Open hicker-kin opened 1 week ago
If you read the GitHub pages you'll find there:
The Open Vulnerability Project's vuln CLI can be used to create an offline copy of the data obtained from the NVD API. Then configure dependency-check to use the NVD Datafeed URL
I've highlighted the part you didn't take properly into account. The NVD API data cache is something other than the data directory of DependencyCheck. You need to configure the NVD datafeed URL to point to the files in your local cache.
So take a look at the CLI configuration and look for a way to configure the NVD datafeed URL and you'll find that you need to point --nvdDatafeed to your offline NVD API cache.
Note that the typical use of it would be hosting it at some central HTTP server in your private network, but a file-URL (file:///....) instead of an http-URL should also work fine.
I pulled the cache data (JSON):
ls ~/java/target/docs:
```
...... nvdcve-1.1-2024.json.gz
.....
staff 376K 10 24 16:01 nvdcve-1.1-recent.json.gz
staff 162B 10 24 16:01 nvdcve-1.1-recent.meta
```
Then I installed the client and ran the command line:
```
dependency-check --project "spring-boot-docker" --scan . \
  --log scan-log.log \
  --format GITLAB --format HTML \
  --data ~/java/target/docs \
  --disableHostedSuppression --disableCentral --disableOssIndex --disableRetireJS \
  --noupdate
```
An error occurred:
```
[ERROR] One or more fatal errors occurred
[ERROR] Autoupdate is disabled and the database does not exist
```
Why? How can I create a local cache for the dependency-check data source?
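
The distinction drawn above between the offline NVD cache (the target of --nvdDatafeed) and the --data directory, as an added example that is not part of the original thread or the project's code. The function names and the database directory are hypothetical, and the `{0}` placeholder in the URL is an assumption about dependency-check's datafeed URL convention that should be checked against the documentation for the installed version.

```shell
#!/bin/sh
# Added example: derive the --nvdDatafeed value from a local NVD cache
# directory and keep the dependency-check database (--data) elsewhere.

# Print a file:// datafeed URL for cache directory $1.
# Fails if the "recent" feed file or its .meta companion is missing.
datafeed_url() {
    dir=$(cd "$1" 2>/dev/null && pwd) || { echo "no such directory: $1" >&2; return 1; }
    recent=$(ls "$dir" | grep -E '^nvdcve-.*recent\.json\.gz$' | head -n 1)
    [ -n "$recent" ] || { echo "no nvdcve-*recent.json.gz in $dir" >&2; return 1; }
    [ -f "$dir/${recent%.json.gz}.meta" ] || { echo "missing .meta for $recent" >&2; return 1; }
    # Keep the cache's own file prefix (e.g. "nvdcve-1.1-"); {0} is the
    # assumed placeholder for the year/"recent" part of the file name.
    prefix=${recent%recent.json.gz}
    printf 'file://%s/%s{0}.json.gz\n' "$dir" "$prefix"
}

# Print the first-run command for cache dir $1 and database dir $2.
# No --noupdate here: the first run has to build the database from the feed,
# otherwise "Autoupdate is disabled and the database does not exist" is raised.
first_run_command() {
    url=$(datafeed_url "$1") || return 1
    cache=$(cd "$1" && pwd)
    mkdir -p "$2" || return 1
    db=$(cd "$2" && pwd)
    # The cache holds feed files; --data holds the database built from them.
    [ "$cache" != "$db" ] || { echo "--data must differ from the cache directory" >&2; return 1; }
    printf 'dependency-check --project "spring-boot-docker" --scan . --nvdDatafeed "%s" --data "%s"\n' "$url" "$db"
}

# Usage (paths are examples):
#   first_run_command ~/java/target/docs ~/dc-data
```

Once the database exists in the --data directory, later runs can add --noupdate again.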