Currently, services.nvd.nist.gov is returning a 503 error -- and DependencyCheck is immediately retrying the HTTP call up to 32(?) times, which seems like it would just make matters worse. See below.
Should this use an exponential backoff? If there's a property to control this, should the default be a non-zero pause between requests?
2026-04-29 11:31:07,350 INFO AsyncHttpRequestRetryExec - ex-0000000001 https://services.nvd.nist.gov:443 responded with status 503; request will be automatically re-executed in 0 MILLISECONDS (exec count 2)
2026-04-29 11:31:07,448 INFO AsyncHttpRequestRetryExec - ex-0000000001 https://services.nvd.nist.gov:443 responded with status 503; request will be automatically re-executed in 0 MILLISECONDS (exec count 3)
2026-04-29 11:31:07,540 INFO AsyncHttpRequestRetryExec - ex-0000000001 https://services.nvd.nist.gov:443 responded with status 503; request will be automatically re-executed in 0 MILLISECONDS (exec count 4)
2026-04-29 11:31:07,631 INFO AsyncHttpRequestRetryExec - ex-0000000001 https://services.nvd.nist.gov:443 responded with status 503; request will be automatically re-executed in 0 MILLISECONDS (exec count 5)
...
2026-04-29 11:31:10,398 INFO AsyncHttpRequestRetryExec - ex-0000000001 https://services.nvd.nist.gov:443 responded with status 503; request will be automatically re-executed in 0 MILLISECONDS (exec count 31)
2026-04-29 11:31:10,489 WARN NvdApiRetryStrategy - NVD API request failures are occurring; retrying request for the 31st time
2026-04-29 11:31:10,571 ERROR Engine - Error updating the NVD Data
org.owasp.dependencycheck.data.update.exception.UpdateException: Error updating the NVD Data
	at org.owasp.dependencycheck.data.update.NvdApiDataSource.processApi(NvdApiDataSource.java:387)
	at org.owasp.dependencycheck.data.update.NvdApiDataSource.update(NvdApiDataSource.java:128)
	at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:887)
	at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:692)
	at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:619)
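An added illustration, not part of the original report and not DependencyCheck's own code: a capped exponential backoff with jitter, written against Apache HttpClient 5's `HttpRequestRetryStrategy` interface, which is assumed here to be the interface behind the `AsyncHttpRequestRetryExec` lines in the log above. The class name `BackoffRetryStrategy` and its constructor parameters are hypothetical.

```java
import java.io.IOException;
import java.util.concurrent.ThreadLocalRandom;
import org.apache.hc.client5.http.HttpRequestRetryStrategy;
import org.apache.hc.core5.http.Header;
import org.apache.hc.core5.http.HttpHeaders;
import org.apache.hc.core5.http.HttpRequest;
import org.apache.hc.core5.http.HttpResponse;
import org.apache.hc.core5.http.protocol.HttpContext;
import org.apache.hc.core5.util.TimeValue;
/** Hypothetical class: capped exponential backoff with jitter for 429/503 responses. */
public final class BackoffRetryStrategy implements HttpRequestRetryStrategy {
    private final int maxRetries;   // retries allowed after the first attempt
    private final long baseMillis;  // backoff ceiling for the first retry
    private final long capMillis;   // upper bound on the computed backoff

    public BackoffRetryStrategy(int maxRetries, long baseMillis, long capMillis) {
        this.maxRetries = maxRetries;
        this.baseMillis = baseMillis;
        this.capMillis = capMillis;
    }

    @Override  // transport errors; assumes only idempotent GET requests are sent
    public boolean retryRequest(HttpRequest req, IOException ex, int execCount, HttpContext ctx) {
        return execCount <= maxRetries;
    }

    @Override  // execCount is 1 for the first attempt
    public boolean retryRequest(HttpResponse resp, int execCount, HttpContext ctx) {
        int code = resp.getCode();
        return execCount <= maxRetries && (code == 429 || code == 503);
    }

    @Override
    public TimeValue getRetryInterval(HttpResponse resp, int execCount, HttpContext ctx) {
        // Ceiling doubles per attempt: base, 2*base, 4*base, ... up to capMillis.
        int shift = Math.min(Math.max(execCount - 1, 0), 20);
        long ceiling = Math.min(capMillis, baseMillis << shift);
        // Jitter in [ceiling/2, ceiling] so parallel clients do not retry in lockstep.
        long delay = ThreadLocalRandom.current().nextLong(ceiling / 2, ceiling + 1);
        Header h = resp.getFirstHeader(HttpHeaders.RETRY_AFTER);
        if (h != null) {
            try {  // delta-seconds form only; the HTTP-date form is ignored here
                delay = Math.max(delay, Long.parseLong(h.getValue().trim()) * 1000L);
            } catch (NumberFormatException keepComputedBackoff) { }
        }
        return TimeValue.ofMilliseconds(delay);
    }
}
```

A strategy like this is passed to the HttpClient 5 builder with `setRetryStrategy(new BackoffRetryStrategy(5, 1000, 60000))`; those three values are sample settings, not recommendations from the NVD or the project.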