diff --git a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Update.java b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Update.java
index b25979f67..d121f21c1 100644
--- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Update.java
+++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Update.java
@@ -357,10 +357,13 @@ public class Update extends Purge {
 this.cveUrl20Base = cveUrl20Base;
 }
+ /**
+ * The number of hours to wait before re-checking for updates.
+ */
 private Integer cveValidForHours;
 /**
- * Get the value of cveValidForHours
+ * Get the value of cveValidForHours.
 *
 * @return the value of cveValidForHours
 */
@@ -369,7 +372,7 @@ public class Update extends Purge {
 }
 /**
- * Set the value of cveValidForHours
+ * Set the value of cveValidForHours.
 *
 * @param cveValidForHours new value of cveValidForHours
 */
diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
index 3d2221454..855baa471 100644
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
@@ -91,10 +91,10 @@ public final class CliParser {
 */
 private void validateArgs() throws FileNotFoundException, ParseException {
 if (isUpdateOnly() || isRunScan()) {
- String value = line.getOptionValue(ARGUMENT.CVE_VALID_FOR_HOURS);
+ final String value = line.getOptionValue(ARGUMENT.CVE_VALID_FOR_HOURS);
 if (value != null) {
 try {
- int i = Integer.parseInt(value);
+ final int i = Integer.parseInt(value);
 if (i < 0) {
 throw new ParseException("Invalid Setting: cveValidForHours must be a number greater than or equal to 0.");
 }
@@ -989,12 +989,12 @@ public final class CliParser {
 }
 /**
- * Get the value of cveValidForHours
+ * Get the value of cveValidForHours.
 *
 * @return the value of cveValidForHours
 */
 public Integer getCveValidForHours() {
- String v = line.getOptionValue(ARGUMENT.CVE_VALID_FOR_HOURS);
+ final String v = line.getOptionValue(ARGUMENT.CVE_VALID_FOR_HOURS);
 if (v != null) {
 return Integer.parseInt(v);
 }
diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/InvalidScanPathException.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/InvalidScanPathException.java
index 092595c84..df01561b0 100644
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/InvalidScanPathException.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/InvalidScanPathException.java
@@ -22,7 +22,7 @@ package org.owasp.dependencycheck;
 *
 * @author Jeremy Long
 */
-class InvalidScanPathException extends Exception {
+public class InvalidScanPathException extends Exception {
 /**
 * The serial version UID for serialization.
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
index 750b99432..4bf4755e5 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
@@ -114,7 +114,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
 static {
 final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
 if (additionalZipExt != null) {
- String[] ext = additionalZipExt.split("\\s*,\\s*");
+ final String[] ext = additionalZipExt.split("\\s*,\\s*");
 Collections.addAll(ZIPPABLES, ext);
 }
 EXTENSIONS.addAll(ZIPPABLES);
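Review bot: `getCveValidForHours()` still re-parses the raw option with `Integer.parseInt(v)`, so a non-numeric value throws an unchecked NumberFormatException out of a getter; the validation in `validateArgs()` only runs under `isUpdateOnly() || isRunScan()`, so this getter is not guaranteed to see validated input on every path that calls it. Either state the contract on the new Javadoc, `@throws NumberFormatException if the option was supplied but is not an integer`, or have the getter reuse the value already validated rather than parsing twice. The method's closing lines are outside the hunk.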
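Review bot: The `split("\\s*,\\s*")` on `additionalZipExt` keeps empty entries — an empty setting yields `[""]` and a leading comma yields a blank first element — and they are added to ZIPPABLES and then EXTENSIONS unchanged; whether a blank extension ends up matching extension-less files depends on how EXTENSIONS is consulted, which is outside the hunk. Trim the setting and skip blanks before adding: `for (String e : additionalZipExt.trim().split("\\s*,\\s*")) { if (!e.isEmpty()) { ZIPPABLES.add(e); } }`. If the lookup is case-sensitive, lower-casing the entries here would also be worth considering, but that cannot be confirmed from this hunk.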
@@ -195,8 +195,11 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
 if (tempFileLocation != null && tempFileLocation.exists()) {
 LOGGER.debug("Attempting to delete temporary files");
 final boolean success = FileUtils.delete(tempFileLocation);
- if (!success && tempFileLocation.exists() && tempFileLocation.list().length > 0) {
- LOGGER.warn("Failed to delete some temporary files, see the log for more details");
+ if (!success && tempFileLocation.exists()) {
+ final String[] l = tempFileLocation.list();
+ if (l != null && l.length > 0) {
+ LOGGER.warn("Failed to delete some temporary files, see the log for more details");
+ }
 }
 }
 }
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java
index 6c483137c..0435fa7a7 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java
@@ -62,11 +62,19 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
 private static final int REGEX_OPTIONS = Pattern.DOTALL | Pattern.CASE_INSENSITIVE | Pattern.MULTILINE;
+ /**
+ * Regex to extract the product information.
+ */
 private static final Pattern PROJECT = Pattern.compile(
 "^ *project *\\([ \\n]*(\\w+)[ \\n]*.*?\\)", REGEX_OPTIONS);
- // Group 1: Product
- // Group 2: Version
+ /**
+ * Regex to extract product and version information.
+ *
+ * Group 1: Product
+ *
+ * Group 2: Version
+ */
 private static final Pattern SET_VERSION = Pattern
 .compile(
 "^ *set\\s*\\(\\s*(\\w+)_version\\s+\"?(\\d+(?:\\.\\d+)+)[\\s\"]?\\)",
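Review bot: The new null guard on `tempFileLocation.list()` also suppresses the warning in the case it was added to handle: `list()` returns null when the directory cannot be read (or the path is not a directory), and in that branch `delete` has already returned false and the path still exists, yet nothing is logged. Warn in both cases, `if (l == null || l.length > 0) {`, or at least log the null case at debug, so a temp directory that could not be removed — presumably holding extracted archive contents — is not silently left on disk. The enclosing method starts before the hunk.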
@@ -172,8 +180,17 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
 }
 }
+ /**
+ * Extracts the version information from the contents. If more then one version is found additional dependencies are added to
+ * the dependency list.
+ *
+ * @param dependency the dependency being analyzed
+ * @param engine the dependency-check engine
+ * @param contents the version information
+ */
 private void analyzeSetVersionCommand(Dependency dependency, Engine engine, String contents) {
- final Dependency orig = dependency;
+ Dependency currentDep = dependency;
+
 final Matcher m = SET_VERSION.matcher(contents);
 int count = 0;
 while (m.find()) {
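Review bot: The new Javadoc has a typo, `more then` should be `more than`, and `@param contents the version information` misdescribes the argument — it is the text that `SET_VERSION.matcher(contents)` is run over, presumably the CMake file contents, not already-extracted version information. Suggest `@param contents the contents of the CMake file being scanned for set(<product>_version ...) commands`. The method body continues past the end of the hunk.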
@@ -190,19 +207,19 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
 }
 if (count > 1) {
 //TODO - refactor so we do not assign to the parameter (checkstyle)
- dependency = new Dependency(orig.getActualFile());
- dependency.setDisplayFileName(String.format("%s:%s", orig.getDisplayFileName(), product));
- final String filePath = String.format("%s:%s", orig.getFilePath(), product);
- dependency.setFilePath(filePath);
+ currentDep = new Dependency(dependency.getActualFile());
+ currentDep.setDisplayFileName(String.format("%s:%s", dependency.getDisplayFileName(), product));
+ final String filePath = String.format("%s:%s", dependency.getFilePath(), product);
+ currentDep.setFilePath(filePath);
 // prevents coalescing into the dependency provided by engine
- dependency.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes())));
- engine.getDependencies().add(dependency);
+ currentDep.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes())));
+ engine.getDependencies().add(currentDep);
 }
- final String source = dependency.getDisplayFileName();
- dependency.getProductEvidence().addEvidence(source, "Product",
+ final String source = currentDep.getDisplayFileName();
+ currentDep.getProductEvidence().addEvidence(source, "Product",
 product, Confidence.MEDIUM);
- dependency.getVersionEvidence().addEvidence(source, "Version",
+ currentDep.getVersionEvidence().addEvidence(source, "Version",
 version, Confidence.MEDIUM);
 }
 LOGGER.debug(String.format("Found %d matches.", count));
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
index 4c74b36cf..2cf35171d 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
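Review bot: The context comment `//TODO - refactor so we do not assign to the parameter (checkstyle)` is exactly what this hunk fixes by introducing `currentDep`, so it should be deleted rather than left to mislead the next reader. On the rewritten line `currentDep.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes())))`, `getBytes()` uses the platform default charset, so the synthetic checksum for a path with non-ASCII characters differs between machines; use `filePath.getBytes(StandardCharsets.UTF_8)` (import java.nio.charset.StandardCharsets). Note also that this value is a digest of a path string, not of file contents, so anything downstream that treats `sha1sum` as a content hash will be misled — the existing comment only explains the coalescing motive, not that the field is not a real checksum. `sha1` is a field whose sharing I cannot judge from here; MessageDigest instances are not safe for concurrent use, so confirm this analyzer is not run on several threads. The enclosing method begins in the previous hunk.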
@@ -213,10 +213,8 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
 //version check
 final DependencyVersion version1 = DependencyVersionUtil.parseVersion(fileName1);
 final DependencyVersion version2 = DependencyVersionUtil.parseVersion(fileName2);
- if (version1 != null && version2 != null) {
- if (!version1.equals(version2)) {
- return false;
- }
+ if (version1 != null && version2 != null && !version1.equals(version2)) {
+ return false;
 }
 //filename check
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CorruptDatabaseException.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CorruptDatabaseException.java
index 1dcdd6e6c..7dbdd6adb 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CorruptDatabaseException.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CorruptDatabaseException.java
@@ -18,12 +18,11 @@ package org.owasp.dependencycheck.data.nvdcve;
 /**
- * An exception used to indicate the db4o database is corrupt. This could be due to invalid data or a complete failure
- * of the db.
+ * An exception used to indicate the db4o database is corrupt. This could be due to invalid data or a complete failure of the db.
 *
 * @author Jeremy Long
 */
-class CorruptDatabaseException extends DatabaseException {
+public class CorruptDatabaseException extends DatabaseException {
 /**
 * the serial version uid.
@@ -31,7 +30,7 @@ class CorruptDatabaseException extends DatabaseException {
 private static final long serialVersionUID = 1L;
 /**
- * Creates an CorruptDatabaseException
+ * Creates an CorruptDatabaseException.
 *
 * @param msg the exception message
 */
@@ -40,7 +39,7 @@ class CorruptDatabaseException extends DatabaseException {
 }
 /**
- * Creates an CorruptDatabaseException
+ * Creates an CorruptDatabaseException.
 *
 * @param msg the exception message
 * @param ex the cause of the exception
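Review bot: The reflowed class Javadoc still describes a `db4o database`, while `DriverLoader` in the same package (further down this diff) registers JDBC drivers with the DriverManager, which suggests the db4o wording is stale; if the object database is gone, say `the CVE database` so the exception's stated purpose matches the code that throws it. Widening the class to `public` also makes it part of the module's API, so the constructor Javadocs touched in the later hunks could say when callers should expect it rather than only repeating the class name. The other hunks in this file are Javadoc punctuation only.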
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverLoader.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverLoader.java
index c845e12b4..c2f792bc7 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverLoader.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverLoader.java
@@ -63,15 +63,13 @@ public final class DriverLoader {
 }
 /**
- * Loads the specified class by registering the supplied paths to the class loader and then registers the driver
- * with the driver manager. The pathToDriver argument is added to the class loader so that an external driver can be
- * loaded. Note, the pathToDriver can contain a semi-colon separated list of paths so any dependencies can be added
- * as needed. If a path in the pathToDriver argument is a directory all files in the directory are added to the
- * class path.
+ * Loads the specified class by registering the supplied paths to the class loader and then registers the driver with the
+ * driver manager. The pathToDriver argument is added to the class loader so that an external driver can be loaded. Note, the
+ * pathToDriver can contain a semi-colon separated list of paths so any dependencies can be added as needed. If a path in the
+ * pathToDriver argument is a directory all files in the directory are added to the class path.
 *
 * @param className the fully qualified name of the desired class
- * @param pathToDriver the path to the JAR file containing the driver; note, this can be a semi-colon separated list
- * of paths
+ * @param pathToDriver the path to the JAR file containing the driver; note, this can be a semi-colon separated list of paths
 * @return the loaded Driver
 * @throws DriverLoadException thrown if the driver cannot be loaded
 */
@@ -83,14 +81,15 @@ public final class DriverLoader {
 final File file = new File(path);
 if (file.isDirectory()) {
 final File[] files = file.listFiles();
-
- for (File f : files) {
- try {
- urls.add(f.toURI().toURL());
- } catch (MalformedURLException ex) {
- LOGGER.debug("Unable to load database driver '{}'; invalid path provided '{}'",
- className, f.getAbsoluteFile(), ex);
- throw new DriverLoadException("Unable to load database driver. Invalid path provided", ex);
+ if (files != null) {
+ for (File f : files) {
+ try {
+ urls.add(f.toURI().toURL());
+ } catch (MalformedURLException ex) {
+ LOGGER.debug("Unable to load database driver '{}'; invalid path provided '{}'",
+ className, f.getAbsoluteFile(), ex);
+ throw new DriverLoadException("Unable to load database driver. Invalid path provided", ex);
+ }
 }
 }
 } else if (file.exists()) {
@@ -98,7 +97,7 @@ public final class DriverLoader {
 urls.add(file.toURI().toURL());
 } catch (MalformedURLException ex) {
 LOGGER.debug("Unable to load database driver '{}'; invalid path provided '{}'",
- className, file.getAbsoluteFile(), ex);
+ className, file.getAbsoluteFile(), ex);
 throw new DriverLoadException("Unable to load database driver. Invalid path provided", ex);
 }
 }
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
index 3b3215e94..61032c1ac 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
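Review bot: The new `if (files != null)` guard silently skips a directory that `listFiles()` cannot read — null here means an I/O error, since `isDirectory()` already passed — so a driver directory with bad permissions contributes nothing to the class path and the failure surfaces later, presumably as a less specific class-not-found error from the loading code outside this hunk. Report it at the point of failure instead: `if (files == null) { throw new DriverLoadException("Unable to load database driver. Unable to read directory " + file.getAbsolutePath()); }`. Separately, every entry in the directory is added, including non-JAR files and subdirectories; filtering to names ending in `.jar` would keep unrelated files off the driver class path. The enclosing loop and method start before the hunk.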
@@ -90,14 +90,14 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
 }
 /**
- * Checks if the NVD CVE XML files were last checked recently.
- * As an optimization, we can avoid repetitive checks against the NVD.
- * Setting CVE_CHECK_VALID_FOR_HOURS determines the duration since last check before checking again.
- * A database property stores the timestamp of the last check.
+ * Checks if the NVD CVE XML files were last checked recently. As an optimization, we can avoid repetitive checks against the
+ * NVD. Setting CVE_CHECK_VALID_FOR_HOURS determines the duration since last check before checking again. A database property
+ * stores the timestamp of the last check.
 *
 * @return true to proceed with the check, or false to skip.
+ * @throws UpdateException thrown when there is an issue checking for updates.
 */
- private boolean checkUpdate () throws UpdateException {
+ private boolean checkUpdate() throws UpdateException {
 boolean proceed = true;
 // If the valid setting has not been specified, then we proceed to check...
 final int validForHours = Settings.getInt(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, 0);
@@ -112,7 +112,7 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
 } else {
 LOGGER.info("Skipping NVD check since last check was within {} hours.", validForHours);
 LOGGER.debug("Last NVD was at {}, and now {} is within {} ms.",
- lastChecked, now, msValid);
+ lastChecked, now, msValid);
 }
 }
 return proceed;
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/Model.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/Model.java
index 9c901f09b..93de5232e 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/Model.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/Model.java
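Review bot: The reflowed Javadoc for `checkUpdate()` does not say what the default means: the code reads `Settings.getInt(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, 0)` and the comment on that line says an unset value proceeds to check, so 0 presumably disables the optimisation entirely. Add a sentence such as `A value of 0 (the default) disables this optimisation and the NVD is checked on every run.` so operators tuning the setting — and weighing stale vulnerability data against NVD traffic — know the semantics. The rest of the method, including the comparison against the stored timestamp, is outside the hunk.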
@@ -322,12 +322,26 @@ public class Model {
 */
 private static class PropertyLookup extends StrLookup {
+ /**
+ * Reference to the properties to lookup.
+ */
 private final Properties props;
- public PropertyLookup(Properties props) {
+ /**
+ * Constructs a new property lookup.
+ *
+ * @param props the properties to wrap.
+ */
+ PropertyLookup(Properties props) {
 this.props = props;
 }
+ /**
+ * Looks up the given property.
+ *
+ * @param key the key to the property
+ * @return the value of the property specified by the key
+ */
 @Override
 public String lookup(String key) {
 return props.getProperty(key);
diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java
index e6a1e41d9..90fb80065 100644
--- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java
+++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java
@@ -144,10 +144,10 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
 try {
 File mpp = new File(project.getBasedir(), m);
 mpp = mpp.getCanonicalFile();
- if (mpp.compareTo(mod.getBasedir()) == 0 && descendants.add(mod)) {
- if (getLog().isDebugEnabled()) {
- getLog().debug(String.format("Decendent module %s added", mod.getName()));
- }
+ if (mpp.compareTo(mod.getBasedir()) == 0 && descendants.add(mod)
+ && getLog().isDebugEnabled()) {
+ getLog().debug(String.format("Decendent module %s added", mod.getName()));
+
 }
 } catch (IOException ex) {
 if (getLog().isDebugEnabled()) {
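Review bot: The new `@return the value of the property specified by the key` on `lookup(String)` omits the case that matters to callers of a StrLookup: `Properties.getProperty` returns null when the key is absent, and a null from a lookup presumably leaves the `${...}` placeholder unresolved in the interpolated POM text rather than substituting an empty string. Document it: `@return the property value, or {@code null} if {@code key} is not defined (the placeholder is then left unresolved)`. The class body continues past the hunk.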
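Review bot: The merged condition `... && descendants.add(mod) && getLog().isDebugEnabled()` puts a required side effect (adding to the set) inside a predicate whose only visible purpose is deciding whether to log; it is correct today because `add` is evaluated before `isDebugEnabled()`, but anyone who later reorders the operands to short-circuit on the cheap debug check will silently stop collecting modules whenever debug logging is off. Keep the mutation on its own statement, `final boolean added = mpp.compareTo(mod.getBasedir()) == 0 && descendants.add(mod);` followed by `if (added && getLog().isDebugEnabled()) {`, with a one-line comment that the add must run unconditionally. The stray blank line now left before the closing brace of the block should also go, and `Decendent` in the log message is a typo for `Descendant`. The enclosing loops start before the hunk.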
@@ -160,17 +160,15 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
 size = descendants.size();
 for (MavenProject p : getReactorProjects()) {
 if (project.equals(p.getParent()) || descendants.contains(p.getParent())) {
- if (descendants.add(p)) {
- if (getLog().isDebugEnabled()) {
- getLog().debug(String.format("Decendent %s added", p.getName()));
- }
+ if (descendants.add(p) && getLog().isDebugEnabled()) {
+ getLog().debug(String.format("Decendent %s added", p.getName()));
+
 }
 for (MavenProject modTest : getReactorProjects()) {
 if (p.getModules() != null && p.getModules().contains(modTest.getName())
- && descendants.add(modTest)) {
- if (getLog().isDebugEnabled()) {
- getLog().debug(String.format("Decendent %s added", modTest.getName()));
- }
+ && descendants.add(modTest)
+ && getLog().isDebugEnabled()) {
+ getLog().debug(String.format("Decendent %s added", modTest.getName()));
 }
 }
 }
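Review bot: The second rewritten condition now chains a null check, a module-name lookup, a set mutation and a logging predicate in one expression — `p.getModules() != null && p.getModules().contains(modTest.getName()) && descendants.add(modTest) && getLog().isDebugEnabled()` — so the `descendants.add(modTest)` the traversal depends on is easy to mistake for part of the logging decision and to move behind the debug check. Hoist the membership test: `final boolean isChild = p.getModules() != null && p.getModules().contains(modTest.getName());` then `if (isChild && descendants.add(modTest) && getLog().isDebugEnabled()) {`, ideally with the add on its own statement as well. The same shape appears at the top of the hunk for `descendants.add(p)`, where the rewrite also leaves a blank line before the closing brace. The loop that `size` feeds begins and ends outside the hunk.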