Dependency check odc.autoupdate option is not respected #88

Closed
lread opened this issue Aug 4, 2024 · 4 comments · Fixed by #90
@lread
Contributor

lread commented Aug 4, 2024

Currently

While looking at #86, I noticed the following in the logs:

Downloading/Updating database.
2024-08-04 13:48:58,345 INFO Engine - Checking for updates
2024-08-04 13:48:58,353 INFO NvdApiDataSource - Skipping the NVD API Update as it was completed within the last 720 minutes
2024-08-04 13:48:58,597 INFO KnownExploitedDataSource - Skipping Known Exploited Vulnerabilities update check since last check was within 24 hours.
2024-08-04 13:48:58,605 INFO Engine - Check for updates complete (259 ms)
Download/Update completed.
2024-08-04 13:48:59,131 INFO Engine - Checking for updates
2024-08-04 13:48:59,132 INFO NvdApiDataSource - Skipping the NVD API Update as it was completed within the last 720 minutes
2024-08-04 13:48:59,362 INFO KnownExploitedDataSource - Skipping Known Exploited Vulnerabilities update check since last check was within 24 hours.
2024-08-04 13:48:59,373 INFO Engine - Check for updates complete (242 ms)

You'll notice the duplicate work.

Diagnosis

Clj-watson explicitly requests that the nvd database be updated, but dependency.check odc.autoupdate controls whether or not the nvd database is updated, and the clj-watson default is a very reasonable true.

Next

I'll follow up with a PR to remove clj-watson's explicit unnecessary request to update.

@seancorfield
Contributor

I wonder if there are any users out there who have their own dependency-check.properties with that set to false? (I very much doubt it, but it is a consideration for documenting this change, especially when we streamline the properties overrides as discussed in #70 ).

@lread
Contributor Author

lread commented Aug 4, 2024

Right. I guess if they had it set to false they would not want the nvd database to update, but the current behaviour is to always update. I'll reword this issue (and upcoming commit/changelog) to make it more apparent.

@lread lread changed the title from "code review: Unnecessary nvd db update" to "Dependency check odc.update option is not respected" Aug 4, 2024
@seancorfield seancorfield changed the title from "Dependency check odc.update option is not respected" to "Dependency check odc.autoupdate option is not respected" Aug 4, 2024
@lread
Contributor Author

lread commented Aug 4, 2024

Right! Thanks for the update to my update!

@lread
Contributor Author

lread commented Aug 4, 2024

Worth noting: The Dependency Check auto update default matches clj-watson dependency-check.properties default of true

lread added a commit to lread/clj-watson that referenced this issue Aug 4, 2024
Remove clj-watson's update of the nvd database.

Whether or not to update the nvd database is a dependency-check concern
and controlled by the `dependency-check.properties` `odc.autoupdate`
property.

Closes clj-holmes#88
@seancorfield seancorfield added this to the 6.0 milestone Aug 17, 2024
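
An added example, not code from clj-watson or Dependency-Check: a check that compares the `odc.autoupdate` value in a properties file against the number of update cycles a scan log shows, which is how the behaviour reported in this issue can be caught in CI. It assumes one `Engine - Checking for updates` line per update cycle, as in the log quoted in the issue, and simple `key=value` property lines; the function names are hypothetical.

```python
import re

# Excerpt of the log quoted in the issue (KnownExploitedDataSource lines omitted).
ISSUE_LOG = """\
Downloading/Updating database.
2024-08-04 13:48:58,345 INFO Engine - Checking for updates
2024-08-04 13:48:58,353 INFO NvdApiDataSource - Skipping the NVD API Update as it was completed within the last 720 minutes
2024-08-04 13:48:58,605 INFO Engine - Check for updates complete (259 ms)
Download/Update completed.
2024-08-04 13:48:59,131 INFO Engine - Checking for updates
2024-08-04 13:48:59,132 INFO NvdApiDataSource - Skipping the NVD API Update as it was completed within the last 720 minutes
2024-08-04 13:48:59,373 INFO Engine - Check for updates complete (242 ms)
"""

# Assumption: each update cycle starts with exactly one of these Engine lines.
UPDATE_START = re.compile(r"\bINFO\s+Engine - Checking for updates\s*$")


def autoupdate_enabled(properties_text):
    """Return the odc.autoupdate setting; an absent key means true (the default noted in the thread)."""
    enabled = True
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or properties comment
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "odc.autoupdate":
            enabled = value.strip().lower() == "true"  # last occurrence wins
    return enabled


def count_update_cycles(log_text):
    """Count update cycles seen in one scan's log."""
    return sum(1 for line in log_text.splitlines() if UPDATE_START.search(line))


def check_scan(properties_text, log_text):
    """Compare observed update cycles with what odc.autoupdate calls for (1 if true, 0 if false)."""
    enabled = autoupdate_enabled(properties_text)
    expected = 1 if enabled else 0
    seen = count_update_cycles(log_text)
    return {"autoupdate": enabled, "expected": expected, "seen": seen, "ok": seen == expected}


if __name__ == "__main__":
    # Constructed properties input: the operator has disabled automatic updates.
    print(check_scan("# constructed sample\nodc.autoupdate=false\n", ISSUE_LOG))
```

Run against a scan pinned to a pre-seeded database with `odc.autoupdate=false`, any `seen` value above zero means something other than the property triggered an update.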