diff --git a/ci/java-builder/Dockerfile b/ci/java-builder/Dockerfile
index 74508ae..3cc1f90 100644
--- a/ci/java-builder/Dockerfile
+++ b/ci/java-builder/Dockerfile
@@ -64,11 +64,17 @@ ARG OWASP_DC_VERSION=12.2.1
 ARG NVD_API_KEY=""
 ENV OWASP_DATA_DIR=/opt/owasp/dependency-check-data
 
-RUN mkdir -p "${OWASP_DATA_DIR}" \
-    && mvn org.owasp:dependency-check-maven:${OWASP_DC_VERSION}:update-only \
+RUN if [ -n "${NVD_API_KEY}" ]; then \
+        echo "NVD API key: set (length=$(printf %s "${NVD_API_KEY}" | wc -c))"; \
+    else \
+        echo "WARNING: NVD_API_KEY is empty — NVD will rate-limit at 5 req / 30s, expect ~30+ min"; \
+    fi \
+    && mkdir -p "${OWASP_DATA_DIR}" \
+    && timeout 3600 mvn -B -ntp -N \
+        org.owasp:dependency-check-maven:${OWASP_DC_VERSION}:update-only \
         -DdataDirectory="${OWASP_DATA_DIR}" \
         ${NVD_API_KEY:+-DnvdApiKey="${NVD_API_KEY}"} \
-        -q || true
+    && du -sh "${OWASP_DATA_DIR}"
 
 # ─────────────────────────────────────────────────────────────────────
 # ORAS CLI — for uploading artifacts to Harbor.