From 1f6168366bf508e8ed7c86931468dd0091f1b24e Mon Sep 17 00:00:00 2001
From: Anthony Whitford
Date: Wed, 21 Oct 2015 23:23:47 -0700
Subject: [PATCH] Added logic to optionally prevent overly repetitive checks for NVD CVE changes.
---
 .../data/update/NvdCveUpdater.java | 37 +++++++++++++++++--
 1 file changed, 34 insertions(+), 3 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
index 570c542ea..3b3215e94 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
@@ -66,9 +66,11 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
 public void update() throws UpdateException {
 try {
 openDataStores();
- final UpdateableNvdCve updateable = getUpdatesNeeded();
- if (updateable.isUpdateNeeded()) {
- performUpdate(updateable);
+ if (checkUpdate()) {
+ final UpdateableNvdCve updateable = getUpdatesNeeded();
+ if (updateable.isUpdateNeeded()) {
+ performUpdate(updateable);
+ }
 }
 } catch (MalformedURLException ex) {
 LOGGER.warn(
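Review bot: The last-checked timestamp is written inside `checkUpdate()` (added in the second hunk) before `getUpdatesNeeded()` and `performUpdate(updateable)` have run, so an update that fails after the `if (checkUpdate())` guard still counts as a completed check. The visible `MalformedURLException` handler only logs a warning, which suggests a failed run then suppresses every retry for CVE_CHECK_VALID_FOR_HOURS while scans keep reporting against stale NVD data. Keep `checkUpdate()` a pure predicate and record the time only once the guarded block has finished without an exception, e.g. `getProperties().save(DatabaseProperties.LAST_CHECKED, Long.toString(System.currentTimeMillis()));` as the last statement inside `if (checkUpdate()) { ... }`. The remaining handlers of `update()` lie outside this hunk, so confirm none of them already resets the property on failure.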
@@ -87,6 +89,35 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
 }
 }
 
+ /**
+ * Checks if the NVD CVE XML files were last checked recently.
+ * As an optimization, we can avoid repetitive checks against the NVD.
+ * Setting CVE_CHECK_VALID_FOR_HOURS determines the duration since last check before checking again.
+ * A database property stores the timestamp of the last check.
+ *
+ * @return true to proceed with the check, or false to skip.
+ */
+ private boolean checkUpdate () throws UpdateException {
+ boolean proceed = true;
+ // If the valid setting has not been specified, then we proceed to check...
+ final int validForHours = Settings.getInt(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, 0);
+ if (0 < validForHours) {
+ // ms Valid = valid (hours) x 60 min/hour x 60 sec/min x 1000 ms/sec
+ final long msValid = validForHours * 60L * 60L * 1000L;
+ final long lastChecked = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_CHECKED, "0"));
+ final long now = System.currentTimeMillis();
+ proceed = (now - lastChecked) > msValid;
+ if (proceed) {
+ getProperties().save(DatabaseProperties.LAST_CHECKED, Long.toString(now));
+ } else {
+ LOGGER.info("Skipping NVD check since last check was within {} hours.", validForHours);
+ LOGGER.debug("Last NVD was at {}, and now {} is within {} ms.",
+ lastChecked, now, msValid);
+ }
+ }
+ return proceed;
+ }
+
 /**
 * Downloads the latest NVD CVE XML file from the web and imports it into the current CVE Database.
 *
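Review bot: `Long.parseLong(...)` on the stored `DatabaseProperties.LAST_CHECKED` value and the comparison `(now - lastChecked) > msValid` both trust that property to hold a sane past timestamp. A non-numeric value raises an unchecked `NumberFormatException` rather than the declared `UpdateException`, and a value later than `now` (clock set back, or a database copied from another machine) makes the difference negative, so the NVD check is skipped until the clock catches up. Fail toward checking: treat an unparsable value as `0` and use `proceed = lastChecked > now || (now - lastChecked) > msValid;`. The javadoc should also gain a `@throws UpdateException` line stating when it is thrown, and the debug message is missing a word (`"Last NVD check was at {}, ..."`).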