Is there any way to use depcheck with NVD data from zipped json instead of the data feed?

[shikida]

It's just easier to download the NVD data from zipped json files from https://nvd.nist.gov/vuln/data-feeds sometimes.

Is there any option currently to use data from https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.zip (for example) instead of NVD APIs? (which demands API key)

If not, anyone can point in the source code where I could implement such a change?

thanks

Leo

[aikebah]

After version 8.4.3 the switch to the API was made in response to NVD indicating that the datafeeds would soon be dismantled and replaced by the API.

Overall putting some automation to get the API contents populated to a locally cached NVD CVE-db and running ODC (without updating) against that local cache is a more future-proof setup, which would still isolate temporary NVD troubles like the past few days from your build-jobs (only your 'update the cached data job' would be in trouble, all your CI/build jobs would run fine (only lacking new CVEs that cannot also be discovered on other sources than the NVD).

On our (my day-job) build-CI we have one job taking care of updating the CVEdb with NVD data (which is currently frequently and in past intermittently failing). All software builds are re-using this prepopulated database and run in no-update mode.