jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Offline Sonatype OSS index analysis possible ? #6892

Closed bflorat closed 6 days ago

bflorat commented 1 month ago

We run our OWASP Dependency-Check (ODC) analysis in fully air-gapped pipelines, ironically due to security restrictions. We manage to cache the NVD database daily by using dependency-check.sh --update-only on a connected machine and then share the data internally, including the odc.mv.db file. However, after querying this H2 database, we found that it only contains NVD CVE data.

We are interested in caching the Sonatype OSS Index to include their CVEs as well, but it appears that OSS Index can only be queried online via an API, which doesn’t work in our offline environment. To avoid errors, we currently disable the OSS Index analyzer using -DossindexAnalyzerEnabled=false in the ODC Maven plugin.

Is there any way to consolidate all OSS Index CVEs into the odc.mv.db file as well?

aikebah commented 1 month ago

No, live access is the only way to consult OSSINDEX for vulnerability data. See also #3605
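The air-gapped workflow the question describes (refresh the NVD cache on a connected host, transfer the data directory, scan offline with the OSS Index analyzer turned off, since the answer confirms it has no offline mode) as an added shell example; this is not code from the dependency-check project or from either participant. It assumes the CLI distribution's dependency-check.sh is on PATH and that the data directory is moved between hosts by some internal channel; the default location /srv/odc-data is a placeholder. Note that the CLI spells the update flag --updateonly; --noupdate, --data and --disableOssIndex are likewise existing CLI options.

```shell
#!/bin/sh
# Air-gapped dependency-check workflow (added example, not project code).
# Assumed: dependency-check.sh on PATH; the data directory is copied from the
# connected host to the offline host out of band (rsync, artifact repo, ...).
set -eu

ODC_DATA="${ODC_DATA:-/srv/odc-data}"   # placeholder for the shared cache path

# Step 1 (connected host): refresh only the local NVD cache, run no scan.
update_cmd() {
    printf 'dependency-check.sh --updateonly --data %s\n' "$1"
}

# Guard before an offline scan: the H2 database must already be in place,
# otherwise dependency-check would attempt an NVD download and fail.
cache_ready() {
    [ -s "$1/odc.mv.db" ]
}

# Step 2 (air-gapped host): scan without network access.
# --noupdate skips the NVD refresh; --disableOssIndex switches off the
# Sonatype OSS Index analyzer, which can only be queried live.
scan_cmd() {
    data_dir="$1"; project="$2"; target="$3"; out="$4"
    printf 'dependency-check.sh --noupdate --disableOssIndex --data %s --project %s --scan %s --format HTML --out %s\n' \
        "$data_dir" "$project" "$target" "$out"
}

case "${1:-}" in
    update) sh -c "$(update_cmd "$ODC_DATA")" ;;
    scan)   cache_ready "$ODC_DATA" || { echo "no odc.mv.db in $ODC_DATA" >&2; exit 2; }
            sh -c "$(scan_cmd "$ODC_DATA" "${2:-app}" "${3:-.}" "${4:-odc-report}")" ;;
    *) ;;  # no argument: only define the functions
esac
```

Run `./odc-offline.sh update` on the connected host, copy `$ODC_DATA` across, then `./odc-offline.sh scan myapp ./target report` on the offline host. For the Maven plugin the equivalent settings are `-DossindexAnalyzerEnabled=false` (as in the question) together with `-DautoUpdate=false` and `-DdataDirectory=/path/to/odc-data`.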