# caching
s
This message was deleted.
t
just ask the question and then folks can redirect you if necessary 🙂
✅ 1
j
We’re running tasks with the following configuration inside a Docker container for CI builds.
```groovy
apply plugin: 'org.owasp.dependencycheck'

dependencyCheck {
    failOnError = false
    suppressionFile = new File("${projectDir}/config/owasp/suppressions.xml")
    scanConfigurations = [ 'runtimeClasspath' ]
    format = 'ALL'
    outputDirectory = "${projectDir}/build/reports/owasp"
}
```
```groovy
pipeline {
  options {
    disableConcurrentBuilds()
    timeout(time: 10, unit: 'MINUTES')
    buildDiscarder(logRotator(artifactNumToKeepStr: '1'))
  }
  agent {
    docker {
      image 'adoptopenjdk/openjdk8'
      args '-u root:root'
    }
  }
```
```groovy
    stage('security audit') {
      steps {
        sh './gradlew dependencyCheckAnalyze'
        dependencyCheckPublisher pattern: 'build/reports/owasp/dependency-check-report.xml'
        publishHTML target: [ reportName: 'OWASP', reportDir: 'build/reports', reportFiles: 'owasp/dependency-check-report.html' ]
      }
    }
```
Thing is… the `dependencyCheckAnalyze` stage takes 3-5 minutes every time… but that’s because it seems to be downloading CVEs and creating the database.
However… we tried caching (as much as “all of”) `.gradle` and the cache dot directory for OWASP as mounts in the Docker container… aaand the build used them… but it didn’t seem to make anything any faster.
Locally, running `dependencyCheckAnalyze` in a shell only takes a long time if you burn the cache directories… but it’s seconds-fast when you don’t.
e
I believe it is fast because it has a default setting of 24 hours to re-download databases. So most probably your CI doesn't cache the location of that plugin, or the plugin doesn't use the usual Gradle cache mechanism.
j
@Eug It seems to be re-creating the database even when the builds are run minutes apart, though.
Something we’re not observing in a shell environment (even on the same machine hosting the Jenkins instance and Docker containers).
e
And here it looks like the place where they keep the cache: https://github.com/jeremylong/DependencyCheck/issues/2146
I would create a ticket on GitHub as a question about the Gradle standard caching mechanism and ask if they support it. The plugin looks like just a wrapper around the tool. So most probably the plugin doesn't cache anything in Gradle and just relies on the tool's internal caching.