updated license to apache 2.0

Former-commit-id: 15ae4bc58338bbc4da6ba4a98f19f276add8a76c

dependency-check-core/config/checkstyle-header.txt

@@ -1,18 +1,17 @@
 ^/\*\s*$
 ^ \* This file is part of dependency-check-core\.\s*$
 ^ \*\s*$
-^ \* Dependency-check-core is free software\: you can redistribute it and/or modify it\s*$
+^ \* Licensed under the Apache License, Version 2\.0 \(the "License"\);\s*$
-^ \* under the terms of the GNU General Public License as published by the Free\s*$
+^ \* you may not use this file except in compliance with the License.\s*$
-^ \* Software Foundation, either version 3 of the License, or \(at your option\) any\s*$
+^ \* You may obtain a copy of the License at\s*$
-^ \* later version\.
 ^ \*\s*$
-^ \* Dependency-check-core is distributed in the hope that it will be useful, but\s*$
+^ \*\s*http://www.apache.org/licenses/LICENSE-2\.0\s*$
-^ \* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or\s*$
-^ \* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more\s*$
-^ \* details\.\s*$
 ^ \*\s*$
-^ \* You should have received a copy of the GNU General Public License along with\s*$
+^ \* Unless required by applicable law or agreed to in writing, software\s*$
-^ \* dependency-check-core\. If not, see http://www.gnu.org/licenses/\.\s*$
+^ \* distributed under the License is distributed on an "AS IS" BASIS,\s*$
+^ \* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied\.\s*$
+^ \* See the License for the specific language governing permissions and\s*$
+^ \* limitations under the License\.\s*$
 ^ \*\s*$
 ^ \* Copyright \(c\) 201[234] (Jeremy Long|Steve Springett)\. All Rights Reserved\.\s*$
 ^ \*/\s*$

dependency-check-core/pom.xml

@@ -1,20 +1,19 @@
 <!--
-Copyright (c) 2012 - Jeremy Long
+This file is part of dependency-check-core.
 
-This file is part of Dependency-Check.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
 
-Dependency-Check is free software: you can redistribute it and/or modify
+    http://www.apache.org/licenses/LICENSE-2.0
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation, either version 3 of the License, or
-(at your option) any later version.
 
-Dependency-Check is distributed in the hope that it will be useful,
+Unless required by applicable law or agreed to in writing, software
-but WITHOUT ANY WARRANTY; without even the implied warranty of
+distributed under the License is distributed on an "AS IS" BASIS,
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-GNU General Public License for more details.
+See the License for the specific language governing permissions and
+limitations under the License.
 
-You should have received a copy of the GNU General Public License
+Copyright (c) 2012 Jeremy Long. All Rights Reserved.
-along with Dependency-Check.  If not, see <http://www.gnu.org/licenses />.
 -->
 
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">

dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzer.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -29,9 +28,8 @@ import java.util.Set;
 public abstract class AbstractAnalyzer implements Analyzer {
 
     /**
-     * Utility method to help in the creation of the extensions set. This
+     * Utility method to help in the creation of the extensions set. This constructs a new Set that can be used in a
-     * constructs a new Set that can be used in a final static
+     * final static declaration.<br/><br/>
-     * declaration.<br/><br/>
      *
      * This implementation was copied from
      * http://stackoverflow.com/questions/2041778/initialize-java-hashset-values-by-construction

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
@@ -29,8 +28,7 @@ import org.owasp.dependencycheck.suppression.SuppressionRule;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
- * Abstract base suppression analyzer that contains methods for parsing the
+ * Abstract base suppression analyzer that contains methods for parsing the suppression xml file.
- * suppression xml file.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
@@ -50,8 +48,7 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
      * Returns whether or not this analyzer can process the given extension.
      *
      * @param extension the file extension to test for support.
-     * @return whether or not the specified file extension is supported by this
+     * @return whether or not the specified file extension is supported by this analyzer.
-     * analyzer.
      */
     @Override
     public boolean supportsExtension(String extension) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisException.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Analyzer.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -23,40 +22,38 @@ import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Dependency;
 
 /**
- * An interface that defines an Analyzer that is used to identify Dependencies.
+ * An interface that defines an Analyzer that is used to identify Dependencies. An analyzer will collect information
- * An analyzer will collect information about the dependency in the form of
+ * about the dependency in the form of Evidence.
- * Evidence.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public interface Analyzer {
 
     /**
-     * Analyzes the given dependency. The analysis could be anything from
+     * Analyzes the given dependency. The analysis could be anything from identifying an Identifier for the dependency,
-     * identifying an Identifier for the dependency, to finding vulnerabilities,
+     * to finding vulnerabilities, etc. Additionally, if the analyzer collects enough information to add a description
-     * etc. Additionally, if the analyzer collects enough information to add a
+     * or license information for the dependency it should be added.
-     * description or license information for the dependency it should be added.
      *
      * @param dependency a dependency to analyze.
-     * @param engine the engine that is scanning the dependencies - this is
+     * @param engine the engine that is scanning the dependencies - this is useful if we need to check other
-     * useful if we need to check other dependencies
+     * dependencies
-     * @throws AnalysisException is thrown if there is an error analyzing the
+     * @throws AnalysisException is thrown if there is an error analyzing the dependency file
-     * dependency file
      */
     void analyze(Dependency dependency, Engine engine) throws AnalysisException;
 
     /**
-     * <p>Returns a list of supported file extensions. An example would be an
+     * <p>
-     * analyzer that inspected java jar files. The getSupportedExtensions
+     * Returns a list of supported file extensions. An example would be an analyzer that inspected java jar files. The
-     * function would return a set with a single element "jar".</p>
+     * getSupportedExtensions function would return a set with a single element "jar".</p>
      *
-     * <p><b>Note:</b> when implementing this the extensions returned MUST be
+     * <p>
-     * lowercase.</p>
+     * <b>Note:</b> when implementing this the extensions returned MUST be lowercase.</p>
      *
      * @return The file extensions supported by this analyzer.
      *
-     * <p>If the analyzer returns null it will not cause additional files to be
+     * <p>
-     * analyzed but will be executed against every file loaded</p>
+     * If the analyzer returns null it will not cause additional files to be analyzed but will be executed against every
+     * file loaded</p>
      */
     Set<String> getSupportedExtensions();
 
@@ -71,8 +68,7 @@ public interface Analyzer {
      * Returns whether or not this analyzer can process the given extension.
      *
      * @param extension the file extension to test for support.
-     * @return whether or not the specified file extension is supported by this
+     * @return whether or not the specified file extension is supported by this analyzer.
-     * analyzer.
      */
     boolean supportsExtension(String extension);
 
@@ -84,17 +80,14 @@ public interface Analyzer {
     AnalysisPhase getAnalysisPhase();
 
     /**
-     * The initialize method is called (once) prior to the analyze method being
+     * The initialize method is called (once) prior to the analyze method being called on all of the dependencies.
-     * called on all of the dependencies.
      *
-     * @throws Exception is thrown if an exception occurs initializing the
+     * @throws Exception is thrown if an exception occurs initializing the analyzer.
-     * analyzer.
      */
     void initialize() throws Exception;
 
     /**
-     * The close method is called after all of the dependencies have been
+     * The close method is called after all of the dependencies have been analyzed.
-     * analyzed.
      *
      * @throws Exception is thrown if an exception occurs closing the analyzer.
      */

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
@@ -45,8 +44,9 @@ import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
- * <p>An analyzer that extracts files from archives and ensures any supported
+ * <p>
- * files contained within the archive are added to the dependency list.</p>
+ * An analyzer that extracts files from archives and ensures any supported files contained within the archive are added
+ * to the dependency list.</p>
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
@@ -57,8 +57,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
      */
     private static final int BUFFER_SIZE = 4096;
     /**
-     * The count of directories created during analysis. This is used for
+     * The count of directories created during analysis. This is used for creating temporary directories.
-     * creating temporary directories.
      */
     private static int dirCount = 0;
     /**
@@ -66,8 +65,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
      */
     private File tempFileLocation = null;
     /**
-     * The max scan depth that the analyzer will recursively extract nested
+     * The max scan depth that the analyzer will recursively extract nested archives.
-     * archives.
      */
     private static final int MAX_SCAN_DEPTH = Settings.getInt("archive.scan.depth", 3);
     /**
@@ -110,8 +108,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
      * Returns whether or not this analyzer can process the given extension.
      *
      * @param extension the file extension to test for support.
-     * @return whether or not the specified file extension is supported by this
+     * @return whether or not the specified file extension is supported by this analyzer.
-     * analyzer.
      */
     public boolean supportsExtension(String extension) {
         return EXTENSIONS.contains(extension);
@@ -130,8 +127,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
     /**
      * The initialize method does nothing for this Analyzer.
      *
-     * @throws Exception is thrown if there is an exception deleting or creating
+     * @throws Exception is thrown if there is an exception deleting or creating temporary files
-     * temporary files
      */
     @Override
     public void initialize() throws Exception {
@@ -156,8 +152,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
     /**
      * The close method does nothing for this Analyzer.
      *
-     * @throws Exception thrown if there is an exception deleting temporary
+     * @throws Exception thrown if there is an exception deleting temporary files
-     * files
      */
     @Override
     public void close() throws Exception {
@@ -167,9 +162,8 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
     }
 
     /**
-     * Analyzes a given dependency. If the dependency is an archive, such as a
+     * Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted,
-     * WAR or EAR, the contents are extracted, scanned, and added to the list of
+     * scanned, and added to the list of dependencies within the engine.
-     * dependencies within the engine.
      *
      * @param dependency the dependency to analyze
      * @param engine the engine scanning
@@ -204,7 +198,6 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
                 d.setFileName(displayName);
 
                 //TODO - can we get more evidence from the parent? EAR contains module name, etc.
-
                 //analyze the dependency (i.e. extract files) if it is a supported type.
                 if (this.supportsExtension(d.getFileExtension()) && scanDepth < MAX_SCAN_DEPTH) {
                     scanDepth += 1;
@@ -292,8 +285,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
      * @param input the archive to extract files from
      * @param destination the location to write the files too
      * @param engine the dependency-check engine
-     * @throws ArchiveExtractionException thrown if there is an exception
+     * @throws ArchiveExtractionException thrown if there is an exception extracting files from the archive
-     * extracting files from the archive
      */
     private void extractArchive(ArchiveInputStream input, File destination, Engine engine) throws ArchiveExtractionException {
         ArchiveEntry entry;
@@ -365,8 +357,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
      *
      * @param inputStream the compressed file
      * @param outputFile the location to write the decompressed file
-     * @throws ArchiveExtractionException thrown if there is an exception
+     * @throws ArchiveExtractionException thrown if there is an exception decompressing the file
-     * decompressing the file
      */
     private void decompressFile(CompressorInputStream inputStream, File outputFile) throws ArchiveExtractionException {
         FileOutputStream out = null;

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveExtractionException.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -34,26 +33,25 @@ import org.apache.lucene.queryparser.classic.ParseException;
 import org.apache.lucene.search.ScoreDoc;
 import org.apache.lucene.search.TopDocs;
 import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.data.lucene.LuceneUtils;
-import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.dependency.Evidence;
-import org.owasp.dependencycheck.dependency.Evidence.Confidence;
-import org.owasp.dependencycheck.dependency.EvidenceCollection;
 import org.owasp.dependencycheck.data.cpe.CpeMemoryIndex;
 import org.owasp.dependencycheck.data.cpe.Fields;
 import org.owasp.dependencycheck.data.cpe.IndexEntry;
 import org.owasp.dependencycheck.data.cpe.IndexException;
+import org.owasp.dependencycheck.data.lucene.LuceneUtils;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Evidence;
+import org.owasp.dependencycheck.dependency.Evidence.Confidence;
+import org.owasp.dependencycheck.dependency.EvidenceCollection;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.VulnerableSoftware;
 import org.owasp.dependencycheck.utils.DependencyVersion;
 import org.owasp.dependencycheck.utils.DependencyVersionUtil;
 
 /**
- * CPEAnalyzer is a utility class that takes a project dependency and attempts
+ * CPEAnalyzer is a utility class that takes a project dependency and attempts to discern if there is an associated CPE.
- * to discern if there is an associated CPE. It uses the evidence contained
+ * It uses the evidence contained within the dependency to search the Lucene index.
- * within the dependency to search the Lucene index.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
@@ -68,18 +66,15 @@ public class CPEAnalyzer implements Analyzer {
      */
     static final String WEIGHTING_BOOST = "^5";
     /**
-     * A string representation of a regular expression defining characters
+     * A string representation of a regular expression defining characters utilized within the CPE Names.
-     * utilized within the CPE Names.
      */
     static final String CLEANSE_CHARACTER_RX = "[^A-Za-z0-9 ._-]";
     /**
-     * A string representation of a regular expression used to remove all but
+     * A string representation of a regular expression used to remove all but alpha characters.
-     * alpha characters.
      */
     static final String CLEANSE_NONALPHA_RX = "[^A-Za-z]*";
     /**
-     * The additional size to add to a new StringBuilder to account for extra
+     * The additional size to add to a new StringBuilder to account for extra data that will be written into the string.
-     * data that will be written into the string.
      */
     static final int STRING_BUILDER_BUFFER = 20;
     /**
@@ -94,10 +89,9 @@ public class CPEAnalyzer implements Analyzer {
     /**
      * Opens the data source.
      *
-     * @throws IOException when the Lucene directory to be queried does not
+     * @throws IOException when the Lucene directory to be queried does not exist or is corrupt.
-     * exist or is corrupt.
+     * @throws DatabaseException when the database throws an exception. This usually occurs when the database is in use
-     * @throws DatabaseException when the database throws an exception. This
+     * by another process.
-     * usually occurs when the database is in use by another process.
      */
     public void open() throws IOException, DatabaseException {
         Logger.getLogger(CPEAnalyzer.class.getName()).log(Level.FINE, "Opening the CVE Database");
@@ -127,9 +121,8 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * Searches the data store of CPE entries, trying to identify the CPE for
+     * Searches the data store of CPE entries, trying to identify the CPE for the given dependency based on the evidence
-     * the given dependency based on the evidence contained within. The
+     * contained within. The dependency passed in is updated with any identified CPE values.
-     * dependency passed in is updated with any identified CPE values.
      *
      * @param dependency the dependency to search for CPE entries on.
      * @throws CorruptIndexException is thrown when the Lucene index is corrupt.
@@ -175,10 +168,9 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * Returns the text created by concatenating the text and the values from
+     * Returns the text created by concatenating the text and the values from the EvidenceCollection (filtered for a
-     * the EvidenceCollection (filtered for a specific confidence). This
+     * specific confidence). This attempts to prevent duplicate terms from being added.<br/<br/> Note, if the evidence
-     * attempts to prevent duplicate terms from being added.<br/<br/> Note, if
+     * is longer then 200 characters it will be truncated.
-     * the evidence is longer then 200 characters it will be truncated.
      *
      * @param text the base text.
      * @param ec an EvidenceCollection
@@ -208,8 +200,7 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * Reduces the given confidence by one level. This returns LOW if the
+     * Reduces the given confidence by one level. This returns LOW if the confidence passed in is not HIGH.
-     * confidence passed in is not HIGH.
      *
      * @param c the confidence to reduce.
      * @return One less then the confidence passed in.
@@ -225,18 +216,18 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * <p>Searches the Lucene CPE index to identify possible CPE entries
+     * <p>
-     * associated with the supplied vendor, product, and version.</p>
+     * Searches the Lucene CPE index to identify possible CPE entries associated with the supplied vendor, product, and
+     * version.</p>
      *
-     * <p>If either the vendorWeightings or productWeightings lists have been
+     * <p>
-     * populated this data is used to add weighting factors to the search.</p>
+     * If either the vendorWeightings or productWeightings lists have been populated this data is used to add weighting
+     * factors to the search.</p>
      *
      * @param vendor the text used to search the vendor field
      * @param product the text used to search the product field
-     * @param vendorWeightings a list of strings to use to add weighting factors
+     * @param vendorWeightings a list of strings to use to add weighting factors to the vendor field
-     * to the vendor field
+     * @param productWeightings Adds a list of strings that will be used to add weighting factors to the product search
-     * @param productWeightings Adds a list of strings that will be used to add
-     * weighting factors to the product search
      * @return a list of possible CPE values
      * @throws CorruptIndexException when the Lucene index is corrupt
      * @throws IOException when the Lucene index is not found
@@ -276,19 +267,17 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * <p>Builds a Lucene search string by properly escaping data and
+     * <p>
-     * constructing a valid search query.</p>
+     * Builds a Lucene search string by properly escaping data and constructing a valid search query.</p>
      *
-     * <p>If either the possibleVendor or possibleProducts lists have been
+     * <p>
-     * populated this data is used to add weighting factors to the search string
+     * If either the possibleVendor or possibleProducts lists have been populated this data is used to add weighting
-     * generated.</p>
+     * factors to the search string generated.</p>
      *
      * @param vendor text to search the vendor field
      * @param product text to search the product field
-     * @param vendorWeighting a list of strings to apply to the vendor to boost
+     * @param vendorWeighting a list of strings to apply to the vendor to boost the terms weight
-     * the terms weight
+     * @param productWeightings a list of strings to apply to the product to boost the terms weight
-     * @param productWeightings a list of strings to apply to the product to
-     * boost the terms weight
      * @return the Lucene query
      */
     protected String buildSearch(String vendor, String product,
@@ -309,17 +298,14 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * This method constructs a Lucene query for a given field. The searchText
+     * This method constructs a Lucene query for a given field. The searchText is split into separate words and if the
-     * is split into separate words and if the word is within the list of
+     * word is within the list of weighted words then an additional weighting is applied to the term as it is appended
-     * weighted words then an additional weighting is applied to the term as it
+     * into the query.
-     * is appended into the query.
      *
      * @param sb a StringBuilder that the query text will be appended to.
-     * @param field the field within the Lucene index that the query is
+     * @param field the field within the Lucene index that the query is searching.
-     * searching.
      * @param searchText text used to construct the query.
-     * @param weightedText a list of terms that will be considered higher
+     * @param weightedText a list of terms that will be considered higher importance when searching.
-     * importance when searching.
      * @return if the append was successful.
      */
     private boolean appendWeightedSearch(StringBuilder sb, String field, String searchText, Set<String> weightedText) {
@@ -358,8 +344,7 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * Removes characters from the input text that are not used within the CPE
+     * Removes characters from the input text that are not used within the CPE index.
-     * index.
      *
      * @param text is the text to remove the characters from.
      * @return the text having removed some characters.
@@ -369,8 +354,7 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * Compares two strings after lower casing them and removing the non-alpha
+     * Compares two strings after lower casing them and removing the non-alpha characters.
-     * characters.
      *
      * @param l string one to compare.
      * @param r string two to compare.
@@ -387,9 +371,8 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * Ensures that the CPE Identified matches the dependency. This validates
+     * Ensures that the CPE Identified matches the dependency. This validates that the product, vendor, and version
-     * that the product, vendor, and version information for the CPE are
+     * information for the CPE are contained within the dependencies evidence.
-     * contained within the dependencies evidence.
      *
      * @param entry a CPE entry.
      * @param dependency the dependency that the CPE entries could be for.
@@ -425,7 +408,6 @@ public class CPEAnalyzer implements Analyzer {
         //            }
         //        }
         //</editor-fold>
-
         //TODO - likely need to change the split... not sure if this will work for CPE with special chars
         if (text == null) {
             return false;
@@ -435,9 +417,9 @@ public class CPEAnalyzer implements Analyzer {
         String tempWord = null;
         for (String word : words) {
             /*
-            single letter words should be concatenated with the next word.
+             single letter words should be concatenated with the next word.
-            so { "m", "core", "sample" } -> { "mcore", "sample" }
+             so { "m", "core", "sample" } -> { "mcore", "sample" }
-            */
+             */
             if (tempWord != null) {
                 list.add(tempWord + word);
                 tempWord = null;
@@ -459,13 +441,11 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * Analyzes a dependency and attempts to determine if there are any CPE
+     * Analyzes a dependency and attempts to determine if there are any CPE identifiers for this dependency.
-     * identifiers for this dependency.
      *
      * @param dependency The Dependency to analyze.
      * @param engine The analysis engine
-     * @throws AnalysisException is thrown if there is an issue analyzing the
+     * @throws AnalysisException is thrown if there is an issue analyzing the dependency.
-     * dependency.
      */
     @Override
     public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
@@ -532,11 +512,9 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * Retrieves a list of CPE values from the CveDB based on the vendor and
+     * Retrieves a list of CPE values from the CveDB based on the vendor and product passed in. The list is then
-     * product passed in. The list is then validated to find only CPEs that are
+     * validated to find only CPEs that are valid for the given dependency. It is possible that the CPE identified is a
-     * valid for the given dependency. It is possible that the CPE identified is
+     * best effort "guess" based on the vendor, product, and version information.
-     * a best effort "guess" based on the vendor, product, and version
-     * information.
      *
      * @param dependency the Dependency being analyzed
      * @param vendor the vendor for the CPE being analyzed
@@ -622,8 +600,7 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * A simple object to hold an identifier and carry information about the
+     * A simple object to hold an identifier and carry information about the confidence in the identifier.
-     * confidence in the identifier.
      */
     private static class IdentifierMatch implements Comparable<IdentifierMatch> {
 
@@ -633,10 +610,8 @@ public class CPEAnalyzer implements Analyzer {
          * @param type the type of identifier (such as CPE)
          * @param value the value of the identifier
          * @param url the URL of the identifier
-         * @param identifierConfidence the confidence in the identifier: best
+         * @param identifierConfidence the confidence in the identifier: best guess or exact match
-         * guess or exact match
+         * @param evidenceConfidence the confidence of the evidence used to find the identifier
-         * @param evidenceConfidence the confidence of the evidence used to find
-         * the identifier
          */
         IdentifierMatch(String type, String value, String url, IdentifierConfidence identifierConfidence, Confidence evidenceConfidence) {
             this.identifier = new Identifier(type, value, url);
@@ -767,8 +742,8 @@ public class CPEAnalyzer implements Analyzer {
         //</editor-fold>
 
         /**
-         * Standard implementation of compareTo that compares identifier
+         * Standard implementation of compareTo that compares identifier confidence, evidence confidence, and then the
-         * confidence, evidence confidence, and then the identifier.
+         * identifier.
          *
          * @param o the IdentifierMatch to compare to
          * @return the natural ordering of IdentifierMatch

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzer.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
@@ -23,9 +22,8 @@ import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.suppression.SuppressionRule;
 
 /**
- * The suppression analyzer processes an externally defined XML document that
+ * The suppression analyzer processes an externally defined XML document that complies with the suppressions.xsd schema.
- * complies with the suppressions.xsd schema. Any identified CPE entries within
+ * Any identified CPE entries within the dependencies that match will be removed.
- * the dependencies that match will be removed.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -34,13 +33,12 @@ import org.owasp.dependencycheck.utils.DependencyVersionUtil;
 import org.owasp.dependencycheck.utils.LogUtils;
 
 /**
- * <p>This analyzer ensures dependencies that should be grouped together, to
+ * <p>
- * remove excess noise from the report, are grouped. An example would be Spring,
+ * This analyzer ensures dependencies that should be grouped together, to remove excess noise from the report, are
- * Spring Beans, Spring MVC, etc. If they are all for the same version and have
+ * grouped. An example would be Spring, Spring Beans, Spring MVC, etc. If they are all for the same version and have the
- * the same relative path then these should be grouped into a single dependency
+ * same relative path then these should be grouped into a single dependency under the core/main library.</p>
- * under the core/main library.</p>
+ * <p>
- * <p>Note, this grouping only works on dependencies with identified CVE
+ * Note, this grouping only works on dependencies with identified CVE entries</p>
- * entries</p>
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
@@ -92,8 +90,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
      * Returns whether or not this analyzer can process the given extension.
      *
      * @param extension the file extension to test for support
-     * @return whether or not the specified file extension is supported by this
+     * @return whether or not the specified file extension is supported by this analyzer.
-     * analyzer.
      */
     public boolean supportsExtension(String extension) {
         return true;
@@ -110,14 +107,12 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
     //</editor-fold>
 
     /**
-     * Analyzes a set of dependencies. If they have been found to have the same
+     * Analyzes a set of dependencies. If they have been found to have the same base path and the same set of
-     * base path and the same set of identifiers they are likely related. The
+     * identifiers they are likely related. The related dependencies are bundled into a single reportable item.
-     * related dependencies are bundled into a single reportable item.
      *
      * @param ignore this analyzer ignores the dependency being analyzed
      * @param engine the engine that is scanning the dependencies
-     * @throws AnalysisException is thrown if there is an error reading the JAR
+     * @throws AnalysisException is thrown if there is an error reading the JAR file.
-     * file.
      */
     @Override
     public void analyze(Dependency ignore, Engine engine) throws AnalysisException {
@@ -195,13 +190,11 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
     }
 
     /**
-     * Returns true if the file names (and version if it exists) of the two
+     * Returns true if the file names (and version if it exists) of the two dependencies are sufficiently similar.
-     * dependencies are sufficiently similar.
      *
      * @param dependency1 a dependency2 to compare
      * @param dependency2 a dependency2 to compare
-     * @return true if the identifiers in the two supplied dependencies are
+     * @return true if the identifiers in the two supplied dependencies are equal
-     * equal
      */
     private boolean fileNameMatch(Dependency dependency1, Dependency dependency2) {
         if (dependency1 == null || dependency1.getFileName() == null
@@ -248,13 +241,11 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
     }
 
     /**
-     * Returns true if the identifiers in the two supplied dependencies are
+     * Returns true if the identifiers in the two supplied dependencies are equal.
-     * equal.
      *
      * @param dependency1 a dependency2 to compare
      * @param dependency2 a dependency2 to compare
-     * @return true if the identifiers in the two supplied dependencies are
+     * @return true if the identifiers in the two supplied dependencies are equal
-     * equal
      */
     private boolean identifiersMatch(Dependency dependency1, Dependency dependency2) {
         if (dependency1 == null || dependency1.getIdentifiers() == null
@@ -299,13 +290,12 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
     }
 
     /**
-     * This is likely a very broken attempt at determining if the 'left'
+     * This is likely a very broken attempt at determining if the 'left' dependency is the 'core' library in comparison
-     * dependency is the 'core' library in comparison to the 'right' library.
+     * to the 'right' library.
      *
      * @param left the dependency to test
      * @param right the dependency to test against
-     * @return a boolean indicating whether or not the left dependency should be
+     * @return a boolean indicating whether or not the left dependency should be considered the "core" version.
-     * considered the "core" version.
      */
     private boolean isCore(Dependency left, Dependency right) {
         final String leftName = left.getFileName().toLowerCase();

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -36,8 +35,7 @@ import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.VulnerableSoftware;
 
 /**
- * This analyzer attempts to remove some well known false positives -
+ * This analyzer attempts to remove some well known false positives - specifically regarding the java runtime.
- * specifically regarding the java runtime.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
@@ -79,8 +77,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
      * Returns whether or not this analyzer can process the given extension.
      *
      * @param extension the file extension to test for support
-     * @return whether or not the specified file extension is supported by this
+     * @return whether or not the specified file extension is supported by this analyzer.
-     * analyzer.
      */
     public boolean supportsExtension(String extension) {
         return true;
@@ -97,13 +94,11 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     //</editor-fold>
 
     /**
-     * Analyzes the dependencies and removes bad/incorrect CPE associations
+     * Analyzes the dependencies and removes bad/incorrect CPE associations based on various heuristics.
-     * based on various heuristics.
      *
      * @param dependency the dependency to analyze.
      * @param engine the engine that is scanning the dependencies
-     * @throws AnalysisException is thrown if there is an error reading the JAR
+     * @throws AnalysisException is thrown if there is an error reading the JAR file.
-     * file.
      */
     @Override
     public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
@@ -115,15 +110,17 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     }
 
     /**
-     * <p>Intended to remove spurious CPE entries. By spurious we mean
+     * <p>
-     * duplicate, less specific CPE entries.</p>
+     * Intended to remove spurious CPE entries. By spurious we mean duplicate, less specific CPE entries.</p>
-     * <p>Example:</p>
+     * <p>
+     * Example:</p>
      * <code>
      * cpe:/a:some-vendor:some-product
      * cpe:/a:some-vendor:some-product:1.5
      * cpe:/a:some-vendor:some-product:1.5.2
      * </code>
-     * <p>Should be trimmed to:</p>
+     * <p>
+     * Should be trimmed to:</p>
      * <code>
      * cpe:/a:some-vendor:some-product:1.5.2
      * </code>
@@ -178,8 +175,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
         }
     }
     /**
-     * Regex to identify core java libraries and a few other commonly
+     * Regex to identify core java libraries and a few other commonly misidentified ones.
-     * misidentified ones.
      */
     public static final Pattern CORE_JAVA = Pattern.compile("^cpe:/a:(sun|oracle|ibm):(j2[ems]e|"
             + "java(_platfrom_micro_edition|_runtime_environment|_se|virtual_machine|se_development_kit|fx)?|"
@@ -190,8 +186,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     public static final Pattern CORE_FILES = Pattern.compile("^((alt[-])?rt|jsf[-].*|jsse|jfxrt|jfr|jce|javaws|deploy|charsets)\\.jar$");
 
     /**
-     * Removes any CPE entries for the JDK/JRE unless the filename ends with
+     * Removes any CPE entries for the JDK/JRE unless the filename ends with rt.jar
-     * rt.jar
      *
      * @param dependency the dependency to remove JRE CPEs from
      */
@@ -251,9 +246,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     }
 
     /**
-     * Removes bad CPE matches for a dependency. Unfortunately, right now these
+     * Removes bad CPE matches for a dependency. Unfortunately, right now these are hard-coded patches for specific
-     * are hard-coded patches for specific problems identified when testing this
+     * problems identified when testing this on a LARGE volume of jar files.
-     * on a LARGE volume of jar files.
      *
      * @param dependency the dependency to analyze
      */
@@ -266,10 +260,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
          * found based on LOW confidence evidence should have a different CPE type? (this
          * might be a better solution then just removing the URL for "best-guess" matches).
          */
-
         //Set<Evidence> groupId = dependency.getVendorEvidence().getEvidence("pom", "groupid");
         //Set<Evidence> artifactId = dependency.getVendorEvidence().getEvidence("pom", "artifactid");
-
         while (itr.hasNext()) {
             final Identifier i = itr.next();
             //TODO move this startswith expression to a configuration file?
@@ -294,8 +286,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     }
 
     /**
-     * Removes CPE matches for the wrong version of a dependency. Currently,
+     * Removes CPE matches for the wrong version of a dependency. Currently, this only covers Axis 1 & 2.
-     * this only covers Axis 1 & 2.
      *
      * @param dependency the dependency to analyze
      */
@@ -328,9 +319,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     }
 
     /**
-     * There are some known CPE entries, specifically regarding sun and oracle
+     * There are some known CPE entries, specifically regarding sun and oracle products due to the acquisition and
-     * products due to the acquisition and changes in product names, that based
+     * changes in product names, that based on given evidence we can add the related CPE entries to ensure a complete
-     * on given evidence we can add the related CPE entries to ensure a complete
      * list of CVE entries.
      *
      * @param dependency the dependency being analyzed

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java

@@ -1,28 +1,27 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
 import java.io.File;
-import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.dependency.Evidence;
 import java.util.Set;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Evidence;
 import org.owasp.dependencycheck.utils.DependencyVersion;
 import org.owasp.dependencycheck.utils.DependencyVersionUtil;
 
@@ -70,8 +69,7 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
      * Returns whether or not this analyzer can process the given extension.
      *
      * @param extension the file extension to test for support.
-     * @return whether or not the specified file extension is supported by this
+     * @return whether or not the specified file extension is supported by this analyzer.
-     * analyzer.
      */
     public boolean supportsExtension(String extension) {
         return true;
@@ -92,8 +90,7 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
      *
      * @param dependency the dependency to analyze.
      * @param engine the engine that is scanning the dependencies
-     * @throws AnalysisException is thrown if there is an error reading the JAR
+     * @throws AnalysisException is thrown if there is an error reading the JAR file.
-     * file.
      */
     @Override
     public void analyze(Dependency dependency, Engine engine) throws AnalysisException {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -67,8 +66,7 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
      * Returns whether or not this analyzer can process the given extension.
      *
      * @param extension the file extension to test for support.
-     * @return whether or not the specified file extension is supported by this
+     * @return whether or not the specified file extension is supported by this analyzer.
-     * analyzer.
      */
     public boolean supportsExtension(String extension) {
         return true;
@@ -85,13 +83,12 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
     //</editor-fold>
 
     /**
-     * The HintAnalyzer uses knowledge about a dependency to add additional
+     * The HintAnalyzer uses knowledge about a dependency to add additional information to help in identification of
-     * information to help in identification of identifiers or vulnerabilities.
+     * identifiers or vulnerabilities.
      *
      * @param dependency The dependency being analyzed
      * @param engine The scanning engine
-     * @throws AnalysisException is thrown if there is an exception analyzing
+     * @throws AnalysisException is thrown if there is an exception analyzing the dependency.
-     * the dependency.
      */
     @Override
     public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
@@ -110,7 +107,6 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
                 "SpringSource",
                 Evidence.Confidence.HIGH);
 
-
         Set<Evidence> evidence = dependency.getProductEvidence().getEvidence();
         if (evidence.contains(springTest1) || evidence.contains(springTest2)) {
             dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_framework", Evidence.Confidence.HIGH);
@@ -139,6 +135,5 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
             dependency.getVendorEvidence().addEvidence(e);
         }
 
-
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java

@@ -1,37 +1,28 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
 import java.io.File;
-import java.util.Enumeration;
-import java.util.logging.Level;
-import java.util.logging.Logger;
-import javax.xml.bind.JAXBException;
-import javax.xml.parsers.ParserConfigurationException;
-import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.dependency.Evidence;
-import org.owasp.dependencycheck.dependency.EvidenceCollection;
 import java.io.IOException;
 import java.io.InputStreamReader;
 import java.io.Reader;
 import java.util.ArrayList;
+import java.util.Enumeration;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -43,15 +34,23 @@ import java.util.jar.Attributes;
 import java.util.jar.JarEntry;
 import java.util.jar.JarFile;
 import java.util.jar.Manifest;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 import java.util.regex.Pattern;
 import java.util.zip.ZipEntry;
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.JAXBElement;
+import javax.xml.bind.JAXBException;
 import javax.xml.bind.Unmarshaller;
+import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
 import javax.xml.transform.sax.SAXSource;
 import org.jsoup.Jsoup;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Evidence;
+import org.owasp.dependencycheck.dependency.EvidenceCollection;
 import org.owasp.dependencycheck.jaxb.pom.MavenNamespaceFilter;
 import org.owasp.dependencycheck.jaxb.pom.generated.License;
 import org.owasp.dependencycheck.jaxb.pom.generated.Model;
@@ -64,8 +63,7 @@ import org.xml.sax.XMLReader;
 
 /**
  *
- * Used to load a JAR file and collect information that can be used to determine
+ * Used to load a JAR file and collect information that can be used to determine the associated CPE.
- * the associated CPE.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
@@ -77,8 +75,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
      */
     private static final String NEWLINE = System.getProperty("line.separator");
     /**
-     * A list of values in the manifest to ignore as they only result in false
+     * A list of values in the manifest to ignore as they only result in false positives.
-     * positives.
      */
     private static final Set<String> IGNORE_VALUES = newHashSet(
             "Sun Java System Application Server");
@@ -183,8 +180,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
      * Returns whether or not this analyzer can process the given extension.
      *
      * @param extension the file extension to test for support.
-     * @return whether or not the specified file extension is supported by this
+     * @return whether or not the specified file extension is supported by this analyzer.
-     * analyzer.
      */
     public boolean supportsExtension(String extension) {
         return EXTENSIONS.contains(extension);
@@ -201,13 +197,12 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     //</editor-fold>
 
     /**
-     * Loads a specified JAR file and collects information from the manifest and
+     * Loads a specified JAR file and collects information from the manifest and checksums to identify the correct CPE
-     * checksums to identify the correct CPE information.
+     * information.
      *
      * @param dependency the dependency to analyze.
      * @param engine the engine that is scanning the dependencies
-     * @throws AnalysisException is thrown if there is an error reading the JAR
+     * @throws AnalysisException is thrown if there is an error reading the JAR file.
-     * file.
      */
     @Override
     public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
@@ -231,14 +226,12 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     }
 
     /**
-     * Attempts to find a pom.xml within the JAR file. If found it extracts
+     * Attempts to find a pom.xml within the JAR file. If found it extracts information and adds it to the evidence.
-     * information and adds it to the evidence. This will attempt to interpolate
+     * This will attempt to interpolate the strings contained within the pom.properties if one exists.
-     * the strings contained within the pom.properties if one exists.
      *
      * @param dependency the dependency being analyzed
      * @param classes a collection of class name information
-     * @throws AnalysisException is thrown if there is an exception parsing the
+     * @throws AnalysisException is thrown if there is an exception parsing the pom
-     * pom
      * @return whether or not evidence was added to the dependency
      */
     protected boolean analyzePOM(Dependency dependency, ArrayList<ClassNameInformation> classes) throws AnalysisException {
@@ -290,14 +283,12 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     }
 
     /**
-     * Given a path to a pom.xml within a JarFile, this method attempts to load
+     * Given a path to a pom.xml within a JarFile, this method attempts to load a sibling pom.properties if one exists.
-     * a sibling pom.properties if one exists.
      *
      * @param path the path to the pom.xml within the JarFile
      * @param jar the JarFile to load the pom.properties from
      * @return a Properties object or null if no pom.properties was found
-     * @throws IOException thrown if there is an exception reading the
+     * @throws IOException thrown if there is an exception reading the pom.properties
-     * pom.properties
      */
     @edu.umd.cs.findbugs.annotations.SuppressWarnings(value = "OS_OPEN_STREAM",
             justification = "The reader is closed by closing the zipEntry")
@@ -314,8 +305,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     }
 
     /**
-     * Searches a JarFile for pom.xml entries and returns a listing of these
+     * Searches a JarFile for pom.xml entries and returns a listing of these entries.
-     * entries.
      *
      * @param jar the JarFile to search
      * @return a list of pom.xml entries
@@ -340,8 +330,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
      * @param path the path to the pom.xml file within the jar file
      * @param jar the jar file to extract the pom from
      * @return returns a
-     * @throws AnalysisException is thrown if there is an exception extracting
+     * @throws AnalysisException is thrown if there is an exception extracting or parsing the POM
-     * or parsing the POM
      * {@link org.owasp.dependencycheck.jaxb.pom.generated.Model} object
      */
     private Model retrievePom(String path, JarFile jar) throws AnalysisException {
@@ -401,10 +390,9 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
      * @param dependency the dependency to set data on
      * @param pom the information from the pom
      * @param pomProperties the pom properties file (null if none exists)
-     * @param classes a collection of ClassNameInformation - containing data
+     * @param classes a collection of ClassNameInformation - containing data about the fully qualified class names
-     * about the fully qualified class names within the JAR file being analyzed
+     * within the JAR file being analyzed
-     * @return true if there was evidence within the pom that we could use;
+     * @return true if there was evidence within the pom that we could use; otherwise false
-     * otherwise false
      */
     private boolean setPomEvidence(Dependency dependency, Model pom, Properties pomProperties, ArrayList<ClassNameInformation> classes) {
         boolean foundSomething = false;
@@ -505,15 +493,12 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     }
 
     /**
-     * Analyzes the path information of the classes contained within the
+     * Analyzes the path information of the classes contained within the JarAnalyzer to try and determine possible
-     * JarAnalyzer to try and determine possible vendor or product names. If any
+     * vendor or product names. If any are found they are stored in the packageVendor and packageProduct hashSets.
-     * are found they are stored in the packageVendor and packageProduct
-     * hashSets.
      *
      * @param classNames a list of class names
      * @param dependency a dependency to analyze
-     * @param addPackagesAsEvidence a flag indicating whether or not package
+     * @param addPackagesAsEvidence a flag indicating whether or not package names should be added as evidence.
-     * names should be added as evidence.
      */
     protected void analyzePackageNames(ArrayList<ClassNameInformation> classNames,
             Dependency dependency, boolean addPackagesAsEvidence) {
@@ -547,12 +532,12 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     }
 
     /**
-     * <p>Reads the manifest from the JAR file and collects the entries. Some
+     * <p>
-     * vendorKey entries are:</p> <ul><li>Implementation Title</li>
+     * Reads the manifest from the JAR file and collects the entries. Some vendorKey entries are:</p>
+     * <ul><li>Implementation Title</li>
      * <li>Implementation Version</li> <li>Implementation Vendor</li>
-     * <li>Implementation VendorId</li> <li>Bundle Name</li> <li>Bundle
+     * <li>Implementation VendorId</li> <li>Bundle Name</li> <li>Bundle Version</li> <li>Bundle Vendor</li> <li>Bundle
-     * Version</li> <li>Bundle Vendor</li> <li>Bundle Description</li> <li>Main
+     * Description</li> <li>Main Class</li> </ul>
-     * Class</li> </ul>
      * However, all but a handful of specific entries are read in.
      *
      * @param dependency A reference to the dependency
@@ -575,7 +560,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
                         && !dependency.getFileName().toLowerCase().endsWith("-doc.jar")) {
                     Logger.getLogger(JarAnalyzer.class.getName()).log(Level.INFO,
                             String.format("Jar file '%s' does not contain a manifest.",
-                            dependency.getFileName()));
+                                    dependency.getFileName()));
                 }
                 return false;
             }
@@ -779,29 +764,30 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     }
 
     /**
-     * <p>A utility function that will interpolate strings based on values given
+     * <p>
-     * in the properties file. It will also interpolate the strings contained
+     * A utility function that will interpolate strings based on values given in the properties file. It will also
-     * within the properties file so that properties can reference other
+     * interpolate the strings contained within the properties file so that properties can reference other
      * properties.</p>
-     * <p><b>Note:</b> if there is no property found the reference will be
+     * <p>
-     * removed. In other words, if the interpolated string will be replaced with
+     * <b>Note:</b> if there is no property found the reference will be removed. In other words, if the interpolated
-     * an empty string.
+     * string will be replaced with an empty string.
      * </p>
-     * <p>Example:</p>
+     * <p>
+     * Example:</p>
      * <code>
      * Properties p = new Properties();
      * p.setProperty("key", "value");
      * String s = interpolateString("'${key}' and '${nothing}'", p);
      * System.out.println(s);
      * </code>
-     * <p>Will result in:</p>
+     * <p>
+     * Will result in:</p>
      * <code>
      * 'value' and ''
      * </code>
      *
      * @param text the string that contains references to properties.
-     * @param properties a collection of properties that may be referenced
+     * @param properties a collection of properties that may be referenced within the text.
-     * within the text.
      * @return the interpolated text.
      */
     protected String interpolateString(String text, Properties properties) {
@@ -835,13 +821,11 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     }
 
     /**
-     * Determines if the key value pair from the manifest is for an "import"
+     * Determines if the key value pair from the manifest is for an "import" type entry for package names.
-     * type entry for package names.
      *
      * @param key the key from the manifest
      * @param value the value from the manifest
-     * @return true or false depending on if it is believed the entry is an
+     * @return true or false depending on if it is believed the entry is an "import" entry
-     * "import" entry
      */
     private boolean isImportPackage(String key, String value) {
         final Pattern packageRx = Pattern.compile("^((([a-zA-Z_#\\$0-9]\\.)+)\\s*\\;\\s*)+$");
@@ -852,9 +836,8 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     }
 
     /**
-     * Cycles through an enumeration of JarEntries, contained within the
+     * Cycles through an enumeration of JarEntries, contained within the dependency, and returns a list of the class
-     * dependency, and returns a list of the class names. This does not include
+     * names. This does not include core Java package names (i.e. java.* or javax.*).
-     * core Java package names (i.e. java.* or javax.*).
      *
      * @param dependency the dependency being analyzed
      * @return an list of fully qualified class names
@@ -891,16 +874,12 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     }
 
     /**
-     * Cycles through the list of class names and places the package levels 0-3
+     * Cycles through the list of class names and places the package levels 0-3 into the provided maps for vendor and
-     * into the provided maps for vendor and product. This is helpful when
+     * product. This is helpful when analyzing vendor/product as many times this is included in the package name.
-     * analyzing vendor/product as many times this is included in the package
-     * name.
      *
      * @param classNames a list of class names
-     * @param vendor HashMap of possible vendor names from package names (e.g.
+     * @param vendor HashMap of possible vendor names from package names (e.g. owasp)
-     * owasp)
+     * @param product HashMap of possible product names from package names (e.g. dependencycheck)
-     * @param product HashMap of possible product names from package names (e.g.
-     * dependencycheck)
      */
     private void analyzeFullyQualifiedClassNames(ArrayList<ClassNameInformation> classNames,
             HashMap<String, Integer> vendor, HashMap<String, Integer> product) {
@@ -927,9 +906,8 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     }
 
     /**
-     * Adds an entry to the specified collection and sets the Integer (e.g. the
+     * Adds an entry to the specified collection and sets the Integer (e.g. the count) to 1. If the entry already exists
-     * count) to 1. If the entry already exists in the collection then the
+     * in the collection then the Integer is incremented by 1.
-     * Integer is incremented by 1.
      *
      * @param collection a collection of strings and their occurrence count
      * @param key the key to add to the collection
@@ -943,10 +921,9 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     }
 
     /**
-     * Cycles through the collection of class name information to see if parts
+     * Cycles through the collection of class name information to see if parts of the package names are contained in the
-     * of the package names are contained in the provided value. If found, it
+     * provided value. If found, it will be added as the HIGHEST confidence evidence because we have more then one
-     * will be added as the HIGHEST confidence evidence because we have more
+     * source corroborating the value.
-     * then one source corroborating the value.
      *
      * @param classes a collection of class name information
      * @param value the value to check to see if it contains a package name
@@ -967,22 +944,20 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     }
 
     /**
-     * <p><b>This is currently a failed implementation.</b> Part of the issue is
+     * <p>
-     * I was trying to solve the wrong problem. Instead of multiple POMs being
+     * <b>This is currently a failed implementation.</b> Part of the issue is I was trying to solve the wrong problem.
-     * in the JAR to just add information about dependencies - I didn't realize
+     * Instead of multiple POMs being in the JAR to just add information about dependencies - I didn't realize until
-     * until later that I was looking at an uber-jar (aka fat-jar) that included
+     * later that I was looking at an uber-jar (aka fat-jar) that included all of its dependencies.</p>
-     * all of its dependencies.</p>
+     * <p>
-     * <p>I'm leaving this method in the source tree, entirely commented out
+     * I'm leaving this method in the source tree, entirely commented out until a solution
-     * until a solution https://github.com/jeremylong/DependencyCheck/issues/11
+     * https://github.com/jeremylong/DependencyCheck/issues/11 has been implemented.</p>
-     * has been implemented.</p>
+     * <p>
-     * <p>Takes a list of pom entries from a JAR file and attempts to filter it
+     * Takes a list of pom entries from a JAR file and attempts to filter it down to the pom related to the jar (rather
-     * down to the pom related to the jar (rather then the pom entry for a
+     * then the pom entry for a dependency).</p>
-     * dependency).</p>
      *
      * @param pomEntries a list of pom entries
      * @param classes a list of fully qualified classes from the JAR file
-     * @return the list of pom entries that are associated with the jar being
+     * @return the list of pom entries that are associated with the jar being analyzed rather then the dependent poms
-     * analyzed rather then the dependent poms
      */
     private List<String> filterPomEntries(List<String> pomEntries, ArrayList<ClassNameInformation> classes) {
         return pomEntries;
@@ -1040,8 +1015,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     }
 
     /**
-     * Simple check to see if the attribute from a manifest is just a package
+     * Simple check to see if the attribute from a manifest is just a package name.
-     * name.
      *
      * @param key the key of the value to check
      * @param value the value to check
@@ -1059,16 +1033,13 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     protected static class ClassNameInformation {
 
         /**
-         * Stores information about a given class name. This class will keep the
+         * Stores information about a given class name. This class will keep the fully qualified class name and a list
-         * fully qualified class name and a list of the important parts of the
+         * of the important parts of the package structure. Up to the first four levels of the package structure are
-         * package structure. Up to the first four levels of the package
+         * stored, excluding a leading "org" or "com". Example:          <code>ClassNameInformation obj = new ClassNameInformation("org.owasp.dependencycheck.analyzer.JarAnalyzer");
-         * structure are stored, excluding a leading "org" or "com". Example:
-         * <code>ClassNameInformation obj = new ClassNameInformation("org.owasp.dependencycheck.analyzer.JarAnalyzer");
          * System.out.println(obj.getName());
          * for (String p : obj.getPackageStructure())
          *     System.out.println(p);
-         * </code> Would result in:
+         * </code> Would result in:          <code>org.owasp.dependencycheck.analyzer.JarAnalyzer
-         * <code>org.owasp.dependencycheck.analyzer.JarAnalyzer
          * owasp
          * dependencycheck
          * analyzer
@@ -1119,8 +1090,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
             this.name = name;
         }
         /**
-         * Up to the first four levels of the package structure, excluding a
+         * Up to the first four levels of the package structure, excluding a leading "org" or "com".
-         * leading "org" or "com".
          */
         private ArrayList<String> packageStructure = new ArrayList<String>();
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzer.java

@@ -1,32 +1,30 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
-import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.dependency.Dependency;
 import java.util.Set;
 import java.util.regex.Pattern;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.dependency.Dependency;
 
 /**
  *
- * Used to load a JAR file and collect information that can be used to determine
+ * Used to load a JAR file and collect information that can be used to determine the associated CPE.
- * the associated CPE.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
@@ -68,8 +66,7 @@ public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {
      * Returns whether or not this analyzer can process the given extension.
      *
      * @param extension the file extension to test for support.
-     * @return whether or not the specified file extension is supported by this
+     * @return whether or not the specified file extension is supported by this analyzer.
-     * analyzer.
      */
     public boolean supportsExtension(String extension) {
         return EXTENSIONS.contains(extension);
@@ -86,13 +83,12 @@ public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {
     //</editor-fold>
 
     /**
-     * Loads a specified JAR file and collects information from the manifest and
+     * Loads a specified JAR file and collects information from the manifest and checksums to identify the correct CPE
-     * checksums to identify the correct CPE information.
+     * information.
      *
      * @param dependency the dependency to analyze.
      * @param engine the engine that is scanning the dependencies
-     * @throws AnalysisException is thrown if there is an error reading the JAR
+     * @throws AnalysisException is thrown if there is an error reading the JAR file.
-     * file.
      */
     @Override
     public void analyze(Dependency dependency, Engine engine) throws AnalysisException {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java

@@ -1,20 +1,19 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
- * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
@@ -24,7 +23,6 @@ import java.net.MalformedURLException;
 import java.net.URL;
 import java.util.Set;
 import java.util.logging.Logger;
-
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.data.nexus.NexusSearch;
@@ -33,23 +31,21 @@ import org.owasp.dependencycheck.dependency.Evidence;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
- * Analyzer which will attempt to locate a dependency on a Nexus service
+ * Analyzer which will attempt to locate a dependency on a Nexus service by SHA-1 digest of the dependency.
- * by SHA-1 digest of the dependency.
  *
  * There are two settings which govern this behavior:
  *
  * <ul>
- *   <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_ENABLED}
+ * <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_ENABLED} determines whether this analyzer is
- * determines whether this analyzer is even enabled. This can be overridden by
+ * even enabled. This can be overridden by setting the system property.</li>
- * setting the system property.</li>
+ * <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_URL} the URL to a Nexus service to search by
- *   <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_URL}
+ * SHA-1. There is an expected <code>%s</code> in this where the SHA-1 will get entered.</li>
- * the URL to a Nexus service to search by SHA-1. There is an expected <code>%s</code>
- * in this where the SHA-1 will get entered.</li>
  * </ul>
  *
  * @author colezlaw
  */
 public class NexusAnalyzer extends AbstractAnalyzer {
+
     /**
      * The logger
      */
@@ -97,7 +93,7 @@ public class NexusAnalyzer extends AbstractAnalyzer {
                 // I know that initialize can throw an exception, but we'll
                 // just disable the analyzer if the URL isn't valid
                 LOGGER.warning(String.format("Property %s not a valid URL. Nexus searching disabled",
-                            searchUrl));
+                        searchUrl));
             }
         }
     }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -23,16 +22,15 @@ import java.sql.SQLException;
 import java.util.List;
 import java.util.Set;
 import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.dependency.Vulnerability;
-import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Identifier;
+import org.owasp.dependencycheck.dependency.Vulnerability;
 
 /**
- * NvdCveAnalyzer is a utility class that takes a project dependency and
+ * NvdCveAnalyzer is a utility class that takes a project dependency and attempts to discern if there is an associated
- * attempts to discern if there is an associated CVEs. It uses the the
+ * CVEs. It uses the the identifiers found by other analyzers to lookup the CVE data.
- * identifiers found by other analyzers to lookup the CVE data.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
@@ -53,8 +51,7 @@ public class NvdCveAnalyzer implements Analyzer {
      * @throws SQLException thrown when there is a SQL Exception
      * @throws IOException thrown when there is an IO Exception
      * @throws DatabaseException thrown when there is a database exceptions
-     * @throws ClassNotFoundException thrown if the h2 database driver cannot be
+     * @throws ClassNotFoundException thrown if the h2 database driver cannot be loaded
-     * loaded
      */
     public void open() throws SQLException, IOException, DatabaseException, ClassNotFoundException {
         cveDB = new CveDB();
@@ -92,13 +89,11 @@ public class NvdCveAnalyzer implements Analyzer {
     }
 
     /**
-     * Analyzes a dependency and attempts to determine if there are any CPE
+     * Analyzes a dependency and attempts to determine if there are any CPE identifiers for this dependency.
-     * identifiers for this dependency.
      *
      * @param dependency The Dependency to analyze
      * @param engine The analysis engine
-     * @throws AnalysisException is thrown if there is an issue analyzing the
+     * @throws AnalysisException is thrown if there is an issue analyzing the dependency
-     * dependency
      */
     public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
         for (Identifier id : dependency.getIdentifiers()) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzer.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
@@ -23,9 +22,8 @@ import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.suppression.SuppressionRule;
 
 /**
- * The suppression analyzer processes an externally defined XML document that
+ * The suppression analyzer processes an externally defined XML document that complies with the suppressions.xsd schema.
- * complies with the suppressions.xsd schema. Any identified Vulnerability
+ * Any identified Vulnerability entries within the dependencies that match will be removed.
- * entries within the dependencies that match will be removed.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/concurrency/DirectoryLockException.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/concurrency/DirectorySpinLock.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
@@ -34,9 +33,8 @@ import java.util.logging.Level;
 import java.util.logging.Logger;
 
 /**
- * Implements a spin lock on a given directory. If the lock cannot be obtained,
+ * Implements a spin lock on a given directory. If the lock cannot be obtained, the process will "spin" waiting for an
- * the process will "spin" waiting for an opportunity to obtain the lock
+ * opportunity to obtain the lock requested.
- * requested.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
@@ -63,14 +61,12 @@ public class DirectorySpinLock implements Closeable /*, AutoCloseable*/ {
      */
     private FileLock lock = null;
     /**
-     * The maximum number of seconds that the spin lock will wait while trying
+     * The maximum number of seconds that the spin lock will wait while trying to obtain a lock.
-     * to obtain a lock.
      */
     private long maxWait = MAX_SPIN;
 
     /**
-     * Get the maximum wait time, in seconds, that the spin lock will wait while
+     * Get the maximum wait time, in seconds, that the spin lock will wait while trying to obtain a lock.
-     * trying to obtain a lock.
      *
      * @return the number of seconds the spin lock will wait
      */
@@ -79,8 +75,7 @@ public class DirectorySpinLock implements Closeable /*, AutoCloseable*/ {
     }
 
     /**
-     * Set the maximum wait time, in seconds, that the spin lock will wait while
+     * Set the maximum wait time, in seconds, that the spin lock will wait while trying to obtain a lock.
-     * trying to obtain a lock.
      *
      * @param maxWait the number of seconds the spin lock will wait
      */
@@ -92,10 +87,8 @@ public class DirectorySpinLock implements Closeable /*, AutoCloseable*/ {
      * Constructs a new spin lock on the given directory.
      *
      * @param directory the directory to monitor/lock
-     * @throws InvalidDirectoryException thrown if there is an issue with the
+     * @throws InvalidDirectoryException thrown if there is an issue with the directory provided
-     * directory provided
+     * @throws DirectoryLockException thrown there is an issue obtaining a handle to the lock file
-     * @throws DirectoryLockException thrown there is an issue obtaining a
-     * handle to the lock file
      */
     public DirectorySpinLock(File directory) throws InvalidDirectoryException, DirectoryLockException {
         checkDirectory(directory);
@@ -110,39 +103,32 @@ public class DirectorySpinLock implements Closeable /*, AutoCloseable*/ {
     }
 
     /**
-     * Attempts to obtain an exclusive lock; an exception is thrown if the lock
+     * Attempts to obtain an exclusive lock; an exception is thrown if the lock could not be obtained. This method may
-     * could not be obtained. This method may block for a few seconds if a lock
+     * block for a few seconds if a lock cannot be obtained.
-     * cannot be obtained.
      *
-     * @throws DirectoryLockException thrown if there is an exception obtaining
+     * @throws DirectoryLockException thrown if there is an exception obtaining the lock
-     * the lock
      */
     public void obtainSharedLock() throws DirectoryLockException {
         obtainLock(true);
     }
 
     /**
-     * Attempts to obtain an exclusive lock; an exception is thrown if the lock
+     * Attempts to obtain an exclusive lock; an exception is thrown if the lock could not be obtained. This method may
-     * could not be obtained. This method may block for a few seconds if a lock
+     * block for a few seconds if a lock cannot be obtained.
-     * cannot be obtained.
      *
-     * @throws DirectoryLockException thrown if there is an exception obtaining
+     * @throws DirectoryLockException thrown if there is an exception obtaining the lock
-     * the lock
      */
     public void obtainExclusiveLock() throws DirectoryLockException {
         obtainLock(false);
     }
 
     /**
-     * Attempts to obtain a lock; an exception is thrown if the lock could not
+     * Attempts to obtain a lock; an exception is thrown if the lock could not be obtained. This method may block for a
-     * be obtained. This method may block for a few seconds if a lock cannot be
+     * few seconds if a lock cannot be obtained.
-     * obtained.
      *
      * @param shared true if the lock is shared, otherwise false
-     * @param maxWait the maximum time to wait, in seconds, while trying to
+     * @param maxWait the maximum time to wait, in seconds, while trying to obtain the lock
-     * obtain the lock
+     * @throws DirectoryLockException thrown if there is an exception obtaining the lock
-     * @throws DirectoryLockException thrown if there is an exception obtaining
-     * the lock
      */
     protected void obtainLock(boolean shared, long maxWait) throws DirectoryLockException {
         setMaxWait(maxWait);
@@ -150,13 +136,11 @@ public class DirectorySpinLock implements Closeable /*, AutoCloseable*/ {
     }
 
     /**
-     * Attempts to obtain a lock; an exception is thrown if the lock could not
+     * Attempts to obtain a lock; an exception is thrown if the lock could not be obtained. This method may block for a
-     * be obtained. This method may block for a few seconds if a lock cannot be
+     * few seconds if a lock cannot be obtained.
-     * obtained.
      *
      * @param shared true if the lock is shared, otherwise false
-     * @throws DirectoryLockException thrown if there is an exception obtaining
+     * @throws DirectoryLockException thrown if there is an exception obtaining the lock
-     * the lock
      */
     protected void obtainLock(boolean shared) throws DirectoryLockException {
         if (lock != null) {
@@ -199,12 +183,11 @@ public class DirectorySpinLock implements Closeable /*, AutoCloseable*/ {
     }
 
     /**
-     * Performs a few simple rudimentary checks on the specified directory.
+     * Performs a few simple rudimentary checks on the specified directory. Specifically, does the file exist and is it
-     * Specifically, does the file exist and is it a directory.
+     * a directory.
      *
      * @param directory the File object to inspect
-     * @throws InvalidDirectoryException thrown if the directory is null or is
+     * @throws InvalidDirectoryException thrown if the directory is null or is not a directory
-     * not a directory
      */
     private void checkDirectory(File directory) throws InvalidDirectoryException {
         if (directory == null) {
@@ -250,8 +233,7 @@ public class DirectorySpinLock implements Closeable /*, AutoCloseable*/ {
     }
 
     /**
-     * Releases the lock. Any exceptions that are thrown by the underlying lock
+     * Releases the lock. Any exceptions that are thrown by the underlying lock during the release are ignored.
-     * during the release are ignored.
      */
     public void release() {
         if (lock != null) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/concurrency/InvalidDirectoryException.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
@@ -41,15 +40,15 @@ import org.apache.lucene.queryparser.classic.QueryParser;
 import org.apache.lucene.search.IndexSearcher;
 import org.apache.lucene.search.Query;
 import org.apache.lucene.search.TopDocs;
-import org.owasp.dependencycheck.data.lucene.FieldAnalyzer;
-import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.apache.lucene.store.RAMDirectory;
+import org.owasp.dependencycheck.data.lucene.FieldAnalyzer;
 import org.owasp.dependencycheck.data.lucene.LuceneUtils;
 import org.owasp.dependencycheck.data.lucene.SearchFieldAnalyzer;
+import org.owasp.dependencycheck.data.nvdcve.CveDB;
 
 /**
- * An in memory lucene index that contains the vendor/product combinations from
+ * An in memory lucene index that contains the vendor/product combinations from the CPE (application) identifiers within
- * the CPE (application) identifiers within the NVD CVE data.
+ * the NVD CVE data.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
@@ -278,8 +277,7 @@ public final class CpeMemoryIndex {
      * @param maxQueryResults the maximum number of documents to return
      * @return the TopDocs found by the search
      * @throws ParseException thrown when the searchString is invalid
-     * @throws IOException is thrown if there is an issue with the underlying
+     * @throws IOException is thrown if there is an issue with the underlying Index
-     * Index
      */
     public TopDocs search(String searchString, int maxQueryResults) throws ParseException, IOException {
         if (searchString == null || searchString.trim().isEmpty()) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/Fields.java

@@ -1,26 +1,24 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.data.cpe;
 
 /**
- * Fields is a collection of field names used within the Lucene index for CPE
+ * Fields is a collection of field names used within the Lucene index for CPE entries.
- * entries.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/IndexEntry.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -126,16 +125,18 @@ public class IndexEntry implements Serializable {
     }
 
     /**
-     * <p>Parses a name attribute value, from the cpe.xml, into its
+     * <p>
-     * corresponding parts: vendor, product.</p>
+     * Parses a name attribute value, from the cpe.xml, into its corresponding parts: vendor, product.</p>
-     * <p>Example:</p>
+     * <p>
+     * Example:</p>
      * <code>nbsp;nbsp;nbsp;cpe:/a:apache:struts:1.1:rc2</code>
      *
-     * <p>Results in:</p> <ul> <li>Vendor: apache</li> <li>Product: struts</li>
+     * <p>
+     * Results in:</p> <ul> <li>Vendor: apache</li> <li>Product: struts</li>
      * </ul>
-     * <p>If it is necessary to parse the CPE into more parts (i.e. to include
+     * <p>
-     * version and revision) then you should use the
+     * If it is necessary to parse the CPE into more parts (i.e. to include version and revision) then you should use
-     * {@link org.owasp.dependencycheck.dependency.VulnerableSoftware#parseName VulnerableSoftware.parseName()}.
+     * the {@link org.owasp.dependencycheck.dependency.VulnerableSoftware#parseName VulnerableSoftware.parseName()}.
      *
      * @param cpeName the cpe name
      * @throws UnsupportedEncodingException should never be thrown...

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/IndexException.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweDB.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -73,7 +72,8 @@ public final class CweDB {
     }
 
     /**
-     * <p>Returns the full CWE name from the CWE ID.</p>
+     * <p>
+     * Returns the full CWE name from the CWE ID.</p>
      *
      * @param cweId the CWE ID
      * @return the full name of the CWE

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweHandler.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/AbstractTokenizingFilter.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
@@ -24,8 +23,7 @@ import org.apache.lucene.analysis.TokenStream;
 import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
 
 /**
- * An abstract tokenizing filter that can be used as the base for a tokenizing
+ * An abstract tokenizing filter that can be used as the base for a tokenizing filter.
- * filter.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/AlphaNumericTokenizer.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
@@ -23,8 +22,7 @@ import org.apache.lucene.analysis.util.CharTokenizer;
 import org.apache.lucene.util.Version;
 
 /**
- * Tokenizes the input breaking it into tokens when non-alpha/numeric characters
+ * Tokenizes the input breaking it into tokens when non-alpha/numeric characters are found.
- * are found.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/DependencySimilarity.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -32,12 +31,10 @@ public class DependencySimilarity extends DefaultSimilarity {
     private static final long serialVersionUID = 1L;
 
     /**
-     * <p>Override the default idf implementation so that frequency within all
+     * <p>
-     * document is ignored.</p>
+     * Override the default idf implementation so that frequency within all document is ignored.</p>
      *
-     * See <a
+     * See <a href="http://www.lucenetutorial.com/advanced-topics/scoring.html">this article</a> for more details.
-     * href="http://www.lucenetutorial.com/advanced-topics/scoring.html">this
-     * article</a> for more details.
      *
      * @param docFreq - the number of documents which contain the term
      * @param numDocs - the total number of documents in the collection

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/FieldAnalyzer.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -29,9 +28,9 @@ import org.apache.lucene.analysis.miscellaneous.WordDelimiterFilter;
 import org.apache.lucene.util.Version;
 
 /**
- * <p>A Lucene Analyzer that utilizes the WhitespaceTokenizer,
+ * <p>
- * WordDelimiterFilter, LowerCaseFilter, and StopFilter. The intended purpose of
+ * A Lucene Analyzer that utilizes the WhitespaceTokenizer, WordDelimiterFilter, LowerCaseFilter, and StopFilter. The
- * this Analyzer is to index the CPE fields vendor and product.</p>
+ * intended purpose of this Analyzer is to index the CPE fields vendor and product.</p>
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/LuceneUtils.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -21,16 +20,16 @@ package org.owasp.dependencycheck.data.lucene;
 import org.apache.lucene.util.Version;
 
 /**
- * <p>Lucene utils is a set of utilize written to make constructing Lucene
+ * <p>
- * queries simpler.</p>
+ * Lucene utils is a set of utilize written to make constructing Lucene queries simpler.</p>
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public final class LuceneUtils {
 
     /**
-     * The current version of Lucene being used. Declaring this one place so an
+     * The current version of Lucene being used. Declaring this one place so an upgrade doesn't require hunting through
-     * upgrade doesn't require hunting through the code base.
+     * the code base.
      */
     public static final Version CURRENT_VERSION = Version.LUCENE_45;
 
@@ -41,8 +40,7 @@ public final class LuceneUtils {
     }
 
     /**
-     * Appends the text to the supplied StringBuilder escaping Lucene control
+     * Appends the text to the supplied StringBuilder escaping Lucene control characters in the process.
-     * characters in the process.
      *
      * @param buf a StringBuilder to append the escaped text to
      * @param text the data to be escaped
@@ -88,8 +86,7 @@ public final class LuceneUtils {
     }
 
     /**
-     * Escapes the text passed in so that it is treated as data instead of
+     * Escapes the text passed in so that it is treated as data instead of control characters.
-     * control characters.
      *
      * @param text data to be escaped
      * @return the escaped text.

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/SearchFieldAnalyzer.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -40,8 +39,8 @@ public class SearchFieldAnalyzer extends Analyzer {
      */
     private final Version version;
     /**
-     * A local reference to the TokenPairConcatenatingFilter so that we can
+     * A local reference to the TokenPairConcatenatingFilter so that we can clear any left over state if this analyzer
-     * clear any left over state if this analyzer is re-used.
+     * is re-used.
      */
     private TokenPairConcatenatingFilter concatenatingFilter;
 
@@ -85,10 +84,11 @@ public class SearchFieldAnalyzer extends Analyzer {
     }
 
     /**
-     * <p>Resets the analyzer and clears any internal state data that may have
+     * <p>
-     * been left-over from previous uses of the analyzer.</p>
+     * Resets the analyzer and clears any internal state data that may have been left-over from previous uses of the
-     * <p><b>If this analyzer is re-used this method must be called between
+     * analyzer.</p>
-     * uses.</b></p>
+     * <p>
+     * <b>If this analyzer is re-used this method must be called between uses.</b></p>
      */
     public void clear() {
         if (concatenatingFilter != null) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/SearchVersionAnalyzer.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -27,8 +26,7 @@ import org.apache.lucene.analysis.core.WhitespaceTokenizer;
 import org.apache.lucene.util.Version;
 
 /**
- * SearchVersionAnalyzer is a Lucene Analyzer used to analyze version
+ * SearchVersionAnalyzer is a Lucene Analyzer used to analyze version information.
- * information.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  * @deprecated version information is no longer stored in lucene

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilter.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -25,10 +24,10 @@ import org.apache.lucene.analysis.TokenStream;
 import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
 
 /**
- * <p>Takes a TokenStream and adds additional tokens by concatenating pairs of
+ * <p>
- * words.</p>
+ * Takes a TokenStream and adds additional tokens by concatenating pairs of words.</p>
- * <p><b>Example:</b> "Spring Framework Core" -> "Spring SpringFramework
+ * <p>
- * Framework FrameworkCore Core".</p>
+ * <b>Example:</b> "Spring Framework Core" -> "Spring SpringFramework Framework FrameworkCore Core".</p>
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
@@ -76,9 +75,8 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
     }
 
     /**
-     * Increments the underlying TokenStream and sets CharTermAttributes to
+     * Increments the underlying TokenStream and sets CharTermAttributes to construct an expanded set of tokens by
-     * construct an expanded set of tokens by concatenating tokens with the
+     * concatenating tokens with the previous token.
-     * previous token.
      *
      * @return whether or not we have hit the end of the TokenStream
      * @throws IOException is thrown when an IOException occurs
@@ -113,10 +111,11 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
     }
 
     /**
-     * <p>Resets the Filter and clears any internal state data that may have
+     * <p>
-     * been left-over from previous uses of the Filter.</p>
+     * Resets the Filter and clears any internal state data that may have been left-over from previous uses of the
-     * <p><b>If this Filter is re-used this method must be called between
+     * Filter.</p>
-     * uses.</b></p>
+     * <p>
+     * <b>If this Filter is re-used this method must be called between uses.</b></p>
      */
     public void clear() {
         previousWord = null;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilter.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
@@ -29,10 +28,10 @@ import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
 import org.owasp.dependencycheck.utils.UrlStringUtils;
 
 /**
- * <p>Takes a TokenStream and splits or adds tokens to correctly index version
+ * <p>
- * numbers.</p>
+ * Takes a TokenStream and splits or adds tokens to correctly index version numbers.</p>
- * <p><b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE
+ * <p>
- * 3.0.0.RELEASE".</p>
+ * <b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE 3.0.0.RELEASE".</p>
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
@@ -48,9 +47,8 @@ public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
     }
 
     /**
-     * Increments the underlying TokenStream and sets CharTermAttributes to
+     * Increments the underlying TokenStream and sets CharTermAttributes to construct an expanded set of tokens by
-     * construct an expanded set of tokens by concatenating tokens with the
+     * concatenating tokens with the previous token.
-     * previous token.
      *
      * @return whether or not we have hit the end of the TokenStream
      * @throws IOException is thrown when an IOException occurs

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/VersionAnalyzer.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/VersionTokenizingFilter.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -24,10 +23,10 @@ import org.apache.lucene.analysis.TokenStream;
 import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
 
 /**
- * <p>Takes a TokenStream and splits or adds tokens to correctly index version
+ * <p>
- * numbers.</p>
+ * Takes a TokenStream and splits or adds tokens to correctly index version numbers.</p>
- * <p><b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE
+ * <p>
- * 3.0.0.RELEASE".</p>
+ * <b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE 3.0.0.RELEASE".</p>
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  * @deprecated version information is no longer stored in lucene
@@ -45,9 +44,8 @@ public final class VersionTokenizingFilter extends AbstractTokenizingFilter {
     }
 
     /**
-     * Increments the underlying TokenStream and sets CharTermAttributes to
+     * Increments the underlying TokenStream and sets CharTermAttributes to construct an expanded set of tokens by
-     * construct an expanded set of tokens by concatenating tokens with the
+     * concatenating tokens with the previous token.
-     * previous token.
      *
      * @return whether or not we have hit the end of the TokenStream
      * @throws IOException is thrown when an IOException occurs
@@ -69,13 +67,13 @@ public final class VersionTokenizingFilter extends AbstractTokenizingFilter {
     }
 
     /**
-     * <p>Analyzes the version and adds several copies of the version as
+     * <p>
-     * different tokens. For example, the version 1.2.7 would create the tokens
+     * Analyzes the version and adds several copies of the version as different tokens. For example, the version 1.2.7
-     * 1 1.2 1.2.7. This is useful in discovering the correct version -
+     * would create the tokens 1 1.2 1.2.7. This is useful in discovering the correct version - sometimes a maintenance
-     * sometimes a maintenance or build number will throw off the version
+     * or build number will throw off the version identification.</p>
-     * identification.</p>
      *
-     * <p>expected&nbsp;format:&nbps;major.minor[.maintenance[.build]]</p>
+     * <p>
+     * expected&nbsp;format:&nbps;major.minor[.maintenance[.build]]</p>
      *
      * @param version the version to analyze
      */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/MavenArtifact.java

@@ -1,20 +1,19 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
- * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.data.nexus;
 
@@ -24,6 +23,7 @@ package org.owasp.dependencycheck.data.nexus;
  * @author colezlaw
  */
 public class MavenArtifact {
+
     /**
      * The groupId
      */
@@ -40,12 +40,10 @@ public class MavenArtifact {
     private String version;
 
     /**
-     * The artifact url. This may change depending on which Nexus
+     * The artifact url. This may change depending on which Nexus server the search took place.
-     * server the search took place.
      */
     private String artifactUrl;
 
-
     /**
      * Creates an empty MavenArtifact.
      */
@@ -95,42 +93,54 @@ public class MavenArtifact {
      *
      * @param groupId the groupId
      */
-    public void setGroupId(String groupId) { this.groupId = groupId; }
+    public void setGroupId(String groupId) {
+        this.groupId = groupId;
+    }
 
     /**
      * Gets the groupId.
      *
      * @return the groupId
      */
-    public String getGroupId() { return groupId; }
+    public String getGroupId() {
+        return groupId;
+    }
 
     /**
      * Sets the artifactId.
      *
      * @param artifactId the artifactId
      */
-    public void setArtifactId(String artifactId) { this.artifactId = artifactId; }
+    public void setArtifactId(String artifactId) {
+        this.artifactId = artifactId;
+    }
 
     /**
      * Gets the artifactId.
      *
      * @return the artifactId
      */
-    public String getArtifactId() { return artifactId; }
+    public String getArtifactId() {
+        return artifactId;
+    }
 
     /**
      * Sets the version.
      *
      * @param version the version
      */
-    public void setVersion(String version) { this.version = version; }
+    public void setVersion(String version) {
+        this.version = version;
+    }
 
     /**
      * Gets the version.
      *
      * @return the version
      */
-    public String getVersion() { return version; }
+    public String getVersion() {
+        return version;
+    }
 
     /**
      * Sets the artifactUrl.

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java

@@ -1,20 +1,19 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
- * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.data.nexus;
 
@@ -35,6 +34,7 @@ import org.w3c.dom.Document;
  * @author colezlaw
  */
 public class NexusSearch {
+
     /**
      * The root URL for the Nexus repository service
      */
@@ -48,22 +48,21 @@ public class NexusSearch {
     /**
      * Creates a NexusSearch for the given repository URL.
      *
-     * @param rootURL the root URL of the repository on which searches should execute.
+     * @param rootURL the root URL of the repository on which searches should execute. full URL's are calculated
-     *        full URL's are calculated relative to this URL, so it should end with a /
+     * relative to this URL, so it should end with a /
      */
     public NexusSearch(URL rootURL) {
         this.rootURL = rootURL;
     }
 
     /**
-     * Searches the configured Nexus repository for the given sha1
+     * Searches the configured Nexus repository for the given sha1 hash. If the artifact is found, a
-     * hash. If the artifact is found, a <code>MavenArtifact</code> is populated
+     * <code>MavenArtifact</code> is populated with the coordinate information.
-     * with the coordinate information.
      *
      * @param sha1 The SHA-1 hash string for which to search
      * @return the populated Maven coordinates
-     * @throws IOException if it's unable to connect to the specified repositor or
+     * @throws IOException if it's unable to connect to the specified repositor or if the specified artifact is not
-     *         if the specified artifact is not found.
+     * found.
      */
     public MavenArtifact searchSha1(String sha1) throws IOException {
         if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/package-info.java

@@ -4,9 +4,11 @@
  * <title>org.owasp.dependencycheck.data.nexus</title>
  * </head>
  * <body>
- * <p>Contains classes related to searching a Nexus repository.</p>
+ * <p>
- * <p>These are used to abstract Nexus searching away from
+ * Contains classes related to searching a Nexus repository.</p>
- * OWASP Dependency Check so they can be reused elsewhere.</p>
+ * <p>
+ * These are used to abstract Nexus searching away from OWASP Dependency Check so they can be reused elsewhere.</p>
  * </body>
  * </html>
  */
+package org.owasp.dependencycheck.data.nexus;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CorruptDatabaseException.java

@@ -1,26 +1,25 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.data.nvdcve;
 
 /**
- * An exception used to indicate the db4o database is corrupt. This could be due
+ * An exception used to indicate the db4o database is corrupt. This could be due to invalid data or a complete failure
- * to invalid data or a complete failure of the db.
+ * of the db.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseException.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java

@@ -1,26 +1,25 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.data.nvdcve;
 
 import java.util.Properties;
-import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.owasp.dependencycheck.data.update.NvdCveInfo;
+import org.owasp.dependencycheck.data.update.exception.UpdateException;
 
 /**
  * This is a wrapper around a set of properties that are stored in the database.
@@ -30,19 +29,18 @@ import org.owasp.dependencycheck.data.update.NvdCveInfo;
 public class DatabaseProperties {
 
     /**
-     * Modified key word, used as a key to store information about the modified
+     * Modified key word, used as a key to store information about the modified file (i.e. the containing the last 8
-     * file (i.e. the containing the last 8 days of updates)..
+     * days of updates)..
      */
     public static final String MODIFIED = "modified";
     /**
-     * The properties file key for the last updated field - used to store the
+     * The properties file key for the last updated field - used to store the last updated time of the Modified NVD CVE
-     * last updated time of the Modified NVD CVE xml file.
+     * xml file.
      */
     public static final String LAST_UPDATED = "lastupdated.modified";
     /**
-     * Stores the last updated time for each of the NVD CVE files. These
+     * Stores the last updated time for each of the NVD CVE files. These timestamps should be updated if we process the
-     * timestamps should be updated if we process the modified file within 7
+     * modified file within 7 days of the last update.
-     * days of the last update.
      */
     public static final String LAST_UPDATED_BASE = "lastupdated.";
     /**
@@ -81,8 +79,7 @@ public class DatabaseProperties {
     }
 
     /**
-     * Writes a properties file containing the last updated date to the
+     * Writes a properties file containing the last updated date to the VULNERABLE_CPE directory.
-     * VULNERABLE_CPE directory.
      *
      * @param updatedValue the updated NVD CVE entry
      * @throws UpdateException is thrown if there is an update exception
@@ -96,8 +93,8 @@ public class DatabaseProperties {
     }
 
     /**
-     * Returns the property value for the given key. If the key is not contained
+     * Returns the property value for the given key. If the key is not contained in the underlying properties null is
-     * in the underlying properties null is returned.
+     * returned.
      *
      * @param key the property key
      * @return the value of the property
@@ -107,8 +104,8 @@ public class DatabaseProperties {
     }
 
     /**
-     * Returns the property value for the given key. If the key is not contained
+     * Returns the property value for the given key. If the key is not contained in the underlying properties the
-     * in the underlying properties the default value is returned.
+     * default value is returned.
      *
      * @param key the property key
      * @param defaultValue the default value

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverLoadException.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverLoader.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverShim.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CachedWebDataSource.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -21,20 +20,18 @@ package org.owasp.dependencycheck.data.update;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
 
 /**
- * Defines a data source who's data is retrieved from the Internet. This data
+ * Defines a data source who's data is retrieved from the Internet. This data can be downloaded and the local cache
- * can be downloaded and the local cache updated.
+ * updated.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public interface CachedWebDataSource {
 
     /**
-     * Determines if an update to the current data store is needed, if it is the
+     * Determines if an update to the current data store is needed, if it is the new data is downloaded from the
-     * new data is downloaded from the Internet and imported into the current
+     * Internet and imported into the current cached data store.
-     * cached data store.
      *
-     * @throws UpdateException is thrown if there is an exception downloading
+     * @throws UpdateException is thrown if there is an exception downloading the data or updating the data store.
-     * the data or updating the data store.
      */
     void update() throws UpdateException;
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveInfo.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java

@@ -1,27 +1,26 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.data.update;
 
-import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import java.net.MalformedURLException;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 
 /**
@@ -32,11 +31,10 @@ import org.owasp.dependencycheck.utils.DownloadFailedException;
 public class NvdCveUpdater implements CachedWebDataSource {
 
     /**
-     * <p>Downloads the latest NVD CVE XML file from the web and imports it into
+     * <p>
-     * the current CVE Database.</p>
+     * Downloads the latest NVD CVE XML file from the web and imports it into the current CVE Database.</p>
      *
-     * @throws UpdateException is thrown if there is an error updating the
+     * @throws UpdateException is thrown if there is an error updating the database
-     * database
      */
     @Override
     public void update() throws UpdateException {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java

@@ -1,28 +1,22 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.data.update;
 
-import org.owasp.dependencycheck.data.update.task.ProcessTask;
-import org.owasp.dependencycheck.data.update.task.CallableDownloadTask;
-import org.owasp.dependencycheck.data.update.exception.UpdateException;
-import org.owasp.dependencycheck.data.update.exception.InvalidDataException;
-import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import java.net.MalformedURLException;
 import java.util.Calendar;
 import java.util.Date;
@@ -35,11 +29,16 @@ import java.util.concurrent.Future;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
-import org.owasp.dependencycheck.utils.DownloadFailedException;
-import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
-import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import static org.owasp.dependencycheck.data.nvdcve.DatabaseProperties.MODIFIED;
+import org.owasp.dependencycheck.data.update.exception.InvalidDataException;
+import org.owasp.dependencycheck.data.update.exception.UpdateException;
+import org.owasp.dependencycheck.data.update.task.CallableDownloadTask;
+import org.owasp.dependencycheck.data.update.task.ProcessTask;
+import org.owasp.dependencycheck.utils.DownloadFailedException;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.owasp.dependencycheck.utils.Settings;
 
 /**
  * Class responsible for updating the NVDCVE data store.
@@ -53,8 +52,7 @@ public class StandardUpdate {
      */
     public static final int MAX_THREAD_POOL_SIZE = Settings.getInt(Settings.KEYS.MAX_DOWNLOAD_THREAD_POOL_SIZE, 3);
     /**
-     * Information about the timestamps and URLs for data that needs to be
+     * Information about the timestamps and URLs for data that needs to be updated.
-     * updated.
      */
     private DatabaseProperties properties;
     /**
@@ -79,10 +77,8 @@ public class StandardUpdate {
      * Constructs a new Standard Update Task.
      *
      * @throws MalformedURLException thrown if a configured URL is malformed
-     * @throws DownloadFailedException thrown if a timestamp cannot be checked
+     * @throws DownloadFailedException thrown if a timestamp cannot be checked on a configured URL
-     * on a configured URL
+     * @throws UpdateException thrown if there is an exception generating the update task
-     * @throws UpdateException thrown if there is an exception generating the
-     * update task
      */
     public StandardUpdate() throws MalformedURLException, DownloadFailedException, UpdateException {
         openDataStores();
@@ -91,11 +87,10 @@ public class StandardUpdate {
     }
 
     /**
-     * <p>Downloads the latest NVD CVE XML file from the web and imports it into
+     * <p>
-     * the current CVE Database.</p>
+     * Downloads the latest NVD CVE XML file from the web and imports it into the current CVE Database.</p>
      *
-     * @throws UpdateException is thrown if there is an error updating the
+     * @throws UpdateException is thrown if there is an error updating the database
-     * database
      */
     public void update() throws UpdateException {
         int maxUpdates = 0;
@@ -187,18 +182,14 @@ public class StandardUpdate {
     }
 
     /**
-     * Determines if the index needs to be updated. This is done by fetching the
+     * Determines if the index needs to be updated. This is done by fetching the NVD CVE meta data and checking the last
-     * NVD CVE meta data and checking the last update date. If the data needs to
+     * update date. If the data needs to be refreshed this method will return the NvdCveUrl for the files that need to
-     * be refreshed this method will return the NvdCveUrl for the files that
+     * be updated.
-     * need to be updated.
      *
      * @return the collection of files that need to be updated
-     * @throws MalformedURLException is thrown if the URL for the NVD CVE Meta
+     * @throws MalformedURLException is thrown if the URL for the NVD CVE Meta data is incorrect
-     * data is incorrect
+     * @throws DownloadFailedException is thrown if there is an error. downloading the NVD CVE download data file
-     * @throws DownloadFailedException is thrown if there is an error.
+     * @throws UpdateException Is thrown if there is an issue with the last updated properties file
-     * downloading the NVD CVE download data file
-     * @throws UpdateException Is thrown if there is an issue with the last
-     * updated properties file
      */
     protected final UpdateableNvdCve updatesNeeded() throws MalformedURLException, DownloadFailedException, UpdateException {
         UpdateableNvdCve updates = null;
@@ -244,7 +235,7 @@ public class StandardUpdate {
                                         DatabaseProperties.LAST_UPDATED_BASE, entry.getId());
                                 Logger
                                         .getLogger(StandardUpdate.class
-                                        .getName()).log(Level.FINE, msg, ex);
+                                                .getName()).log(Level.FINE, msg, ex);
                             }
                             if (currentTimestamp == entry.getTimestamp()) {
                                 entry.setNeedsUpdate(false);
@@ -256,7 +247,7 @@ public class StandardUpdate {
                 final String msg = "An invalid schema version or timestamp exists in the data.properties file.";
                 Logger
                         .getLogger(StandardUpdate.class
-                        .getName()).log(Level.WARNING, msg);
+                                .getName()).log(Level.WARNING, msg);
                 Logger.getLogger(StandardUpdate.class
                         .getName()).log(Level.FINE, null, ex);
             }
@@ -268,12 +259,9 @@ public class StandardUpdate {
      * Retrieves the timestamps from the NVD CVE meta data file.
      *
      * @return the timestamp from the currently published nvdcve downloads page
-     * @throws MalformedURLException thrown if the URL for the NVD CCE Meta data
+     * @throws MalformedURLException thrown if the URL for the NVD CCE Meta data is incorrect.
-     * is incorrect.
+     * @throws DownloadFailedException thrown if there is an error downloading the nvd cve meta data file
-     * @throws DownloadFailedException thrown if there is an error downloading
+     * @throws InvalidDataException thrown if there is an exception parsing the timestamps
-     * the nvd cve meta data file
-     * @throws InvalidDataException thrown if there is an exception parsing the
-     * timestamps
      * @throws InvalidSettingException thrown if the settings are invalid
      */
     private UpdateableNvdCve retrieveCurrentTimestampsFromWeb()
@@ -330,10 +318,9 @@ public class StandardUpdate {
     }
 
     /**
-     * Determines if the epoch date is within the range specified of the
+     * Determines if the epoch date is within the range specified of the compareTo epoch time. This takes the
-     * compareTo epoch time. This takes the (compareTo-date)/1000/60/60/24 to
+     * (compareTo-date)/1000/60/60/24 to get the number of days. If the calculated days is less then the range the date
-     * get the number of days. If the calculated days is less then the range the
+     * is considered valid.
-     * date is considered valid.
      *
      * @param date the date to be checked.
      * @param compareTo the date to compare to.

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/UpdateService.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -56,8 +55,7 @@ public final class UpdateService {
     }
 
     /**
-     * Returns an Iterator for all instances of the CachedWebDataSource
+     * Returns an Iterator for all instances of the CachedWebDataSource interface.
-     * interface.
      *
      * @return an iterator of CachedWebDataSource.
      */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/UpdateableNvdCve.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -28,8 +27,8 @@ import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.Downloader;
 
 /**
- * Contains a collection of updateable NvdCveInfo objects. This is used to
+ * Contains a collection of updateable NvdCveInfo objects. This is used to determine which files need to be downloaded
- * determine which files need to be downloaded and processed.
+ * and processed.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
@@ -41,8 +40,7 @@ public class UpdateableNvdCve implements java.lang.Iterable<NvdCveInfo>, Iterato
     private Map<String, NvdCveInfo> collection = new TreeMap<String, NvdCveInfo>();
 
     /**
-     * Returns the collection of NvdCveInfo objects. This method is mainly used
+     * Returns the collection of NvdCveInfo objects. This method is mainly used for testing.
-     * for testing.
      *
      * @return the collection of NvdCveInfo objects
      */
@@ -69,8 +67,8 @@ public class UpdateableNvdCve implements java.lang.Iterable<NvdCveInfo>, Iterato
      *
      * @param id the key for the item to be added
      * @param url the URL to download the item
-     * @param oldUrl the URL for the old version of the item (the NVD CVE old
+     * @param oldUrl the URL for the old version of the item (the NVD CVE old schema still contains useful data we
-     * schema still contains useful data we need).
+     * need).
      * @throws MalformedURLException thrown if the URL provided is invalid
      * @throws DownloadFailedException thrown if the download fails.
      */
@@ -83,8 +81,8 @@ public class UpdateableNvdCve implements java.lang.Iterable<NvdCveInfo>, Iterato
      *
      * @param id the key for the item to be added
      * @param url the URL to download the item
-     * @param oldUrl the URL for the old version of the item (the NVD CVE old
+     * @param oldUrl the URL for the old version of the item (the NVD CVE old schema still contains useful data we
-     * schema still contains useful data we need).
+     * need).
      * @param needsUpdate whether or not the data needs to be updated
      * @throws MalformedURLException thrown if the URL provided is invalid
      * @throws DownloadFailedException thrown if the download fails.
@@ -121,8 +119,10 @@ public class UpdateableNvdCve implements java.lang.Iterable<NvdCveInfo>, Iterato
     private Iterator<Entry<String, NvdCveInfo>> iterableContent = null;
 
     /**
-     * <p>Returns an iterator for the NvdCveInfo contained.</p>
+     * <p>
-     * <p><b>This method is not thread safe.</b></p>
+     * Returns an iterator for the NvdCveInfo contained.</p>
+     * <p>
+     * <b>This method is not thread safe.</b></p>
      *
      * @return an NvdCveInfo Iterator
      */
@@ -133,11 +133,12 @@ public class UpdateableNvdCve implements java.lang.Iterable<NvdCveInfo>, Iterato
     }
 
     /**
-     * <p>Returns whether or not there is another item in the collection.</p>
+     * <p>
-     * <p><b>This method is not thread safe.</b></p>
+     * Returns whether or not there is another item in the collection.</p>
+     * <p>
+     * <b>This method is not thread safe.</b></p>
      *
-     * @return true or false depending on whether or not another item exists in
+     * @return true or false depending on whether or not another item exists in the collection
-     * the collection
      */
     @Override
     public boolean hasNext() {
@@ -145,8 +146,10 @@ public class UpdateableNvdCve implements java.lang.Iterable<NvdCveInfo>, Iterato
     }
 
     /**
-     * <p>Returns the next item in the collection.</p>
+     * <p>
-     * <p><b>This method is not thread safe.</b></p>
+     * Returns the next item in the collection.</p>
+     * <p>
+     * <b>This method is not thread safe.</b></p>
      *
      * @return the next NvdCveInfo item in the collection
      */
@@ -156,8 +159,10 @@ public class UpdateableNvdCve implements java.lang.Iterable<NvdCveInfo>, Iterato
     }
 
     /**
-     * <p>Removes the current NvdCveInfo object from the collection.</p>
+     * <p>
-     * <p><b>This method is not thread safe.</b></p>
+     * Removes the current NvdCveInfo object from the collection.</p>
+     * <p>
+     * <b>This method is not thread safe.</b></p>
      */
     @Override
     public void remove() {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/exception/InvalidDataException.java

@@ -1,26 +1,24 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.data.update.exception;
 
 /**
- * An InvalidDataDataException is a generic exception used when trying to load
+ * An InvalidDataDataException is a generic exception used when trying to load the NVD CVE meta data.
- * the NVD CVE meta data.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/exception/UpdateException.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/CallableDownloadTask.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
@@ -53,7 +52,6 @@ public class CallableDownloadTask implements Callable<Future<ProcessTask>> {
         final File file1;
         final File file2;
 
-
         try {
             file1 = File.createTempFile("cve" + nvdCveInfo.getId() + "_", ".xml");
             file2 = File.createTempFile("cve_1_2_" + nvdCveInfo.getId() + "_", ".xml");

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/ProcessTask.java

@@ -1,27 +1,22 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.data.update.task;
 
-import org.owasp.dependencycheck.data.update.xml.NvdCve20Handler;
-import org.owasp.dependencycheck.data.update.xml.NvdCve12Handler;
-import org.owasp.dependencycheck.data.update.exception.UpdateException;
-import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
@@ -36,13 +31,16 @@ import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import org.owasp.dependencycheck.data.update.StandardUpdate;
+import org.owasp.dependencycheck.data.update.exception.UpdateException;
+import org.owasp.dependencycheck.data.update.xml.NvdCve12Handler;
+import org.owasp.dependencycheck.data.update.xml.NvdCve20Handler;
 import org.owasp.dependencycheck.dependency.VulnerableSoftware;
 import org.xml.sax.SAXException;
 
 /**
- * A callable task that will process a given set of NVD CVE xml files and update
+ * A callable task that will process a given set of NVD CVE xml files and update the Cve Database accordingly.
- * the Cve Database accordingly.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
@@ -87,8 +85,7 @@ public class ProcessTask implements Callable<ProcessTask> {
      * Constructs a new ProcessTask used to process an NVD CVE update.
      *
      * @param cveDB the data store object
-     * @param filePair the download task that contains the URL references to
+     * @param filePair the download task that contains the URL references to download
-     * download
      */
     public ProcessTask(final CveDB cveDB, final CallableDownloadTask filePair) {
         this.cveDB = cveDB;
@@ -100,8 +97,8 @@ public class ProcessTask implements Callable<ProcessTask> {
      * Implements the callable interface.
      *
      * @return this object
-     * @throws Exception thrown if there is an exception; note that any
+     * @throws Exception thrown if there is an exception; note that any UpdateExceptions are simply added to the tasks
-     * UpdateExceptions are simply added to the tasks exception collection
+     * exception collection
      */
     @Override
     public ProcessTask call() throws Exception {
@@ -118,14 +115,12 @@ public class ProcessTask implements Callable<ProcessTask> {
      *
      * @param file the file containing the NVD CVE XML
      * @param oldVersion contains the file containing the NVD CVE XML 1.2
-     * @throws ParserConfigurationException is thrown if there is a parser
+     * @throws ParserConfigurationException is thrown if there is a parser configuration exception
-     * configuration exception
      * @throws SAXException is thrown if there is a SAXException
      * @throws IOException is thrown if there is a IO Exception
      * @throws SQLException is thrown if there is a SQL exception
      * @throws DatabaseException is thrown if there is a database exception
-     * @throws ClassNotFoundException thrown if the h2 database driver cannot be
+     * @throws ClassNotFoundException thrown if the h2 database driver cannot be loaded
-     * loaded
      */
     protected void importXML(File file, File oldVersion) throws ParserConfigurationException,
             SAXException, IOException, SQLException, DatabaseException, ClassNotFoundException {
@@ -146,8 +141,7 @@ public class ProcessTask implements Callable<ProcessTask> {
     /**
      * Processes the NVD CVE XML file and imports the data into the DB.
      *
-     * @throws UpdateException thrown if there is an error loading the data into
+     * @throws UpdateException thrown if there is an error loading the data into the database
-     * the database
      */
     private void processFiles() throws UpdateException {
         String msg = String.format("Processing Started for NVD CVE - %s", filePair.getNvdCveInfo().getId());

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/xml/NvdCve12Handler.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -29,11 +28,9 @@ import org.xml.sax.SAXNotSupportedException;
 import org.xml.sax.helpers.DefaultHandler;
 
 /**
- * A SAX Handler that will parse the NVD CVE XML (schema version 1.2). This
+ * A SAX Handler that will parse the NVD CVE XML (schema version 1.2). This parses the xml and retrieves a listing of
- * parses the xml and retrieves a listing of CPEs that have previous versions
+ * CPEs that have previous versions specified. The previous version information is not in the 2.0 version of the schema
- * specified. The previous version information is not in the 2.0 version of the
+ * and is useful to ensure accurate identification (or at least complete).
- * schema and is useful to ensure accurate identification (or at least
- * complete).
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
@@ -150,8 +147,7 @@ public class NvdCve12Handler extends DefaultHandler {
 
     // <editor-fold defaultstate="collapsed" desc="The Element Class that maintains state information about the current node">
     /**
-     * A simple class to maintain information about the current element while
+     * A simple class to maintain information about the current element while parsing the NVD CVE XML.
-     * parsing the NVD CVE XML.
      */
     protected static class Element {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/xml/NvdCve20Handler.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -229,16 +228,14 @@ public class NvdCve20Handler extends DefaultHandler {
         cveDB = db;
     }
     /**
-     * A list of CVE entries and associated VulnerableSoftware entries that
+     * A list of CVE entries and associated VulnerableSoftware entries that contain previous entries.
-     * contain previous entries.
      */
     private Map<String, List<VulnerableSoftware>> prevVersionVulnMap;
 
     /**
      * Sets the prevVersionVulnMap.
      *
-     * @param map the map of vulnerable software with previous versions being
+     * @param map the map of vulnerable software with previous versions being vulnerable
-     * vulnerable
      */
     public void setPrevVersionVulnMap(Map<String, List<VulnerableSoftware>> map) {
         prevVersionVulnMap = map;
@@ -248,8 +245,7 @@ public class NvdCve20Handler extends DefaultHandler {
      * Saves a vulnerability to the CVE Database.
      *
      * @param vuln the vulnerability to store in the database
-     * @throws DatabaseException thrown if there is an error writing to the
+     * @throws DatabaseException thrown if there is an error writing to the database
-     * database
      * @throws CorruptIndexException is thrown if the CPE Index is corrupt
      * @throws IOException thrown if there is an IOException with the CPE Index
      */
@@ -269,8 +265,7 @@ public class NvdCve20Handler extends DefaultHandler {
 
     // <editor-fold defaultstate="collapsed" desc="The Element Class that maintains state information about the current node">
     /**
-     * A simple class to maintain information about the current element while
+     * A simple class to maintain information about the current element while parsing the NVD CVE XML.
-     * parsing the NVD CVE XML.
      */
     protected static class Element {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -32,9 +31,8 @@ import org.owasp.dependencycheck.utils.Checksum;
 import org.owasp.dependencycheck.utils.FileUtils;
 
 /**
- * A program dependency. This object is one of the core components within
+ * A program dependency. This object is one of the core components within DependencyCheck. It is used to collect
- * DependencyCheck. It is used to collect information about the dependency in
+ * information about the dependency in the form of evidence. The Evidence is then used to determine if there are any
- * the form of evidence. The Evidence is then used to determine if there are any
  * known, published, vulnerabilities associated with the program dependency.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
@@ -153,9 +151,11 @@ public class Dependency implements Comparable<Dependency> {
     }
 
     /**
-     * <p>Gets the file path of the dependency.</p> <p><b>NOTE:</b> This may not
+     * <p>
-     * be the actual path of the file on disk. The actual path of the file on
+     * Gets the file path of the dependency.</p>
-     * disk can be obtained via the getActualFilePath().</p>
+     * <p>
+     * <b>NOTE:</b> This may not be the actual path of the file on disk. The actual path of the file on disk can be
+     * obtained via the getActualFilePath().</p>
      *
      * @return the file path of the dependency.
      */
@@ -236,8 +236,7 @@ public class Dependency implements Comparable<Dependency> {
     }
 
     /**
-     * Adds an entry to the list of detected Identifiers for the dependency
+     * Adds an entry to the list of detected Identifiers for the dependency file.
-     * file.
      *
      * @param type the type of identifier (such as CPE)
      * @param value the value of the identifier
@@ -249,8 +248,7 @@ public class Dependency implements Comparable<Dependency> {
     }
 
     /**
-     * Adds an entry to the list of detected Identifiers for the dependency
+     * Adds an entry to the list of detected Identifiers for the dependency file.
-     * file.
      *
      * @param identifier the identifier to add
      */
@@ -465,8 +463,7 @@ public class Dependency implements Comparable<Dependency> {
     }
 
     /**
-     * Implementation of the Comparable<Dependency> interface. The comparison is
+     * Implementation of the Comparable<Dependency> interface. The comparison is solely based on the file name.
-     * solely based on the file name.
      *
      * @param o a dependency to compare
      * @return an integer representing the natural ordering
@@ -567,8 +564,7 @@ public class Dependency implements Comparable<Dependency> {
     }
 
     /**
-     * Standard toString() implementation showing the filename, actualFilePath,
+     * Standard toString() implementation showing the filename, actualFilePath, and filePath.
-     * and filePath.
      *
      * @return the string representation of the file
      */

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -128,11 +127,9 @@ public class Evidence implements Comparable<Evidence> {
     }
 
     /**
-     * Get the value of value. If setUsed is set to false this call to get will
+     * Get the value of value. If setUsed is set to false this call to get will not mark the evidence as used.
-     * not mark the evidence as used.
      *
-     * @param setUsed whether or not this call to getValue should cause the used
+     * @param setUsed whether or not this call to getValue should cause the used flag to be updated
-     * flag to be updated
      * @return the value of value
      */
     public String getValue(Boolean setUsed) {
@@ -229,8 +226,7 @@ public class Evidence implements Comparable<Evidence> {
     }
 
     /**
-     * Simple equality test for use within the equals method. This does a case
+     * Simple equality test for use within the equals method. This does a case insensitive compare.
-     * insensitive compare.
      *
      * @param l a string to compare.
      * @param r another string to compare.

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -40,8 +39,7 @@ import org.owasp.dependencycheck.utils.UrlStringUtils;
 public class EvidenceCollection implements Iterable<Evidence> {
 
     /**
-     * Used to iterate over highest confidence evidence contained in the
+     * Used to iterate over highest confidence evidence contained in the collection.
-     * collection.
      */
     private static final Filter<Evidence> HIGHEST_CONFIDENCE = new Filter<Evidence>() {
         public boolean passes(Evidence evidence) {
@@ -49,8 +47,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
         }
     };
     /**
-     * Used to iterate over high confidence evidence contained in the
+     * Used to iterate over high confidence evidence contained in the collection.
-     * collection.
      */
     private static final Filter<Evidence> HIGH_CONFIDENCE = new Filter<Evidence>() {
         public boolean passes(Evidence evidence) {
@@ -58,8 +55,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
         }
     };
     /**
-     * Used to iterate over medium confidence evidence contained in the
+     * Used to iterate over medium confidence evidence contained in the collection.
-     * collection.
      */
     private static final Filter<Evidence> MEDIUM_CONFIDENCE = new Filter<Evidence>() {
         public boolean passes(Evidence evidence) {
@@ -75,8 +71,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
         }
     };
     /**
-     * Used to iterate over evidence that has was used (aka read) from the
+     * Used to iterate over evidence that has was used (aka read) from the collection.
-     * collection.
      */
     private static final Filter<Evidence> EVIDENCE_USED = new Filter<Evidence>() {
         public boolean passes(Evidence evidence) {
@@ -87,8 +82,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
     /**
      * Used to iterate over evidence of the specified confidence.
      *
-     * @param confidence the confidence level for the evidence to be iterated
+     * @param confidence the confidence level for the evidence to be iterated over.
-     * over.
      * @return Iterable<Evidence> an iterable collection of evidence
      */
     public final Iterable<Evidence> iterator(Evidence.Confidence confidence) {
@@ -129,8 +123,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
     }
 
     /**
-     * Creates an Evidence object from the parameters and adds the resulting
+     * Creates an Evidence object from the parameters and adds the resulting object to the collection.
-     * object to the collection.
      *
      * @param source the source of the Evidence.
      * @param name the name of the Evidence.
@@ -143,17 +136,13 @@ public class EvidenceCollection implements Iterable<Evidence> {
     }
 
     /**
-     * Adds term to the weighting collection. The terms added here are used
+     * Adds term to the weighting collection. The terms added here are used later to boost the score of other terms.
-     * later to boost the score of other terms. This is a way of combining
+     * This is a way of combining evidence from multiple sources to boost the confidence of the given evidence.
-     * evidence from multiple sources to boost the confidence of the given
-     * evidence.
      *
-     * Example: The term 'Apache' is found in the manifest of a JAR and is added
+     * Example: The term 'Apache' is found in the manifest of a JAR and is added to the Collection. When we parse the
-     * to the Collection. When we parse the package names within the JAR file we
+     * package names within the JAR file we may add these package names to the "weighted" strings collection to boost
-     * may add these package names to the "weighted" strings collection to boost
+     * the score in the Lucene query. That way when we construct the Lucene query we find the term Apache in the
-     * the score in the Lucene query. That way when we construct the Lucene
+     * collection AND in the weighted strings; as such, we will boost the confidence of the term Apache.
-     * query we find the term Apache in the collection AND in the weighted
-     * strings; as such, we will boost the confidence of the term Apache.
      *
      * @param str to add to the weighting collection.
      */
@@ -162,8 +151,8 @@ public class EvidenceCollection implements Iterable<Evidence> {
     }
 
     /**
-     * Returns a set of Weightings - a list of terms that are believed to be of
+     * Returns a set of Weightings - a list of terms that are believed to be of higher confidence when also found in
-     * higher confidence when also found in another location.
+     * another location.
      *
      * @return Set<String>
      */
@@ -251,8 +240,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
     }
 
     /**
-     * Used to determine if a given version was used (aka read) from the
+     * Used to determine if a given version was used (aka read) from the EvidenceCollection.
-     * EvidenceCollection.
      *
      * @param version the version to search for within the collected evidence.
      * @return whether or not the string was used.
@@ -272,8 +260,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
     }
 
     /**
-     * Returns whether or not the collection contains evidence of a specified
+     * Returns whether or not the collection contains evidence of a specified Confidence.
-     * Confidence.
      *
      * @param confidence A Confidence value.
      * @return boolean.
@@ -288,8 +275,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
     }
 
     /**
-     * Merges multiple EvidenceCollections together, only merging evidence that
+     * Merges multiple EvidenceCollections together, only merging evidence that was used, into a new EvidenceCollection.
-     * was used, into a new EvidenceCollection.
      *
      * @param ec One or more EvidenceCollections.
      * @return a new EvidenceCollection containing the used evidence.
@@ -345,16 +331,18 @@ public class EvidenceCollection implements Iterable<Evidence> {
     }
 
     /**
-     * <p>Takes a string that may contain a fully qualified domain and it will
+     * <p>
-     * return the string having removed the query string, the protocol, the
+     * Takes a string that may contain a fully qualified domain and it will return the string having removed the query
-     * sub-domain of 'www', and the file extension of the path.</p>
+     * string, the protocol, the sub-domain of 'www', and the file extension of the path.</p>
-     * <p>This is useful for checking if the evidence contains a specific
+     * <p>
-     * string. The presence of the protocol, file extension, etc. may produce
+     * This is useful for checking if the evidence contains a specific string. The presence of the protocol, file
-     * false positives.
+     * extension, etc. may produce false positives.
      *
-     * <p>Example, given the following input:</p>
+     * <p>
+     * Example, given the following input:</p>
      * <code>'Please visit https://www.somedomain.com/path1/path2/file.php?id=439'</code>
-     * <p>The function would return:</p>
+     * <p>
+     * The function would return:</p>
      * <code>'Please visit somedomain path1 path2 file'</code>
      *
      * @param value the value that may contain a url

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Identifier.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -108,7 +107,9 @@ public class Identifier implements Comparable<Identifier> {
     }
 
     /**
-     * <p>Set the value of type.</p><p>Example would be "CPE".</p>
+     * <p>
+     * Set the value of type.</p><p>
+     * Example would be "CPE".</p>
      *
      * @param type new value of type
      */
@@ -175,8 +176,7 @@ public class Identifier implements Comparable<Identifier> {
     }
 
     /**
-     * Implementation of the comparator interface. This compares the value of
+     * Implementation of the comparator interface. This compares the value of the identifier only.
-     * the identifier only.
      *
      * @param o the object being compared
      * @return an integer indicating the ordering

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Reference.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -21,8 +20,7 @@ package org.owasp.dependencycheck.dependency;
 import java.io.Serializable;
 
 /**
- * An external reference for a vulnerability. This contains a name, URL, and a
+ * An external reference for a vulnerability. This contains a name, URL, and a source.
- * source.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -161,8 +160,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
      * Adds an entry for vulnerable software.
      *
      * @param cpe string representation of a cpe
-     * @param previousVersion the previous version (previousVersion - cpe would
+     * @param previousVersion the previous version (previousVersion - cpe would be considered vulnerable)
-     * be considered vulnerable)
      * @return if the add succeeded
      */
     public boolean addVulnerableSoftware(String cpe, String previousVersion) {
@@ -389,8 +387,8 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
      * Compares two vulnerabilities.
      *
      * @param v a vulnerability to be compared
-     * @return a negative integer, zero, or a positive integer as this object is
+     * @return a negative integer, zero, or a positive integer as this object is less than, equal to, or greater than
-     * less than, equal to, or greater than the specified vulnerability
+     * the specified vulnerability
      */
     public int compareTo(Vulnerability v) {
         return v.getName().compareTo(this.getName());

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerabilityComparator.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -26,8 +25,7 @@ import java.util.logging.Logger;
 import org.owasp.dependencycheck.data.cpe.IndexEntry;
 
 /**
- * A record containing information about vulnerable software. This is referenced
+ * A record containing information about vulnerable software. This is referenced from a vulnerability.
- * from a vulnerability.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
@@ -55,12 +53,15 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
     }
 
     /**
-     * <p>Parses a name attribute value, from the cpe.xml, into its
+     * <p>
-     * corresponding parts: vendor, product, version, revision.</p>
+     * Parses a name attribute value, from the cpe.xml, into its corresponding parts: vendor, product, version,
-     * <p>Example:</p>
+     * revision.</p>
+     * <p>
+     * Example:</p>
      * <code>&nbsp;&nbsp;&nbsp;cpe:/a:apache:struts:1.1:rc2</code>
      *
-     * <p>Results in:</p> <ul> <li>Vendor: apache</li> <li>Product: struts</li>
+     * <p>
+     * Results in:</p> <ul> <li>Vendor: apache</li> <li>Product: struts</li>
      * <li>Version: 1.1</li> <li>Revision: rc2</li> </ul>
      *
      * @param cpeName the cpe name
@@ -121,8 +122,7 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
     }
 
     /**
-     * Standard equals implementation to compare this VulnerableSoftware to
+     * Standard equals implementation to compare this VulnerableSoftware to another object.
-     * another object.
      *
      * @param obj the object to compare
      * @return whether or not the objects are equal
@@ -155,8 +155,7 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
     }
 
     /**
-     * Standard toString() implementation display the name and whether or not
+     * Standard toString() implementation display the name and whether or not previous versions are also affected.
-     * previous versions are also affected.
      *
      * @return a string representation of the object
      */

dependency-check-core/src/main/java/org/owasp/dependencycheck/exception/NoDataException.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/jaxb/pom/MavenNamespaceFilter.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
@@ -23,9 +22,9 @@ import org.xml.sax.SAXException;
 import org.xml.sax.helpers.XMLFilterImpl;
 
 /**
- * This filter is used when parsing POM documents. Some POM documents do not
+ * This filter is used when parsing POM documents. Some POM documents do not specify the
- * specify the xmlns="http://maven.apache.org/POM/4.0.0". This filter ensures
+ * xmlns="http://maven.apache.org/POM/4.0.0". This filter ensures that the correct namespace is added so that both types
- * that the correct namespace is added so that both types of POMs can be read.
+ * of POMs can be read.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java

@@ -1,25 +1,24 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.reporting;
 
-import java.io.FileInputStream;
 import java.io.File;
+import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
 import java.io.IOException;
@@ -40,10 +39,8 @@ import org.owasp.dependencycheck.analyzer.Analyzer;
 import org.owasp.dependencycheck.dependency.Dependency;
 
 /**
- * The ReportGenerator is used to, as the name implies, generate reports.
+ * The ReportGenerator is used to, as the name implies, generate reports. Internally the generator uses the Velocity
- * Internally the generator uses the Velocity Templating Engine. The
+ * Templating Engine. The ReportGenerator exposes a list of Dependencies to the template when generating the report.
- * ReportGenerator exposes a list of Dependencies to the template when
- * generating the report.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
@@ -152,8 +149,7 @@ public class ReportGenerator {
      * Generates the Dependency Reports for the identified dependencies.
      *
      * @param outputDir the path where the reports should be written
-     * @param outputFormat the format the report should be written in (XML,
+     * @param outputFormat the format the report should be written in (XML, HTML, ALL)
-     * HTML, ALL)
      * @throws IOException is thrown when the template file does not exist
      * @throws Exception is thrown if there is an error writing out the reports.
      */
@@ -176,9 +172,8 @@ public class ReportGenerator {
     }
 
     /**
-     * Generates a report from a given Velocity Template. The template name
+     * Generates a report from a given Velocity Template. The template name provided can be the name of a template
-     * provided can be the name of a template contained in the jar file, such as
+     * contained in the jar file, such as 'XmlReport' or 'HtmlReport', or the template name can be the path to a
-     * 'XmlReport' or 'HtmlReport', or the template name can be the path to a
      * template file.
      *
      * @param templateName the name of the template to load.

dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/VelocityLoggerRedirect.java

@@ -1,41 +1,37 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Steve Springett. All Rights Reserved.
  */
 package org.owasp.dependencycheck.reporting;
 
+import java.util.logging.Level;
+import java.util.logging.Logger;
 import org.apache.velocity.app.Velocity;
 import org.apache.velocity.runtime.RuntimeServices;
 import org.apache.velocity.runtime.log.LogChute;
 
-import java.util.logging.Level;
-import java.util.logging.Logger;
-
 /**
- * <p>DependencyCheck uses {@link java.util.logging.Logger} as a logging
+ * <p>
- * framework, and Apache Velocity uses a custom logging implementation that
+ * DependencyCheck uses {@link java.util.logging.Logger} as a logging framework, and Apache Velocity uses a custom
- * outputs to a file named velocity.log by default. This class is an
+ * logging implementation that outputs to a file named velocity.log by default. This class is an implementation of a
- * implementation of a custom Velocity logger that redirects all velocity
+ * custom Velocity logger that redirects all velocity logging to the Java Logger class.
- * logging to the Java Logger class.
  * </p><p>
- * This class was written to address permission issues when using
+ * This class was written to address permission issues when using Dependency-Check in a server environment (such as the
- * Dependency-Check in a server environment (such as the Jenkins plugin). In
+ * Jenkins plugin). In some circumstances, Velocity would attempt to create velocity.log in an un-writable
- * some circumstances, Velocity would attempt to create velocity.log in an
+ * directory.</p>
- * un-writable directory.</p>
  *
  * @author Steve Springett (steve.springett@owasp.org)
  */
@@ -51,8 +47,8 @@ public class VelocityLoggerRedirect implements LogChute {
     }
 
     /**
-     * Given a Velocity log level and message, this method will call the
+     * Given a Velocity log level and message, this method will call the appropriate Logger level and log the specified
-     * appropriate Logger level and log the specified values.
+     * values.
      *
      * @param level the logging level
      * @param message the message to be logged
@@ -62,8 +58,8 @@ public class VelocityLoggerRedirect implements LogChute {
     }
 
     /**
-     * Given a Velocity log level, message and Throwable, this method will call
+     * Given a Velocity log level, message and Throwable, this method will call the appropriate Logger level and log the
-     * the appropriate Logger level and log the specified values.
+     * specified values.
      *
      * @param level the logging level
      * @param message the message to be logged

dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/PropertyType.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
@@ -21,9 +20,8 @@ package org.owasp.dependencycheck.suppression;
 import java.util.regex.Pattern;
 
 /**
- * A simple PropertyType used to represent a string value that could be used as
+ * A simple PropertyType used to represent a string value that could be used as a regular expression or could be case
- * a regular expression or could be case insensitive. The equals method has been
+ * insensitive. The equals method has been over-ridden so that the object will correctly compare to strings.
- * over-ridden so that the object will correctly compare to strings.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
@@ -104,8 +102,7 @@ public class PropertyType {
     //</editor-fold>
 
     /**
-     * Uses the object's properties to determine if the supplied string matches
+     * Uses the object's properties to determine if the supplied string matches the value of this property.
-     * the value of this property.
      *
      * @param text the String to validate
      * @return whether the text supplied is matched by the value of the property

dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionErrorHandler.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionHandler.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionParseException.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionParser.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionRule.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
@@ -237,9 +236,8 @@ public class SuppressionRule {
     }
 
     /**
-     * Processes a given dependency to determine if any CPE, CVE, CWE, or CVSS
+     * Processes a given dependency to determine if any CPE, CVE, CWE, or CVSS scores should be suppressed. If any
-     * scores should be suppressed. If any should be, they are removed from the
+     * should be, they are removed from the dependency.
-     * dependency.
      *
      * @param dependency a project dependency to analyze
      */
@@ -301,12 +299,10 @@ public class SuppressionRule {
     }
 
     /**
-     * Identifies if the cpe specified by the cpe suppression rule does not
+     * Identifies if the cpe specified by the cpe suppression rule does not specify a version.
-     * specify a version.
      *
      * @param c a suppression rule identifier
-     * @return true if the property type does not specify a version; otherwise
+     * @return true if the property type does not specify a version; otherwise false
-     * false
      */
     boolean cpeHasNoVersion(PropertyType c) {
         if (c.isRegex()) {
@@ -319,8 +315,7 @@ public class SuppressionRule {
     }
 
     /**
-     * Counts the number of occurrences of the character found within the
+     * Counts the number of occurrences of the character found within the string.
-     * string.
      *
      * @param str the string to check
      * @param c the character to count
@@ -337,8 +332,7 @@ public class SuppressionRule {
     }
 
     /**
-     * Determines if the cpeEntry specified as a PropertyType matches the given
+     * Determines if the cpeEntry specified as a PropertyType matches the given Identifier.
-     * Identifier.
      *
      * @param cpeEntry a suppression rule entry
      * @param identifier a CPE identifier to check

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DBUtils.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
@@ -44,8 +43,7 @@ public final class DBUtils {
      *
      * @param statement a prepared statement that just executed an insert
      * @return a primary key
-     * @throws DatabaseException thrown if there is an exception obtaining the
+     * @throws DatabaseException thrown if there is an exception obtaining the key
-     * key
      */
     public static int getGeneratedKey(PreparedStatement statement) throws DatabaseException {
         ResultSet rs = null;
@@ -79,8 +77,7 @@ public final class DBUtils {
     }
 
     /**
-     * Closes the result set capturing and ignoring any SQLExceptions that
+     * Closes the result set capturing and ignoring any SQLExceptions that occur.
-     * occur.
      *
      * @param rs a ResultSet to close
      */

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
@@ -26,15 +25,15 @@ import java.util.regex.Pattern;
 import org.apache.commons.lang.StringUtils;
 
 /**
- * <p>Simple object to track the parts of a version number. The parts are
+ * <p>
- * contained in a List such that version 1.2.3 will be stored as:
+ * Simple object to track the parts of a version number. The parts are contained in a List such that version 1.2.3 will
- * <code>versionParts[0] = 1;
+ * be stored as:  <code>versionParts[0] = 1;
  * versionParts[1] = 2;
  * versionParts[2] = 3;
  * </code></p>
- * <p>Note, the parser contained in this class expects the version numbers to be
+ * <p>
- * separated by periods. If a different separator is used the parser will likely
+ * Note, the parser contained in this class expects the version numbers to be separated by periods. If a different
- * fail.</p>
+ * separator is used the parser will likely fail.</p>
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
@@ -48,9 +47,8 @@ public class DependencyVersion implements Iterable, Comparable<DependencyVersion
 
     /**
      * Constructor for a DependencyVersion that will parse a version string.
-     * <b>Note</b>, this should only be used when the version passed in is
+     * <b>Note</b>, this should only be used when the version passed in is already known to be a well formated version
-     * already known to be a well formated version number. Otherwise,
+     * number. Otherwise, DependencyVersionUtil.parseVersion() should be used instead.
-     * DependencyVersionUtil.parseVersion() should be used instead.
      *
      * @param version the well formated version number to parse
      */
@@ -59,9 +57,8 @@ public class DependencyVersion implements Iterable, Comparable<DependencyVersion
     }
 
     /**
-     * Parses a version string into its sub parts: major, minor, revision,
+     * Parses a version string into its sub parts: major, minor, revision, build, etc. <b>Note</b>, this should only be
-     * build, etc. <b>Note</b>, this should only be used to parse something that
+     * used to parse something that is already known to be a version number.
-     * is already known to be a version number.
      *
      * @param version the version string to parse
      */
@@ -182,9 +179,8 @@ public class DependencyVersion implements Iterable, Comparable<DependencyVersion
     }
 
     /**
-     * Determines if the three most major major version parts are identical. For
+     * Determines if the three most major major version parts are identical. For instances, if version 1.2.3.4 was
-     * instances, if version 1.2.3.4 was compared to 1.2.3 this function would
+     * compared to 1.2.3 this function would return true.
-     * return true.
      *
      * @param version the version number to compare
      * @return true if the first three major parts of the version are identical

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersionUtil.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
@@ -23,8 +22,8 @@ import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 /**
- * <p>A utility class to extract version numbers from file names (or other
+ * <p>
- * strings containing version numbers.</p>
+ * A utility class to extract version numbers from file names (or other strings containing version numbers.</p>
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
@@ -35,9 +34,8 @@ public final class DependencyVersionUtil {
      */
     private static final Pattern RX_VERSION = Pattern.compile("\\d+(\\.\\d{1,6})+(\\.?([_-](release|beta|alpha)|[a-zA-Z_-]{1,3}\\d{1,8}))?");
     /**
-     * Regular expression to extract a single version number without periods.
+     * Regular expression to extract a single version number without periods. This is a last ditch effort just to check
-     * This is a last ditch effort just to check in case we are missing a
+     * in case we are missing a version number using the previous regex.
-     * version number using the previous regex.
      */
     private static final Pattern RX_SINGLE_VERSION = Pattern.compile("\\d+(\\.?([_-](release|beta|alpha)|[a-zA-Z_-]{1,3}\\d{1,8}))?");
 
@@ -48,8 +46,8 @@ public final class DependencyVersionUtil {
     }
 
     /**
-     * <p>A utility class to extract version numbers from file names (or other
+     * <p>
-     * strings containing version numbers.<br/>
+     * A utility class to extract version numbers from file names (or other strings containing version numbers.<br/>
      * Example:<br/>
      * Give the file name: library-name-1.4.1r2-release.jar<br/>
      * This function would return: 1.4.1.r2</p>

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DownloadFailedException.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Downloader.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -54,8 +53,7 @@ public final class Downloader {
      *
      * @param url the URL of the file to download.
      * @param outputPath the path to the save the file to.
-     * @throws DownloadFailedException is thrown if there is an error
+     * @throws DownloadFailedException is thrown if there is an error downloading the file.
-     * downloading the file.
      */
     public static void fetchFile(URL url, File outputPath) throws DownloadFailedException {
         HttpURLConnection conn = null;
@@ -120,14 +118,12 @@ public final class Downloader {
     }
 
     /**
-     * Makes an HTTP Head request to retrieve the last modified date of the
+     * Makes an HTTP Head request to retrieve the last modified date of the given URL. If the file:// protocol is
-     * given URL. If the file:// protocol is specified, then the lastTimestamp
+     * specified, then the lastTimestamp of the file is returned.
-     * of the file is returned.
      *
      * @param url the URL to retrieve the timestamp from
      * @return an epoch timestamp
-     * @throws DownloadFailedException is thrown if an exception occurs making
+     * @throws DownloadFailedException is thrown if an exception occurs making the HTTP request
-     * the HTTP request
      */
     public static long getLastModified(URL url) throws DownloadFailedException {
         long timestamp = 0;
@@ -173,9 +169,8 @@ public final class Downloader {
     }
 
     /**
-     * Utility method to get an HttpURLConnection. If the app is configured to
+     * Utility method to get an HttpURLConnection. If the app is configured to use a proxy this method will retrieve the
-     * use a proxy this method will retrieve the proxy settings and use them
+     * proxy settings and use them when setting up the connection.
-     * when setting up the connection.
      *
      * @param url the url to connect to
      * @return an HttpURLConnection

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/ExtractionException.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/FileUtils.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -67,8 +66,7 @@ public final class FileUtils {
     }
 
     /**
-     * Deletes a file. If the File is a directory it will recursively delete the
+     * Deletes a file. If the File is a directory it will recursively delete the contents.
-     * contents.
      *
      * @param file the File to delete
      * @throws IOException is thrown if the file could not be deleted
@@ -91,19 +89,16 @@ public final class FileUtils {
     }
 
     /**
-     * Returns the data directory. If a path was specified in
+     * Returns the data directory. If a path was specified in dependencycheck.properties or was specified using the
-     * dependencycheck.properties or was specified using the Settings object,
+     * Settings object, and the path exists, that path will be returned as a File object. If it does not exist, then a
-     * and the path exists, that path will be returned as a File object. If it
+     * File object will be created based on the file location of the JAR containing the specified class.
-     * does not exist, then a File object will be created based on the file
-     * location of the JAR containing the specified class.
      *
      * @param configuredFilePath the configured relative or absolute path
      * @param clazz the class to resolve the path
      * @return a File object
      * @throws IOException is thrown if the path could not be decoded
-     * @deprecated This method should no longer be used. See the implementation
+     * @deprecated This method should no longer be used. See the implementation in dependency-check-cli/App.java to see
-     * in dependency-check-cli/App.java to see how the data directory should be
+     * how the data directory should be set.
-     * set.
      */
     @java.lang.Deprecated
     public static File getDataDirectory(String configuredFilePath, Class clazz) throws IOException {
@@ -117,10 +112,8 @@ public final class FileUtils {
     }
 
     /**
-     * Retrieves the physical path to the parent directory containing the
+     * Retrieves the physical path to the parent directory containing the provided class. For example, if a JAR file
-     * provided class. For example, if a JAR file contained a class
+     * contained a class org.something.clazz this method would return the parent directory of the JAR file.
-     * org.something.clazz this method would return the parent directory of the
-     * JAR file.
      *
      * @param clazz the class to determine the parent directory of
      * @return the parent directory of the file containing the specified class.
@@ -140,24 +133,21 @@ public final class FileUtils {
      *
      * @param archive an archive file such as a WAR or EAR
      * @param extractTo a directory to extract the contents to
-     * @throws ExtractionException thrown if an exception occurs while
+     * @throws ExtractionException thrown if an exception occurs while extracting the files
-     * extracting the files
      */
     public static void extractFiles(File archive, File extractTo) throws ExtractionException {
         extractFiles(archive, extractTo, null);
     }
 
     /**
-     * Extracts the contents of an archive into the specified directory. The
+     * Extracts the contents of an archive into the specified directory. The files are only extracted if they are
-     * files are only extracted if they are supported by the analyzers loaded
+     * supported by the analyzers loaded into the specified engine. If the engine is specified as null then all files
-     * into the specified engine. If the engine is specified as null then all
+     * are extracted.
-     * files are extracted.
      *
      * @param archive an archive file such as a WAR or EAR
      * @param extractTo a directory to extract the contents to
      * @param engine the scanning engine
-     * @throws ExtractionException thrown if there is an error extracting the
+     * @throws ExtractionException thrown if there is an error extracting the files
-     * files
      */
     public static void extractFiles(File archive, File extractTo, Engine engine) throws ExtractionException {
         if (archive == null || extractTo == null) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/InvalidSettingException.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/LogFilter.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
@@ -22,9 +21,8 @@ import java.util.logging.Filter;
 import java.util.logging.LogRecord;
 
 /**
- * A simple log filter to limit the entries written to the verbose log file. The
+ * A simple log filter to limit the entries written to the verbose log file. The verbose log file uses the root logger
- * verbose log file uses the root logger as I couldn't get anything else to
+ * as I couldn't get anything else to work; as such, this filter limits the log entries to specific classes.
- * work; as such, this filter limits the log entries to specific classes.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/LogUtils.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/NonClosingStream.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -22,9 +21,8 @@ import java.io.FilterInputStream;
 import java.io.InputStream;
 
 /**
- * NonClosingStream is a stream filter which prevents another class that
+ * NonClosingStream is a stream filter which prevents another class that processes the stream from closing it. This is
- * processes the stream from closing it. This is necessary when dealing with
+ * necessary when dealing with things like JAXB and zipInputStreams.
- * things like JAXB and zipInputStreams.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -42,30 +41,25 @@ public final class Settings {
     public static final class KEYS {
 
         /**
-         * private constructor because this is a "utility" class containing
+         * private constructor because this is a "utility" class containing constants
-         * constants
          */
         private KEYS() {
             //do nothing
         }
         /**
-         * The properties key indicating whether or not the cached data sources
+         * The properties key indicating whether or not the cached data sources should be updated.
-         * should be updated.
          */
         public static final String AUTO_UPDATE = "autoupdate";
         /**
-         * The database driver class name. If this is not in the properties file
+         * The database driver class name. If this is not in the properties file the embedded database is used.
-         * the embedded database is used.
          */
         public static final String DB_DRIVER_NAME = "data.driver_name";
         /**
-         * The database driver class name. If this is not in the properties file
+         * The database driver class name. If this is not in the properties file the embedded database is used.
-         * the embedded database is used.
          */
         public static final String DB_DRIVER_PATH = "data.driver_path";
         /**
-         * The database connection string. If this is not in the properties file
+         * The database connection string. If this is not in the properties file the embedded database is used.
-         * the embedded database is used.
          */
         public static final String DB_CONNECTION_STRING = "data.connection_string";
         /**
@@ -81,29 +75,26 @@ public final class Settings {
          */
         public static final String DATA_DIRECTORY = "data.directory";
         /**
-         * The properties key for the URL to retrieve the "meta" data from about
+         * The properties key for the URL to retrieve the "meta" data from about the CVE entries.
-         * the CVE entries.
          */
         public static final String CVE_META_URL = "cve.url.meta";
         /**
-         * The properties key for the URL to retrieve the recently modified and
+         * The properties key for the URL to retrieve the recently modified and added CVE entries (last 8 days) using
-         * added CVE entries (last 8 days) using the 2.0 schema.
+         * the 2.0 schema.
          */
         public static final String CVE_MODIFIED_20_URL = "cve.url-2.0.modified";
         /**
-         * The properties key for the URL to retrieve the recently modified and
+         * The properties key for the URL to retrieve the recently modified and added CVE entries (last 8 days) using
-         * added CVE entries (last 8 days) using the 1.2 schema.
+         * the 1.2 schema.
          */
         public static final String CVE_MODIFIED_12_URL = "cve.url-1.2.modified";
         /**
-         * The properties key for the URL to retrieve the recently modified and
+         * The properties key for the URL to retrieve the recently modified and added CVE entries (last 8 days).
-         * added CVE entries (last 8 days).
          */
         public static final String CVE_MODIFIED_VALID_FOR_DAYS = "cve.url.modified.validfordays";
         /**
-         * The properties key for the telling us how many cvr.url.* URLs exists.
+         * The properties key for the telling us how many cvr.url.* URLs exists. This is used in combination with
-         * This is used in combination with CVE_BASE_URL to be able to retrieve
+         * CVE_BASE_URL to be able to retrieve the URLs for all of the files that make up the NVD CVE listing.
-         * the URLs for all of the files that make up the NVD CVE listing.
          */
         public static final String CVE_START_YEAR = "cve.startyear";
         /**
@@ -119,8 +110,7 @@ public final class Settings {
          */
         public static final String PROXY_URL = "proxy.url";
         /**
-         * The properties key for the proxy port - this must be an integer
+         * The properties key for the proxy port - this must be an integer value.
-         * value.
          */
         public static final String PROXY_PORT = "proxy.port";
         /**
@@ -170,8 +160,7 @@ public final class Settings {
     private Properties props = null;
 
     /**
-     * Private constructor for the Settings class. This class loads the
+     * Private constructor for the Settings class. This class loads the properties files.
-     * properties files.
      */
     private Settings() {
         InputStream in = null;
@@ -218,16 +207,13 @@ public final class Settings {
     }
 
     /**
-     * Merges a new properties file into the current properties. This method
+     * Merges a new properties file into the current properties. This method allows for the loading of a user provided
-     * allows for the loading of a user provided properties file.<br/><br/>
+     * properties file.<br/><br/>
-     * Note: even if using this method - system properties will be loaded before
+     * Note: even if using this method - system properties will be loaded before properties loaded from files.
-     * properties loaded from files.
      *
      * @param filePath the path to the properties file to merge.
-     * @throws FileNotFoundException is thrown when the filePath points to a
+     * @throws FileNotFoundException is thrown when the filePath points to a non-existent file
-     * non-existent file
+     * @throws IOException is thrown when there is an exception loading/merging the properties
-     * @throws IOException is thrown when there is an exception loading/merging
-     * the properties
      */
     public static void mergeProperties(File filePath) throws FileNotFoundException, IOException {
         final FileInputStream fis = new FileInputStream(filePath);
@@ -235,16 +221,13 @@ public final class Settings {
     }
 
     /**
-     * Merges a new properties file into the current properties. This method
+     * Merges a new properties file into the current properties. This method allows for the loading of a user provided
-     * allows for the loading of a user provided properties file.<br/><br/>
+     * properties file.<br/><br/>
-     * Note: even if using this method - system properties will be loaded before
+     * Note: even if using this method - system properties will be loaded before properties loaded from files.
-     * properties loaded from files.
      *
      * @param filePath the path to the properties file to merge.
-     * @throws FileNotFoundException is thrown when the filePath points to a
+     * @throws FileNotFoundException is thrown when the filePath points to a non-existent file
-     * non-existent file
+     * @throws IOException is thrown when there is an exception loading/merging the properties
-     * @throws IOException is thrown when there is an exception loading/merging
-     * the properties
      */
     public static void mergeProperties(String filePath) throws FileNotFoundException, IOException {
         final FileInputStream fis = new FileInputStream(filePath);
@@ -252,24 +235,21 @@ public final class Settings {
     }
 
     /**
-     * Merges a new properties file into the current properties. This method
+     * Merges a new properties file into the current properties. This method allows for the loading of a user provided
-     * allows for the loading of a user provided properties file.<br/><br/>
+     * properties file.<br/><br/>
-     * Note: even if using this method - system properties will be loaded before
+     * Note: even if using this method - system properties will be loaded before properties loaded from files.
-     * properties loaded from files.
      *
      * @param stream an Input Stream pointing at a properties file to merge
-     * @throws IOException is thrown when there is an exception loading/merging
+     * @throws IOException is thrown when there is an exception loading/merging the properties
-     * the properties
      */
     public static void mergeProperties(InputStream stream) throws IOException {
         INSTANCE.props.load(stream);
     }
 
     /**
-     * Returns a value from the properties file as a File object. If the value
+     * Returns a value from the properties file as a File object. If the value was specified as a system property or
-     * was specified as a system property or passed in via the -Dprop=value
+     * passed in via the -Dprop=value argument - this method will return the value from the system properties before the
-     * argument - this method will return the value from the system properties
+     * values in the contained configuration file.
-     * before the values in the contained configuration file.
      *
      * @param key the key to lookup within the properties file
      * @return the property from the properties file converted to a File object
@@ -283,15 +263,13 @@ public final class Settings {
     }
 
     /**
-     * Returns a value from the properties file as a File object. If the value
+     * Returns a value from the properties file as a File object. If the value was specified as a system property or
-     * was specified as a system property or passed in via the -Dprop=value
+     * passed in via the -Dprop=value argument - this method will return the value from the system properties before the
-     * argument - this method will return the value from the system properties
+     * values in the contained configuration file.
-     * before the values in the contained configuration file.
      *
-     * This method will check the configured base directory and will use this as
+     * This method will check the configured base directory and will use this as the base of the file path.
-     * the base of the file path. Additionally, if the base directory begins
+     * Additionally, if the base directory begins with a leading "[JAR]\" sequence with the path to the folder
-     * with a leading "[JAR]\" sequence with the path to the folder containing
+     * containing the JAR file containing this class.
-     * the JAR file containing this class.
      *
      * @param key the key to lookup within the properties file
      * @return the property from the properties file converted to a File object
@@ -310,8 +288,7 @@ public final class Settings {
     }
 
     /**
-     * Attempts to retrieve the folder containing the Jar file containing the
+     * Attempts to retrieve the folder containing the Jar file containing the Settings class.
-     * Settings class.
      *
      * @return a File object
      */
@@ -333,9 +310,8 @@ public final class Settings {
     }
 
     /**
-     * Returns a value from the properties file. If the value was specified as a
+     * Returns a value from the properties file. If the value was specified as a system property or passed in via the
-     * system property or passed in via the -Dprop=value argument - this method
+     * -Dprop=value argument - this method will return the value from the system properties before the values in the
-     * will return the value from the system properties before the values in the
      * contained configuration file.
      *
      * @param key the key to lookup within the properties file
@@ -357,9 +333,8 @@ public final class Settings {
     }
 
     /**
-     * Returns a value from the properties file. If the value was specified as a
+     * Returns a value from the properties file. If the value was specified as a system property or passed in via the
-     * system property or passed in via the -Dprop=value argument - this method
+     * -Dprop=value argument - this method will return the value from the system properties before the values in the
-     * will return the value from the system properties before the values in the
      * contained configuration file.
      *
      * @param key the key to lookup within the properties file
@@ -370,8 +345,7 @@ public final class Settings {
     }
 
     /**
-     * Removes a property from the local properties collection. This is mainly
+     * Removes a property from the local properties collection. This is mainly used in test cases.
-     * used in test cases.
      *
      * @param key the property key to remove
      */
@@ -380,15 +354,13 @@ public final class Settings {
     }
 
     /**
-     * Returns an int value from the properties file. If the value was specified
+     * Returns an int value from the properties file. If the value was specified as a system property or passed in via
-     * as a system property or passed in via the -Dprop=value argument - this
+     * the -Dprop=value argument - this method will return the value from the system properties before the values in the
-     * method will return the value from the system properties before the values
+     * contained configuration file.
-     * in the contained configuration file.
      *
      * @param key the key to lookup within the properties file
      * @return the property from the properties file
-     * @throws InvalidSettingException is thrown if there is an error retrieving
+     * @throws InvalidSettingException is thrown if there is an error retrieving the setting
-     * the setting
      */
     public static int getInt(String key) throws InvalidSettingException {
         int value;
@@ -401,15 +373,14 @@ public final class Settings {
     }
 
     /**
-     * Returns an int value from the properties file. If the value was specified
+     * Returns an int value from the properties file. If the value was specified as a system property or passed in via
-     * as a system property or passed in via the -Dprop=value argument - this
+     * the -Dprop=value argument - this method will return the value from the system properties before the values in the
-     * method will return the value from the system properties before the values
+     * contained configuration file.
-     * in the contained configuration file.
      *
      * @param key the key to lookup within the properties file
      * @param defaultValue the default value to return
-     * @return the property from the properties file or the defaultValue if the
+     * @return the property from the properties file or the defaultValue if the property does not exist or cannot be
-     * property does not exist or cannot be converted to an integer
+     * converted to an integer
      */
     public static int getInt(String key, int defaultValue) {
         int value;
@@ -424,15 +395,13 @@ public final class Settings {
     }
 
     /**
-     * Returns a long value from the properties file. If the value was specified
+     * Returns a long value from the properties file. If the value was specified as a system property or passed in via
-     * as a system property or passed in via the -Dprop=value argument - this
+     * the -Dprop=value argument - this method will return the value from the system properties before the values in the
-     * method will return the value from the system properties before the values
+     * contained configuration file.
-     * in the contained configuration file.
      *
      * @param key the key to lookup within the properties file
      * @return the property from the properties file
-     * @throws InvalidSettingException is thrown if there is an error retrieving
+     * @throws InvalidSettingException is thrown if there is an error retrieving the setting
-     * the setting
      */
     public static long getLong(String key) throws InvalidSettingException {
         long value;
@@ -445,16 +414,13 @@ public final class Settings {
     }
 
     /**
-     * Returns a boolean value from the properties file. If the value was
+     * Returns a boolean value from the properties file. If the value was specified as a system property or passed in
-     * specified as a system property or passed in via the
+     * via the <code>-Dprop=value</code> argument this method will return the value from the system properties before
-     * <code>-Dprop=value</code> argument this method will return the value from
+     * the values in the contained configuration file.
-     * the system properties before the values in the contained configuration
-     * file.
      *
      * @param key the key to lookup within the properties file
      * @return the property from the properties file
-     * @throws InvalidSettingException is thrown if there is an error retrieving
+     * @throws InvalidSettingException is thrown if there is an error retrieving the setting
-     * the setting
      */
     public static boolean getBoolean(String key) throws InvalidSettingException {
         boolean value;

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/UrlStringUtils.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * Licensed under the Apache License, Version 2.0 (the "License");
- * under the terms of the GNU General Public License as published by the Free
+ * you may not use this file except in compliance with the License.
- * Software Foundation, either version 3 of the License, or (at your option) any
+ * You may obtain a copy of the License at
- * later version.
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
+ *     http://www.apache.org/licenses/LICENSE-2.0
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * Unless required by applicable law or agreed to in writing, software
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
@@ -47,8 +46,8 @@ public final class UrlStringUtils {
     private static final Pattern IS_URL_TEST = Pattern.compile("^(ht|f)tps?://.*", Pattern.CASE_INSENSITIVE);
 
     /**
-     * Tests if the text provided contains a URL. This is somewhat limited
+     * Tests if the text provided contains a URL. This is somewhat limited search in that it only looks for
-     * search in that it only looks for (ftp|http|https)://
+     * (ftp|http|https)://
      *
      * @param text the text to search
      * @return true if the text contains a url, otherwise false
@@ -67,18 +66,19 @@ public final class UrlStringUtils {
         return IS_URL_TEST.matcher(text).matches();
     }
     /**
-     * A listing of domain parts that should not be used as evidence. Yes, this
+     * A listing of domain parts that should not be used as evidence. Yes, this is an incomplete list.
-     * is an incomplete list.
      */
     private static final HashSet<String> IGNORE_LIST = new HashSet<String>(
             Arrays.asList("www", "com", "org", "gov", "info", "name", "net", "pro", "tel", "mobi", "xxx"));
 
     /**
-     * <p>Takes a URL, in String format, and adds the important parts of the URL
+     * <p>
-     * to a list of strings.</p>
+     * Takes a URL, in String format, and adds the important parts of the URL to a list of strings.</p>
-     * <p>Example, given the following input:</p>
+     * <p>
+     * Example, given the following input:</p>
      * <code>"https://www.somedomain.com/path1/path2/file.php?id=439"</code>
-     * <p>The function would return:</p>
+     * <p>
+     * The function would return:</p>
      * <code>{"some.domain", "path1", "path2", "file"}</code>
      *
      * @param text a URL

dependency-check-core/src/main/resources/templates/HtmlReport.vsl

@@ -1,18 +1,17 @@
 #**
-This file is part of Dependency-Check.
+This file is part of dependency-check-core.
 
-Dependency-Check is free software: you can redistribute it and/or modify
+Licensed under the Apache License, Version 2.0 (the "License");
-it under the terms of the GNU General Public License as published by
+you may not use this file except in compliance with the License.
-the Free Software Foundation, either version 3 of the License, or
+You may obtain a copy of the License at
-(at your option) any later version.
 
-Dependency-Check is distributed in the hope that it will be useful,
+    http://www.apache.org/licenses/LICENSE-2.0
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-GNU General Public License for more details.
 
-You should have received a copy of the GNU General Public License
+Unless required by applicable law or agreed to in writing, software
-along with Dependency-Check. If not, see http://www.gnu.org/licenses/.
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
 
 Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 

dependency-check-core/src/main/resources/templates/VulnerabilityReport.vsl

@@ -1,18 +1,17 @@
 #**
 This file is part of Dependency-Check.
 
-Dependency-Check is free software: you can redistribute it and/or modify
+Licensed under the Apache License, Version 2.0 (the "License");
-it under the terms of the GNU General Public License as published by
+you may not use this file except in compliance with the License.
-the Free Software Foundation, either version 3 of the License, or
+You may obtain a copy of the License at
-(at your option) any later version.
 
-Dependency-Check is distributed in the hope that it will be useful,
+    http://www.apache.org/licenses/LICENSE-2.0
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-GNU General Public License for more details.
 
-You should have received a copy of the GNU General Public License
+Unless required by applicable law or agreed to in writing, software
-along with Dependency-Check. If not, see http://www.gnu.org/licenses/.
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
 
 Copyright (c) 2013 Jeremy Long. All Rights Reserved.
 

dependency-check-core/src/main/resources/templates/XmlReport.vsl

@@ -1,18 +1,17 @@
 #**
 This file is part of Dependency-Check.
 
-Dependency-Check is free software: you can redistribute it and/or modify
+Licensed under the Apache License, Version 2.0 (the "License");
-it under the terms of the GNU General Public License as published by
+you may not use this file except in compliance with the License.
-the Free Software Foundation, either version 3 of the License, or
+You may obtain a copy of the License at
-(at your option) any later version.
 
-Dependency-Check is distributed in the hope that it will be useful,
+    http://www.apache.org/licenses/LICENSE-2.0
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-GNU General Public License for more details.
 
-You should have received a copy of the GNU General Public License
+Unless required by applicable law or agreed to in writing, software
-along with Dependency-Check. If not, see http://www.gnu.org/licenses/.
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
 
 Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 

dependency-check-core/src/site/site.xml

@@ -2,18 +2,17 @@
 <!--
 This file is part of dependency-check-core.
 
-Dependency-check-core is free software: you can redistribute it and/or modify it
+Licensed under the Apache License, Version 2.0 (the "License");
-under the terms of the GNU General Public License as published by the Free
+you may not use this file except in compliance with the License.
-Software Foundation, either version 3 of the License, or (at your option) any
+You may obtain a copy of the License at
-later version.
 
-Dependency-check-core is distributed in the hope that it will be useful, but
+    http://www.apache.org/licenses/LICENSE-2.0
-WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
-details.
 
-You should have received a copy of the GNU General Public License along with
+Unless required by applicable law or agreed to in writing, software
-dependency-check-core. If not, see http://www.gnu.org/licenses/.
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
 
 Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 -->