up to date check for file based data sources broken

[amandel]

Describe the bug
There is a chance that I do not see the logic behind but what I see:

• the LAST_CHECKED date information of retirejs and hosted suppression is stored in the central database
• the actual publishedSuppressions.xml or jsrepository.json is stored in the local file system (.m2)

this leads to inconsistent data. Where the database property can state that the file is up to date but locally the copy might be outdated or even none existing.

Also the fact that such an update performs a write operation to the database leads to below warning since the usual scan user (dcuser) does not have write permission to this shared database. But this depends on the setup.

[WARNING] Unable to save property 'retirejs.checked' with a value of '12345678' to the database

This was introduced in #6260. I've put a comment on #6399 which is related but not the same.

Version of dependency-check used
The problem occurs using version 9.0.7 & 9.0.9ff

Expected behavior
Up to date information for local files must be stored locally.

Additional context
We use a central (PostgreSQL) database as mirror for the NVD data. A regular job executes org.owasp:dependency-check-maven:9.0.9:update-only using a privileged database user. The actual scans run independently on distributed systems where the less privileged dcuser is used to access the database.

[Ulriksen]

This makes no sense for us either. We run scans in various containers and sync the NIST data to a PostgreSQL database. Storing the timestamp centrally while keeping the data local seems like it just went a little fast with that feature.