines, ironically due to security restrictions. We manage to cache the NVD database daily by using dependency-check.sh --update-only on a connected machine and then share the data internally, including the odc.mv.db file. However, after querying this H2 database, we found that it only contains NVD CVE data.
We are interested in caching the Sonatype OSS Index to include their CVEs as well, but it appears that OSS Index can only be queried online via an API, which doesn’t work in our offline environment. To avoid errors, we currently disable the OSS Index analyzer using -DossindexAnalyzerEnabled=false in the ODC Maven plugin.
Is there any way to consolidate all OSS Index CVEs into the odc.mv.db file as well?
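The transfer procedure the question describes (refresh on a connected host, carry the data across, scan offline with the OSS Index analyzer disabled), written out as an added example. This is not code from the original post or from the Dependency-Check project, and it does not make OSS Index data available offline; it only packages what ODC itself caches. Assumptions: ODC_HOME is an unpacked dependency-check CLI release with its data directory at ODC_HOME/data, and the bundle is a tarball with a .sha256 sidecar; the paths and file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or the ODC project): mirror the
# Dependency-Check data directory from a connected host to an air-gapped one
# and run the offline scan with network-dependent analyzers switched off.
# ODC_HOME and ODC_DATA are assumed locations; override them via environment.
set -eu

ODC_HOME="${ODC_HOME:-/opt/dependency-check}"
ODC_DATA="${ODC_DATA:-$ODC_HOME/data}"

# Flags for the offline run: --noupdate stops ODC from contacting the NVD,
# --disableOssIndex and --disableCentral turn off the two analyzers that only
# work with network access (same effect as ossindexAnalyzerEnabled=false in
# the Maven plugin, but for the CLI).
OFFLINE_FLAGS="--noupdate --disableOssIndex --disableCentral"

# Portable SHA-256 hex digest of a file (Linux coreutils or macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Connected side. --update-only refreshes odc.mv.db without scanning anything.
# Bundle the whole data directory, not just odc.mv.db, so other caches ODC
# keeps there (such as the RetireJS repository) travel with it. The digest
# lets the receiving side detect a corrupted or tampered copy before use.
bundle_data() {
  out="$1"
  "$ODC_HOME/bin/dependency-check.sh" --update-only --data "$ODC_DATA"
  tar -C "$(dirname "$ODC_DATA")" -czf "$out" "$(basename "$ODC_DATA")"
  sha256_of "$out" > "$out.sha256"
}

# Air-gapped side, step 1: accept the bundle only if its digest matches.
verify_bundle() {
  expected="$(cat "$1.sha256")"
  actual="$(sha256_of "$1")"
  [ "$expected" = "$actual" ]
}

# Air-gapped side, step 2: unpack the verified bundle and scan offline.
run_offline_scan() {
  bundle="$1"; project="$2"; target="$3"; report="$4"
  if ! verify_bundle "$bundle"; then
    echo "bundle checksum mismatch, refusing to use it" >&2
    return 1
  fi
  tar -C "$(dirname "$ODC_DATA")" -xzf "$bundle"
  # shellcheck disable=SC2086  # OFFLINE_FLAGS is a deliberate word list
  "$ODC_HOME/bin/dependency-check.sh" $OFFLINE_FLAGS --data "$ODC_DATA" \
    --project "$project" --scan "$target" --format HTML --out "$report"
}

case "${1:-}" in
  connected) bundle_data "${2:-odc-data.tgz}" ;;
  airgapped) run_offline_scan "${2:-odc-data.tgz}" "${3:-myproject}" "${4:-.}" "${5:-odc-report}" ;;
  *) echo "usage: $0 connected [bundle.tgz] | airgapped [bundle.tgz] [project] [scan-dir] [out-dir]" ;;
esac
```

Run `connected` on the internet-facing host after the daily update and `airgapped` inside the pipeline. The checksum step matters because the H2 file is what the scanner trusts for its verdicts; a silently truncated or altered copy would produce a clean-looking report with nothing to flag it.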