diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java index 30ab437d1..f00f4b8cd 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java @@ -68,9 +68,18 @@ public class CveDB { */ private ResourceBundle statementBundle = null; + /** + * <<<<<<< HEAD Creates a new CveDB object and opens the database + * connection. Note, the connection must be closed by the caller by calling + * the close method. ======= Does the underlying connection support batch + * operations? + */ + private boolean batchSupported; + /** * Creates a new CveDB object and opens the database connection. Note, the * connection must be closed by the caller by calling the close method. + * >>>>>>> e79da72711dc0f326fcdce52deab89e37c0d8230 * * @throws DatabaseException thrown if there is an exception opening the * database. @@ -81,6 +90,7 @@ public class CveDB { open(); try { final String databaseProductName = conn.getMetaData().getDatabaseProductName(); + batchSupported = conn.getMetaData().supportsBatchUpdates(); LOGGER.debug("Database dialect: {}", databaseProductName); final Locale dbDialect = new Locale(databaseProductName); statementBundle = ResourceBundle.getBundle("data/dbStatements", dbDialect); @@ -388,6 +398,7 @@ public class CveDB { ResultSet rsR = null; ResultSet rsS = null; Vulnerability vuln = null; + try { psV = getConnection().prepareStatement(statementBundle.getString("SELECT_VULNERABILITY")); psV.setString(1, cve); @@ -493,6 +504,7 @@ public class CveDB { } DBUtils.closeResultSet(rs); rs = null; + if (vulnerabilityId != 0) { if (vuln.getDescription().contains("** REJECT **")) { deleteVulnerability.setInt(1, vulnerabilityId); @@ -534,13 +546,24 @@ public class CveDB { rs = null; } } - insertReference.setInt(1, vulnerabilityId); + for (Reference r : vuln.getReferences()) { + insertReference.setInt(1, vulnerabilityId); insertReference.setString(2, r.getName()); insertReference.setString(3, r.getUrl()); insertReference.setString(4, r.getSource()); - insertReference.execute(); + + if (batchSupported) { + insertReference.addBatch(); + } else { + insertReference.execute(); + } } + + if (batchSupported) { + insertReference.executeBatch(); + } + for (VulnerableSoftware s : vuln.getVulnerableSoftware()) { int cpeProductId = 0; selectCpeId.setString(1, s.getName()); @@ -569,22 +592,30 @@ public class CveDB { insertSoftware.setInt(1, vulnerabilityId); insertSoftware.setInt(2, cpeProductId); + if (s.getPreviousVersion() == null) { insertSoftware.setNull(3, java.sql.Types.VARCHAR); } else { insertSoftware.setString(3, s.getPreviousVersion()); } - try { - insertSoftware.execute(); - } catch (SQLException ex) { - if (ex.getMessage().contains("Duplicate entry")) { - final String msg = String.format("Duplicate software key identified in '%s:%s'", vuln.getName(), s.getName()); - LOGGER.debug(msg, ex); - } else { - throw ex; + if (batchSupported) { + insertSoftware.addBatch(); + } else { + try { + insertSoftware.execute(); + } catch (SQLException ex) { + if (ex.getMessage().contains("Duplicate entry")) { + final String msg = String.format("Duplicate software key identified in '%s:%s'", vuln.getName(), s.getName()); + LOGGER.debug(msg, ex); + } else { + throw ex; + } } } } + if (batchSupported) { + insertSoftware.executeBatch(); + } } catch (SQLException ex) { final String msg = String.format("Error updating '%s'", vuln.getName()); LOGGER.debug(msg, ex);