If an organization blocks the servers performing dependency-check scans from downloading content from the internet, it will need to mirror two data sources: the NVD JSON data feeds and the Retire JS repository.
Several organizations have opted to mirror the NVD on an internal server and have the dependency-check clients simply pull the updates from the mirror. This setup is fairly simple:
The Retire JS repository is located at:
https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json
The Retire JS repository can be configured using the retireJsUrl configuration option.
See the configuration for the specific dependency-check client used for more information.
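One way to keep an internal copy of the Retire JS repository current, shown as an added example that is not part of dependency-check: the script downloads the file from the URL above, rejects a truncated or non-JSON response, and swaps the published copy atomically so clients never read a partial file. The destination path `mirror/jsrepository.json` and the "non-empty JSON object" sanity check are assumptions of this example.

```python
"""Mirror jsrepository.json for scanners that cannot reach the internet (added example)."""
import json
import os
import sys
import tempfile
import urllib.request
from pathlib import Path

# Upstream location given on this page.
UPSTREAM = ("https://raw.githubusercontent.com/Retirejs/retire.js/"
            "master/repository/jsrepository.json")


def fetch(url: str = UPSTREAM, timeout: int = 60) -> bytes:
    """Download the file over HTTPS; urllib verifies the certificate by default."""
    if not url.startswith("https://"):
        raise ValueError("refusing non-HTTPS upstream: " + url)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def publish(data: bytes, dest: Path) -> int:
    """Validate data, then atomically replace dest. Returns the top-level entry count."""
    try:
        repo = json.loads(data)
    except ValueError as exc:  # truncated download, proxy error page, bad encoding
        raise ValueError(f"download is not valid JSON: {exc}") from exc
    # Assumption: a usable repository file is a non-empty JSON object.
    if not isinstance(repo, dict) or not repo:
        raise ValueError("expected a non-empty JSON object")
    dest.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=dest.parent, prefix=dest.name + ".")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.chmod(tmp, 0o644)    # readable by the web server that serves the mirror
        os.replace(tmp, dest)   # atomic rename: readers see the old or the new file
    except BaseException:
        os.unlink(tmp)
        raise
    return len(repo)


if __name__ == "__main__":
    # Hypothetical default path; pass the web server's document path as argv[1].
    target = Path(sys.argv[1] if len(sys.argv) > 1 else "mirror/jsrepository.json")
    print(f"published {publish(fetch(), target)} entries to {target}")
```

Serve the published file from an internal web server and set retireJsUrl on each client to that internal URL.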