added enabled properties per issue #612

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java

@@ -53,8 +53,10 @@ import org.xml.sax.SAXException;
  * this class is not currently used. The code is being kept as a future update
  * may utilize more data from the CPE XML files.
  *
+ * @deprecated the CPE updater is not currently used.
  * @author Jeremy Long
  */
+@Deprecated
 public class CpeUpdater extends BaseUpdater implements CachedWebDataSource {
 
     /**
@@ -64,6 +66,17 @@ public class CpeUpdater extends BaseUpdater implements CachedWebDataSource {
 
     @Override
     public void update() throws UpdateException {
+        /*
+        //the following could be used if this were ever used.
+        try {
+            if (!Settings.getBoolean(Settings.KEYS.UPDATE_NVDCVE_ENABLED, true)) {
+                return;
+            }
+        } catch (InvalidSettingException ex) {
+            LOGGER.trace("inavlid setting UPDATE_NVDCVE_ENABLED", ex);
+        }
+         */
+
         try {
             openDataStores();
             if (updateNeeded()) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java

@@ -67,6 +67,14 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
      */
     @Override
     public void update() throws UpdateException {
+        try {
+            if (!Settings.getBoolean(Settings.KEYS.UPDATE_NVDCVE_ENABLED, true)) {
+                return;
+            }
+        } catch (InvalidSettingException ex) {
+            LOGGER.trace("inavlid setting UPDATE_NVDCVE_ENABLED", ex);
+        }
+
         try {
             openDataStores();
             boolean autoUpdate = true;

dependency-check-core/src/main/resources/dependencycheck.properties

@@ -53,6 +53,8 @@ cve.startyear=2002
 # the path to the modified nvd cve xml file.
 cve.url-1.2.modified=https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
 #cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
+#the original URL and modified URL should be the same; this is used to detect if we are using an internal NVD CVE copy
+cve.url-2.0.original=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
 cve.url-2.0.modified=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
 #cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
 cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz
@@ -110,3 +112,5 @@ analyzer.filename.enabled=true
 analyzer.hint.enabled=true
 analyzer.nvdcve.enabled=true
 analyzer.vulnerabilitysuppression.enabled=true
+updater.nvdcve.enabled=true
+updater.versioncheck.enabled=true

dependency-check-core/src/test/resources/dependencycheck.properties

@@ -48,6 +48,8 @@ cve.startyear=2014
 # the path to the modified nvd cve xml file.
 cve.url-1.2.modified=https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
 #cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
+#the original URL and modified URL should be the same; this is used to detect if we are using an internal NVD CVE copy
+cve.url-2.0.original=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
 cve.url-2.0.modified=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
 #cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
 cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz
@@ -109,3 +111,5 @@ analyzer.filename.enabled=true
 analyzer.hint.enabled=true
 analyzer.nvdcve.enabled=true
 analyzer.vulnerabilitysuppression.enabled=true
+updater.nvdcve.enabled=true
+updater.versioncheck.enabled=true

dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java

@@ -109,13 +109,21 @@ public final class Settings {
         /**
          * The properties key for the URL to retrieve the "meta" data from about
          * the CVE entries.
+         *
+         * @deprecated this is not currently used
          */
+        @Deprecated
         public static final String CVE_META_URL = "cve.url.meta";
         /**
          * The properties key for the URL to retrieve the recently modified and
          * added CVE entries (last 8 days) using the 2.0 schema.
          */
         public static final String CVE_MODIFIED_20_URL = "cve.url-2.0.modified";
+        /**
+         * The properties key for the URL to retrieve the recently modified and
+         * added CVE entries (last 8 days) using the 2.0 schema.
+         */
+        public static final String CVE_ORIGINAL_MODIFIED_20_URL = "cve.url-2.0.original";
         /**
          * The properties key for the URL to retrieve the recently modified and
          * added CVE entries (last 8 days) using the 1.2 schema.
@@ -336,7 +344,7 @@ public final class Settings {
          * The key to HTTP protocol list to use.
          */
         public static final String DOWNLOADER_TLS_PROTOCOL_LIST = "downloader.tls.protocols";
-        
+
         /**
          * The key to determine if the CPE analyzer is enabled.
          */
@@ -370,9 +378,19 @@ public final class Settings {
          */
         public static String ANALYZER_NVD_CVE_ENABLED = "analyzer.nvdcve.enabled";
         /**
-         * The key to determine if the Vulnerability Suppression analyzer is enabled.
+         * The key to determine if the Vulnerability Suppression analyzer is
+         * enabled.
          */
         public static String ANALYZER_VULNERABILITY_SUPPRESSION_ENABLED = "analyzer.vulnerabilitysuppression.enabled";
+        /**
+         * The key to determine if the NVD CVE updater should be enabled.
+         */
+        public static String UPDATE_NVDCVE_ENABLED = "updater.nvdcve.enabled";
+        /**
+         * The key to determine if dependency-check should check if there is a
+         * new version available.
+         */
+        public static String UPDATE_VERSION_CHECK_ENABLED = "updater.versioncheck.enabled";
 
         /**
          * private constructor because this is a "utility" class containing