Provide already imported fresh CVE Database as daily built Docker image for direct use

Is your feature request related to a problem? Please describe.

We operate a large “on premise” CI platform. Each job is independent (specific Maven repo, specific CVE database, …) We are trying to find a reliable way to share the CVE database (we have tried with a separate H2 database, common MySQL / PostgreSQL database, etc.)

Describe the solution you’d like

The most efficient way we have tried is to give a Docker container that includes the already imported CVE database. This image is built/updated daily with fresh CVE metadatas.

An example of Dockerfile to create this image: https://github.com/jycr/docker-dependency-check-with-db/blob/main/Dockerfile

Docker image versioning can follow rule : X.X.X.YYYYYYYYYYYY where:

• X.X.X is dependency-check version
• YYYYYYYYYYYY is timestamp of CVE database.

A customer can directly use this image, or customize this own with a multistage Dockerfile. Ex:

FROM jycr/dependency-check-with-db:latest as dependency-check

FROM maven:3.8-jdk-11-slim

# Installation of Git in order to be able to release via the Jenkins pipeline
RUN apt-get update && \
    apt-get install --assume-yes --no-install-recommends \
        git \
        && \
    rm -rf /var/lib/apt/lists/* && \
    mkdir -p /usr/share

COPY --from=dependency-check /usr/share/dependency-check /usr/share/dependency-check

Benefits:

• No need to download CVE metadatas from NIST as it is already available in the database provided with this custom Docker image
• No time spent updating the database: the CVE database included in the Docker image is already updated
• The Docker image is available on the large Docker Hub CDN (much more available than the NIST website for uploading metadata files)
• Each customer can create their own build context with a custom Dockerfile and copy the CVE database, or can directly use that custom Docker image. With the Docker cache system, it’s really fast.