Configure National Vulnerability Database (NVD) Synchronization

YourSky.blue logo

Overview

Dependency-Track integrates with the National Vulnerability Database (NVD) to provide up-to-date CVE and vulnerability information.

This guide explains how to configure and verify NVD synchronization in your Dependency Track SaaS instance.

Prerequisites

Before configuring NVD synchronization, ensure you have:

  • Access to the Dependency-Track Administration panel
  • An NVD API key. You can request a free NVD API Key for your organization.

Configuration Steps

Dependency-Track administration page showing the National Vulnerability Database (NVD) configuration settings, including API key input field and synchronization options.

1. Open NVD Configuration

Navigate to: Administration > Vulnerability Sources > National Vulnerability Database

2. Configure API Key

Enter your NVD API key in the API Key field.

3. Enable Synchronization

Ensure that both National Vulnerability Database mirroring and mirroring via API are enabled in your configuration.

This allows Dependency-Track to regularly retrieve updated vulnerability data from NVD.

4. Save Changes

Click Update to apply your configuration.

Synchronization will begin automatically after saving. No manual intervention is required after this initial setup.

Synchronization Timing

After enabling or updating the configuration:

  • Initial synchronization may take some time to complete
  • Subsequent updates occur automatically on a regular schedule

Data Consistency

Minor differences between your local data and the NVD database may occur due to synchronization timing. This is expected behavior.

If you observe significant or persistent discrepancies, review your configuration or contact support.

Troubleshooting

No vulnerability data is appearing

Check that:

  • The NVD API key is correctly configured
  • Synchronization is enabled
  • The system has completed its initial synchronization cycle and displays a recent date in Last Modification field

Data appears outdated

  • Ensure synchronization is enabled
  • Verify that the API key is valid
  • Click on Update button
  • Allow time for the next update cycle to complete

Missing or incomplete results

Side-by-side comparison of vulnerability counts between Dependency-Track local instance and the National Vulnerability Database (NVD) dashboard, highlighting differences in reported CVE totals.
  • Compare your CVE count with the official NVD dashboard
  • If the Last Modification field in Administration > Vulnerability Sources > National Vulnerability Database shows a recent date but a significant number of CVEs are still missing, you may need to reinitialize synchronization by clearing the Last Modification field and clicking the Update button.

If you need assistance, please contact the support team.

Contact us