diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/CPEHandler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/CPEHandler.java
index 87392bc4c..24293b969 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/CPEHandler.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/CPEHandler.java
@@ -22,6 +22,7 @@ import java.util.ArrayList;
import java.util.List;
import org.owasp.dependencycheck.data.update.NvdCveUpdater;
import org.owasp.dependencycheck.data.update.exception.InvalidDataException;
+import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xml.sax.Attributes;
@@ -39,6 +40,10 @@ public class CPEHandler extends DefaultHandler {
* The current CPE schema.
*/
private static final String CURRENT_SCHEMA_VERSION = "2.3";
+ /**
+ * The Starts with expression to filter CVE entries by CPE.
+ */
+ private static final String CPE_STARTS_WITH = Settings.getString(Settings.KEYS.CVE_CPE_STARTS_WITH_FILTER,"cpe:/a:");
/**
* The text content of the node being processed. This can be used during the end element event.
*/
@@ -82,7 +87,7 @@ public class CPEHandler extends DefaultHandler {
final String temp = attributes.getValue("deprecated");
final String value = attributes.getValue("name");
final boolean delete = "true".equalsIgnoreCase(temp);
- if (!delete && value.startsWith("cpe:/a:") && value.length() > 7) {
+ if (!delete && value.startsWith(CPE_STARTS_WITH) && value.length() > 7) {
try {
final Cpe cpe = new Cpe(value);
data.add(cpe);
diff --git a/dependency-check-core/src/main/resources/dependencycheck.properties b/dependency-check-core/src/main/resources/dependencycheck.properties
index a0a1fd3e7..def5b8d86 100644
--- a/dependency-check-core/src/main/resources/dependencycheck.properties
+++ b/dependency-check-core/src/main/resources/dependencycheck.properties
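Review bot: In the third hunk the guard `value.length() > 7` is still the length of the removed literal `"cpe:/a:"`, so once the prefix comes from `CPE_STARTS_WITH` the two halves of the condition no longer agree: a longer configured prefix lets a name with nothing after it through, and a shorter one such as `cpe:` keeps a bound that has no meaning for it. Tie the bound to the prefix instead, `if (!delete && value.startsWith(CPE_STARTS_WITH) && value.length() > CPE_STARTS_WITH.length()) {`. In the second hunk the prefix is read in a static initializer, so if I read `Settings.getString` correctly it is resolved once when the class loads and a later change to that setting in the same JVM would not be picked up; a comment on the field saying so, or an instance-level read, would make that explicit. The enclosing method of the third hunk starts and ends outside the hunk.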
@@ -59,6 +59,7 @@ cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz
#cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
#cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
+cve.cpe.startswith.filter=cpe:/a:
cpe.validfordays=30
cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
index 924e355cd..807b027ed 100644
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
@@ -99,6 +99,13 @@ public final class Settings {
* The database schema version.
*/
public static final String DB_VERSION = "data.version";
+ /**
+ * The starts with filter used to exclude CVE entries from the database.
+ * By default this is set to 'cpe:/a:' which limits the CVEs imported to
+ * just those that are related to applications. If this were set to just
+ * 'cpe:' the OS, hardware, and application related CVEs would be imported.
+ */
+ public static final String CVE_CPE_STARTS_WITH_FILTER = "cve.cpe.startswith.filter";
/**
* The properties key for the URL to retrieve the "meta" data from about the CVE entries.
*/
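Review bot: The Javadoc on `CVE_CPE_STARTS_WITH_FILTER` describes an exclusion filter on CVE entries, but the only consumer this commit shows is `CPEHandler`, where the value is an inclusion test on CPE dictionary names (`value.startsWith(CPE_STARTS_WITH)`), so the wording is inverted and names the wrong object. Suggested replacement for the first sentence: `Prefix a CPE name must start with to be imported from the CPE dictionary; entries that do not match are skipped.` It is also worth stating the operational consequence, since from the visible lines a non-matching name is simply dropped without any log: `A narrower prefix than the default silently reduces what a scan can match; only 'cpe:' imports OS, hardware and application entries alike.` The key name `cve.cpe.startswith.filter` carries the same CVE/CPE confusion but renaming it now would break configuration, so the Javadoc is the place to set the reader straight.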