Is your feature request related to a problem? Please describe.
When using the "single node database updater with multiple node readers" caching pattern in a container image (and probably other cases), it's substantially more efficient to start with the last cached data. In a typical day (assuming the days this week were typical) there are less than 1000 total NVD updates, substantially less than the full rebuild of 230,000+ updates (reducing both build time and load on the NVD API). The most convenient means of storing/retrieving this data (e.g. taking from the last built container image, some cloud-based cache) may not have accurate timestamps (or at least can be challenging to ensure they do). ODC does, however, use timestamps for some files to determine the need to check for updates.
Describe the solution you'd like
Propose adding a properties file along side the hosted suppression and RetireJS files to track the retrieved times to ensure accurate updates (and any others that currently use the last modified timestamp). This is a follow up from jeremylong/DependencyCheck#6220 (comment).
Describe alternatives you've considered
The simplest alternative found so far is using the --retireJsForceUpdate and --hostedSuppressionsForceUpdate CLI arguments, but this forces updates in cases where they may not otherwise be required (especially if rebuilding multiple times throughout the day, e.g. every 4 hours).
Is your feature request related to a problem? Please describe.
When using the "single node database updater with multiple node readers" caching pattern in a container image (and probably other cases), it's substantially more efficient to start with the last cached data. In a typical day (assuming the days this week were typical) there are less than 1000 total NVD updates, substantially less than the full rebuild of 230,000+ updates (reducing both build time and load on the NVD API). The most convenient means of storing/retrieving this data (e.g. taking from the last built container image, some cloud-based cache) may not have accurate timestamps (or at least can be challenging to ensure they do). ODC does, however, use timestamps for some files to determine the need to check for updates.
Describe the solution you'd like
Propose adding a properties file along side the hosted suppression and RetireJS files to track the retrieved times to ensure accurate updates (and any others that currently use the last modified timestamp). This is a follow up from jeremylong/DependencyCheck#6220 (comment).
Describe alternatives you've considered
The simplest alternative found so far is using the
--retireJsForceUpdateand--hostedSuppressionsForceUpdateCLI arguments, but this forces updates in cases where they may not otherwise be required (especially if rebuilding multiple times throughout the day, e.g. every 4 hours).