added property to solve issue #500

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/CPEHandler.java

@@ -22,6 +22,7 @@ import java.util.ArrayList;
 import java.util.List;
 import org.owasp.dependencycheck.data.update.NvdCveUpdater;
 import org.owasp.dependencycheck.data.update.exception.InvalidDataException;
+import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.xml.sax.Attributes;
@@ -39,6 +40,10 @@ public class CPEHandler extends DefaultHandler {
      * The current CPE schema.
      */
     private static final String CURRENT_SCHEMA_VERSION = "2.3";
+    /**
+     * The Starts with expression to filter CVE entries by CPE.
+     */
+    private static final String CPE_STARTS_WITH = Settings.getString(Settings.KEYS.CVE_CPE_STARTS_WITH_FILTER,"cpe:/a:");
     /**
      * The text content of the node being processed. This can be used during the end element event.
      */
@@ -82,7 +87,7 @@ public class CPEHandler extends DefaultHandler {
             final String temp = attributes.getValue("deprecated");
             final String value = attributes.getValue("name");
             final boolean delete = "true".equalsIgnoreCase(temp);
-            if (!delete && value.startsWith("cpe:/a:") && value.length() > 7) {
+            if (!delete && value.startsWith(CPE_STARTS_WITH) && value.length() > 7) {
                 try {
                     final Cpe cpe = new Cpe(value);
                     data.add(cpe);

dependency-check-core/src/main/resources/dependencycheck.properties

@@ -59,6 +59,7 @@ cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz
 #cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
 cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
 #cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
+cve.cpe.startswith.filter=cpe:/a:
 
 cpe.validfordays=30
 cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz

dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java

@@ -99,6 +99,13 @@ public final class Settings {
          * The database schema version.
          */
         public static final String DB_VERSION = "data.version";
+        /**
+         * The starts with filter used to exclude CVE entries from the database.
+         * By default this is set to 'cpe:/a:' which limits the CVEs imported to 
+         * just those that are related to applications. If this were set to just 
+         * 'cpe:' the OS, hardware, and application related CVEs would be imported.
+         */
+        public static final String CVE_CPE_STARTS_WITH_FILTER = "cve.cpe.startswith.filter";
         /**
          * The properties key for the URL to retrieve the "meta" data from about the CVE entries.
          */