From 63ad13ff7a89e7071ef687cbd0b88d22fd51f338 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Tue, 27 Dec 2016 08:46:04 -0500
Subject: [PATCH] added enabled properties per issue #612
---
 .../data/update/CpeUpdater.java | 13 +++++++++++
 .../data/update/NvdCveUpdater.java | 8 +++++++
 .../main/resources/dependencycheck.properties | 4 ++++
 .../test/resources/dependencycheck.properties | 4 ++++
 .../owasp/dependencycheck/utils/Settings.java | 22 +++++++++++++++++--
 5 files changed, 49 insertions(+), 2 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java
index c6e6d3e89..f1c82a095 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java
@@ -53,8 +53,10 @@ import org.xml.sax.SAXException;
 * this class is not currently used. The code is being kept as a future update
 * may utilize more data from the CPE XML files.
 *
+ * @deprecated the CPE updater is not currently used.
 * @author Jeremy Long
 */
+@Deprecated
 public class CpeUpdater extends BaseUpdater implements CachedWebDataSource {
 /**
@@ -64,6 +66,17 @@ public class CpeUpdater extends BaseUpdater implements CachedWebDataSource {
 @Override
 public void update() throws UpdateException {
+ /*
+ //the following could be used if this were ever used.
+ try {
+ if (!Settings.getBoolean(Settings.KEYS.UPDATE_NVDCVE_ENABLED, true)) {
+ return;
+ }
+ } catch (InvalidSettingException ex) {
+ LOGGER.trace("inavlid setting UPDATE_NVDCVE_ENABLED", ex);
+ }
+ */
+
+
 try {
 openDataStores();
 if (updateNeeded()) {
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
index a219d1481..bcf19a34b 100644
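Review bot: The commented-out guard added at the top of `update()` in CpeUpdater.java tests `Settings.KEYS.UPDATE_NVDCVE_ENABLED`, which is the NVD CVE updater's switch, so if the block is ever uncommented the CPE updater would be controlled by another updater's flag. Since the class is now `@Deprecated` and described as unused, the block is better dropped and left to version control, or reduced to a one-line comment such as `// if revived, gate this on a CPE-specific updater key`. The body of `update()` continues past the end of the hunk.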
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
@@ -67,6 +67,14 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
 */
 @Override
 public void update() throws UpdateException {
+ try {
+ if (!Settings.getBoolean(Settings.KEYS.UPDATE_NVDCVE_ENABLED, true)) {
+ return;
+ }
+ } catch (InvalidSettingException ex) {
+ LOGGER.trace("inavlid setting UPDATE_NVDCVE_ENABLED", ex);
+ }
+
 try {
 openDataStores();
 boolean autoUpdate = true;
diff --git a/dependency-check-core/src/main/resources/dependencycheck.properties b/dependency-check-core/src/main/resources/dependencycheck.properties
index 474fff4ee..a824b7fbc 100644
--- a/dependency-check-core/src/main/resources/dependencycheck.properties
+++ b/dependency-check-core/src/main/resources/dependencycheck.properties
@@ -53,6 +53,8 @@ cve.startyear=2002
 # the path to the modified nvd cve xml file.
 cve.url-1.2.modified=https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
 #cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
+#the original URL and modified URL should be the same; this is used to detect if we are using an internal NVD CVE copy
+cve.url-2.0.original=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
 cve.url-2.0.modified=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
 #cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
 cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz
@@ -110,3 +112,5 @@ analyzer.filename.enabled=true
 analyzer.hint.enabled=true
 analyzer.nvdcve.enabled=true
 analyzer.vulnerabilitysuppression.enabled=true
+updater.nvdcve.enabled=true
+updater.versioncheck.enabled=true
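Review bot: When `updater.nvdcve.enabled` is false, the new guard in `NvdCveUpdater.update()` returns without logging anything, so a scan then runs against whatever CVE data is already in the local store (possibly stale or empty) with no record that the refresh was skipped. For a tool whose findings depend on current NVD data, that deserves an explicit line before the `return;`, e.g. `LOGGER.info("NVD CVE update skipped: updater.nvdcve.enabled is false");`. The catch branch has a related gap: an unparsable value is logged only at trace level and the update then proceeds, so someone who meant to disable it gets no visible signal; `LOGGER.warn("invalid setting UPDATE_NVDCVE_ENABLED", ex);` would surface it and also corrects the `inavlid` typo. The rest of `update()` lies outside the hunk.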
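Review bot: `updater.versioncheck.enabled` gets a default in the last hunk of the main dependencycheck.properties and a key constant in Settings.java, but no code in this patch reads it, so setting it to false would not stop the version check unless a consumer exists elsewhere in the tree. The same holds for `cve.url-2.0.original`, added in the first hunk of this file. A comment above the two `updater.*` lines would keep users from relying on a switch that has no effect yet and would document the one that does, for example `# updater.nvdcve.enabled=false skips the NVD CVE download; scans then use the existing local data`.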
diff --git a/dependency-check-core/src/test/resources/dependencycheck.properties b/dependency-check-core/src/test/resources/dependencycheck.properties
index a53133293..138bb587c 100644
--- a/dependency-check-core/src/test/resources/dependencycheck.properties
+++ b/dependency-check-core/src/test/resources/dependencycheck.properties
@@ -48,6 +48,8 @@ cve.startyear=2014
 # the path to the modified nvd cve xml file.
 cve.url-1.2.modified=https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
 #cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
+#the original URL and modified URL should be the same; this is used to detect if we are using an internal NVD CVE copy
+cve.url-2.0.original=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
 cve.url-2.0.modified=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
 #cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
 cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz
@@ -109,3 +111,5 @@ analyzer.filename.enabled=true
 analyzer.hint.enabled=true
 analyzer.nvdcve.enabled=true
 analyzer.vulnerabilitysuppression.enabled=true
+updater.nvdcve.enabled=true
+updater.versioncheck.enabled=true
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
index 21784e0c1..d619c5a06 100644
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
@@ -109,13 +109,21 @@ public final class Settings {
 /**
 * The properties key for the URL to retrieve the "meta" data from about
 * the CVE entries.
+ *
+ * @deprecated this is not currently used
 */
+ @Deprecated
 public static final String CVE_META_URL = "cve.url.meta";
 /**
 * The properties key for the URL to retrieve the recently modified and
 * added CVE entries (last 8 days) using the 2.0 schema.
 */
 public static final String CVE_MODIFIED_20_URL = "cve.url-2.0.modified";
+ /**
+ * The properties key for the URL to retrieve the recently modified and
+ * added CVE entries (last 8 days) using the 2.0 schema.
+ */
+ public static final String CVE_ORIGINAL_MODIFIED_20_URL = "cve.url-2.0.original";
 /**
 * The properties key for the URL to retrieve the recently modified and
 * added CVE entries (last 8 days) using the 1.2 schema.
@@ -336,7 +344,7 @@ public final class Settings {
 * The key to HTTP protocol list to use.
 */
 public static final String DOWNLOADER_TLS_PROTOCOL_LIST = "downloader.tls.protocols";
-
+
 /**
 * The key to determine if the CPE analyzer is enabled.
 */
@@ -370,9 +378,19 @@ public final class Settings {
 */
 public static String ANALYZER_NVD_CVE_ENABLED = "analyzer.nvdcve.enabled";
 /**
- * The key to determine if the Vulnerability Suppression analyzer is enabled.
+ * The key to determine if the Vulnerability Suppression analyzer is
+ * enabled.
 */
 public static String ANALYZER_VULNERABILITY_SUPPRESSION_ENABLED = "analyzer.vulnerabilitysuppression.enabled";
+ /**
+ * The key to determine if the NVD CVE updater should be enabled.
+ */
+ public static String UPDATE_NVDCVE_ENABLED = "updater.nvdcve.enabled";
+ /**
+ * The key to determine if dependency-check should check if there is a
+ * new version available.
+ */
+ public static String UPDATE_VERSION_CHECK_ENABLED = "updater.versioncheck.enabled";
 /**
 * private constructor because this is a "utility" class containing
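Review bot: The Javadoc on `CVE_ORIGINAL_MODIFIED_20_URL` in the first Settings.java hunk is copied verbatim from `CVE_MODIFIED_20_URL`, so it does not say what the new key is for. The properties comment in this patch gives the purpose (detecting use of an internal NVD CVE copy), and the Javadoc should say the same, e.g. `The properties key for the original URL of the 2.0 modified feed; used together with cve.url-2.0.modified to detect an internal NVD CVE copy.` Nothing in this patch reads the constant, so the detection logic presumably lives elsewhere or is still to come. Separately, `UPDATE_NVDCVE_ENABLED` and `UPDATE_VERSION_CHECK_ENABLED` in the last hunk are declared `public static String` without `final`, unlike this constant; `public static final String` would keep the key names from being reassigned at runtime.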