Hi,

In Apache Pulsar, we use the OWASP Dependency-Check maven plugin to report 
vulnerabilities in dependencies in apache/pulsar GitHub Actions workflows. 

The Dependency Check maven plugin will download the NVD database, which takes a 
long time. In Apache Pulsar GitHub Actions workflows, we cache the Dependency 
Check database to speed up the process. However, recently the download has been 
so slow that the download doesn't complete in time so that it could be cached. 

Workflow runs:
https://github.com/apache/pulsar/actions/workflows/ci-owasp-dependency-check.yaml

There's a warning in the logs that suggests getting an API key.
"Warning:  An NVD API Key was not provided - it is highly recommended to use an 
NVD API key as the update can take a VERY long time without an API Key"

On ASF Slack, I have asked the ASF Infra team for recommendations for 
addressing this problem.

-Lari
