WARNING: This discusses an advanced setup and you may run into issues.
Out of the box dependency-check uses a local H2 database. The location of the database file is configured using the data directory configuration option (see CLI).
Some organizations may want to use a more robust centralized database. Currently, H2 in server mode, MySQL, MariaDB, PostgreSQL, Oracle, and MS SQL Server have been tested. In general, the setup is done by creating a central database, setting up a single instance of dependency-check, which can connect to the Internet, that is run in update-only mode once a day. Then the other dependency-check clients can connect, using a read-only connection, to perform the analysis. Please note that if the clients are unable to access the Internet the analysis may result in a few false negatives; see the note about Central here.
To setup a centralized database the following generalized steps can be used:
Also, if using an external database you will need to manually upgrade the schema. See database upgrades for more information.
The following example shows how to use the Maven plugin with MariaDB:
<project>
<modelVersion>4.0.0</modelVersion>
<groupId>dummy</groupId>
<artifactId>dummy</artifactId>
<version>1.0-SNAPSHOT</version>
<build>
<plugins>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>9.0.2</version>
<dependencies>
<dependency>
<groupId>org.mariadb.jdbc</groupId>
<artifactId>mariadb-java-client</artifactId>
<version>1.4.6</version>
</dependency>
</dependencies>
<configuration>
<databaseDriverName>org.mariadb.jdbc.Driver</databaseDriverName>
<connectionString>jdbc:mariadb://my.cvedb.host/cvedb</connectionString>
<databaseUser>depscan</databaseUser>
<databasePassword>NotReallyMyDbPassword</databasePassword>
</configuration>
<executions>
<execution>
<goals>
<goal>update-only</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</project>
As always, feel free to open an issue.