Command to get NVD data compatibility with current dependency-check #7442

Open
itineric opened this issue Feb 20, 2025 · 3 comments
itineric commented Feb 20, 2025

I am looking for a way to get an info on compatibility of my cached dependency check NVD database with the current running dependency-check.

Currently, when upgrading the dependency-check version running on my CI, I sometimes get corrupt database error. So I need to manually clean the cache to remove the existing database, then the new one is downloaded. I would like to automate that and I am looking for some parameter to pass to dependency-check-cli.

The error:

```
[ERROR] Incompatible or corrupt database found. To resolve this issue please remove the existing database by running purge
[ERROR] Incompatible or corrupt database found; run the purge command to resolve the issue
org.owasp.dependencycheck.data.nvdcve.DatabaseException: Incompatible or corrupt database found; run the purge command to resolve the issue
```

Example of what I want to do:

```bash
# I cannot find a parameter to do that
mustPurge=$(dependency-check.sh --mustpurge -d .dependency-check-data)
if [[ $mustPurge == true ]]; then
  dependency-check.sh --purge -d .dependency-check-data
fi
dependency-check.sh --updateonly --nvdApiKey $NVD_API_KEY -d .dependency-check-data
```
aikebah commented Feb 20, 2025

There is no such command. But the need to purge and recreate the database is typically documented in the changelog for the major release, as e.g. for version 11.0: https://github.com/dependency-check/DependencyCheck/blob/main/CHANGELOG.md#version-1100-2024-10-21
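Since the CLI exposes no "must purge" query, one way to automate the fallback without bumping majors by hand is to run the update, match the error text quoted in the report above, purge only in that case, and retry once. The following is an added example (not from the issue author or the dependency-check project). It uses only the CLI flags already shown in the thread (`--updateonly`, `--nvdApiKey`, `--purge`, `-d`); the variable and function names `DC_CMD`, `DC_DATA`, `dc_update`, `dc_log_needs_purge` and `dc_update_with_purge_fallback` are this example's own, and it assumes `dependency-check.sh` is on `PATH` (or pointed to via `DC_CMD`) and `NVD_API_KEY` is set in the CI environment.

```shell
#!/usr/bin/env bash
# Added example, not part of the issue or the dependency-check project.
# Run the NVD update; only if dependency-check reports the
# "Incompatible or corrupt database found" error, purge the cached
# database and retry once. Any other failure (network, bad API key, ...)
# is surfaced without purging, so a transient outage does not throw
# away the cached NVD data.
#
# Assumed names for this example: DC_CMD (path to dependency-check.sh),
# DC_DATA (cache directory), NVD_API_KEY (from the CI secret store).
set -u

DC_CMD="${DC_CMD:-dependency-check.sh}"
DC_DATA="${DC_DATA:-.dependency-check-data}"
# Error text as printed by dependency-check (quoted in the issue report).
DC_INCOMPAT_PATTERN='Incompatible or corrupt database found'

# Run the update once, appending combined stdout/stderr to log file $1.
# Returns dependency-check's own exit status.
dc_update() {
  "$DC_CMD" --updateonly --nvdApiKey "${NVD_API_KEY:-}" -d "$DC_DATA" >>"$1" 2>&1
}

# Returns 0 when log file $1 contains the incompatible-database error.
dc_log_needs_purge() {
  grep -q -- "$DC_INCOMPAT_PATTERN" "$1"
}

# Update with a single purge-and-retry fallback.
# Prints one of: updated, purged-and-updated, failed. Returns 0 on success.
dc_update_with_purge_fallback() {
  local log
  log="$(mktemp)"
  if dc_update "$log"; then
    rm -f "$log"; echo "updated"; return 0
  fi
  if dc_log_needs_purge "$log"; then
    # The cache is unusable with this version: purge it and fetch a fresh copy.
    if "$DC_CMD" --purge -d "$DC_DATA" >>"$log" 2>&1 && dc_update "$log"; then
      rm -f "$log"; echo "purged-and-updated"; return 0
    fi
  fi
  # Not a cache-compatibility problem, or the retry failed too: show the
  # log, keep the cache untouched, and fail the CI step.
  cat "$log" >&2
  rm -f "$log"
  echo "failed"
  return 1
}

# Usage in a CI step:  NVD_API_KEY=... ./dc-update.sh run
# (when sourced instead, call dc_update_with_purge_fallback directly)
if [ "${1:-}" = "run" ]; then
  dc_update_with_purge_fallback
fi
```

The purge is gated on the specific error text rather than on any non-zero exit, because a blanket "purge on failure" would re-download the full NVD data set after every transient API error and, under rate limiting, can turn one flaky run into a multi-hour outage of the scanner. If the project changes the wording of that error in a later release, the wrapper degrades to "failed" with the log printed, which is the safe direction.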

itineric (Author) commented
Sure, the need to purge/recreate the database is available in the changelog.
With fully automated CIs and package upgrades with tools like dependabot or renovate, dependencies like dependency-check are upgraded to the latest version automatically.

aikebah commented Feb 21, 2025

You can configure those tools to only do automatic bugfix/feature updates and file a PR for major versions, which would always be good practice if you want to have an always-passing CI.
