dependency-check-gradle
Lots of NVD API request failures
I need some pointers on how to set up the dependency check in my multi-module Android project reliably. I am using version 9.0.9. I have around 30 modules, and often I get NVD API request failures where it returns 503. This has been happening for months now; sometimes my build turns green, only to fail again the next day. I apply the following to every gradle module (but not the root):
```kotlin
import org.gradle.api.Project

// Assumed: startsWithAny is a project-local helper (it is not part of the Kotlin stdlib).
private fun String.startsWithAny(vararg prefixes: String): Boolean =
    prefixes.any { startsWith(it) }

fun Project.configureOwaspDependencyCheck() {
    pluginManager.apply("org.owasp.dependencycheck")
    dependencyCheck {
        // Fail the build on any finding, whatever its CVSS score.
        failBuildOnCVSS = 0f
        // Scan only this module's non-test, non-debug *DependenciesMetadata configurations.
        scanConfigurations = configurations.filter {
            !it.name.startsWithAny("androidTest", "test", "debug") &&
                it.name.contains("DependenciesMetadata") && (
                    it.name.startsWithAny("api", "implementation", "runtimeOnly") ||
                        it.name.contains("Api") ||
                        it.name.contains("Implementation") ||
                        it.name.contains("RuntimeOnly")
                    )
        }.map { it.name }
        nvd.apiKey = NVDApiKey // NVDApiKey is provided elsewhere in the build
        nvd.maxRetryCount = 1
        nvd.delay = 10000
        nvd.validForHours = 24
        suppressionFile = "${rootProject.projectDir}/owasp_dependency_check_suppression.xml"
    }
}
```
As you can see, I do use an API key to make sure we do not get throttled too much.
When I run the `dependencyCheckAnalyze` command I often get a lot of this:
```
NVD API request failures are occurring; retrying request for the 1 time
NVD API request failures are occurring; retrying request for the 1 time
NVD API request failures are occurring; retrying request for the 1 time
NVD API request failures are occurring; retrying request for the 1 time
NVD API request failures are occurring; retrying request for the 1 time
NVD API request failures are occurring; retrying request for the 1 time
NVD API request failures are occurring; retrying request for the 1 time
NVD API request failures are occurring; retrying request for the 1 time
NVD API request failures are occurring; retrying request for the 1 time
NVD API request failures are occurring; retrying request for the 1 time
NVD API request failures are occurring; retrying request for the 1 time
NVD API request failures are occurring; retrying request for the 1 time
```
etc...
I am a bit confused why it is failing this much; to me it looks like perhaps the update is happening in parallel because I have multiple modules, and is therefore failing somehow.
I did read that the gradle command `dependencyCheckAggregate` is for multi-project builds. Would that help? Also, how would I go about setting it up? If I apply it to all projects, it will simply run `dependencyCheckAggregate` for all projects (which I probably do not want; I want to trigger it from the root). If I only apply the plugin to the root project, it will not have a good effect, as `scanConfigurations` will not be configured properly. Does someone have any kind of example of how to set it up? (I searched and I could not find a single example with multiple Android modules that were configured properly, just some "use this and that" pointers.)
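One way to drive a single `dependencyCheckAggregate` run from the root project while keeping the same configuration-name filter, as an added example that is neither the issue author's code nor the plugin's own documentation. It assumes the plugin is applied to the root project only, that the NVD key is read from an `NVD_API_KEY` environment variable, and that the subprojects' configuration names can be collected once all projects have been evaluated.

```kotlin
// Root build.gradle.kts (added example; names marked "assumed" are not from the issue).
plugins {
    id("org.owasp.dependencycheck") version "9.0.9"
}

// The same selection rule as the per-module snippet, expressed on a bare configuration
// name so it can be applied to any subproject's configurations from the root.
fun shouldScan(name: String): Boolean {
    val excludedPrefixes = listOf("androidTest", "test", "debug")
    val includedPrefixes = listOf("api", "implementation", "runtimeOnly")
    return excludedPrefixes.none { name.startsWith(it) } &&
        name.contains("DependenciesMetadata") &&
        (includedPrefixes.any { name.startsWith(it) } ||
            name.contains("Api") ||
            name.contains("Implementation") ||
            name.contains("RuntimeOnly"))
}

dependencyCheck {
    failBuildOnCVSS = 0f
    // Assumed: the key is injected through the environment rather than a build property.
    nvd.apiKey = System.getenv("NVD_API_KEY") ?: ""
    nvd.maxRetryCount = 1
    nvd.delay = 10000
    nvd.validForHours = 24
    suppressionFile = "${rootProject.projectDir}/owasp_dependency_check_suppression.xml"
}

// Subproject configurations only exist once those projects have been evaluated, so the
// list of names to scan is computed after the whole build has been configured. The
// aggregate task then reads that single list for every subproject it visits.
gradle.projectsEvaluated {
    dependencyCheck.scanConfigurations = subprojects
        .flatMap { sub -> sub.configurations.names.filter(::shouldScan) }
        .distinct()
}
```

Run it with `./gradlew dependencyCheckAggregate` from the root and drop the per-module `configureOwaspDependencyCheck()` call, so that one analysis task runs per build instead of one per module.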