merge upstream

dependency-check-core/src/main/resources/data/dbStatements_h2.properties

@@ -13,3 +13,4 @@
 # limitations under the License.
 
 MERGE_PROPERTY=MERGE INTO properties (id, value) KEY(id) VALUES(?, ?)
+CLEANUP_ORPHANS=DELETE FROM cpeEntry WHERE id IN (SELECT id FROM cpeEntry LEFT JOIN software ON cpeEntry.id = software.CPEEntryId WHERE software.CPEEntryId IS NULL)

dependency-check-core/src/main/resources/data/initialize_mysql.sql

@@ -54,4 +54,4 @@ DELIMITER ;
 
 GRANT EXECUTE ON PROCEDURE dependencycheck.save_property TO 'dcuser';
 
-UPDATE Properties SET value='3.0' WHERE ID='version';
+UPDATE properties SET value='3.0' WHERE ID='version';

dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml

@@ -319,4 +319,98 @@
         <filePath regex="true">.*\.(jar|exe|dll|ear|war|pom)</filePath>
         <cpe>cpe:/a:class:class</cpe>
     </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        Linux ssh False Positives
+        ]]></notes>
+        <filePath regex="true">.*\.(jar|ear|war|pom)</filePath>
+        <cpe>cpe:/a:pam:pam</cpe>
+        <cpe>cpe:/a:pam_ssh:pam_ssh</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        elastic search false postivies
+        ]]></notes>
+        <gav regex="true">org\.elasticsearch:securesm:.*</gav>
+        <cpe>cpe:/a:elasticsearch:elasticsearch</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        Glassfish false positives.
+        ]]></notes>
+        <gav regex="true">org\.glassfish:javax.el:.*</gav>
+        <cpe>cpe:/a:oracle:glassfish</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        Struts false positives.
+        ]]></notes>
+        <gav regex="true">sslext:sslext:.*</gav>
+        <cpe>cpe:/a:apache:struts</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        ACtiveMQ false positives.
+        ]]></notes>
+        <gav regex="true">org\.apache\.activemq:activemq-pool.*</gav>
+        <cpe>cpe:/a:apache:activemq</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        ACtiveMQ false positives.
+        ]]></notes>
+        <gav regex="true">org\.apache\.activemq:artemis.*</gav>
+        <cpe>cpe:/a:apache:activemq</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        Spring data mongodb false positives.
+        ]]></notes>
+        <gav regex="true">org\.springframework\.data:spring-data-mongodb.*</gav>
+        <cpe>cpe:/a:mongodb:mongodb</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        Spring data neo4j false positives.
+        ]]></notes>
+        <gav regex="true">org\.springframework\.data:spring-data-neo4j:.*</gav>
+        <cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
+        <cpe>cpe:/a:pivotal:spring_framework</cpe>
+        <cpe>cpe:/a:neo4j:neo4j</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        Spring data solr false positives.
+        ]]></notes>
+        <gav regex="true">org\.springframework\.data:spring-data-solr:.*</gav>
+        <cpe>cpe:/a:apache:solr</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        Spring social facebook false positive.
+        ]]></notes>
+        <gav regex="true">org\.springframework\.social:spring-social-facebook:.*</gav>
+        <cpe>cpe:/a:facebook:facebook</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        Spring Security JWT false positive.
+        ]]></notes>
+        <gav regex="true">org\.springframework\.security:spring-security-jwt.*</gav>
+        <cpe>cpe:/a:vmware:springsource_spring_security</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        Aether false positive.
+        ]]></notes>
+        <gav regex="true">org.eclipse.aether:aether.*</gav>
+        <cpe>cpe:/a:eclipse:eclipse_ide</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        Drupal services false positive.
+        ]]></notes>
+        <filePath regex="true">.*\.(jar|ear|war|pom)</filePath>
+        <cpe>cpe:/a:services_project:services</cpe>
+    </suppress>
 </suppressions>

dependency-check-core/src/main/resources/dependencycheck.properties

@@ -63,13 +63,6 @@ cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
 cpe.validfordays=30
 cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz
 
-# file type analyzer settings:
-analyzer.archive.enabled=true
-analyzer.jar.enabled=true
-analyzer.nuspec.enabled=true
-analyzer.assembly.enabled=true
-analyzer.composer.lock.enabled=true
-
 # the URL for searching Nexus for SHA-1 hashes and whether it's enabled
 analyzer.nexus.enabled=true
 analyzer.nexus.url=https://repository.sonatype.org/service/local/
@@ -87,7 +80,7 @@ archive.scan.depth=3
 # use HEAD (default) or GET as HTTP request method for query timestamp
 downloader.quick.query.timestamp=true
 
-
+analyzer.experimental.enabled=false
 analyzer.jar.enabled=true
 analyzer.archive.enabled=true
 analyzer.node.package.enabled=true