dependency-check · jeremylong · Nov 18, 2025 · May 5, 2025 · May 7, 2025 · May 7, 2025
diff --git a/core/src/main/java/org/owasp/dependencycheck/data/update/NvdApiDataSource.java b/core/src/main/java/org/owasp/dependencycheck/data/update/NvdApiDataSource.java
@@ -316,11 +316,12 @@ private boolean processApi() throws UpdateException {
             //using a higher delay as the system may not be able to process these faster.
             builder.withApiKey(key)
                     .withDelay(5000)
-                    .withThreadCount(4);
+                    .withrequestsPerThirtySeconds(settings.getInt(Settings.KEYS.NVD_API_REQUESTS_PER_30_SECONDS_WITH_API_KEY, 50));
         } else {
             LOGGER.warn("An NVD API Key was not provided - it is highly recommended to use "
                     + "an NVD API key as the update can take a VERY long time without an API Key");
-            builder.withDelay(10000);
+            builder.withDelay(10000)
+                    .withrequestsPerThirtySeconds(settings.getInt(Settings.KEYS.NVD_API_REQUESTS_PER_30_SECONDS_WITHOUT_API_KEY, 5));
         }
 
         final int resultsPerPage = Math.min(settings.getInt(Settings.KEYS.NVD_API_RESULTS_PER_PAGE, RESULTS_PER_PAGE), RESULTS_PER_PAGE);

diff --git a/core/src/main/resources/dependencycheck.properties b/core/src/main/resources/dependencycheck.properties
@@ -56,6 +56,8 @@ nvd.api.check.validforhours=4
 nvd.api.datafeed.validfordays=7
 nvd.api.max.retry.count=30
 nvd.api.delay=0
+nvd.api.requestsperthirtysecondswithoutapikey=5
+nvd.api.requestsperthirtysecondswithapikey=50
 #nvd.api.datafeed.url=https://example.com/nvd-cache/
 #nvd.api.datafeed.user=
 #nvd.api.datafeed.password=

diff --git a/core/src/test/resources/dependencycheck.properties b/core/src/test/resources/dependencycheck.properties
@@ -52,6 +52,8 @@ nvd.api.check.validforhours=4
 nvd.api.datafeed.validfordays=7
 nvd.api.max.retry.count=30
 nvd.api.delay=0
+nvd.api.requestsperthirtysecondswithoutapikey=5
+nvd.api.requestsperthirtysecondswithapikey=50
 #nvd.api.datafeed.url=https://example.com/nvd-cache/
 #nvd.api.datafeed.user=
 #nvd.api.datafeed.password=

diff --git a/pom.xml b/pom.xml
@@ -924,7 +924,7 @@ Copyright (c) 2012 - Jeremy Long
             <dependency>
                 <groupId>io.github.jeremylong</groupId>
                 <artifactId>open-vulnerability-clients</artifactId>
-                <version>7.3.2</version>
+                <version>8.0.0</version>
             </dependency>
             <dependency>
                 <groupId>org.anarres.jdiagnostics</groupId>

diff --git a/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
@@ -173,6 +173,14 @@ public static final class KEYS {
          * The delay between requests for the NVD API.
          */
         public static final String NVD_API_DELAY = "nvd.api.delay";
+        /**
+         * The number of requests made to the NVD API per 30 seconds when no API KEY is provided.
+         */
+        public static final String NVD_API_REQUESTS_PER_30_SECONDS_WITHOUT_API_KEY = "nvd.api.requestsperthirtysecondswithoutapikey";
+        /**
+         * The number of requests made to the NVD API per 30 seconds when an API KEY is provided.
+         */
+        public static final String NVD_API_REQUESTS_PER_30_SECONDS_WITH_API_KEY = "nvd.api.requestsperthirtysecondswithapikey";
         /**
          * The maximum number of retry requests for a single call to the NVD
          * API.

diff --git a/utils/src/test/resources/dependencycheck.properties b/utils/src/test/resources/dependencycheck.properties
@@ -52,6 +52,8 @@ nvd.api.check.validforhours=4
 nvd.api.datafeed.validfordays=7
 nvd.api.max.retry.count=30
 nvd.api.delay=0
+nvd.api.requestsperthirtysecondswithoutapikey=5
+nvd.api.requestsperthirtysecondswithapikey=50
 #nvd.api.datafeed.url=https://example.com/nvd-cache/
 #nvd.api.datafeed.user=
 #nvd.api.datafeed.password=