Question
How often does the Contrast UI refresh SCA library information?
Answer
The Contrast UI populates library data from a proprietary repository (referred to internally as "Ardy"). The Ardy repository is in turn populated from several public-facing repositories (such as Nuget and Maven Central) on a daily cadence for most languages (or every 6 hours for NodeJS and PHP) but also manually as required when high-profile vulnerabilities come to light (such as the relatively recent Log4j2 vulnerability).
The Contrast UI polls Ardy every 10 minutes for libraries which don't already exist on the system, or for libraries that are unknown. It then caches for 24 hours following that update, after which it re-polls Ardy for any changes.
As a result, an existing library may be 24 hours out-of-step with the content in Ardy, but any newly discovered libraries will be no more than 10 minutes out-of-date.
The exception to this cadence is that if a new CVE is added then the update will be made within 60 minutes of the change being made in Ardy.