Conversation

@chadlwilson chadlwilson (Collaborator) commented Jan 1, 2026

Description of Change

As noted in #8204, currently the code logs a misleading exception when the data feed metadata downloads fail, because it swallows the exception and logs the original cache.properties failure. That might be OK when using your own proxy or a cache produced by vulnz, but is misleading when using the NVD 2.0 data feeds, especially swallowing the original error (ex vs ex1).

} catch (URISyntaxException | TooManyRequestsException | ResourceNotFoundException | IOException ex1) {
throw new UpdateException("Unable to download the data feed META files", ex);

When pointing to the NVD 2.0 data feeds, the cache.properties doesn't exist (I think this is a vulnz invention?), so the metadata files always need to be checked remotely.

Furthermore, this also changes the feed file for a given year to be considered "mandatory" ONLY once it is 2nd Jan (or later) everywhere on earth. This way the code tries its best to find metadata on January 1st, without failing, so it avoids coupling our logic to when NVD happen to publish their feed (currently 03:00 Jan 1st UTC-05:00). Seeking feedback on this; this change is in a separate subsequent commit.

Minor related changes

  • fixes a date-dependent test that was written to fail after 2025-12-31
  • refactors the data feed parsing and URL building hijinxing off into the existing dedicated subclass
  • tweaks error messages to reflect possible usage of NVD 2.0 data feeds as in Support for NIST 2.0 data feeds #7514 (not just a "NVD API cache")

Related issues

Have test cases been added to cover the new functionality?

yes
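The two behaviours described in this PR, as an added illustration that is not the project's own code: chaining the remote META failure (ex1) as the cause instead of the earlier cache.properties failure, and treating a year's feed as mandatory only once it is Jan 2 everywhere on earth, checked by evaluating the date in UTC-12, the zone furthest behind. FeedMetaExample, MetaSource, loadMeta and isFeedMandatory are hypothetical names, and UpdateException here is a stand-in for the project's class.

```java
import java.io.IOException;
import java.time.Clock;
import java.time.Instant;
import java.time.LocalDate;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;

public final class FeedMetaExample {
    // UTC-12 is the zone furthest behind: once it is Jan 2 there, it is Jan 2 (or later) everywhere on earth.
    static final ZoneOffset LAST_ZONE = ZoneOffset.ofHours(-12);
    /** The feed for a year is mandatory only once Jan 2 of that year has arrived in every timezone. */
    static boolean isFeedMandatory(int year, Clock clock) {
        LocalDate today = ZonedDateTime.now(clock).withZoneSameInstant(LAST_ZONE).toLocalDate();
        return !today.isBefore(LocalDate.of(year, 1, 2));
    }
    // Hypothetical stand-in for the project's UpdateException.
    static final class UpdateException extends Exception { UpdateException(String m, Throwable c) { super(m, c); } }
    /** Hypothetical metadata source: the local cache.properties or the remote META file. */
    interface MetaSource { String load() throws IOException; }
    /** Falls back from cache.properties to the remote META file, reporting the failure that actually stopped us. */
    static String loadMeta(MetaSource cacheProperties, MetaSource remoteMeta) throws UpdateException {
        IOException cacheFailure;
        try {
            return cacheProperties.load();
        } catch (IOException ex) {
            cacheFailure = ex; // expected with the NVD 2.0 feeds, where no cache.properties exists
        }
        try {
            return remoteMeta.load();
        } catch (IOException ex1) {
            // ex1 (the remote failure) is the cause; the earlier cache failure is kept only as suppressed context.
            UpdateException e = new UpdateException("Unable to download the data feed META files", ex1);
            e.addSuppressed(cacheFailure);
            throw e;
        }
    }
    public static void main(String[] args) {
        // Constructed instants: 23:30 UTC on Jan 1 (still Jan 1 in UTC-12) and 12:00 UTC on Jan 2 (00:00 Jan 2 in UTC-12).
        Clock lateJan1 = Clock.fixed(Instant.parse("2026-01-01T23:30:00Z"), ZoneOffset.UTC);
        Clock noonJan2 = Clock.fixed(Instant.parse("2026-01-02T12:00:00Z"), ZoneOffset.UTC);
        System.out.println("2026 feed mandatory late on Jan 1 UTC? " + isFeedMandatory(2026, lateJan1));
        System.out.println("2026 feed mandatory at noon on Jan 2 UTC? " + isFeedMandatory(2026, noonJan2));
        try {
            loadMeta(() -> { throw new IOException("cache.properties missing"); },
                     () -> { throw new IOException("remote META download failed"); });
        } catch (UpdateException e) {
            System.out.println("cause: " + e.getCause().getMessage() + "; suppressed: " + e.getSuppressed()[0].getMessage());
        }
    }
}
```

Reading the cause from the logged UpdateException then points at the remote download that actually failed, with the cache.properties miss still visible via getSuppressed().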

…t error

Also refactors the codebase to avoid such issues and simplify the URL handling

Signed-off-by: Chad Wilson <[email protected]>
@boring-cyborg boring-cyborg bot added core changes to core tests test cases labels Jan 1, 2026
@chadlwilson chadlwilson changed the title fix: Fix exception handling for NVD data feed downloads to log correct error fix: Fix exception handling for NVD data feed downloads Jan 2, 2026
@chadlwilson chadlwilson requested a review from Copilot January 2, 2026 08:44
@chadlwilson chadlwilson changed the title fix: Fix exception handling for NVD data feed downloads fix: Allow NVD data feed metadata downloads to fail on 1st Jan while logging correct errors Jan 2, 2026
Copilot AI (Contributor) left a comment

Pull request overview

This PR fixes exception handling for NVD data feed downloads by improving error reporting and handling edge cases around January 1st when new year feed files may not yet be available.

Key Changes:

  • Improves exception handling to properly report download failures instead of swallowing errors and logging misleading messages about cache.properties failures
  • Implements timezone-aware logic to make feed files mandatory only after January 2nd everywhere on earth, avoiding failures on January 1st when NVD feed files may not yet be published
  • Refactors URL parsing and formatting logic into a dedicated FeedUrl class with improved API

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

Files reviewed (file: description):

  • core/src/test/resources/suppressions_1_4.xml: Updates test expiration date from 2026 to 2046 to prevent date-dependent test failure
  • core/src/test/java/org/owasp/dependencycheck/xml/suppression/SuppressionParserTest.java: Updates expected date in test to match the suppressions file change
  • core/src/test/java/org/owasp/dependencycheck/data/update/NvdApiDataSourceTest.java: Adds comprehensive test coverage for URL parsing, mandatory year logic, and metadata retrieval with timezone edge cases
  • core/src/main/java/org/owasp/dependencycheck/data/update/NvdApiDataSource.java: Refactors URL extraction to FeedUrl class, improves exception handling in metadata download fallback, implements timezone-aware mandatory year logic, and updates error messages to reference "Cache / Data Feed"


Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.



@chadlwilson chadlwilson force-pushed the correct-nvd-meta-exception-logging branch 3 times, most recently from 64399d1 to 4e9d846 Compare January 2, 2026 09:40
…il it is January 2nd everywhere

This avoids failures on January 1st given feed upload times are not guaranteed to be at any particular time of day in any particular timezone. We assume the metadata and feed should exist once it is January 2nd in the "earliest" TZ on earth.

Signed-off-by: Chad Wilson <[email protected]>
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.



@jeremylong jeremylong (Collaborator) left a comment

LGTM

@jeremylong jeremylong merged commit 38e7e3d into dependency-check:main Jan 3, 2026
9 checks passed
@jeremylong jeremylong added this to the 12.2.0 milestone Jan 3, 2026
@chadlwilson chadlwilson deleted the correct-nvd-meta-exception-logging branch January 3, 2026 12:40
Labels

core (changes to core), tests (test cases)

Development

Successfully merging this pull request may close these issues.

Using parameter nvdDatafeed stopped working (feed 2.0)

2 participants