fix: allow hosted suppressions file to be disabled (#5509)

jeremylong · web-flow · commit b6c5ec3ed84a · 2023-02-27T07:30:54.000-05:00
diff --git a/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Update.java b/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Update.java
@@ -109,9 +109,13 @@ public class Update extends Purge {
      */
     private Integer hostedSuppressionsValidForHours;
     /**
-     * Whether or not the hosted suppressions file will be updated regardless of the `autoupdate` settings. Defaults to false.
+     * Whether the hosted suppressions file will be updated regardless of the `autoupdate` settings. Defaults to false.
      */
     private Boolean hostedSuppressionsForceUpdate;
+    /**
+     * Whether the hosted suppressions file will be used. Defaults to true.
+     */
+    private Boolean hostedSuppressionsEnabled;
 
     /**
      * Specify the first year of NVD CVE data to download; default is 2002.
@@ -475,6 +479,23 @@ public void setHostedSuppressionsForceUpdate(final Boolean hostedSuppressionsFor
         this.hostedSuppressionsForceUpdate = hostedSuppressionsForceUpdate;
     }
 
+    /**
+     * Get the value of hostedSuppressionsEnabled.
+     *
+     * @return the value of hostedSuppressionsEnabled
+     */
+    public Boolean isHostedSuppressionsEnabled() {
+        return hostedSuppressionsEnabled;
+    }
+    /**
+     * Set the value of hostedSuppressionsEnabled.
+     *
+     * @param hostedSuppressionsEnabled new value of hostedSuppressionsEnabled
+     */
+    public void setHostedSuppressionsEnabled(Boolean hostedSuppressionsEnabled) {
+        this.hostedSuppressionsEnabled = hostedSuppressionsEnabled;
+    }
+
     /**
      * Executes the update by initializing the settings, downloads the NVD XML
      * data, and then processes the data storing it in the local database.
@@ -539,6 +560,7 @@ protected void populateSettings() throws BuildException {
         getSettings().setIntIfNotNull(Settings.KEYS.CVE_START_YEAR, cveStartYear);
         getSettings().setIntIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_VALID_FOR_HOURS, hostedSuppressionsValidForHours);
         getSettings().setBooleanIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_FORCEUPDATE, hostedSuppressionsForceUpdate);
+        getSettings().setBooleanIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_ENABLED, hostedSuppressionsEnabled);
         if (cveValidForHours != null) {
             if (cveValidForHours >= 0) {
                 getSettings().setInt(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, cveValidForHours);
diff --git a/ant/src/site/markdown/config-update.md b/ant/src/site/markdown/config-update.md
@@ -45,6 +45,7 @@ databaseDriverPath   | The path to the database driver JAR file; only used if th
 connectionString     | The connection string used to connect to the database. See using a [database server](../data/database.html).         | &nbsp;
 databaseUser         | The username used when connecting to the database.                                                                   | &nbsp;
 databasePassword     | The password used when connecting to the database.                                                                   | &nbsp;
-hostedSuppressionsUrl | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
-hostedSuppressionsValidForHours | Sets the number of hours to wait before checking for new updates of the hosted suppressions file | 2
+hostedSuppressionsEnabled | Whether the hosted suppression file will be used.                                                               | true
+hostedSuppressionsUrl | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments                    | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
+hostedSuppressionsValidForHours | Sets the number of hours to wait before checking for new updates of the hosted suppressions file          | 2
 hostedSuppressionsForceUpdate | Sets whether the hosted suppressions file should update regardless of the `autoupdate` and validForHours settings | false 
diff --git a/ant/src/site/markdown/configuration.md b/ant/src/site/markdown/configuration.md
@@ -154,6 +154,7 @@ databaseDriverPath   | The path to the database driver JAR file; only used if th
 connectionString     | The connection string used to connect to the database. See using a [database server](../data/database.html). | &nbsp;
 databaseUser         | The username used when connecting to the database.                                                           | &nbsp;
 databasePassword     | The password used when connecting to the database.                                                           | &nbsp;
-hostedSuppressionsUrl | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
-hostedSuppressionsValidForHours | Sets the number of hours to wait before checking for new updates of the hosted suppressions file | 2
+hostedSuppressionsEnabled | Whether the hosted suppression file will be used.                                                       | true
+hostedSuppressionsUrl | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments            | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
+hostedSuppressionsValidForHours | Sets the number of hours to wait before checking for new updates of the hosted suppressions file  | 2
 hostedSuppressionsForceUpdate | Sets whether the hosted suppressions file should update regardless of the `autoupdate` and validForHours settings | false 
diff --git a/cli/src/main/java/org/owasp/dependencycheck/App.java b/cli/src/main/java/org/owasp/dependencycheck/App.java
@@ -663,6 +663,8 @@ protected void populateSettings(CliParser cli) throws InvalidSettingException {
 
         settings.setStringIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_URL,
                 cli.getStringArgument(CliParser.ARGUMENT.HOSTED_SUPPRESSIONS_URL));
+        settings.setBoolean(Settings.KEYS.HOSTED_SUPPRESSIONS_ENABLED,
+                !cli.isDisabled(CliParser.ARGUMENT.DISABLE_HOSTED_SUPPRESSIONS, Settings.KEYS.HOSTED_SUPPRESSIONS_ENABLED));
         settings.setBooleanIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_FORCEUPDATE,
                 cli.hasOption(CliParser.ARGUMENT.HOSTED_SUPPRESSIONS_FORCEUPDATE));
         settings.setIntIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_VALID_FOR_HOURS,
diff --git a/cli/src/main/java/org/owasp/dependencycheck/CliParser.java b/cli/src/main/java/org/owasp/dependencycheck/CliParser.java
@@ -499,6 +499,7 @@ private void addAdvancedOptions(final Options options) {
                 .addOption(newOption(ARGUMENT.ENABLE_NEXUS, "Enable the Nexus Analyzer."))
                 .addOption(newOption(ARGUMENT.ARTIFACTORY_ENABLED, "Whether the Artifactory Analyzer should be enabled."))
                 .addOption(newOption(ARGUMENT.PURGE_NVD, "Purges the local NVD data cache"))
+                .addOption(newOption(ARGUMENT.DISABLE_HOSTED_SUPPRESSIONS, "Disable the usage of the hosted suppressions file"))
                 .addOption(newOption(ARGUMENT.HOSTED_SUPPRESSIONS_FORCEUPDATE, "Force the hosted suppressions file to update even"
                                                                                + " if autoupdate is disabled"))
                 .addOption(newOptionWithArg(ARGUMENT.HOSTED_SUPPRESSIONS_VALID_FOR_HOURS, "hours",
@@ -1521,6 +1522,10 @@ public static class ARGUMENT {
          * when generating the JUNIT report format.
          */
         public static final String FAIL_JUNIT_ON_CVSS = "junitFailOnCVSS";
+        /**
+         * The CLI argument to set the number of hours to wait before re-checking hosted suppressions file for updates.
+         */
+        public static final String DISABLE_HOSTED_SUPPRESSIONS = "disableHostedSuppressions";
         /**
          * The CLI argument to set the number of hours to wait before re-checking hosted suppressions file for updates.
          */
diff --git a/cli/src/main/resources/completion-for-dependency-check.sh b/cli/src/main/resources/completion-for-dependency-check.sh
@@ -44,6 +44,7 @@ _odc_completions()
             --disableFileName
             --disableGolangDep
             --disableGolangMod
+            --disableHostedSuppressions
             --disableJar
             --disableMavenInstall
             --disableMixAudit
diff --git a/cli/src/site/markdown/arguments.md b/cli/src/site/markdown/arguments.md
@@ -118,6 +118,7 @@ Advanced Options
 |       | \-\-dbUser                            | \<user\>        | The username used to connect to the database.                                                                                                                                                          | &nbsp; |
 | \-d   | \-\-data                              | \<path\>        | The location of the data directory used to store persistent data. This option should generally not be set.                                                                                             | &nbsp; |
 |       | \-\-purge                             |                 | Delete the local copy of the NVD. This is used to force a refresh of the data.                                                                                                                         | &nbsp; |
-|       | \-\-hostedSuppressionsForceUpdate               |                 | Whether the hosted suppressions file will update regardless of the `noupdate` argument.                                                                                                      | false  |
-|       | \-\-hostedSuppressionsValidForHours                       | \<hours\>         | The number of hours to wait before checking for new updates of the hosted suppressions file                                                                                      | 2      |
-|       | \-\-hostedSuppressionsUrl                       | \<url\>         | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments                                                                                                       | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml |
+|       | \-\-disableHostedSuppressions         |                 | Whether the usage of the hosted suppressions file will be disabled.                                                                                                                                    | false  |
+|       | \-\-hostedSuppressionsForceUpdate     |                 | Whether the hosted suppressions file will update regardless of the `noupdate` argument.                                                                                                                | false  |
+|       | \-\-hostedSuppressionsValidForHours   | \<hours\>       | The number of hours to wait before checking for new updates of the hosted suppressions file                                                                                                            | 2      |
+|       | \-\-hostedSuppressionsUrl             | \<url\>         | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments                                                                                                       | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml |
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
@@ -230,6 +230,10 @@ private void loadPackagedSuppressionBaseData(final SuppressionParser parser, fin
     private void loadHostedSuppressionBaseData(final SuppressionParser parser, final Engine engine) {
         final File repoFile;
         boolean repoEmpty = false;
+        final boolean enabled = getSettings().getBoolean(Settings.KEYS.HOSTED_SUPPRESSIONS_ENABLED, true);
+        if (!enabled) {
+            return;
+        }
         final boolean autoupdate = getSettings().getBoolean(Settings.KEYS.AUTO_UPDATE, true);
         final boolean forceupdate = getSettings().getBoolean(Settings.KEYS.HOSTED_SUPPRESSIONS_FORCEUPDATE, false);
 
diff --git a/core/src/main/java/org/owasp/dependencycheck/data/update/HostedSuppressionsDataSource.java b/core/src/main/java/org/owasp/dependencycheck/data/update/HostedSuppressionsDataSource.java
@@ -66,7 +66,8 @@ public boolean update(Engine engine) throws UpdateException {
         final boolean forceupdate = settings.getBoolean(Settings.KEYS.HOSTED_SUPPRESSIONS_FORCEUPDATE, false);
         final boolean cpeSuppressionEnabled = settings.getBoolean(Settings.KEYS.ANALYZER_CPE_SUPPRESSION_ENABLED, true);
         final boolean vulnSuppressionEnabled = settings.getBoolean(Settings.KEYS.ANALYZER_VULNERABILITY_SUPPRESSION_ENABLED, true);
-        final boolean enabled = cpeSuppressionEnabled || vulnSuppressionEnabled;
+        boolean enabled = settings.getBoolean(Settings.KEYS.HOSTED_SUPPRESSIONS_ENABLED, true);
+        enabled = enabled && (cpeSuppressionEnabled || vulnSuppressionEnabled);
         try {
             final URL url = new URL(configuredUrl);
             final File filepath = new File(url.getPath());
diff --git a/core/src/main/resources/dependencycheck.properties b/core/src/main/resources/dependencycheck.properties
@@ -172,6 +172,10 @@ database.batchinsert.maxsize=1000
 analyzer.artifactory.enabled=false
 odc.reports.pretty.print=false
 
+hosted.suppressions.enabled=true
+hosted.suppressions.url=https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
+hosted.suppressions.validforhours=2
+
 ## The following controls the max query limit used in the CPE searches for each ecosystem
 odc.ecosystem.maxquerylimit.native=1000
 odc.ecosystem.maxquerylimit.default=100
diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -975,6 +975,12 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
     @SuppressWarnings("CanBeFinal")
     @Parameter(property = "hostedSuppressionsForceUpdate")
     private Boolean hostedSuppressionsForceUpdate;
+    /**
+     * Whether the hosted suppressions file will be used.
+     */
+    @SuppressWarnings("CanBeFinal")
+    @Parameter(property = "hostedSuppressionsEnabled")
+    private Boolean hostedSuppressionsEnabled;
     /**
      * Skip excessive hosted suppression file update checks for a designated
      * duration in hours (defaults to 2 hours).
@@ -2318,6 +2324,7 @@ protected void populateSettings() {
         settings.setIntIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_VALID_FOR_HOURS, hostedSuppressionsValidForHours);
         settings.setStringIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_URL, hostedSuppressionsUrl);
         settings.setBooleanIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_FORCEUPDATE, hostedSuppressionsForceUpdate);
+        settings.setBooleanIfNotNull(Settings.KEYS.HOSTED_SUPPRESSIONS_ENABLED, hostedSuppressionsEnabled);
     }
 
     /**
diff --git a/maven/src/site/markdown/configuration.md b/maven/src/site/markdown/configuration.md
@@ -162,12 +162,13 @@ connectionString         | The connection string used to connect to the database
 serverId                 | The id of a server defined in the settings.xml; this can be used to encrypt the database password. See [password encryption](http://maven.apache.org/guides/mini/guide-encryption.html) for more information. | &nbsp; |
 databaseUser             | The username used when connecting to the database.                                                                                         | &nbsp;                                                              |
 databasePassword         | The password used when connecting to the database.                                                                                         | &nbsp;                                                              |
-hostedSuppressionsForceUpdate                 | Whether the hosted suppressions file will update regardless of the `autoupdate` setting.                              | false
-hostedSuppressionsUrl                         | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments.                     | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
-hostedSuppressionsValidForHours            | Sets the number of hours to wait before checking for new updates from the NVD.                                     | 2
-retireJsUrlServerId      | The id of a server defined in the settings.xml to retrieve the credentials (username and password) to connect to RetireJS instance. | &nbsp;
-retireJsUser          | If you don't want register user/password in settings.xml, you can specify user. | &nbsp;
-retireJsPassword         | If you don't want register user/password in settings.xml, you can specify user. | &nbsp;
+hostedSuppressionsEnabled      | Whether the hosted suppressions file will be used.                                                                                    | true
+hostedSuppressionsForceUpdate  | Whether the hosted suppressions file will update regardless of the `autoupdate` setting.                                             | false
+hostedSuppressionsUrl          | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments.                                    | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
+hostedSuppressionsValidForHours| Sets the number of hours to wait before checking for new updates from the NVD.                                                       | 2
+retireJsUrlServerId      | The id of a server defined in the settings.xml to retrieve the credentials (username and password) to connect to RetireJS instance.        | &nbsp;
+retireJsUser             | If you don't want register user/password in settings.xml, you can specify user.                                                            | &nbsp;
+retireJsPassword         | If you don't want register user/password in settings.xml, you can specify user.                                                            | &nbsp;
 
 Proxy Configuration
 ====================
diff --git a/src/site/markdown/dependency-check-gradle/configuration-aggregate.md b/src/site/markdown/dependency-check-gradle/configuration-aggregate.md
@@ -180,10 +180,10 @@ ossIndex     | password              | The password or API token to connect to S
 ossIndex     | warnOnlyOnRemoteErrors| Sets whether remote errors from the OSS Index (e.g. BAD GATEWAY, RATE LIMIT EXCEEDED) will result in warnings only instead of failing execution. | false
 slack        | enabled               | Whether or not slack notifications are enabled.                                                                   | false
 slack        | webhookUrl            | The custom incoming webhook URL to receive notifications.                                                         | &nbsp;
-hostedSuppressions | enabled         | The number of hours to wait before checking for new updates of the hosted suppressions file .                     | 2
+hostedSuppressions | enabled         | Whether the hosted suppressions file will be used.                                                                | true
 hostedSuppressions | forceupdate     | Sets whether hosted suppressions file will update regardless of the `autoupdate` setting.                         | false
 hostedSuppressions | url             | The URL to the Retire JS repository.                                                                              | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
-
+hostedSuppressions | validForHours   | The number of hours to wait before checking for new updates of the hosted suppressions file .                     | 2
 
 #### Example
 ```groovy
diff --git a/src/site/markdown/dependency-check-gradle/configuration-update.md b/src/site/markdown/dependency-check-gradle/configuration-update.md
@@ -75,6 +75,10 @@ data         | driverPath        | The path to the database driver JAR file; onl
 data         | connectionString  | The connection string used to connect to the database. See using a [database server](../data/database.html). | &nbsp;                                                              |
 data         | username          | The username used when connecting to the database.                                                           | &nbsp;                                                              |
 data         | password          | The password used when connecting to the database.                                                           | &nbsp;                                                              |
+hostedSuppressions | enabled         | Whether the hosted suppressions file will be used.                                                       | true
+hostedSuppressions | forceupdate     | Sets whether hosted suppressions file will update regardless of the `autoupdate` setting.                | false
+hostedSuppressions | url             | The URL to the Retire JS repository.                                                                     | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
+hostedSuppressions | validForHours   | The number of hours to wait before checking for new updates of the hosted suppressions file .            | 2
 
 #### Example
 ```groovy
diff --git a/src/site/markdown/dependency-check-gradle/configuration.md b/src/site/markdown/dependency-check-gradle/configuration.md
diff --git a/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
