added enabled properties per issue #612

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java

@@ -53,8 +53,10 @@ import org.xml.sax.SAXException;
  * this class is not currently used. The code is being kept as a future update
  * may utilize more data from the CPE XML files.
  *
+ * @deprecated the CPE updater is not currently used.
  * @author Jeremy Long
  */
+@Deprecated
 public class CpeUpdater extends BaseUpdater implements CachedWebDataSource {
 
     /**
@@ -64,6 +66,17 @@ public class CpeUpdater extends BaseUpdater implements CachedWebDataSource {
 
     @Override
     public void update() throws UpdateException {
+        /*
+        //the following could be used if this were ever used.
+        try {
+            if (!Settings.getBoolean(Settings.KEYS.UPDATE_NVDCVE_ENABLED, true)) {
+                return;
+            }
+        } catch (InvalidSettingException ex) {
+            LOGGER.trace("inavlid setting UPDATE_NVDCVE_ENABLED", ex);
+        }
+         */
+
         try {
             openDataStores();
             if (updateNeeded()) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java

@@ -67,6 +67,14 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
      */
     @Override
     public void update() throws UpdateException {
+        try {
+            if (!Settings.getBoolean(Settings.KEYS.UPDATE_NVDCVE_ENABLED, true)) {
+                return;
+            }
+        } catch (InvalidSettingException ex) {
+            LOGGER.trace("inavlid setting UPDATE_NVDCVE_ENABLED", ex);
+        }
+
         try {
             openDataStores();
             boolean autoUpdate = true;

dependency-check-core/src/main/resources/dependencycheck.properties

@@ -53,6 +53,8 @@ cve.startyear=2002
 # the path to the modified nvd cve xml file.
 cve.url-1.2.modified=https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
 #cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
+#the original URL and modified URL should be the same; this is used to detect if we are using an internal NVD CVE copy
+cve.url-2.0.original=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
 cve.url-2.0.modified=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
 #cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
 cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz
@@ -110,3 +112,5 @@ analyzer.filename.enabled=true
 analyzer.hint.enabled=true
 analyzer.nvdcve.enabled=true
 analyzer.vulnerabilitysuppression.enabled=true
+updater.nvdcve.enabled=true
+updater.versioncheck.enabled=true

dependency-check-core/src/test/resources/dependencycheck.properties

@@ -48,6 +48,8 @@ cve.startyear=2014
 # the path to the modified nvd cve xml file.
 cve.url-1.2.modified=https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
 #cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
+#the original URL and modified URL should be the same; this is used to detect if we are using an internal NVD CVE copy
+cve.url-2.0.original=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
 cve.url-2.0.modified=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
 #cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
 cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz
@@ -109,3 +111,5 @@ analyzer.filename.enabled=true
 analyzer.hint.enabled=true
 analyzer.nvdcve.enabled=true
 analyzer.vulnerabilitysuppression.enabled=true
+updater.nvdcve.enabled=true
+updater.versioncheck.enabled=true