From 6e1512f7d9b69e0df56358e87c81b3c7fde9f5f4 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Tue, 27 Dec 2016 08:45:01 -0500
Subject: [PATCH] added enabled setting (#612) and added additional checks to
 see if the update should occur (#631)

---
 .../data/update/EngineVersionCheck.java               | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java
index 27614e2cb..b6aea04ed 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java
@@ -99,7 +99,16 @@ public class EngineVersionCheck implements CachedWebDataSource {
     @Override
     public void update() throws UpdateException {
         try {
-            if (Settings.getBoolean(Settings.KEYS.AUTO_UPDATE)) {
+            final boolean autoupdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE, true);
+            final boolean enabled = Settings.getBoolean(Settings.KEYS.UPDATE_VERSION_CHECK_ENABLED, true);
+            final String original = Settings.getString(Settings.KEYS.CVE_ORIGINAL_MODIFIED_20_URL);
+            final String current = Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL);
+            /**
+             * Only update if auto-update is enabled, the engine check is
+             * enabled, and the NVD CVE URLs have not been modified (i.e. the
+             * user has not configured them to point to an internal source).
+             */
+            if (enabled && autoupdate && original != null && original.equals(current)) {
                 openDatabase();
                 LOGGER.debug("Begin Engine Version Check");
                 final DatabaseProperties properties = cveDB.getDatabaseProperties();