odc.application.name=${pom.name}
odc.application.version=${pom.version}
odc.autoupdate=true

# the url to obtain the current engine version from
engine.version.url=https://dependency-check.github.io/DependencyCheck/current.txt

#temp.directory defaults to System.getProperty("java.io.tmpdir")
#temp.directory=[path to temp directory]

# the path to the data directory; the [JAR] signifies to use the relative path
# to the dependency-check-core JAR file. This path is only used to construct
# the connection string for the H2 driver (or other drivers that require a file path
# to be supplied. If you are using another database (MySQL, Oracle, etc.) this property
# will not be used. The data.directory will be resolved and if the connection string
# below contains a %s then the data.directory will replace the %s.
data.directory=[JAR]/data
#if the filename has a %s it will be replaced with the current expected version
data.file_name=0dc.mv.db
data.version=5.3

#The analysis timeout in minutes
odc.analysis.timeout=20

# define which settings are masked when logged
odc.settings.mask=.*password.*,.*token.*,.*api.key.*

data.connection_string=jdbc:h2:file:%s;AUTOCOMMIT=ON;CACHE_SIZE=65536;
#data.connection_string=jdbc:mysql://localhost:3306/dependencycheck

# user name and password for the database connection. The inherent case is to use H2.
# As such, this unsecure username/password exist.
data.user=dcuser
data.password=DC-Pass1337!
# The following are only used if the DB Driver is not JDBC4 compliant and/or the driver
# is not in the current classpath. Setting these properties will add the give path(s) to
# the class loader and then register the driver with the DriverManager. If the class is
# not in the path you must specify both the driver name (aka the fully qualified driver name)
# and the driver path. The driver path can be a semi-colon separated list of files/directories
# to ensure any and all needed files can be added to the classpath to load the driver.
# For non-JDBC4 drivers in the classpath only the driver_name needs to be set.
# For MOST situations these properties likely do not need to be set.
#data.driver_path=
data.driver_name=org.h2.Driver

# the class name of the write lock shutdown hook
data.writelock.shutdownhook=org.owasp.dependencycheck.utils.WriteLockCleanupHook

proxy.disableSchemas=true

nvd.api.check.validforhours=4
nvd.api.datafeed.validfordays=7
nvd.api.max.retry.count=30
nvd.api.delay=0
nvd.api.requestsperthirtysecondswithoutapikey=5
nvd.api.requestsperthirtysecondswithapikey=50
#nvd.api.datafeed.url=https://example.com/nvd-cache/
#nvd.api.datafeed.user=
#nvd.api.datafeed.password=

cve.cpe.startswith.filter=cpe:2.3:a:

max.download.threads=2

#Known Exploited Vulnerabilities
kev.url=https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
kev.check.validforhours=24

cpe.validfordays=30
cpe.url=https://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz


# the URL for searching Nexus for SHA-1 hashes and whether it's enabled
analyzer.nexus.url=https://repository.sonatype.org/service/local/
# If set to true, the proxy will still ONLY be used if the proxy properties (proxy.url, proxy.port)
# are configured

# the URL for searching search.maven.org for SHA-1 and whether it's enabled
analyzer.central.enabled=true
analyzer.central.url=https://search.maven.org/solrsearch/select
central.content.url=https://search.maven.org/remotecontent?filepath=
# Note - the central query is used in a String.format(query, url, sha1)).
# As such, it must have two %s and any other % must be escapped by doubling it
analyzer.central.query=%s?q=1:%s&wt=xml
analyzer.central.retry.count=3
analyzer.central.parallel.analysis=false

# the URL for searching NPM Audit API
analyzer.node.audit.url=https://registry.npmjs.org/-/npm/v1/security/audits
analyzer.retirejs.enabled=true
analyzer.retirejs.repo.validforhours=24
analyzer.retirejs.repo.js.url=https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json

# the number of nested archives that will be searched.
archive.scan.depth=3

# use HEAD (default) or GET as HTTP request method for query timestamp
downloader.quick.query.timestamp=true
downloader.tls.protocols=TLSv1.1,TLSv1.2,TLSv1.3


# defines if the experimental and retired analyzers can be enabled
analyzer.experimental.enabled=false
analyzer.retired.enabled=false

analyzer.jar.enabled=true
analyzer.knownexploited.enabled=true
analyzer.archive.enabled=true
analyzer.node.package.enabled=true
analyzer.node.audit.enabled=true
analyzer.composer.lock.enabled=true
analyzer.golang.mod.enabled=true
analyzer.mix.audit.enabled=true
analyzer.python.distribution.enabled=true
analyzer.python.package.enabled=true
analyzer.ruby.gemspec.enabled=true
analyzer.autoconf.enabled=true
analyzer.cmake.enabled=true
analyzer.assembly.enabled=true
analyzer.nuspec.enabled=true
analyzer.nugetconf.enabled=true
analyzer.openssl.enabled=true
analyzer.nexus.enabled=false
analyzer.cocoapods.enabled=true
analyzer.carthage.enabled=true
analyzer.swift.package.manager.enabled=true
#whether the nexus analyzer uses the proxy
analyzer.nexus.proxy=true

#Use your own bundle-audit install directory.
analyzer.bundle.audit.path=/usr/local/bin/bundle-audit
analyzer.cpe.enabled=true
analyzer.npm.cpe.enabled=true
analyzer.cpesuppression.enabled=true
analyzer.dependencybundling.enabled=true
analyzer.dependencymerging.enabled=true
analyzer.falsepositive.enabled=true
analyzer.filename.enabled=true
analyzer.pe.enabled=true
analyzer.hint.enabled=true
analyzer.nvdcve.enabled=true
analyzer.vulnerabilitysuppression.enabled=true
analyzer.dart.enabled=true
analyzer.libman.enabled=true
updater.nvdcve.enabled=true
updater.versioncheck.enabled=true

ecosystem.skip.cpeanalyzer=npm
database.batchinsert.enabled=true
database.batchinsert.maxsize=1000

## The following controls the max query limit used in the CPE searches for each ecosystem
odc.ecosystem.maxquerylimit.native=1000
odc.ecosystem.maxquerylimit.default=100