CVE Download Updates

ant/src/main/java/org/owasp/dependencycheck/taskdefs/Update.java

@@ -100,6 +100,10 @@ public class Update extends Purge {
      * The number of hours to wait before re-checking for updates.
      */
     private Integer cveValidForHours;
+    /**
+     * Specify the first year of NVD CVE data to download; default is 2002.
+     */
+    private Integer cveStartYear;
 
     /**
      * Construct a new UpdateTask.
@@ -381,6 +385,29 @@ public void setCveValidForHours(Integer cveValidForHours) {
         this.cveValidForHours = cveValidForHours;
     }
 
+    /**
+     * Get the value of cveStartYear.
+     *
+     * @return the value of cveStartYear
+     */
+    public Integer getCveStartYear() {
+        return cveStartYear;
+    }
+
+    /**
+     * Set the value of cveStartYear.
+     *
+     * @param cveStartYear new value of cveStartYear
+     */
+    public void setCveStartYear(Integer cveStartYear) {
+        if (cveStartYear != null && cveStartYear < 2002) {
+            log("Invalid Configuration: cveStartYear must be 2002 or greater", Project.MSG_ERR);
+            this.cveStartYear = 2002;
+        } else {
+            this.cveStartYear = cveStartYear;
+        }
+    }
+
     /**
      * Executes the update by initializing the settings, downloads the NVD XML
      * data, and then processes the data storing it in the local database.
@@ -441,6 +468,7 @@ protected void populateSettings() throws BuildException {
         getSettings().setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_JSON, cveModifiedJson);
         getSettings().setStringIfNotEmpty(Settings.KEYS.CVE_BASE_JSON, cveUrlBase);
         getSettings().setStringIfNotEmpty(Settings.KEYS.CVE_DOWNLOAD_WAIT_TIME, cveWaitTime);
+        getSettings().setIntIfNotNull(Settings.KEYS.CVE_START_YEAR, cveStartYear);
         if (cveValidForHours != null) {
             if (cveValidForHours >= 0) {
                 getSettings().setInt(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, cveValidForHours);

ant/src/site/markdown/config-update.md

@@ -37,6 +37,7 @@ Property             | Description
 cveUrlModified       | URL for the modified CVE JSON data feed. When mirroring the NVD you must mirror the *.json.gz and the *.meta files. Optional if your custom cveUrlBase is just a domain name change.  | https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz
 cveUrlBase           | Base URL for each year's CVE JSON data feed, the %d will be replaced with the year.                                  | https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-%d.json.gz
 cveWaitTime          | The time in milliseconds to wait between downloads from the NVD.                                                     | 4000
+cveStartYear         | The first year of NVD CVE data to download from the NVD.                                                             | 2002
 dataDirectory        | Data directory that is used to store the local copy of the NVD. This should generally not be changed.                | data
 databaseDriverName   | The name of the database driver. Example: org.h2.Driver.                                                             |  
 databaseDriverPath   | The path to the database driver JAR file; only used if the driver is not in the class path.                          |  

ant/src/site/markdown/configuration.md

@@ -137,13 +137,13 @@ may be the cvedUrl properties, which can be used to host a mirror of the NVD wit
 
 Property             | Description                                                              | Default Value
 ---------------------|--------------------------------------------------------------------------|------------------
-cveUrl12Modified     | URL for the modified CVE 1.2.                                            | http://nvd.nist.gov/download/nvdcve-modified.xml
-cveUrl20Modified     | URL for the modified CVE 2.0.                                            | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
-cveUrl12Base         | Base URL for each year's CVE 1.2, the %d will be replaced with the year. | http://nvd.nist.gov/download/nvdcve-%d.xml
-cveUrl20Base         | Base URL for each year's CVE 2.0, the %d will be replaced with the year. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
-dataDirectory        | Data directory that is used to store the local copy of the NVD. This should generally not be changed. | data
-databaseDriverName   | The name of the database driver. Example: org.h2.Driver.                 |  
-databaseDriverPath   | The path to the database driver JAR file; only used if the driver is not in the class path. |  
+cveUrlModified       | URL for the modified CVE JSON data feed. When mirroring the NVD you must mirror the *.json.gz and the *.meta files. Optional if your custom cveUrlBase is just a domain name change.  | https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz
+cveUrlBase           | Base URL for each year's CVE JSON data feed, the %d will be replaced with the year.                          | https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-%d.json.gz
+cveWaitTime          | The time in milliseconds to wait between downloads from the NVD.                                             | 4000
+cveStartYear         | The first year of NVD CVE data to download from the NVD.                                                     | 2002
+dataDirectory        | Data directory that is used to store the local copy of the NVD. This should generally not be changed.        | data
+databaseDriverName   | The name of the database driver. Example: org.h2.Driver.                                                     |  
+databaseDriverPath   | The path to the database driver JAR file; only used if the driver is not in the class path.                  |  
 connectionString     | The connection string used to connect to the database. See using a [database server](../data/database.html). |  
-databaseUser         | The username used when connecting to the database.                       |  
-databasePassword     | The password used when connecting to the database.                       |  
+databaseUser         | The username used when connecting to the database.                                                           |  
+databasePassword     | The password used when connecting to the database.                                                           |  

cli/src/main/java/org/owasp/dependencycheck/App.java

@@ -443,6 +443,8 @@ protected void populateSettings(CliParser cli) throws InvalidSettingException {
                 cli.getStringArgument(CliParser.ARGUMENT.HINTS_FILE));
         settings.setIntIfNotNull(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS,
                 cli.getIntegerValue(CliParser.ARGUMENT.CVE_VALID_FOR_HOURS));
+        settings.setIntIfNotNull(Settings.KEYS.CVE_START_YEAR,
+                cli.getIntegerValue(CliParser.ARGUMENT.CVE_START_YEAR));
         settings.setArrayIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE,
                 cli.getStringArguments(CliParser.ARGUMENT.SUPPRESSION_FILES));
         //File Type Analyzer Settings

cli/src/main/java/org/owasp/dependencycheck/CliParser.java

@@ -114,7 +114,7 @@ private CommandLine parseArgs(String[] args) throws ParseException {
      */
     private void validateArgs() throws FileNotFoundException, ParseException {
         if (isUpdateOnly() || isRunScan()) {
-            final String value = line.getOptionValue(ARGUMENT.CVE_VALID_FOR_HOURS);
+            String value = line.getOptionValue(ARGUMENT.CVE_VALID_FOR_HOURS);
             if (value != null) {
                 try {
                     final int i = Integer.parseInt(value);
@@ -125,6 +125,18 @@ private void validateArgs() throws FileNotFoundException, ParseException {
                     throw new ParseException("Invalid Setting: cveValidForHours must be a number greater than or equal to 0.");
                 }
             }
+            value = line.getOptionValue(ARGUMENT.CVE_START_YEAR);
+            if (value != null) {
+                try {
+                    final int i = Integer.parseInt(value);
+                    if (i < 2002) {
+                        throw new ParseException("Invalid Setting: cveStartYear must be a number greater than or equal to 2002.");
+                    }
+                } catch (NumberFormatException ex) {
+                    throw new ParseException("Invalid Setting: cveStartYear must be a number greater than or equal to 2002.");
+                }
+            }
+
         }
         if (isRunScan()) {
             validatePathExists(getScanFiles(), ARGUMENT.SCAN);
@@ -376,6 +388,8 @@ private void addAdvancedOptions(final Options options) {
                         "The path to the `yarn` executable."))
                 .addOption(newOptionWithArg(ARGUMENT.CVE_VALID_FOR_HOURS, "hours",
                         "The number of hours to wait before checking for new updates from the NVD."))
+                .addOption(newOptionWithArg(ARGUMENT.CVE_START_YEAR, "year",
+                        "The first year to retrieve NVD CVE data for; default is 2002."))
                 .addOption(newOptionWithArg(ARGUMENT.RETIREJS_FILTERS, "pattern",
                         "Specify Retire JS content filter used to exclude files from analysis based on their content; "
                         + "most commonly used to exclude based on your applications own copyright line. This "
@@ -1085,6 +1099,11 @@ public static class ARGUMENT {
          * checking for new updates from the NVD.
          */
         public static final String CVE_VALID_FOR_HOURS = "cveValidForHours";
+        /**
+         * The CLI argument name for setting the first year to retrieve NVD
+         * data.
+         */
+        public static final String CVE_START_YEAR = "cveStartYear";
         /**
          * The username for basic auth to the CVE data.
          */
@@ -1231,7 +1250,7 @@ public static class ARGUMENT {
          */
         public static final String DISABLE_NODE_JS = "disableNodeJS";
         /**
-         * Skips dev dependencies in Node Package Analyzer
+         * Skips dev dependencies in Node Package Analyzer.
          */
         public static final String NODE_PACKAGE_SKIP_DEV_DEPENDENCIES = "nodePackageSkipDevDependencies";
         /**

cli/src/main/resources/completion-for-dependency-check.sh

@@ -21,7 +21,8 @@ _odc_completions()
             --connectionString
             --cveUrlBase
             --cveUrlModified
-            --cveValidForHours
+            --cveValidForHours <hours>
+            --cveStartYear <year>
             --cveUser <user>
             --cvePassword <password>
             --cveDownloadWait <milliseconds>

core/src/main/java/org/owasp/dependencycheck/Engine.java

@@ -891,7 +891,7 @@ public boolean doUpdates(boolean remainOpen) throws UpdateException, DatabaseExc
                     //lock is not needed as we already have the lock held
                     openDatabase(true, false);
                 }
-                
+
                 return dbUpdatesMade;
             } catch (WriteLockException ex) {
                 throw new UpdateException("Unable to obtain an exclusive lock on the H2 database to perform updates", ex);

core/src/main/java/org/owasp/dependencycheck/analyzer/ArtifactoryAnalyzer.java

@@ -235,7 +235,9 @@ private void processPom(Dependency dependency, MavenArtifact ma) throws IOExcept
             LOGGER.debug("Downloading {}", ma.getPomUrl());
             //TODO add caching
             final Downloader downloader = new Downloader(getSettings());
-            downloader.fetchFile(new URL(ma.getPomUrl()), pomFile, Settings.KEYS.ANALYZER_ARTIFACTORY_API_USERNAME, Settings.KEYS.ANALYZER_ARTIFACTORY_API_TOKEN);
+            downloader.fetchFile(new URL(ma.getPomUrl()), pomFile,
+                    Settings.KEYS.ANALYZER_ARTIFACTORY_API_USERNAME,
+                    Settings.KEYS.ANALYZER_ARTIFACTORY_API_TOKEN);
             PomUtils.analyzePOM(dependency, pomFile);
 
         } catch (DownloadFailedException ex) {

core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java

@@ -334,7 +334,7 @@ private void processDependencies(JsonObject json, File baseDir, File rootFile,
             String parentPackage, Engine engine) throws AnalysisException {
         if (json.containsKey("dependencies")) {
             final JsonObject deps = json.getJsonObject("dependencies");
-            boolean skipDev = getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_SKIPDEV, false);
+            final boolean skipDev = getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_SKIPDEV, false);
             for (Map.Entry<String, JsonValue> entry : deps.entrySet()) {
                 final String name = entry.getKey();
                 final String version;

core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java

@@ -17,7 +17,6 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import java.net.URI;
 import org.sonatype.ossindex.service.api.componentreport.ComponentReport;
 import org.sonatype.ossindex.service.api.componentreport.ComponentReportVulnerability;
 import org.sonatype.ossindex.service.api.cvss.Cvss2Severity;
@@ -161,11 +160,12 @@ protected void analyzeDependency(final Dependency dependency, final Engine engin
     }
 
     /**
-     * Delays each request (thread) by the configured amount of seconds, if the configuration is present.
+     * Delays each request (thread) by the configured amount of seconds, if the
+     * configuration is present.
      */
     private void requestDelay() throws InterruptedException {
-        final int delay = getSettings().getInt(Settings.KEYS.ANALYZER_OSSINDEX_REQUEST_DELAY,0);
-        if(delay > 0) {
+        final int delay = getSettings().getInt(Settings.KEYS.ANALYZER_OSSINDEX_REQUEST_DELAY, 0);
+        if (delay > 0) {
             LOG.debug("Request delay: " + delay);
             TimeUnit.SECONDS.sleep(delay);
         }