diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java index 037da7564..30ab437d1 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java @@ -69,10 +69,11 @@ public class CveDB { private ResourceBundle statementBundle = null; /** - * Creates a new CveDB object and opens the database connection. Note, the connection must be closed by the caller by calling - * the close method. + * Creates a new CveDB object and opens the database connection. Note, the + * connection must be closed by the caller by calling the close method. * - * @throws DatabaseException thrown if there is an exception opening the database. + * @throws DatabaseException thrown if there is an exception opening the + * database. */ public CveDB() throws DatabaseException { super(); @@ -103,9 +104,11 @@ public class CveDB { } /** - * Opens the database connection. If the database does not exist, it will create a new one. + * Opens the database connection. If the database does not exist, it will + * create a new one. * - * @throws DatabaseException thrown if there is an error opening the database connection + * @throws DatabaseException thrown if there is an error opening the + * database connection */ public final void open() throws DatabaseException { if (!isOpen()) { @@ -114,7 +117,8 @@ public class CveDB { } /** - * Closes the DB4O database. Close should be called on this object when it is done being used. + * Closes the DB4O database. Close should be called on this object when it + * is done being used. */ public void close() { if (conn != null) { @@ -165,7 +169,8 @@ public class CveDB { super.finalize(); } /** - * Database properties object containing the 'properties' from the database table. + * Database properties object containing the 'properties' from the database + * table. */ private DatabaseProperties databaseProperties; @@ -179,11 +184,13 @@ public class CveDB { } /** - * Searches the CPE entries in the database and retrieves all entries for a given vendor and product combination. The returned - * list will include all versions of the product that are registered in the NVD CVE data. + * Searches the CPE entries in the database and retrieves all entries for a + * given vendor and product combination. The returned list will include all + * versions of the product that are registered in the NVD CVE data. * * @param vendor the identified vendor name of the dependency being analyzed - * @param product the identified name of the product of the dependency being analyzed + * @param product the identified name of the product of the dependency being + * analyzed * @return a set of vulnerable software */ public Set getCPEs(String vendor, String product) { @@ -215,7 +222,8 @@ public class CveDB { * Returns the entire list of vendor/product combinations. * * @return the entire list of vendor/product combinations - * @throws DatabaseException thrown when there is an error retrieving the data from the DB + * @throws DatabaseException thrown when there is an error retrieving the + * data from the DB */ public Set> getVendorProductList() throws DatabaseException { final Set> data = new HashSet>(); @@ -438,7 +446,8 @@ public class CveDB { } /** - * Updates the vulnerability within the database. If the vulnerability does not exist it will be added. + * Updates the vulnerability within the database. If the vulnerability does + * not exist it will be added. * * @param vuln the vulnerability to add to the database * @throws DatabaseException is thrown if the database @@ -565,12 +574,20 @@ public class CveDB { } else { insertSoftware.setString(3, s.getPreviousVersion()); } - insertSoftware.execute(); + try { + insertSoftware.execute(); + } catch (SQLException ex) { + if (ex.getMessage().contains("Duplicate entry")) { + final String msg = String.format("Duplicate software key identified in '%s:%s'", vuln.getName(), s.getName()); + LOGGER.debug(msg, ex); + } else { + throw ex; + } + } } - } catch (SQLException ex) { final String msg = String.format("Error updating '%s'", vuln.getName()); - LOGGER.debug("", ex); + LOGGER.debug(msg, ex); throw new DatabaseException(msg, ex); } finally { DBUtils.closeStatement(selectVulnerabilityId); @@ -623,8 +640,9 @@ public class CveDB { } /** - * It is possible that orphaned rows may be generated during database updates. This should be called after all updates have - * been completed to ensure orphan entries are removed. + * It is possible that orphaned rows may be generated during database + * updates. This should be called after all updates have been completed to + * ensure orphan entries are removed. */ public void cleanupDatabase() { PreparedStatement ps = null; @@ -642,13 +660,17 @@ public class CveDB { } /** - * Determines if the given identifiedVersion is affected by the given cpeId and previous version flag. A non-null, non-empty - * string passed to the previous version argument indicates that all previous versions are affected. + * Determines if the given identifiedVersion is affected by the given cpeId + * and previous version flag. A non-null, non-empty string passed to the + * previous version argument indicates that all previous versions are + * affected. * * @param vendor the vendor of the dependency being analyzed * @param product the product name of the dependency being analyzed - * @param vulnerableSoftware a map of the vulnerable software with a boolean indicating if all previous versions are affected - * @param identifiedVersion the identified version of the dependency being analyzed + * @param vulnerableSoftware a map of the vulnerable software with a boolean + * indicating if all previous versions are affected + * @param identifiedVersion the identified version of the dependency being + * analyzed * @return true if the identified version is affected, otherwise false */ Entry getMatchingSoftware(Map vulnerableSoftware, String vendor, String product, @@ -715,7 +737,8 @@ public class CveDB { } /** - * Parses the version (including revision) from a CPE identifier. If no version is identified then a '-' is returned. + * Parses the version (including revision) from a CPE identifier. If no + * version is identified then a '-' is returned. * * @param cpeStr a cpe identifier * @return a dependency version @@ -732,7 +755,8 @@ public class CveDB { } /** - * Takes a CPE and parses out the version number. If no version is identified then a '-' is returned. + * Takes a CPE and parses out the version number. If no version is + * identified then a '-' is returned. * * @param cpe a cpe object * @return a dependency version @@ -771,7 +795,8 @@ public class CveDB { } /** - * This method is only referenced in unused code and will likely break on MySQL if ever used due to the MERGE statement. + * This method is only referenced in unused code and will likely break on + * MySQL if ever used due to the MERGE statement. * * Merges CPE entries into the database. *