build: increase owasp build timeout
parent
16ebcec7ef
commit
5c526822b8
|
|
@ -55,8 +55,13 @@ RUN curl -fsSL "https://dlcdn.apache.org/maven/maven-3/${MAVEN_VERSION}/binaries
|
||||||
# OWASP Dependency-Check — pre-download NVD database
|
# OWASP Dependency-Check — pre-download NVD database
|
||||||
#
|
#
|
||||||
# This is the single biggest CI time saver. The NVD database download
|
# This is the single biggest CI time saver. The NVD database download
|
||||||
# takes 5-10 minutes on a cold cache. Pre-baking it into the image
|
# takes 5-10 minutes on a cold cache (with API key) or 20-30 min cold.
|
||||||
# means audit jobs start with a warm database.
|
# Pre-baking it into the image means audit jobs start with a warm DB.
|
||||||
|
#
|
||||||
|
# Best-effort: if NVD is flaky and the update fails, the build still
|
||||||
|
# succeeds without a warm cache. Consumers (CI scan jobs) can detect
|
||||||
|
# this by checking for ${OWASP_DATA_DIR}/.warm — present means the
|
||||||
|
# pre-warm worked, missing means scans will need to download on demand.
|
||||||
#
|
#
|
||||||
# Rebuild this image weekly to keep the NVD database fresh.
|
# Rebuild this image weekly to keep the NVD database fresh.
|
||||||
# ─────────────────────────────────────────────────────────────────────
|
# ─────────────────────────────────────────────────────────────────────
|
||||||
|
|
@ -67,14 +72,19 @@ ENV OWASP_DATA_DIR=/opt/owasp/dependency-check-data
|
||||||
RUN if [ -n "${NVD_API_KEY}" ]; then \
|
RUN if [ -n "${NVD_API_KEY}" ]; then \
|
||||||
echo "NVD API key: set (length=$(printf %s "${NVD_API_KEY}" | wc -c))"; \
|
echo "NVD API key: set (length=$(printf %s "${NVD_API_KEY}" | wc -c))"; \
|
||||||
else \
|
else \
|
||||||
echo "WARNING: NVD_API_KEY is empty — NVD will rate-limit at 5 req / 30s, expect ~30+ min"; \
|
echo "WARNING: NVD_API_KEY is empty — NVD will rate-limit at 5 req / 30s"; \
|
||||||
fi \
|
fi \
|
||||||
&& mkdir -p "${OWASP_DATA_DIR}" \
|
&& mkdir -p "${OWASP_DATA_DIR}" \
|
||||||
&& timeout 3600 mvn -B -ntp -N \
|
&& ( timeout 1800 mvn -B -ntp -N \
|
||||||
org.owasp:dependency-check-maven:${OWASP_DC_VERSION}:update-only \
|
org.owasp:dependency-check-maven:${OWASP_DC_VERSION}:update-only \
|
||||||
-DdataDirectory="${OWASP_DATA_DIR}" \
|
-DdataDirectory="${OWASP_DATA_DIR}" \
|
||||||
${NVD_API_KEY:+-DnvdApiKey="${NVD_API_KEY}"} \
|
-DnvdMaxRetryCount=30 \
|
||||||
&& du -sh "${OWASP_DATA_DIR}"
|
-DnvdApiDelay=2000 \
|
||||||
|
${NVD_API_KEY:+-DnvdApiKey="${NVD_API_KEY}"} \
|
||||||
|
&& touch "${OWASP_DATA_DIR}/.warm" \
|
||||||
|
&& echo "NVD pre-warm: complete" \
|
||||||
|
|| echo "WARNING: NVD pre-warm did NOT complete — image built without a warm cache. CI scans will download on demand. (NVD API was flaky at build time; retry the image build later.)" ) \
|
||||||
|
&& du -sh "${OWASP_DATA_DIR}" 2>/dev/null || true
|
||||||
|
|
||||||
# ─────────────────────────────────────────────────────────────────────
|
# ─────────────────────────────────────────────────────────────────────
|
||||||
# ORAS CLI — for uploading artifacts to Harbor.
|
# ORAS CLI — for uploading artifacts to Harbor.
|
||||||
|
|
|
||||||
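Review bot: The new best-effort wrapper around `mvn … update-only` fails open: when `timeout 1800` kills the update or NVD errors out, anything already written to `${OWASP_DATA_DIR}` stays in the image and the build still succeeds, so a scan job that does not check `.warm` (or that runs with auto-update disabled, which is not visible here) may run against an incomplete database and under-report. Clearing the directory in the failure branch, e.g. `|| { rm -rf "${OWASP_DATA_DIR:?}"/*; echo "WARNING: …"; }`, and writing a build timestamp into the marker instead of `touch` (`date -u +%Y-%m-%dT%H:%M:%SZ > "${OWASP_DATA_DIR}/.warm"`) would let consumers fail closed on a missing or stale cache. The trailing `|| true` applies to the whole `&&` chain, so it also hides a failing `mkdir -p`. The commit title says the timeout is increased, while the visible change appears to go from `timeout 3600` to `timeout 1800`; worth confirming which is intended. Separately, `-DnvdApiKey=` puts the key on the mvn command line; if `NVD_API_KEY` is a build ARG (declared outside this hunk), a BuildKit secret mount (`RUN --mount=type=secret,…`) would keep it out of the image history.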