diff --git a/ci/java-builder/Dockerfile b/ci/java-builder/Dockerfile
index 3cc1f90..8c60235 100644
--- a/ci/java-builder/Dockerfile
+++ b/ci/java-builder/Dockerfile
@@ -55,8 +55,13 @@ RUN curl -fsSL "https://dlcdn.apache.org/maven/maven-3/${MAVEN_VERSION}/binaries
 # OWASP Dependency-Check — pre-download NVD database
 #
 # This is the single biggest CI time saver. The NVD database download
-# takes 5-10 minutes on a cold cache. Pre-baking it into the image
-# means audit jobs start with a warm database.
+# takes 5-10 minutes on a cold cache (with API key) or 20-30 min cold.
+# Pre-baking it into the image means audit jobs start with a warm DB.
+#
+# Best-effort: if NVD is flaky and the update fails, the build still
+# succeeds without a warm cache. Consumers (CI scan jobs) can detect
+# this by checking for ${OWASP_DATA_DIR}/.warm — present means the
+# pre-warm worked, missing means scans will need to download on demand.
 #
 # Rebuild this image weekly to keep the NVD database fresh.
 # ─────────────────────────────────────────────────────────────────────
@@ -67,14 +72,19 @@ ENV OWASP_DATA_DIR=/opt/owasp/dependency-check-data
 RUN if [ -n "${NVD_API_KEY}" ]; then \
 echo "NVD API key: set (length=$(printf %s "${NVD_API_KEY}" | wc -c))"; \
 else \
- echo "WARNING: NVD_API_KEY is empty — NVD will rate-limit at 5 req / 30s, expect ~30+ min"; \
+ echo "WARNING: NVD_API_KEY is empty — NVD will rate-limit at 5 req / 30s"; \
 fi \
 && mkdir -p "${OWASP_DATA_DIR}" \
- && timeout 3600 mvn -B -ntp -N \
- org.owasp:dependency-check-maven:${OWASP_DC_VERSION}:update-only \
- -DdataDirectory="${OWASP_DATA_DIR}" \
- ${NVD_API_KEY:+-DnvdApiKey="${NVD_API_KEY}"} \
- && du -sh "${OWASP_DATA_DIR}"
+ && ( timeout 1800 mvn -B -ntp -N \
+ org.owasp:dependency-check-maven:${OWASP_DC_VERSION}:update-only \
+ -DdataDirectory="${OWASP_DATA_DIR}" \
+ -DnvdMaxRetryCount=30 \
+ -DnvdApiDelay=2000 \
+ ${NVD_API_KEY:+-DnvdApiKey="${NVD_API_KEY}"} \
+ && touch "${OWASP_DATA_DIR}/.warm" \
+ && echo "NVD pre-warm: complete" \
+ || echo "WARNING: NVD pre-warm did NOT complete — image built without a warm cache. CI scans will download on demand. (NVD API was flaky at build time; retry the image build later.)" ) \
+ && du -sh "${OWASP_DATA_DIR}" 2>/dev/null || true
 
 # ─────────────────────────────────────────────────────────────────────
 # ORAS CLI — for uploading artifacts to Harbor.
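Review bot: The trailing `|| true` on the new last line of the RUN applies to the whole `&&` chain, not just to `du`, so a failed `mkdir -p "${OWASP_DATA_DIR}"` (or a failing `if` block) now lets the layer succeed silently, which the old chain did not; scope it with `&& { du -sh "${OWASP_DATA_DIR}" 2>/dev/null || true; }`. Since the parenthesised group always ends in `echo` it returns 0 by design, so the `.warm` marker is the only machine-readable outcome; consider also sending the "did NOT complete" message to stderr (`>&2`) so it stands out in build logs and is not mistaken for a normal build line. Separately, the declaration of NVD_API_KEY is outside this hunk; if it is a build `ARG`, its value is recorded in the image's layer history for this RUN step and is visible in the build container's process list via `-DnvdApiKey=...`, so a BuildKit `RUN --mount=type=secret,id=nvd_api_key` read from `/run/secrets/nvd_api_key` would keep the key out of the shipped image.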