Merge branch 'NvdCheck' of https://github.com/awhitford/DependencyCheck into awhitford-NvdCheck

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java

@@ -45,6 +45,10 @@ public class DatabaseProperties {
      * updates)..
      */
     public static final String MODIFIED = "Modified";
+    /**
+     * The properties file key for the last checked field - used to store the last check time of the Modified NVD CVE xml file.
+     */
+    public static final String LAST_CHECKED = "NVD CVE Checked";
     /**
      * The properties file key for the last updated field - used to store the last updated time of the Modified NVD CVE xml file.
      */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java

@@ -66,9 +66,11 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
     public void update() throws UpdateException {
         try {
             openDataStores();
-            final UpdateableNvdCve updateable = getUpdatesNeeded();
-            if (updateable.isUpdateNeeded()) {
-                performUpdate(updateable);
+            if (checkUpdate()) {
+                final UpdateableNvdCve updateable = getUpdatesNeeded();
+                if (updateable.isUpdateNeeded()) {
+                    performUpdate(updateable);
+                }
             }
         } catch (MalformedURLException ex) {
             LOGGER.warn(
@@ -87,6 +89,35 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
         }
     }
 
+    /**
+     * Checks if the NVD CVE XML files were last checked recently.
+     * As an optimization, we can avoid repetitive checks against the NVD.
+     * Setting CVE_CHECK_VALID_FOR_HOURS determines the duration since last check before checking again.
+     * A database property stores the timestamp of the last check. 
+     *
+     * @return true to proceed with the check, or false to skip.
+     */
+    private boolean checkUpdate () throws UpdateException {
+        boolean proceed = true;
+        // If the valid setting has not been specified, then we proceed to check...
+        final int validForHours = Settings.getInt(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, 0);
+        if (0 < validForHours) {
+            // ms Valid = valid (hours) x 60 min/hour x 60 sec/min x 1000 ms/sec
+            final long msValid = validForHours * 60L * 60L * 1000L;
+            final long lastChecked = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_CHECKED, "0"));
+            final long now = System.currentTimeMillis();
+            proceed = (now - lastChecked) > msValid;
+            if (proceed) {
+                getProperties().save(DatabaseProperties.LAST_CHECKED, Long.toString(now));
+            } else {
+                LOGGER.info("Skipping NVD check since last check was within {} hours.", validForHours);
+                LOGGER.debug("Last NVD was at {}, and now {} is within {} ms.",
+                    lastChecked, now, msValid);
+            }
+        }
+        return proceed;
+    }
+
     /**
      * Downloads the latest NVD CVE XML file from the web and imports it into the current CVE Database.
      *

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DateUtil.java

@@ -36,11 +36,12 @@ public final class DateUtil {
      *
      * @param date the date to be checked.
      * @param compareTo the date to compare to.
-     * @param range the range in days to be considered valid.
+     * @param dayRange the range in days to be considered valid.
      * @return whether or not the date is within the range.
      */
-    public static boolean withinDateRange(long date, long compareTo, int range) {
-        final double differenceInDays = (compareTo - date) / 1000.0 / 60.0 / 60.0 / 24.0;
-        return differenceInDays < range;
+    public static boolean withinDateRange(long date, long compareTo, int dayRange) {
+        // ms = dayRange x 24 hours/day x 60 min/hour x 60 sec/min x 1000 ms/sec
+        final long msRange = dayRange * 24L * 60L * 60L * 1000L;
+        return (compareTo - date) < msRange;
     }
 }

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java

@@ -295,6 +295,11 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
      */
     @Parameter(property = "cveUrl20Base", defaultValue = "", required = false)
     private String cveUrl20Base;
+    /**
+     * Optionally skip excessive CVE update checks for a designated duration in hours.
+     */
+    @Parameter(property = "cveValidForHours", defaultValue = "", required = false)
+    private String cveValidForHours;
 
     /**
      * The path to mono for .NET Assembly analysis on non-windows systems.
@@ -688,6 +693,9 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
         if (cveUrl20Base != null && !cveUrl20Base.isEmpty()) {
             Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
         }
+        if (cveValidForHours != null && !cveValidForHours.isEmpty()) {
+            Settings.setString(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, cveValidForHours);
+        }
     }
 
     /**

dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java

@@ -117,6 +117,10 @@ public final class Settings {
          * The properties key for the URL to retrieve the recently modified and added CVE entries (last 8 days).
          */
         public static final String CVE_MODIFIED_VALID_FOR_DAYS = "cve.url.modified.validfordays";
+        /**
+         * The properties key to control the skipping of the check for CVE updates.
+         */
+        public static final String CVE_CHECK_VALID_FOR_HOURS = "cve.check.validforhours";
         /**
          * The properties key for the telling us how many cve.url.* URLs exists. This is used in combination with CVE_BASE_URL to
          * be able to retrieve the URLs for all of the files that make up the NVD CVE listing.