Builds a mirror of the NIST vulnerability database.
Use the mirrored data for faster scans with OWASP Dependency-Check to check for known dependency vulnerabilities.
Inspired by https://github.com/stevespringett/nist-data-mirror
npm install
npm start
docker build -t local/nist-mirror:latest .
docker run -ti --rm -p 8080:80 local/nist-mirror:latest
https://localhost:8080/nvdcve-1.0-2018.json
Dependency-Check supports a number of build tools; see https://jeremylong.github.io/DependencyCheck/
If you use Maven, here is the Maven plugin configuration to make use of the mirror (replace localhost with your hostname):
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>3.1.1</version>
  <configuration>
    <cveUrl12Modified>https://localhost:8080/nvdcve-modified.xml.gz</cveUrl12Modified>
    <cveUrl20Modified>https://localhost:8080/nvdcve-2.0-modified.xml.gz</cveUrl20Modified>
    <cveUrl12Base>https://localhost:8080/nvdcve-%d.xml.gz</cveUrl12Base>
    <cveUrl20Base>https://localhost:8080/nvdcve-2.0-%d.xml.gz</cveUrl20Base>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
It should run in the mvn verify phase by default. You may also trigger it using:
mvn org.owasp:dependency-check-maven:3.1.1:check
Running the script again refreshes the mirror data. Run it periodically so the mirror stays up to date.
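A scan against a stale or incomplete mirror silently misses newer CVEs, so it is worth checking that the periodic refresh is actually running. The following shell function is an added example, not part of the nist-mirror project: it takes the mirror's document root as an argument (a hypothetical path; the project's real output directory is not stated here) and verifies that every file named by the Maven configuration above exists and that both "modified" feeds have been refreshed within a given number of days.

```shell
#!/bin/sh
# Added example, not part of the nist-mirror project.
# Assumptions (hypothetical): $1 is the directory the mirror serves, and the
# file names follow the URL patterns used in the dependency-check-maven config
# (nvdcve-modified.xml.gz, nvdcve-2.0-modified.xml.gz, nvdcve-YYYY.xml.gz,
# nvdcve-2.0-YYYY.xml.gz).

# check_mirror_dir DIR MAX_AGE_DAYS FIRST_YEAR LAST_YEAR
# Returns 0 when every expected feed file exists and both "modified" feeds are
# newer than MAX_AGE_DAYS; prints each problem found and returns 1 otherwise.
check_mirror_dir() {
  dir=$1; max_age=$2; first=$3; last=$4
  rc=0

  # The "modified" feeds are rewritten on every refresh, so their age shows
  # whether the periodic refresh is still running.
  for f in nvdcve-modified.xml.gz nvdcve-2.0-modified.xml.gz; do
    if [ ! -f "$dir/$f" ]; then
      echo "missing: $f"; rc=1
    elif [ -n "$(find "$dir/$f" -mtime +"$max_age" 2>/dev/null)" ]; then
      echo "stale (older than $max_age days): $f"; rc=1
    fi
  done

  # One 1.2 feed and one 2.0 feed per year, matching cveUrl12Base and
  # cveUrl20Base, where Dependency-Check substitutes the year for %d.
  y=$first
  while [ "$y" -le "$last" ]; do
    for f in "nvdcve-$y.xml.gz" "nvdcve-2.0-$y.xml.gz"; do
      [ -f "$dir/$f" ] || { echo "missing: $f"; rc=1; }
    done
    y=$((y + 1))
  done
  return $rc
}

# Usage when run as a script: check_mirror.sh DIR MAX_AGE_DAYS FIRST_YEAR LAST_YEAR
if [ "$#" -eq 4 ]; then
  check_mirror_dir "$@"
fi
```

Run it from cron or your CI job before the scan, for example with a maximum age of 7 days and the year range you mirror; a non-zero exit means the scan would run against incomplete or outdated feed data.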