Dependency-Check fetches its vulnerability database from the NVD API, which is rate limited. There are two choices:
1. Use an NVD API key: the rate limit is higher, which reduces the execution time of Dependency-Check.
2. Use your local NVD data feed cache URL: you need this if your GitLab runners cannot contact the NVD API (e.g. if they are not allowed to connect to the Internet). You can maintain a local data feed cache with the [vulnz](https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz) tool. It fetches the vulnerabilities and stores them as data feeds (JSON files following the NVD Vulnerability Data API version 2.0 schema). This data feed URL should be reachable by your GitLab runners.
In order to configure an NVD API key, you need to:
* Set the `NVD_API_KEY` variable with your NVD API key. :warning: This is a sensitive value, so we recommend you add it as a **masked** GitLab variable.
```groovy
// ...
dependencyCheck {
    // ...
    nvd {
        // NVD_API_KEY is read from the environment (set it in your GitLab CI/CD variables)
        apiKey = System.getenv("NVD_API_KEY")
    }
    // ...
}
```
In order to configure an NVD data feed URL, you need to:
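As an added example (not the template's own configuration), this `build.gradle` fragment selects the NVD source from the environment: the data feed URL when it is set, otherwise the API key. `NVD_DATAFEED_URL` is a hypothetical variable name, the host in the comment is constructed, and the HTTPS check is a policy choice of this example.

```groovy
// Added example. NVD_DATAFEED_URL is a hypothetical variable name.
// Constructed sample value: https://nvd-cache.example.internal/nvdcve-{0}.json.gz
def nvdFeedUrl = System.getenv("NVD_DATAFEED_URL")
def nvdApiKey  = System.getenv("NVD_API_KEY")

dependencyCheck {
    nvd {
        if (nvdFeedUrl) {
            // Policy choice of this example: refuse a plain-HTTP feed, since
            // the scan result is only as trustworthy as the feed it reads.
            if (!nvdFeedUrl.startsWith("https://")) {
                throw new GradleException("NVD_DATAFEED_URL must use https://")
            }
            // Runners without Internet access read the vulnz-generated cache
            // instead of calling the NVD API.
            datafeedUrl = nvdFeedUrl
        } else if (nvdApiKey) {
            // Higher NVD API rate limit. The key itself is never logged.
            apiKey = nvdApiKey
        } else {
            // Make the slow anonymous path visible in the job log.
            logger.warn("Neither NVD_DATAFEED_URL nor NVD_API_KEY is set: " +
                        "using anonymous NVD API access (lower rate limit).")
        }
    }
}
```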
If you're using [Artifactory](https://jfrog.com/artifactory/) as a repository/mirror, you might need to add a `repositories` block and an `artifactory` block in the job definition.