OWASP Tricks to speed up vulnerabilities checks

Question

I use the maven project with the OWASP plugin to check the vulnerabilities on each commit in the CI pull requests. The configuration looks pretty simple

<plugin>
                        <groupId>org.owasp</groupId>
                        <artifactId>dependency-check-maven</artifactId>
                        <version>${version.dependency-check-maven}</version>
                        <executions>
                            <execution>
                                <goals>
                                    <goal>aggregate</goal>
                                </goals>
                                <phase>verify</phase>
                            </execution>
                        </executions>
                        <configuration>
                            <showSummary>true</showSummary>
                            <!-- this will work only in the top-level maven module -->
                            <suppressionFile>${user.dir}/owasp-suppressions.xml</suppressionFile>
                            <format>ALL</format>
                            <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
                            <!-- alternative: fail on level (High starts at 7, Critical at 9) -->
                            <!-- <failBuildOnCVSS>4</failBuildOnCVSS> -->
                            <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
                            <cveUrlModified>address of the NVD local mirror</cveUrlModified>
                            <cveUrlBase>address of the NVD local mirror</cveUrlBase>
                            <cveWaitTime>1</cveWaitTime> <!--value in milliseconds, default is 4000-->
                        </configuration>
                    </plugin>

For CI builds I use PROW - https://docs.prow.k8s.io/docs/overview/ For local mirror approach is described here https://jeremylong.github.io/DependencyCheck/data/mirrornvd.html and the mirror is used from here https://github.com/stevespringett/nist-data-mirror/

Still the process to download CVEs from mirror takes quite a lot of time (around 3 minutes). From the logs I can see the most of time is spent on downloading CVEs

[INFO] Download Started for NVD CVE - 2003
[INFO] Download Complete for NVD CVE - 2003  (5 ms)
[INFO] Processing Started for NVD CVE - 2003
[INFO] Processing Complete for NVD CVE - 2002  (4608 ms)
[INFO] Processing Complete for NVD CVE - 2003  (1131 ms)
...

and for doing some DB maintenance?

[INFO] Begin database maintenance
[INFO] Updated the CPE ecosystem on 128773 NVD records
[INFO] Removed the CPE ecosystem on 3604 NVD records
[INFO] End database maintenance (13482 ms)
[INFO] Begin database defrag
[INFO] End database defrag (3765 ms)
[INFO] Check for updates complete (112132 ms)

Do you know any tricks to speed up OWASP checks?

Answer 1

This was replied on this other thread: How to cache OWASP dependecy check NVD database on CI

Basically you need to tell PROW to cache the location of the NVD database which when using the Maven plugin is:

$MAVEN_HOME/.m2/repository/org/owasp/dependency-check-data/7.0/nvdcache/

** Considering that you use Dependency-Check version 7.+