diff --git a/.gitignore b/.gitignore
index 1c55ffdfe..09bf20505 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,6 @@
*/target/**
+# IntelliJ test run side-effects
+dependency-check-core/data/
# Intellij project files
*.iml
*.ipr
diff --git a/dependency-check-cli/pom.xml b/dependency-check-cli/pom.xml
index 2fa1b66c9..820458255 100644
--- a/dependency-check-cli/pom.xml
+++ b/dependency-check-cli/pom.xml
@@ -198,7 +198,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
${reporting.javadoc-plugin.version}
false
- Copyright© 2012-15 Jeremy Long. All Rights Reserved.
+ Copyright� 2012-15 Jeremy Long. All Rights Reserved.
@@ -333,7 +333,6 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
ch.qos.logback
logback-classic
- ${logback.version}
diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
index 81e0008e7..d068d435b 100644
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
@@ -351,22 +351,27 @@ public class App {
}
}
+ /**
+ * Creates a file appender and adds it to logback.
+ *
+ * @param verboseLog the path to the verbose log file
+ */
private void prepareLogger(String verboseLog) {
- StaticLoggerBinder loggerBinder = StaticLoggerBinder.getSingleton();
- LoggerContext context = (LoggerContext) loggerBinder.getLoggerFactory();
+ final StaticLoggerBinder loggerBinder = StaticLoggerBinder.getSingleton();
+ final LoggerContext context = (LoggerContext) loggerBinder.getLoggerFactory();
final PatternLayoutEncoder encoder = new PatternLayoutEncoder();
encoder.setPattern("%d %C:%L%n%-5level - %msg%n");
encoder.setContext(context);
encoder.start();
- FileAppender fa = new FileAppender();
+ final FileAppender fa = new FileAppender();
fa.setAppend(true);
fa.setEncoder(encoder);
fa.setContext(context);
fa.setFile(verboseLog);
final File f = new File(verboseLog);
String name = f.getName();
- int i = name.lastIndexOf('.');
+ final int i = name.lastIndexOf('.');
if (i > 1) {
name = name.substring(0, i);
}
diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
index e0eeb24ad..313537ab3 100644
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
@@ -497,9 +497,9 @@ public final class CliParser {
*
* @return true if the disableAutoconf command line argument was specified; otherwise false
*/
- public boolean isAutoconfDisabled() {
+ public boolean isAutoconfDisabled() {
return (line != null) && line.hasOption(ARGUMENT.DISABLE_AUTOCONF);
- }
+ }
/**
* Returns true if the disableNexus command line argument was specified.
diff --git a/dependency-check-core/pom.xml b/dependency-check-core/pom.xml
index c38321a85..0af57a434 100644
--- a/dependency-check-core/pom.xml
+++ b/dependency-check-core/pom.xml
@@ -372,8 +372,13 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
- org.slf4j
- slf4j-simple
+ ch.qos.logback
+ logback-core
+ test
+
+
+ ch.qos.logback
+ logback-classic
test
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
index 949c4ce47..69036b9a9 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
@@ -17,13 +17,6 @@
*/
package org.owasp.dependencycheck;
-import java.io.File;
-import java.util.ArrayList;
-import java.util.EnumMap;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Set;
import org.owasp.dependencycheck.analyzer.AnalysisPhase;
import org.owasp.dependencycheck.analyzer.Analyzer;
import org.owasp.dependencycheck.analyzer.AnalyzerService;
@@ -43,6 +36,14 @@ import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import java.io.File;
+import java.util.ArrayList;
+import java.util.EnumMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Set;
+
/**
* Scans files, directories, etc. for Dependencies. Analyzers are loaded and used to process the files found by the scan, if a
* file is encountered and an Analyzer is associated with the file type then the file is turned into a dependency.
@@ -167,7 +168,6 @@ public class Engine {
*
* @param paths an array of paths to files or directories to be analyzed
* @return the list of dependencies scanned
- *
* @since v0.3.2.5
*/
public List scan(String[] paths) {
@@ -200,7 +200,6 @@ public class Engine {
*
* @param files an array of paths to files or directories to be analyzed.
* @return the list of dependencies
- *
* @since v0.3.2.5
*/
public List scan(File[] files) {
@@ -220,7 +219,6 @@ public class Engine {
*
* @param files a set of paths to files or directories to be analyzed
* @return the list of dependencies scanned
- *
* @since v0.3.2.5
*/
public List scan(Set files) {
@@ -240,7 +238,6 @@ public class Engine {
*
* @param files a set of paths to files or directories to be analyzed
* @return the list of dependencies scanned
- *
* @since v0.3.2.5
*/
public List scan(List files) {
@@ -260,9 +257,7 @@ public class Engine {
*
* @param file the path to a file or directory to be analyzed
* @return the list of dependencies scanned
- *
* @since v0.3.2.4
- *
*/
public List scan(File file) {
if (file.exists()) {
@@ -324,7 +319,7 @@ public class Engine {
Dependency dependency = null;
if (supportsExtension(extension)) {
dependency = new Dependency(file);
- if (extension == null ? fileName == null : extension.equals(fileName)) {
+ if (extension.equals(fileName)) {
dependency.setFileExtension(extension);
}
dependencies.add(dependency);
@@ -333,7 +328,10 @@ public class Engine {
}
/**
- * Runs the analyzers against all of the dependencies.
+ * Runs the analyzers against all of the dependencies. Since the mutable dependencies list is exposed via
+ * {@link #getDependencies()}, this method iterates over a copy of the dependencies list. Thus, the potential for
+ * {@link java.util.ConcurrentModificationException}s is avoided, and analyzers may safely add or remove entries
+ * from the dependencies list.
*/
public void analyzeDependencies() {
boolean autoUpdate = true;
@@ -512,7 +510,7 @@ public class Engine {
/**
* Checks the CPE Index to ensure documents exists. If none exist a NoDataException is thrown.
*
- * @throws NoDataException thrown if no data exists in the CPE Index
+ * @throws NoDataException thrown if no data exists in the CPE Index
* @throws DatabaseException thrown if there is an exception opening the database
*/
private void ensureDataExists() throws NoDataException, DatabaseException {
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
index 054adde34..f8eade81e 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
@@ -42,7 +42,6 @@ import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence;
import org.owasp.dependencycheck.utils.DCResources;
import org.owasp.dependencycheck.utils.Settings;
-import org.slf4j.Logger;
import org.slf4j.cal10n.LocLogger;
import org.slf4j.cal10n.LocLoggerFactory;
import org.w3c.dom.Document;
@@ -79,15 +78,15 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
/**
* Message Conveyer
*/
- private IMessageConveyor messageConveyer = new MessageConveyor(Locale.getDefault());
+ private final IMessageConveyor MESSAGE_CONVERYOR = new MessageConveyor(Locale.getDefault());
/**
* LocLoggerFactory for localized logger
*/
- private LocLoggerFactory llFactory = new LocLoggerFactory(messageConveyer);
+ private final LocLoggerFactory LLFACTORY = new LocLoggerFactory(MESSAGE_CONVERYOR);
/**
* Logger
*/
- private LocLogger LOGGER = llFactory.getLocLogger(AssemblyAnalyzer.class);
+ private final LocLogger LOGGER = LLFACTORY.getLocLogger(AssemblyAnalyzer.class);
/**
* Builds the beginnings of a List for ProcessBuilder
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java
index 47d038d66..1e81a0df6 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java
@@ -35,219 +35,238 @@ import org.owasp.dependencycheck.utils.Settings;
import org.owasp.dependencycheck.utils.UrlStringUtils;
/**
- * Used to analyze Autoconf input files named configure.ac or configure.in.
- * Files simply named "configure" are also analyzed, assuming they are generated
- * by Autoconf, and contain certain special package descriptor variables.
+ * Used to analyze Autoconf input files named configure.ac or configure.in. Files simply named "configure" are also analyzed,
+ * assuming they are generated by Autoconf, and contain certain special package descriptor variables.
*
* @author Dale Visser
* @see Autoconf - GNU Project - Free Software Foundation (FSF)
*/
public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
- /**
- * Autoconf output filename.
- */
- private static final String CONFIGURE = "configure";
+ /**
+ * Autoconf output filename.
+ */
+ private static final String CONFIGURE = "configure";
- /**
- * Autoconf input filename.
- */
- private static final String CONFIGURE_IN = "configure.in";
+ /**
+ * Autoconf input filename.
+ */
+ private static final String CONFIGURE_IN = "configure.in";
- /**
- * Autoconf input filename.
- */
- private static final String CONFIGURE_AC = "configure.ac";
+ /**
+ * Autoconf input filename.
+ */
+ private static final String CONFIGURE_AC = "configure.ac";
- /**
- * The name of the analyzer.
- */
- private static final String ANALYZER_NAME = "Autoconf Analyzer";
+ /**
+ * The name of the analyzer.
+ */
+ private static final String ANALYZER_NAME = "Autoconf Analyzer";
- /**
- * The phase that this analyzer is intended to run in.
- */
- private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
+ /**
+ * The phase that this analyzer is intended to run in.
+ */
+ private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
- /**
- * The set of file extensions supported by this analyzer.
- */
- private static final Set EXTENSIONS = newHashSet("ac", "in",
- CONFIGURE);
+ /**
+ * The set of file extensions supported by this analyzer.
+ */
+ private static final Set EXTENSIONS = newHashSet("ac", "in",
+ CONFIGURE);
- /**
- * Matches AC_INIT variables in the output configure script.
- */
- private static final Pattern PACKAGE_VAR = Pattern.compile(
- "PACKAGE_(.+?)='(.*?)'", Pattern.DOTALL | Pattern.CASE_INSENSITIVE);
+ /**
+ * Matches AC_INIT variables in the output configure script.
+ */
+ private static final Pattern PACKAGE_VAR = Pattern.compile(
+ "PACKAGE_(.+?)='(.*?)'", Pattern.DOTALL | Pattern.CASE_INSENSITIVE);
- /**
- * Matches AC_INIT statement in configure.ac file.
- */
- private static final Pattern AC_INIT_PATTERN;
- static {
- // each instance of param or sep_param has a capture group
- final String param = "\\[{0,2}(.+?)\\]{0,2}";
- final String sep_param = "\\s*,\\s*" + param;
- // Group 1: Package
- // Group 2: Version
- // Group 3: optional
- // Group 4: Bug report address (if it exists)
- // Group 5: optional
- // Group 6: Tarname (if it exists)
- // Group 7: optional
- // Group 8: URL (if it exists)
- AC_INIT_PATTERN = Pattern.compile(String.format(
- "AC_INIT\\(%s%s(%s)?(%s)?(%s)?\\s*\\)", param, sep_param,
- sep_param, sep_param, sep_param), Pattern.DOTALL
- | Pattern.CASE_INSENSITIVE);
- }
+ /**
+ * Matches AC_INIT statement in configure.ac file.
+ */
+ private static final Pattern AC_INIT_PATTERN;
- /**
- * Returns a list of file EXTENSIONS supported by this analyzer.
- *
- * @return a list of file EXTENSIONS supported by this analyzer.
- */
- @Override
- public Set getSupportedExtensions() {
- return EXTENSIONS;
- }
+ static {
+ // each instance of param or sep_param has a capture group
+ final String param = "\\[{0,2}(.+?)\\]{0,2}";
+ final String sepParam = "\\s*,\\s*" + param;
+ // Group 1: Package
+ // Group 2: Version
+ // Group 3: optional
+ // Group 4: Bug report address (if it exists)
+ // Group 5: optional
+ // Group 6: Tarname (if it exists)
+ // Group 7: optional
+ // Group 8: URL (if it exists)
+ AC_INIT_PATTERN = Pattern.compile(String.format(
+ "AC_INIT\\(%s%s(%s)?(%s)?(%s)?\\s*\\)", param, sepParam,
+ sepParam, sepParam, sepParam), Pattern.DOTALL
+ | Pattern.CASE_INSENSITIVE);
+ }
- /**
- * Returns the name of the analyzer.
- *
- * @return the name of the analyzer.
- */
- @Override
- public String getName() {
- return ANALYZER_NAME;
- }
+ /**
+ * Returns a list of file EXTENSIONS supported by this analyzer.
+ *
+ * @return a list of file EXTENSIONS supported by this analyzer.
+ */
+ @Override
+ public Set getSupportedExtensions() {
+ return EXTENSIONS;
+ }
- /**
- * Returns the phase that the analyzer is intended to run in.
- *
- * @return the phase that the analyzer is intended to run in.
- */
- public AnalysisPhase getAnalysisPhase() {
- return ANALYSIS_PHASE;
- }
+ /**
+ * Returns the name of the analyzer.
+ *
+ * @return the name of the analyzer.
+ */
+ @Override
+ public String getName() {
+ return ANALYZER_NAME;
+ }
- /**
- * Returns the key used in the properties file to reference the analyzer's
- * enabled property.
- *
- * @return the analyzer's enabled property setting key
- */
- @Override
- protected String getAnalyzerEnabledSettingKey() {
- return Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED;
- }
+ /**
+ * Returns the phase that the analyzer is intended to run in.
+ *
+ * @return the phase that the analyzer is intended to run in.
+ */
+ public AnalysisPhase getAnalysisPhase() {
+ return ANALYSIS_PHASE;
+ }
- @Override
- protected void analyzeFileType(Dependency dependency, Engine engine)
- throws AnalysisException {
- final File actualFile = dependency.getActualFile();
- final String name = actualFile.getName();
- if (name.startsWith(CONFIGURE)) {
- final File parent = actualFile.getParentFile();
- final String parentName = parent.getName();
- dependency.setDisplayFileName(parentName + "/" + name);
- final boolean isOutputScript = CONFIGURE.equals(name);
- if (isOutputScript || CONFIGURE_AC.equals(name)
- || CONFIGURE_IN.equals(name)) {
- final String contents = getFileContents(actualFile);
- if (!contents.isEmpty()) {
- if (isOutputScript) {
- extractConfigureScriptEvidence(dependency, name,
- contents);
- } else {
- gatherEvidence(dependency, name, contents);
- }
- }
- }
- } else {
- // copy, alter and set in case some other thread is iterating over
- final List deps = new ArrayList(
- engine.getDependencies());
- deps.remove(dependency);
- engine.setDependencies(deps);
- }
- }
+ /**
+ * Returns the key used in the properties file to reference the analyzer's enabled property.
+ *
+ * @return the analyzer's enabled property setting key
+ */
+ @Override
+ protected String getAnalyzerEnabledSettingKey() {
+ return Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED;
+ }
- private void extractConfigureScriptEvidence(Dependency dependency,
- final String name, final String contents) {
- final Matcher matcher = PACKAGE_VAR.matcher(contents);
- while (matcher.find()) {
- final String variable = matcher.group(1);
- final String value = matcher.group(2);
- if (!value.isEmpty()) {
- if (variable.endsWith("NAME")) {
- dependency.getProductEvidence().addEvidence(name, variable,
- value, Confidence.HIGHEST);
- } else if ("VERSION".equals(variable)) {
- dependency.getVersionEvidence().addEvidence(name, variable,
- value, Confidence.HIGHEST);
- } else if ("BUGREPORT".equals(variable)) {
- dependency.getVendorEvidence().addEvidence(name, variable,
- value, Confidence.HIGH);
- } else if ("URL".equals(variable)) {
- dependency.getVendorEvidence().addEvidence(name, variable,
- value, Confidence.HIGH);
- }
- }
- }
- }
+ @Override
+ protected void analyzeFileType(Dependency dependency, Engine engine)
+ throws AnalysisException {
+ final File actualFile = dependency.getActualFile();
+ final String name = actualFile.getName();
+ if (name.startsWith(CONFIGURE)) {
+ final File parent = actualFile.getParentFile();
+ final String parentName = parent.getName();
+ dependency.setDisplayFileName(parentName + "/" + name);
+ final boolean isOutputScript = CONFIGURE.equals(name);
+ if (isOutputScript || CONFIGURE_AC.equals(name)
+ || CONFIGURE_IN.equals(name)) {
+ final String contents = getFileContents(actualFile);
+ if (!contents.isEmpty()) {
+ if (isOutputScript) {
+ extractConfigureScriptEvidence(dependency, name,
+ contents);
+ } else {
+ gatherEvidence(dependency, name, contents);
+ }
+ }
+ }
+ } else {
+ // copy, alter and set in case some other thread is iterating over
+ final List deps = new ArrayList(
+ engine.getDependencies());
+ deps.remove(dependency);
+ engine.setDependencies(deps);
+ }
+ }
- private String getFileContents(final File actualFile)
- throws AnalysisException {
- String contents = "";
- try {
- contents = FileUtils.readFileToString(actualFile).trim();
- } catch (IOException e) {
- throw new AnalysisException(
- "Problem occured while reading dependency file.", e);
- }
- return contents;
- }
+ /**
+ * Extracts evidence from the configuration.
+ *
+ * @param dependency the dependency being analyzed
+ * @param name the name of the source of evidence
+ * @param contents the contents to analyze for evidence
+ */
+ private void extractConfigureScriptEvidence(Dependency dependency,
+ final String name, final String contents) {
+ final Matcher matcher = PACKAGE_VAR.matcher(contents);
+ while (matcher.find()) {
+ final String variable = matcher.group(1);
+ final String value = matcher.group(2);
+ if (!value.isEmpty()) {
+ if (variable.endsWith("NAME")) {
+ dependency.getProductEvidence().addEvidence(name, variable,
+ value, Confidence.HIGHEST);
+ } else if ("VERSION".equals(variable)) {
+ dependency.getVersionEvidence().addEvidence(name, variable,
+ value, Confidence.HIGHEST);
+ } else if ("BUGREPORT".equals(variable)) {
+ dependency.getVendorEvidence().addEvidence(name, variable,
+ value, Confidence.HIGH);
+ } else if ("URL".equals(variable)) {
+ dependency.getVendorEvidence().addEvidence(name, variable,
+ value, Confidence.HIGH);
+ }
+ }
+ }
+ }
- private void gatherEvidence(Dependency dependency, final String name,
- String contents) {
- final Matcher matcher = AC_INIT_PATTERN.matcher(contents);
- if (matcher.find()) {
- final EvidenceCollection productEvidence = dependency
- .getProductEvidence();
- productEvidence.addEvidence(name, "Package", matcher.group(1),
- Confidence.HIGHEST);
- dependency.getVersionEvidence().addEvidence(name,
- "Package Version", matcher.group(2), Confidence.HIGHEST);
- final EvidenceCollection vendorEvidence = dependency
- .getVendorEvidence();
- if (null != matcher.group(3)) {
- vendorEvidence.addEvidence(name, "Bug report address",
- matcher.group(4), Confidence.HIGH);
- }
- if (null != matcher.group(5)) {
- productEvidence.addEvidence(name, "Tarname", matcher.group(6),
- Confidence.HIGH);
- }
- if (null != matcher.group(7)) {
- final String url = matcher.group(8);
- if (UrlStringUtils.isUrl(url)) {
- vendorEvidence.addEvidence(name, "URL", url,
- Confidence.HIGH);
- }
- }
- }
- }
+ /**
+ * Retrieves the contents of a given file.
+ *
+ * @param actualFile the file to read
+ * @return the contents of the file
+ * @throws AnalysisException thrown if there is an IO Exception
+ */
+ private String getFileContents(final File actualFile)
+ throws AnalysisException {
+ String contents = "";
+ try {
+ contents = FileUtils.readFileToString(actualFile).trim();
+ } catch (IOException e) {
+ throw new AnalysisException(
+ "Problem occured while reading dependency file.", e);
+ }
+ return contents;
+ }
- /**
- * Initializes the file type analyzer.
- *
- * @throws Exception
- * thrown if there is an exception during initialization
- */
- @Override
- protected void initializeFileTypeAnalyzer() throws Exception {
- // No initialization needed.
- }
-}
\ No newline at end of file
+ /**
+ * Gathers evidence from a given file
+ *
+ * @param dependency the dependency to add evidence to
+ * @param name the source of the evidence
+ * @param contents the evidence to analyze
+ */
+ private void gatherEvidence(Dependency dependency, final String name,
+ String contents) {
+ final Matcher matcher = AC_INIT_PATTERN.matcher(contents);
+ if (matcher.find()) {
+ final EvidenceCollection productEvidence = dependency
+ .getProductEvidence();
+ productEvidence.addEvidence(name, "Package", matcher.group(1),
+ Confidence.HIGHEST);
+ dependency.getVersionEvidence().addEvidence(name,
+ "Package Version", matcher.group(2), Confidence.HIGHEST);
+ final EvidenceCollection vendorEvidence = dependency
+ .getVendorEvidence();
+ if (null != matcher.group(3)) {
+ vendorEvidence.addEvidence(name, "Bug report address",
+ matcher.group(4), Confidence.HIGH);
+ }
+ if (null != matcher.group(5)) {
+ productEvidence.addEvidence(name, "Tarname", matcher.group(6),
+ Confidence.HIGH);
+ }
+ if (null != matcher.group(7)) {
+ final String url = matcher.group(8);
+ if (UrlStringUtils.isUrl(url)) {
+ vendorEvidence.addEvidence(name, "URL", url,
+ Confidence.HIGH);
+ }
+ }
+ }
+ }
+
+ /**
+ * Initializes the file type analyzer.
+ *
+ * @throws Exception thrown if there is an exception during initialization
+ */
+ @Override
+ protected void initializeFileTypeAnalyzer() throws Exception {
+ // No initialization needed.
+ }
+}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
index a44b7f5f5..f9c180446 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
@@ -657,6 +657,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
final String source = "Manifest";
+ String specificationVersion = null;
+ boolean hasImplementationVersion = false;
+
for (Entry entry : atts.entrySet()) {
String key = entry.getKey().toString();
String value = atts.getValue(key);
@@ -670,8 +673,11 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
productEvidence.addEvidence(source, key, value, Confidence.HIGH);
addMatchingValues(classInformation, value, productEvidence);
} else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VERSION.toString())) {
+ hasImplementationVersion = true;
foundSomething = true;
versionEvidence.addEvidence(source, key, value, Confidence.HIGH);
+ } else if ("specification-version".equalsIgnoreCase(key)) {
+ specificationVersion = key;
} else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VENDOR.toString())) {
foundSomething = true;
vendorEvidence.addEvidence(source, key, value, Confidence.HIGH);
@@ -724,9 +730,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
foundSomething = true;
if (key.contains("version")) {
- if (key.contains("specification")) {
- versionEvidence.addEvidence(source, key, value, Confidence.LOW);
- } else {
+ if (!key.contains("specification")) {
+ //versionEvidence.addEvidence(source, key, value, Confidence.LOW);
+ //} else {
versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
}
} else if ("build-id".equals(key)) {
@@ -778,6 +784,10 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
}
}
+ if (specificationVersion != null && !hasImplementationVersion) {
+ foundSomething = true;
+ versionEvidence.addEvidence(source, "specificationn-version", specificationVersion, Confidence.HIGH);
+ }
} finally {
if (jar != null) {
jar.close();
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java
index 996826ba5..e0863d7f3 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java
@@ -48,14 +48,6 @@ public class NexusSearch {
* Whether to use the Proxy when making requests.
*/
private boolean useProxy;
- /**
- * The username to use if the Nexus requires authentication.
- */
- private String userName = null;
- /**
- * The password to use if the Nexus requires authentication.
- */
- private char[] password;
/**
* Used for logging.
*/
@@ -156,7 +148,7 @@ public class NexusSearch {
throw new FileNotFoundException("Artifact not found in Nexus");
} else {
LOGGER.debug("Could not connect to Nexus received response code: {} {}",
- conn.getResponseCode(), conn.getResponseMessage());
+ conn.getResponseCode(), conn.getResponseMessage());
throw new IOException("Could not connect to Nexus");
}
}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
index cdb522378..6d4a34f25 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
@@ -73,7 +73,7 @@ public class CveDB {
*/
public CveDB() throws DatabaseException {
super();
- statementBundle = java.util.ResourceBundle.getBundle("data/dbStatements");
+ statementBundle = ResourceBundle.getBundle("data/dbStatements");
try {
open();
databaseProperties = new DatabaseProperties(this);
@@ -638,7 +638,7 @@ public class CveDB {
+ "If the problem persist try deleting the files in '{}' and running {} again. If the problem continues, please "
+ "create a log file (see documentation at http://jeremylong.github.io/DependencyCheck/) and open a ticket at "
+ "https://github.com/jeremylong/DependencyCheck/issues and include the log file.\n\n",
- dd, dd, Settings.getString(Settings.KEYS.APPLICATION_VAME));
+ dd, dd, Settings.getString(Settings.KEYS.APPLICATION_VAME));
LOGGER.debug("", ex);
} finally {
DBUtils.closeResultSet(rs);
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java
index dc5016c21..d5f1c2c22 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java
@@ -189,9 +189,8 @@ public class StandardUpdate {
}
/**
- * Determines if the index needs to be updated. This is done by fetching the NVD CVE meta data and checking the last
- * update date. If the data needs to be refreshed this method will return the NvdCveUrl for the files that need to
- * be updated.
+ * Determines if the index needs to be updated. This is done by fetching the NVD CVE meta data and checking the last update
+ * date. If the data needs to be refreshed this method will return the NvdCveUrl for the files that need to be updated.
*
* @return the collection of files that need to be updated
* @throws MalformedURLException is thrown if the URL for the NVD CVE Meta data is incorrect
@@ -239,7 +238,7 @@ public class StandardUpdate {
currentTimestamp = Long.parseLong(properties.getProperty(DatabaseProperties.LAST_UPDATED_BASE + entry.getId(), "0"));
} catch (NumberFormatException ex) {
LOGGER.debug("Error parsing '{}' '{}' from nvdcve.lastupdated",
- DatabaseProperties.LAST_UPDATED_BASE, entry.getId(), ex);
+ DatabaseProperties.LAST_UPDATED_BASE, entry.getId(), ex);
}
if (currentTimestamp == entry.getTimestamp()) {
entry.setNeedsUpdate(false);
@@ -249,7 +248,7 @@ public class StandardUpdate {
}
} catch (NumberFormatException ex) {
LOGGER.warn("An invalid schema version or timestamp exists in the data.properties file.");
- LOGGER.debug( "", ex);
+ LOGGER.debug("", ex);
}
}
return updates;
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
index df2942bf6..0cbcef15e 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
@@ -306,9 +306,9 @@ public class Dependency implements Serializable, Comparable {
/**
* Adds an entry to the list of detected Identifiers for the dependency file.
*
- * @param type the type of identifier (such as CPE)
+ * @param type the type of identifier (such as CPE)
* @param value the value of the identifier
- * @param url the URL of the identifier
+ * @param url the URL of the identifier
*/
public void addIdentifier(String type, String value, String url) {
final Identifier i = new Identifier(type, value, url);
@@ -318,9 +318,9 @@ public class Dependency implements Serializable, Comparable {
/**
* Adds an entry to the list of detected Identifiers for the dependency file.
*
- * @param type the type of identifier (such as CPE)
- * @param value the value of the identifier
- * @param url the URL of the identifier
+ * @param type the type of identifier (such as CPE)
+ * @param value the value of the identifier
+ * @param url the URL of the identifier
* @param confidence the confidence in the Identifier being accurate
*/
public void addIdentifier(String type, String value, String url, Confidence confidence) {
@@ -332,9 +332,9 @@ public class Dependency implements Serializable, Comparable {
/**
* Adds the maven artifact as evidence.
*
- * @param source The source of the evidence
+ * @param source The source of the evidence
* @param mavenArtifact The maven artifact
- * @param confidence The confidence level of this evidence
+ * @param confidence The confidence level of this evidence
*/
public void addAsEvidence(String source, MavenArtifact mavenArtifact, Confidence confidence) {
if (mavenArtifact.getGroupId() != null && !mavenArtifact.getGroupId().isEmpty()) {
@@ -599,8 +599,8 @@ public class Dependency implements Serializable, Comparable {
private Set relatedDependencies = new TreeSet();
/**
- * Get the value of {@link #relatedDependencies}. This field is used to collect other dependencies which really
- * represent the same dependency, and may be presented as one item in reports.
+ * Get the value of {@link #relatedDependencies}. This field is used to collect other dependencies which really represent the
+ * same dependency, and may be presented as one item in reports.
*
* @return the value of relatedDependencies
*/
@@ -660,22 +660,19 @@ public class Dependency implements Serializable, Comparable {
/**
* Adds a related dependency. The internal collection is normally a {@link java.util.TreeSet}, which relies on
- * {@link #compareTo(Dependency)}. A consequence of this is that if you attempt to add a dependency with the
- * same file path (modulo character case) as one that is already in the collection, it won't get added.
+ * {@link #compareTo(Dependency)}. A consequence of this is that if you attempt to add a dependency with the same file path
+ * (modulo character case) as one that is already in the collection, it won't get added.
*
* @param dependency a reference to the related dependency
*/
public void addRelatedDependency(Dependency dependency) {
- boolean debug = false;
if (this == dependency) {
LOGGER.warn("Attempted to add a circular reference - please post the log file to issue #172 here "
+ "https://github.com/jeremylong/DependencyCheck/issues/172");
- debug = true;
+ LOGGER.debug("this: {}", this);
+ LOGGER.debug("dependency: {}", dependency);
} else if (!relatedDependencies.add(dependency)) {
- LOGGER.warn("Failed to add dependency, likely due to referencing the same file as another dependency in the set.");
- debug = true;
- }
- if (debug) {
+ LOGGER.debug("Failed to add dependency, likely due to referencing the same file as another dependency in the set.");
LOGGER.debug("this: {}", this);
LOGGER.debug("dependency: {}", dependency);
}
@@ -735,22 +732,22 @@ public class Dependency implements Serializable, Comparable {
return false;
}
final Dependency other = (Dependency) obj;
- return ObjectUtils.equals(this.actualFilePath, other.actualFilePath) &&
- ObjectUtils.equals(this.filePath, other.filePath) &&
- ObjectUtils.equals(this.fileName, other.fileName) &&
- ObjectUtils.equals(this.fileExtension, other.fileExtension) &&
- ObjectUtils.equals(this.md5sum, other.md5sum) &&
- ObjectUtils.equals(this.sha1sum, other.sha1sum) &&
- ObjectUtils.equals(this.identifiers, other.identifiers) &&
- ObjectUtils.equals(this.vendorEvidence, other.vendorEvidence) &&
- ObjectUtils.equals(this.productEvidence, other.productEvidence) &&
- ObjectUtils.equals(this.versionEvidence, other.versionEvidence) &&
- ObjectUtils.equals(this.description, other.description) &&
- ObjectUtils.equals(this.license, other.license) &&
- ObjectUtils.equals(this.vulnerabilities, other.vulnerabilities) &&
- ObjectUtils.equals(this.relatedDependencies, other.relatedDependencies) &&
- ObjectUtils.equals(this.projectReferences, other.projectReferences) &&
- ObjectUtils.equals(this.availableVersions, other.availableVersions);
+ return ObjectUtils.equals(this.actualFilePath, other.actualFilePath)
+ && ObjectUtils.equals(this.filePath, other.filePath)
+ && ObjectUtils.equals(this.fileName, other.fileName)
+ && ObjectUtils.equals(this.fileExtension, other.fileExtension)
+ && ObjectUtils.equals(this.md5sum, other.md5sum)
+ && ObjectUtils.equals(this.sha1sum, other.sha1sum)
+ && ObjectUtils.equals(this.identifiers, other.identifiers)
+ && ObjectUtils.equals(this.vendorEvidence, other.vendorEvidence)
+ && ObjectUtils.equals(this.productEvidence, other.productEvidence)
+ && ObjectUtils.equals(this.versionEvidence, other.versionEvidence)
+ && ObjectUtils.equals(this.description, other.description)
+ && ObjectUtils.equals(this.license, other.license)
+ && ObjectUtils.equals(this.vulnerabilities, other.vulnerabilities)
+ && ObjectUtils.equals(this.relatedDependencies, other.relatedDependencies)
+ && ObjectUtils.equals(this.projectReferences, other.projectReferences)
+ && ObjectUtils.equals(this.availableVersions, other.availableVersions);
}
/**
@@ -762,9 +759,9 @@ public class Dependency implements Serializable, Comparable {
public int hashCode() {
int hash = MAGIC_HASH_INIT_VALUE;
for (Object field : new Object[]{this.actualFilePath, this.filePath, this.fileName, this.fileExtension, this.md5sum,
- this.sha1sum, this.identifiers, this.vendorEvidence, this.productEvidence, this.versionEvidence,
- this.description, this.license, this.vulnerabilities, this.relatedDependencies, this.projectReferences,
- this.availableVersions}) {
+ this.sha1sum, this.identifiers, this.vendorEvidence, this.productEvidence, this.versionEvidence,
+ this.description, this.license, this.vulnerabilities, this.relatedDependencies, this.projectReferences,
+ this.availableVersions}) {
hash = MAGIC_HASH_MULTIPLIER * hash + ObjectUtils.hashCode(field);
}
return hash;
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java
index 1f3d8e40e..4fa29805b 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java
@@ -17,6 +17,9 @@
*/
package org.owasp.dependencycheck.dependency;
+import org.apache.commons.lang.ObjectUtils;
+import org.apache.commons.lang.StringUtils;
+
import java.io.Serializable;
/**
@@ -26,6 +29,16 @@ import java.io.Serializable;
*/
public class Evidence implements Serializable, Comparable {
+ /**
+ * Used as starting point for generating the value in {@link #hashCode()}.
+ */
+ private static final int MAGIC_HASH_INIT_VALUE = 3;
+
+ /**
+ * Used as a multiplier for generating the value in {@link #hashCode()}.
+ */
+ private static final int MAGIC_HASH_MULTIPLIER = 67;
+
/**
* Creates a new Evidence object.
*/
@@ -35,9 +48,9 @@ public class Evidence implements Serializable, Comparable {
/**
* Creates a new Evidence objects.
*
- * @param source the source of the evidence.
- * @param name the name of the evidence.
- * @param value the value of the evidence.
+ * @param source the source of the evidence.
+ * @param name the name of the evidence.
+ * @param value the value of the evidence.
* @param confidence the confidence of the evidence.
*/
public Evidence(String source, String name, String value, Confidence confidence) {
@@ -46,6 +59,7 @@ public class Evidence implements Serializable, Comparable {
this.value = value;
this.confidence = confidence;
}
+
/**
* The name of the evidence.
*/
@@ -68,6 +82,7 @@ public class Evidence implements Serializable, Comparable {
public void setName(String name) {
this.name = name;
}
+
/**
* The source of the evidence.
*/
@@ -90,6 +105,7 @@ public class Evidence implements Serializable, Comparable {
public void setSource(String source) {
this.source = source;
}
+
/**
* The value of the evidence.
*/
@@ -124,6 +140,7 @@ public class Evidence implements Serializable, Comparable {
public void setValue(String value) {
this.value = value;
}
+
/**
* A value indicating if the Evidence has been "used" (aka read).
*/
@@ -146,6 +163,7 @@ public class Evidence implements Serializable, Comparable {
public void setUsed(boolean used) {
this.used = used;
}
+
/**
* The confidence level for the evidence.
*/
@@ -176,11 +194,11 @@ public class Evidence implements Serializable, Comparable {
*/
@Override
public int hashCode() {
- int hash = 3;
- hash = 67 * hash + (this.name != null ? this.name.hashCode() : 0);
- hash = 67 * hash + (this.source != null ? this.source.hashCode() : 0);
- hash = 67 * hash + (this.value != null ? this.value.hashCode() : 0);
- hash = 67 * hash + (this.confidence != null ? this.confidence.hashCode() : 0);
+ int hash = MAGIC_HASH_INIT_VALUE;
+ hash = MAGIC_HASH_MULTIPLIER * hash + ObjectUtils.hashCode(StringUtils.lowerCase(this.name));
+ hash = MAGIC_HASH_MULTIPLIER * hash + ObjectUtils.hashCode(StringUtils.lowerCase(this.source));
+ hash = MAGIC_HASH_MULTIPLIER * hash + ObjectUtils.hashCode(StringUtils.lowerCase(this.value));
+ hash = MAGIC_HASH_MULTIPLIER * hash + ObjectUtils.hashCode(this.confidence);
return hash;
}
@@ -200,19 +218,10 @@ public class Evidence implements Serializable, Comparable {
}
final Evidence e = (Evidence) that;
- return testEquality(name, e.name) && testEquality(source, e.source) && testEquality(value, e.value)
- && (confidence == null ? e.confidence == null : confidence == e.confidence);
- }
-
- /**
- * Simple equality test for use within the equals method. This does a case insensitive compare.
- *
- * @param l a string to compare.
- * @param r another string to compare.
- * @return whether the two strings are the same.
- */
- private boolean testEquality(String l, String r) {
- return l == null ? r == null : l.equalsIgnoreCase(r);
+ return StringUtils.equalsIgnoreCase(name, e.name)
+ && StringUtils.equalsIgnoreCase(source, e.source)
+ && StringUtils.equalsIgnoreCase(value, e.value)
+ && ObjectUtils.equals(confidence, e.confidence);
}
/**
@@ -225,13 +234,13 @@ public class Evidence implements Serializable, Comparable {
if (o == null) {
return 1;
}
- if (equalsWithNullCheck(source, o.source)) {
- if (equalsWithNullCheck(name, o.name)) {
- if (equalsWithNullCheck(value, o.value)) {
- if (equalsWithNullCheck(confidence, o.confidence)) {
+ if (StringUtils.equalsIgnoreCase(source, o.source)) {
+ if (StringUtils.equalsIgnoreCase(name, o.name)) {
+ if (StringUtils.equalsIgnoreCase(value, o.value)) {
+ if (ObjectUtils.equals(confidence, o.confidence)) {
return 0; //they are equal
} else {
- return compareToWithNullCheck(confidence, o.confidence);
+ return ObjectUtils.compare(confidence, o.confidence);
}
} else {
return compareToIgnoreCaseWithNullCheck(value, o.value);
@@ -244,43 +253,11 @@ public class Evidence implements Serializable, Comparable {
}
}
- /**
- * Equality check with an exhaustive, possibly duplicative, check against nulls.
- *
- * @param me the value to be compared
- * @param other the other value to be compared
- * @return true if the values are equal; otherwise false
- */
- private boolean equalsWithNullCheck(String me, String other) {
- if (me == null && other == null) {
- return true;
- } else if (me == null || other == null) {
- return false;
- }
- return me.equalsIgnoreCase(other);
- }
-
- /**
- * Equality check with an exhaustive, possibly duplicative, check against nulls.
- *
- * @param me the value to be compared
- * @param other the other value to be compared
- * @return true if the values are equal; otherwise false
- */
- private boolean equalsWithNullCheck(Confidence me, Confidence other) {
- if (me == null && other == null) {
- return true;
- } else if (me == null || other == null) {
- return false;
- }
- return me.equals(other);
- }
-
/**
* Wrapper around {@link java.lang.String#compareToIgnoreCase(java.lang.String) String.compareToIgnoreCase} with an
* exhaustive, possibly duplicative, check against nulls.
*
- * @param me the value to be compared
+ * @param me the value to be compared
* @param other the other value to be compared
* @return true if the values are equal; otherwise false
*/
@@ -295,25 +272,6 @@ public class Evidence implements Serializable, Comparable {
return me.compareToIgnoreCase(other);
}
- /**
- * Wrapper around {@link java.lang.Enum#compareTo(java.lang.Enum) Enum.compareTo} with an exhaustive, possibly duplicative,
- * check against nulls.
- *
- * @param me the value to be compared
- * @param other the other value to be compared
- * @return true if the values are equal; otherwise false
- */
- private int compareToWithNullCheck(Confidence me, Confidence other) {
- if (me == null && other == null) {
- return 0;
- } else if (me == null) {
- return -1; //the other string is greater then me
- } else if (other == null) {
- return 1; //me is greater then the other string
- }
- return me.compareTo(other);
- }
-
/**
* Standard toString() implementation.
*
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DCResources.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DCResources.java
index 10454861d..4eedc5f36 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DCResources.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DCResources.java
@@ -32,13 +32,40 @@ import ch.qos.cal10n.LocaleData;
)
public enum DCResources {
+ /**
+ * Not deployed.
+ */
NOTDEPLOYED,
+ /**
+ * grok error.
+ */
GROKERROR,
+ /**
+ * The dependency is not an assembly.
+ */
NOTASSEMBLY,
+ /**
+ * GROK Return Code.
+ */
GROKRC,
+ /**
+ * Grok assembly was extracted.
+ */
GROKDEPLOYED,
+ /**
+ * Grok assembly was not extracted.
+ */
GROKNOTDEPLOYED,
+ /**
+ * Grok failed to initialize.
+ */
GROKINITFAIL,
+ /**
+ * Grok initialized.
+ */
GROKINITMSG,
+ /**
+ * Grok assembly was not deleted.
+ */
GROKNOTDELETED
}
diff --git a/dependency-check-core/src/main/resources/dependencycheck.properties b/dependency-check-core/src/main/resources/dependencycheck.properties
index 6a737631c..6bbba2235 100644
--- a/dependency-check-core/src/main/resources/dependencycheck.properties
+++ b/dependency-check-core/src/main/resources/dependencycheck.properties
@@ -70,3 +70,6 @@ analyzer.nexus.proxy=true
# the URL for searching search.maven.org for SHA-1 and whether it's enabled
analyzer.central.enabled=true
analyzer.central.url=http://search.maven.org/solrsearch/select
+
+# the number of nested archives that will be searched.
+archive.scan.depth=3
\ No newline at end of file
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java
index 34b2b9873..3333227a3 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java
@@ -34,8 +34,6 @@ import org.owasp.dependencycheck.dependency.Evidence;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import org.slf4j.impl.SimpleLogger;
-import org.slf4j.impl.SimpleLoggerFactory;
/**
* Tests for the AssemblyAnalyzer.
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java
index 2214c4d3b..3625537a3 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java
@@ -96,7 +96,7 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
callDetermineCPE_full("hazelcast-2.5.jar", null, instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
callDetermineCPE_full("spring-context-support-2.5.5.jar", "cpe:/a:vmware:springsource_spring_framework:2.5.5", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
callDetermineCPE_full("spring-core-3.0.0.RELEASE.jar", "cpe:/a:vmware:springsource_spring_framework:3.0.0", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
- callDetermineCPE_full("org.mortbay.jetty.jar", "cpe:/a:mortbay_jetty:jetty:4.2", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
+ callDetermineCPE_full("org.mortbay.jetty.jar", "cpe:/a:mortbay_jetty:jetty:4.2.27", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
callDetermineCPE_full("jaxb-xercesImpl-1.5.jar", null, instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
callDetermineCPE_full("ehcache-core-2.2.0.jar", null, instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
} finally {
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/EvidenceTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/EvidenceTest.java
index 42a506edd..56b7e6393 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/EvidenceTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/EvidenceTest.java
@@ -19,6 +19,7 @@ package org.owasp.dependencycheck.dependency;
import org.junit.Test;
import static org.junit.Assert.*;
+import static org.hamcrest.CoreMatchers.*;
/**
*
@@ -53,6 +54,14 @@ public class EvidenceTest {
assertTrue(instance.equals(that8));
}
+ @Test
+ public void testHashcodeContract() throws Exception {
+ final Evidence titleCase = new Evidence("Manifest", "Implementation-Title", "Spring Framework", Confidence.HIGH);
+ final Evidence lowerCase = new Evidence("manifest", "implementation-title", "spring framework", Confidence.HIGH);
+ assertThat(titleCase, is(equalTo(lowerCase)));
+ assertThat(titleCase.hashCode(), is(equalTo(lowerCase.hashCode())));
+ }
+
/**
* Test of compareTo method, of class Evidence.
*/
diff --git a/dependency-check-core/src/test/resources/log.properties b/dependency-check-core/src/test/resources/log.properties
deleted file mode 100644
index 158c15ef8..000000000
--- a/dependency-check-core/src/test/resources/log.properties
+++ /dev/null
@@ -1,21 +0,0 @@
-handlers=java.util.logging.ConsoleHandler, java.util.logging.FileHandler
-
-# logging levels
-# FINEST, FINER, FINE, CONFIG, INFO, WARNING and SEVERE.
-
-# Configure the ConsoleHandler.
-java.util.logging.ConsoleHandler.level=SEVERE
-
-# Configure the FileHandler.
-java.util.logging.FileHandler.formatter=java.util.logging.SimpleFormatter
-java.util.logging.FileHandler.level=FINEST
-
-# The following special tokens can be used in the pattern property
-# which specifies the location and name of the log file.
-# / - standard path separator
-# %t - system temporary directory
-# %h - value of the user.home system property
-# %g - generation number for rotating logs
-# %u - unique number to avoid conflicts
-# FileHandler writes to %h/demo0.log by default.
-java.util.logging.FileHandler.pattern=./logs/DependencyCheck%g.log
\ No newline at end of file
diff --git a/dependency-check-core/src/test/resources/logback-test.xml b/dependency-check-core/src/test/resources/logback-test.xml
new file mode 100644
index 000000000..a1c62eae5
--- /dev/null
+++ b/dependency-check-core/src/test/resources/logback-test.xml
@@ -0,0 +1,23 @@
+
+ dependency-check
+
+
+ System.out
+
+ [%level] %msg%n
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java
index c33e4356a..38ecf9f81 100644
--- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java
+++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java
@@ -149,7 +149,7 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
if (mpp.compareTo(mod.getBasedir()) == 0 && descendants.add(mod)) {
if (getLog().isDebugEnabled()) {
getLog().debug(String.format("Decendent module %s added", mod.getName()));
- };
+ }
}
} catch (IOException ex) {
if (getLog().isDebugEnabled()) {
diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index 6d4bc935d..ef223cd92 100644
--- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -67,10 +67,6 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
* The properties file location.
*/
private static final String PROPERTIES_FILE = "mojo.properties";
- /**
- * Name of the logging properties file.
- */
- private static final String LOG_PROPERTIES_FILE = "log.properties";
/**
* System specific new line character.
*/
@@ -949,10 +945,11 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
} else {
file = new File(writeTo, dataFileName);
}
- File parent = file.getParentFile();
+ final File parent = file.getParentFile();
if (!parent.isDirectory()) {
if (parent.mkdirs()) {
- getLog().error(String.format("Directory '%s' does not exist and cannot be created; unable to write data file.", parent.getAbsolutePath()));
+ getLog().error(String.format("Directory '%s' does not exist and cannot be created; unable to write data file.",
+ parent.getAbsolutePath()));
}
}
diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerAdapter.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerAdapter.java
index ca132299f..d5aee3047 100644
--- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerAdapter.java
+++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerAdapter.java
@@ -18,22 +18,32 @@
package org.owasp.dependencycheck.maven.slf4j;
import org.apache.maven.plugin.logging.Log;
-import org.slf4j.helpers.FormattingTuple;
import org.slf4j.helpers.MarkerIgnoringBase;
import org.slf4j.helpers.MessageFormatter;
/**
- * Created by colezlaw on 6/14/15.
+ * Created on 6/14/15.
+ *
+ * @author colezlaw
*/
public class MavenLoggerAdapter extends MarkerIgnoringBase {
private Log log;
+ /**
+ * Creates a new Maven Logger Adapter.
+ *
+ * @param log the maven log
+ */
public MavenLoggerAdapter(Log log) {
super();
this.log = log;
}
+ /**
+ *
+ * @return
+ */
@Override
public boolean isTraceEnabled() {
if (log != null) {
diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerFactory.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerFactory.java
index 091f16fa9..00bd98912 100644
--- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerFactory.java
+++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerFactory.java
@@ -22,7 +22,9 @@ import org.slf4j.ILoggerFactory;
import org.slf4j.Logger;
/**
- * Created by colezlaw on 6/14/15.
+ * Created on 6/14/15.
+ *
+ * @author colezlaw
*/
public class MavenLoggerFactory implements ILoggerFactory {
diff --git a/dependency-check-maven/src/main/java/org/slf4j/impl/StaticLoggerBinder.java b/dependency-check-maven/src/main/java/org/slf4j/impl/StaticLoggerBinder.java
index 5b61ea85c..41327792a 100644
--- a/dependency-check-maven/src/main/java/org/slf4j/impl/StaticLoggerBinder.java
+++ b/dependency-check-maven/src/main/java/org/slf4j/impl/StaticLoggerBinder.java
@@ -48,7 +48,7 @@ public class StaticLoggerBinder implements LoggerFactoryBinder {
/**
* Maven mojos have their own logger, so we'll use one of those
*/
- private Log log;
+ private Log log = null;
/**
* Set the Task which will this is to log through.
@@ -70,7 +70,7 @@ public class StaticLoggerBinder implements LoggerFactoryBinder {
private static final String loggerFactoryClassStr = MavenLoggerFactory.class.getName();
/**
- * The ILoggerFactory instance returned by the {@link #getLoggerFactory} method should always be the smae object
+ * The ILoggerFactory instance returned by the {@link #getLoggerFactory} method should always be the same object
*/
private ILoggerFactory loggerFactory;
@@ -83,6 +83,7 @@ public class StaticLoggerBinder implements LoggerFactoryBinder {
*
* @return the logger factory
*/
+ @Override
public ILoggerFactory getLoggerFactory() {
return loggerFactory;
}
@@ -92,6 +93,7 @@ public class StaticLoggerBinder implements LoggerFactoryBinder {
*
* @return the logger factory class string
*/
+ @Override
public String getLoggerFactoryClassStr() {
return loggerFactoryClassStr;
}
diff --git a/dependency-check-utils/pom.xml b/dependency-check-utils/pom.xml
index f80e2e7c3..7595be28d 100644
--- a/dependency-check-utils/pom.xml
+++ b/dependency-check-utils/pom.xml
@@ -230,8 +230,13 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
compile
- org.slf4j
- slf4j-simple
+ ch.qos.logback
+ logback-core
+ test
+
+
+ ch.qos.logback
+ logback-classic
test
diff --git a/dependency-check-utils/src/test/resources/logback-test.xml b/dependency-check-utils/src/test/resources/logback-test.xml
new file mode 100644
index 000000000..2c55ad5ff
--- /dev/null
+++ b/dependency-check-utils/src/test/resources/logback-test.xml
@@ -0,0 +1,13 @@
+
+ dependency-check
+
+
+ System.out
+
+ [%level] %msg%n
+
+
+
+
+
+
\ No newline at end of file