added property to solve issue #500

Jeremy Long
2016-06-18 07:32:57 -04:00
parent 9be91474f6
commit 35cc14815e
3 changed files with 14 additions and 1 deletions


@@ -22,6 +22,7 @@ import java.util.ArrayList;
import java.util.List;
import org.owasp.dependencycheck.data.update.NvdCveUpdater;
import org.owasp.dependencycheck.data.update.exception.InvalidDataException;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xml.sax.Attributes;
@@ -39,6 +40,10 @@ public class CPEHandler extends DefaultHandler {
* The current CPE schema.
*/
private static final String CURRENT_SCHEMA_VERSION = "2.3";
/**
* The Starts with expression to filter CVE entries by CPE.
*/
private static final String CPE_STARTS_WITH = Settings.getString(Settings.KEYS.CVE_CPE_STARTS_WITH_FILTER,"cpe:/a:");
/**
* The text content of the node being processed. This can be used during the end element event.
*/
@@ -82,7 +87,7 @@ public class CPEHandler extends DefaultHandler {
final String temp = attributes.getValue("deprecated");
final String value = attributes.getValue("name");
final boolean delete = "true".equalsIgnoreCase(temp);
if (!delete && value.startsWith("cpe:/a:") && value.length() > 7) {
if (!delete && value.startsWith(CPE_STARTS_WITH) && value.length() > 7) {
try {
final Cpe cpe = new Cpe(value);
data.add(cpe);
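Review bot: The length guard in the changed condition still hard-codes 7, the length of the old literal `cpe:/a:`, so it no longer tracks the configurable prefix; `value.length() > CPE_STARTS_WITH.length()` keeps the "more than just the prefix" check correct for any setting. `attributes.getValue("name")` returns null when the attribute is absent, so a `value != null` test before `startsWith` would avoid a NullPointerException on a malformed dictionary entry. `CPE_STARTS_WITH` is a `static final` read from `Settings` when the class initialises, so it presumably needs Settings to be initialised before this class loads and will ignore later changes; that is worth confirming against the callers. The enclosing method and the `try` block continue outside the hunk.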


@@ -59,6 +59,7 @@ cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz
#cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
#cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
cve.cpe.startswith.filter=cpe:/a:
cpe.validfordays=30
cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz
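Review bot: The new `cve.cpe.startswith.filter` key is added without a comment, although its value decides which entries are imported; a line above it such as `# only CPE names starting with this prefix are imported; 'cpe:/a:' = applications only` would make the default's effect visible to whoever edits this file. Separately, the neighbouring `cpe.url` context line fetches the CPE dictionary over plain `http://` while the active CVE URLs use `https://`. That is not part of this change, but it is worth a follow-up because the downloaded data has no transport integrity protection.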


@@ -99,6 +99,13 @@ public final class Settings {
* The database schema version.
*/
public static final String DB_VERSION = "data.version";
/**
* The starts with filter used to exclude CVE entries from the database.
* By default this is set to 'cpe:/a:' which limits the CVEs imported to
* just those that are related to applications. If this were set to just
* 'cpe:' the OS, hardware, and application related CVEs would be imported.
*/
public static final String CVE_CPE_STARTS_WITH_FILTER = "cve.cpe.startswith.filter";
/**
* The properties key for the URL to retrieve the "meta" data from about the CVE entries.
*/
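Review bot: The Javadoc on `CVE_CPE_STARTS_WITH_FILTER` says the filter excludes CVE entries from the database, but the only consumer visible in this commit is `CPEHandler`, which applies it to the `name` attribute of CPE entries. If CVE import is not filtered elsewhere, the comment overstates the effect; wording such as `The prefix a CPE name must start with to be imported` matches what the visible code does. It would also help to state that the value is compared with `startsWith`, so a widened value such as 'cpe:' changes which products later analysis can match.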