Does Display NVD API Attribution Notice #6105

@A-Fitz-Nelnet

As of version 9.0.0, Dependency-Check is subject to the Terms of Use of the NVD API. Regarding attribution, the Terms of Use states the following.

Services which utilize or access the NVD API are asked to display the following notice prominently within the application: "This product uses the NVD API but is not endorsed or certified by the NVD." You may use the NVD name in order to identify the source of API content subject to these rules. You may not use the NVD name, to imply endorsement of any product, service, or entity, not-for-profit, commercial or otherwise.

While Dependency-Check itself may not be a service that utilizes or accesses the NVD API (I'm not a lawyer), my opinion is that software that makes use of Dependency-Check is most likely considered a service under the Terms of Use. Dependency-Check should automatically display the attribution notice at runtime so that consumers meet the NVD API Terms of Use.
