From aba7b47fa871ad7ca3b07cd622ce5fd35d4ea198 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 21 Jun 2015 20:09:14 -0400 Subject: [PATCH 01/20] removed logback-classic version number because it is in dependency-management Former-commit-id: 231224b23957508f2084ec06f1debf09b6513b90 --- dependency-check-cli/pom.xml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/dependency-check-cli/pom.xml b/dependency-check-cli/pom.xml index 8758bd827..dbacd989d 100644 --- a/dependency-check-cli/pom.xml +++ b/dependency-check-cli/pom.xml @@ -198,7 +198,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved. 2.9.1 false - Copyright© 2012-15 Jeremy Long. All Rights Reserved. + Copyright� 2012-15 Jeremy Long. All Rights Reserved. @@ -333,7 +333,6 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved. ch.qos.logback logback-classic - ${logback.version} From 47fa6e67d97d7bad172a04c2c32ca02fca3c6386 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 21 Jun 2015 20:10:23 -0400 Subject: [PATCH 02/20] converted to logback instead of slfj-simple Former-commit-id: 1b3854eeb5ad098931d5603b5206d88a900176da --- dependency-check-core/pom.xml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/dependency-check-core/pom.xml b/dependency-check-core/pom.xml index a1cf447ee..cebf8d724 100644 --- a/dependency-check-core/pom.xml +++ b/dependency-check-core/pom.xml @@ -372,8 +372,13 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. - org.slf4j - slf4j-simple + ch.qos.logback + logback-core + test + + + ch.qos.logback + logback-classic test From 02acd3162e0f54b065359445112442418dce4171 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 21 Jun 2015 20:11:03 -0400 Subject: [PATCH 03/20] removed simplelogger references Former-commit-id: 5ab1de428d8d69a9d3f7bd8e80af0779f46b1fa0 --- .../owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java | 2 -- 1 file changed, 2 deletions(-) 
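Review bot: The first hunk of PATCH 01 changes `Copyright© 2012-15 Jeremy Long. All Rights Reserved.` to `Copyright� 2012-15 Jeremy Long. All Rights Reserved.`, which as rendered here is the U+FFFD replacement character in place of the copyright sign — an encoding round-trip error rather than an intentional edit, and one the commit message (removing the logback-classic version) does not mention. The line should be restored to `Copyright© 2012-15 Jeremy Long. All Rights Reserved.` and the pom saved with the encoding declared for the project (the same symptom will recur on every save otherwise). Only the second hunk, dropping `${logback.version}`, belongs to this commit.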
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java index 34b2b9873..3333227a3 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java @@ -34,8 +34,6 @@ import org.owasp.dependencycheck.dependency.Evidence; import org.owasp.dependencycheck.utils.Settings; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import org.slf4j.impl.SimpleLogger; -import org.slf4j.impl.SimpleLoggerFactory; /** * Tests for the AssemblyAnalyzer. From 190e17e6b96b177c1b09a734f9dd21103b323434 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 21 Jun 2015 20:11:27 -0400 Subject: [PATCH 04/20] converted to logback instead of slfj-simple Former-commit-id: ad06d3bf039bbb30b1f10ce2ae5861000b1c05f6 --- dependency-check-utils/pom.xml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/dependency-check-utils/pom.xml b/dependency-check-utils/pom.xml index 9dd12c78c..3fb9dcd26 100644 --- a/dependency-check-utils/pom.xml +++ b/dependency-check-utils/pom.xml @@ -230,8 +230,13 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved. compile - org.slf4j - slf4j-simple + ch.qos.logback + logback-core + test + + + ch.qos.logback + logback-classic test From 13db27854b719e93438c46e390a636047c17531d Mon Sep 17 00:00:00 2001 
From: Jeremy Long Date: Sun, 21 Jun 2015 20:12:31 -0400 Subject: [PATCH 05/20] logback test configuration Former-commit-id: f7af8edab353b7900eb20f088707ad9c38d9330e --- .../src/test/resources/logback-test.xml | 23 +++++++++++++++++++ .../src/test/resources/logback-test.xml | 13 +++++++++++ 2 files changed, 36 insertions(+) create mode 100644 dependency-check-core/src/test/resources/logback-test.xml create mode 100644 dependency-check-utils/src/test/resources/logback-test.xml diff --git a/dependency-check-core/src/test/resources/logback-test.xml b/dependency-check-core/src/test/resources/logback-test.xml new file mode 100644 index 000000000..575a86bbc --- /dev/null +++ b/dependency-check-core/src/test/resources/logback-test.xml @@ -0,0 +1,23 @@ + + dependency-check + + + System.out + + [%level] %msg%n + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/dependency-check-utils/src/test/resources/logback-test.xml b/dependency-check-utils/src/test/resources/logback-test.xml new file mode 100644 index 000000000..b2d692e5c --- /dev/null +++ b/dependency-check-utils/src/test/resources/logback-test.xml @@ -0,0 +1,13 @@ + + dependency-check + + + System.out + + [%level] %msg%n + + + + + + \ No newline at end of file From 2494fec2a78e1fe6297faf90d38eb0d1a20b85fe Mon Sep 17 00:00:00 2001 
From: Jeremy Long Date: Mon, 22 Jun 2015 05:53:11 -0400 Subject: [PATCH 06/20] checkstyle/findbugs/pmd corrections Former-commit-id: 7e1758362e3e3da13678e5e2a8bffa28b8ad5a87 --- .../java/org/owasp/dependencycheck/App.java | 13 +- .../org/owasp/dependencycheck/CliParser.java | 4 +- .../analyzer/AssemblyAnalyzer.java | 7 +- .../analyzer/AutoconfAnalyzer.java | 407 +++++++++--------- .../data/nexus/NexusSearch.java | 10 +- .../dependencycheck/data/nvdcve/CveDB.java | 4 +- .../data/update/StandardUpdate.java | 9 +- .../dependency/Dependency.java | 60 +-- .../dependencycheck/utils/DCResources.java | 27 ++ .../dependencycheck/maven/AggregateMojo.java | 2 +- .../maven/BaseDependencyCheckMojo.java | 9 +- .../maven/slf4j/MavenLoggerAdapter.java | 14 +- .../maven/slf4j/MavenLoggerFactory.java | 4 +- .../org/slf4j/impl/StaticLoggerBinder.java | 6 +- 14 files changed, 314 insertions(+), 262 deletions(-) diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java index 81e0008e7..d068d435b 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java 
@@ -351,22 +351,27 @@ public class App { } } + /** + * Creates a file appender and adds it to logback. + * + * @param verboseLog the path to the verbose log file + */ private void prepareLogger(String verboseLog) { - StaticLoggerBinder loggerBinder = StaticLoggerBinder.getSingleton(); - LoggerContext context = (LoggerContext) loggerBinder.getLoggerFactory(); + final StaticLoggerBinder loggerBinder = StaticLoggerBinder.getSingleton(); + final LoggerContext context = (LoggerContext) loggerBinder.getLoggerFactory(); final PatternLayoutEncoder encoder = new PatternLayoutEncoder(); encoder.setPattern("%d %C:%L%n%-5level - %msg%n"); encoder.setContext(context); encoder.start(); - FileAppender fa = new FileAppender(); + final FileAppender fa = new FileAppender(); fa.setAppend(true); fa.setEncoder(encoder); fa.setContext(context); fa.setFile(verboseLog); final File f = new File(verboseLog); String name = f.getName(); - int i = name.lastIndexOf('.'); + final int i = name.lastIndexOf('.'); if (i > 1) { name = name.substring(0, i); } diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java index e0eeb24ad..313537ab3 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java @@ -497,9 +497,9 @@ public final class CliParser { * * @return true if the disableAutoconf command line argument was specified; otherwise false */ - public boolean isAutoconfDisabled() { + public boolean isAutoconfDisabled() { return (line != null) && line.hasOption(ARGUMENT.DISABLE_AUTOCONF); - } + } /** * Returns true if the disableNexus command line argument was specified. 
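Review bot: In `prepareLogger` the extension-stripping guard `if (i > 1)` also skips names whose base is a single character before the dot (`v.log` gives `lastIndexOf('.') == 1`), while the evident intent is only to leave dot-files such as `.log` untouched; `if (i > 0) {` expresses that. The new Javadoc could also state that `verboseLog` is taken as a filesystem path and is opened in append mode, since the method truncates nothing and reuses whatever file is there: `* @param verboseLog path of the verbose log file; opened for appending`. If the page's rendering is faithful, `final FileAppender fa = new FileAppender();` is a raw type and would be `FileAppender<ILoggingEvent>` in logback's API, but angle brackets appear to be stripped elsewhere on this page, so that may be an artifact. The remainder of `prepareLogger`, including where `name` is consumed, lies outside the hunk.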
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java index 054adde34..f8eade81e 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java @@ -42,7 +42,6 @@ import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.dependency.Evidence; import org.owasp.dependencycheck.utils.DCResources; import org.owasp.dependencycheck.utils.Settings; -import org.slf4j.Logger; import org.slf4j.cal10n.LocLogger; import org.slf4j.cal10n.LocLoggerFactory; import org.w3c.dom.Document; @@ -79,15 +78,15 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer { /** * Message Conveyer */ - private IMessageConveyor messageConveyer = new MessageConveyor(Locale.getDefault()); + private final IMessageConveyor MESSAGE_CONVERYOR = new MessageConveyor(Locale.getDefault()); /** * LocLoggerFactory for localized logger */ - private LocLoggerFactory llFactory = new LocLoggerFactory(messageConveyer); + private final LocLoggerFactory LLFACTORY = new LocLoggerFactory(MESSAGE_CONVERYOR); /** * Logger */ - private LocLogger LOGGER = llFactory.getLocLogger(AssemblyAnalyzer.class); + private final LocLogger LOGGER = LLFACTORY.getLocLogger(AssemblyAnalyzer.class); /** * Builds the beginnings of a List for ProcessBuilder diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java index 47d038d66..1e81a0df6 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java 
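Review bot: In the second AssemblyAnalyzer hunk the fields are renamed to `MESSAGE_CONVERYOR` and `LLFACTORY`, but they remain per-instance (`private final`, non-static) fields, so constant-style UPPER_SNAKE_CASE names misdescribe them, and `MESSAGE_CONVERYOR` misspells "conveyor". None of the three initializers depend on instance state, so the cleaner fix is to make all of them class-level and keep the constant names: `private static final IMessageConveyor MESSAGE_CONVEYOR = new MessageConveyor(Locale.getDefault());`, `private static final LocLoggerFactory LL_FACTORY = new LocLoggerFactory(MESSAGE_CONVEYOR);`, `private static final LocLogger LOGGER = LL_FACTORY.getLocLogger(AssemblyAnalyzer.class);` — which also stops a new conveyor and logger factory being built for every analyzer instance. If they must stay per-instance, revert to lowerCamelCase (`messageConveyor`, `llFactory`, `logger`).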
@@ -35,219 +35,238 @@ import org.owasp.dependencycheck.utils.Settings; import org.owasp.dependencycheck.utils.UrlStringUtils; /** - * Used to analyze Autoconf input files named configure.ac or configure.in. - * Files simply named "configure" are also analyzed, assuming they are generated - * by Autoconf, and contain certain special package descriptor variables. + * Used to analyze Autoconf input files named configure.ac or configure.in. Files simply named "configure" are also analyzed, + * assuming they are generated by Autoconf, and contain certain special package descriptor variables. * * @author Dale Visser * @see Autoconf - GNU Project - Free Software Foundation (FSF) */ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer { - /** - * Autoconf output filename. - */ - private static final String CONFIGURE = "configure"; + /** + * Autoconf output filename. + */ + private static final String CONFIGURE = "configure"; - /** - * Autoconf input filename. - */ - private static final String CONFIGURE_IN = "configure.in"; + /** + * Autoconf input filename. + */ + private static final String CONFIGURE_IN = "configure.in"; - /** - * Autoconf input filename. - */ - private static final String CONFIGURE_AC = "configure.ac"; + /** + * Autoconf input filename. + */ + private static final String CONFIGURE_AC = "configure.ac"; - /** - * The name of the analyzer. - */ - private static final String ANALYZER_NAME = "Autoconf Analyzer"; + /** + * The name of the analyzer. + */ + private static final String ANALYZER_NAME = "Autoconf Analyzer"; - /** - * The phase that this analyzer is intended to run in. - */ - private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION; + /** + * The phase that this analyzer is intended to run in. + */ + private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION; - /** - * The set of file extensions supported by this analyzer. 
- */ - private static final Set EXTENSIONS = newHashSet("ac", "in", - CONFIGURE); + /** + * The set of file extensions supported by this analyzer. + */ + private static final Set EXTENSIONS = newHashSet("ac", "in", + CONFIGURE); - /** - * Matches AC_INIT variables in the output configure script. - */ - private static final Pattern PACKAGE_VAR = Pattern.compile( - "PACKAGE_(.+?)='(.*?)'", Pattern.DOTALL | Pattern.CASE_INSENSITIVE); + /** + * Matches AC_INIT variables in the output configure script. + */ + private static final Pattern PACKAGE_VAR = Pattern.compile( + "PACKAGE_(.+?)='(.*?)'", Pattern.DOTALL | Pattern.CASE_INSENSITIVE); - /** - * Matches AC_INIT statement in configure.ac file. - */ - private static final Pattern AC_INIT_PATTERN; - static { - // each instance of param or sep_param has a capture group - final String param = "\\[{0,2}(.+?)\\]{0,2}"; - final String sep_param = "\\s*,\\s*" + param; - // Group 1: Package - // Group 2: Version - // Group 3: optional - // Group 4: Bug report address (if it exists) - // Group 5: optional - // Group 6: Tarname (if it exists) - // Group 7: optional - // Group 8: URL (if it exists) - AC_INIT_PATTERN = Pattern.compile(String.format( - "AC_INIT\\(%s%s(%s)?(%s)?(%s)?\\s*\\)", param, sep_param, - sep_param, sep_param, sep_param), Pattern.DOTALL - | Pattern.CASE_INSENSITIVE); - } + /** + * Matches AC_INIT statement in configure.ac file. + */ + private static final Pattern AC_INIT_PATTERN; - /** - * Returns a list of file EXTENSIONS supported by this analyzer. - * - * @return a list of file EXTENSIONS supported by this analyzer. 
- */ - @Override - public Set getSupportedExtensions() { - return EXTENSIONS; - } + static { + // each instance of param or sep_param has a capture group + final String param = "\\[{0,2}(.+?)\\]{0,2}"; + final String sepParam = "\\s*,\\s*" + param; + // Group 1: Package + // Group 2: Version + // Group 3: optional + // Group 4: Bug report address (if it exists) + // Group 5: optional + // Group 6: Tarname (if it exists) + // Group 7: optional + // Group 8: URL (if it exists) + AC_INIT_PATTERN = Pattern.compile(String.format( + "AC_INIT\\(%s%s(%s)?(%s)?(%s)?\\s*\\)", param, sepParam, + sepParam, sepParam, sepParam), Pattern.DOTALL + | Pattern.CASE_INSENSITIVE); + } - /** - * Returns the name of the analyzer. - * - * @return the name of the analyzer. - */ - @Override - public String getName() { - return ANALYZER_NAME; - } + /** + * Returns a list of file EXTENSIONS supported by this analyzer. + * + * @return a list of file EXTENSIONS supported by this analyzer. + */ + @Override + public Set getSupportedExtensions() { + return EXTENSIONS; + } - /** - * Returns the phase that the analyzer is intended to run in. - * - * @return the phase that the analyzer is intended to run in. - */ - public AnalysisPhase getAnalysisPhase() { - return ANALYSIS_PHASE; - } + /** + * Returns the name of the analyzer. + * + * @return the name of the analyzer. + */ + @Override + public String getName() { + return ANALYZER_NAME; + } - /** - * Returns the key used in the properties file to reference the analyzer's - * enabled property. - * - * @return the analyzer's enabled property setting key - */ - @Override - protected String getAnalyzerEnabledSettingKey() { - return Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED; - } + /** + * Returns the phase that the analyzer is intended to run in. + * + * @return the phase that the analyzer is intended to run in. 
+ */ + public AnalysisPhase getAnalysisPhase() { + return ANALYSIS_PHASE; + } - @Override - protected void analyzeFileType(Dependency dependency, Engine engine) - throws AnalysisException { - final File actualFile = dependency.getActualFile(); - final String name = actualFile.getName(); - if (name.startsWith(CONFIGURE)) { - final File parent = actualFile.getParentFile(); - final String parentName = parent.getName(); - dependency.setDisplayFileName(parentName + "/" + name); - final boolean isOutputScript = CONFIGURE.equals(name); - if (isOutputScript || CONFIGURE_AC.equals(name) - || CONFIGURE_IN.equals(name)) { - final String contents = getFileContents(actualFile); - if (!contents.isEmpty()) { - if (isOutputScript) { - extractConfigureScriptEvidence(dependency, name, - contents); - } else { - gatherEvidence(dependency, name, contents); - } - } - } - } else { - // copy, alter and set in case some other thread is iterating over - final List deps = new ArrayList( - engine.getDependencies()); - deps.remove(dependency); - engine.setDependencies(deps); - } - } + /** + * Returns the key used in the properties file to reference the analyzer's enabled property. 
+ * + * @return the analyzer's enabled property setting key + */ + @Override + protected String getAnalyzerEnabledSettingKey() { + return Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED; + } - private void extractConfigureScriptEvidence(Dependency dependency, - final String name, final String contents) { - final Matcher matcher = PACKAGE_VAR.matcher(contents); - while (matcher.find()) { - final String variable = matcher.group(1); - final String value = matcher.group(2); - if (!value.isEmpty()) { - if (variable.endsWith("NAME")) { - dependency.getProductEvidence().addEvidence(name, variable, - value, Confidence.HIGHEST); - } else if ("VERSION".equals(variable)) { - dependency.getVersionEvidence().addEvidence(name, variable, - value, Confidence.HIGHEST); - } else if ("BUGREPORT".equals(variable)) { - dependency.getVendorEvidence().addEvidence(name, variable, - value, Confidence.HIGH); - } else if ("URL".equals(variable)) { - dependency.getVendorEvidence().addEvidence(name, variable, - value, Confidence.HIGH); - } - } - } - } + @Override + protected void analyzeFileType(Dependency dependency, Engine engine) + throws AnalysisException { + final File actualFile = dependency.getActualFile(); + final String name = actualFile.getName(); + if (name.startsWith(CONFIGURE)) { + final File parent = actualFile.getParentFile(); + final String parentName = parent.getName(); + dependency.setDisplayFileName(parentName + "/" + name); + final boolean isOutputScript = CONFIGURE.equals(name); + if (isOutputScript || CONFIGURE_AC.equals(name) + || CONFIGURE_IN.equals(name)) { + final String contents = getFileContents(actualFile); + if (!contents.isEmpty()) { + if (isOutputScript) { + extractConfigureScriptEvidence(dependency, name, + contents); + } else { + gatherEvidence(dependency, name, contents); + } + } + } + } else { + // copy, alter and set in case some other thread is iterating over + final List deps = new ArrayList( + engine.getDependencies()); + deps.remove(dependency); + 
engine.setDependencies(deps); + } + } - private String getFileContents(final File actualFile) - throws AnalysisException { - String contents = ""; - try { - contents = FileUtils.readFileToString(actualFile).trim(); - } catch (IOException e) { - throw new AnalysisException( - "Problem occured while reading dependency file.", e); - } - return contents; - } + /** + * Extracts evidence from the configuration. + * + * @param dependency the dependency being analyzed + * @param name the name of the source of evidence + * @param contents the contents to analyze for evidence + */ + private void extractConfigureScriptEvidence(Dependency dependency, + final String name, final String contents) { + final Matcher matcher = PACKAGE_VAR.matcher(contents); + while (matcher.find()) { + final String variable = matcher.group(1); + final String value = matcher.group(2); + if (!value.isEmpty()) { + if (variable.endsWith("NAME")) { + dependency.getProductEvidence().addEvidence(name, variable, + value, Confidence.HIGHEST); + } else if ("VERSION".equals(variable)) { + dependency.getVersionEvidence().addEvidence(name, variable, + value, Confidence.HIGHEST); + } else if ("BUGREPORT".equals(variable)) { + dependency.getVendorEvidence().addEvidence(name, variable, + value, Confidence.HIGH); + } else if ("URL".equals(variable)) { + dependency.getVendorEvidence().addEvidence(name, variable, + value, Confidence.HIGH); + } + } + } + } - private void gatherEvidence(Dependency dependency, final String name, - String contents) { - final Matcher matcher = AC_INIT_PATTERN.matcher(contents); - if (matcher.find()) { - final EvidenceCollection productEvidence = dependency - .getProductEvidence(); - productEvidence.addEvidence(name, "Package", matcher.group(1), - Confidence.HIGHEST); - dependency.getVersionEvidence().addEvidence(name, - "Package Version", matcher.group(2), Confidence.HIGHEST); - final EvidenceCollection vendorEvidence = dependency - .getVendorEvidence(); - if (null != matcher.group(3)) { - 
vendorEvidence.addEvidence(name, "Bug report address", - matcher.group(4), Confidence.HIGH); - } - if (null != matcher.group(5)) { - productEvidence.addEvidence(name, "Tarname", matcher.group(6), - Confidence.HIGH); - } - if (null != matcher.group(7)) { - final String url = matcher.group(8); - if (UrlStringUtils.isUrl(url)) { - vendorEvidence.addEvidence(name, "URL", url, - Confidence.HIGH); - } - } - } - } + /** + * Retrieves the contents of a given file. + * + * @param actualFile the file to read + * @return the contents of the file + * @throws AnalysisException thrown if there is an IO Exception + */ + private String getFileContents(final File actualFile) + throws AnalysisException { + String contents = ""; + try { + contents = FileUtils.readFileToString(actualFile).trim(); + } catch (IOException e) { + throw new AnalysisException( + "Problem occured while reading dependency file.", e); + } + return contents; + } - /** - * Initializes the file type analyzer. - * - * @throws Exception - * thrown if there is an exception during initialization - */ - @Override - protected void initializeFileTypeAnalyzer() throws Exception { - // No initialization needed. 
- } -} \ No newline at end of file + /** + * Gathers evidence from a given file + * + * @param dependency the dependency to add evidence to + * @param name the source of the evidence + * @param contents the evidence to analyze + */ + private void gatherEvidence(Dependency dependency, final String name, + String contents) { + final Matcher matcher = AC_INIT_PATTERN.matcher(contents); + if (matcher.find()) { + final EvidenceCollection productEvidence = dependency + .getProductEvidence(); + productEvidence.addEvidence(name, "Package", matcher.group(1), + Confidence.HIGHEST); + dependency.getVersionEvidence().addEvidence(name, + "Package Version", matcher.group(2), Confidence.HIGHEST); + final EvidenceCollection vendorEvidence = dependency + .getVendorEvidence(); + if (null != matcher.group(3)) { + vendorEvidence.addEvidence(name, "Bug report address", + matcher.group(4), Confidence.HIGH); + } + if (null != matcher.group(5)) { + productEvidence.addEvidence(name, "Tarname", matcher.group(6), + Confidence.HIGH); + } + if (null != matcher.group(7)) { + final String url = matcher.group(8); + if (UrlStringUtils.isUrl(url)) { + vendorEvidence.addEvidence(name, "URL", url, + Confidence.HIGH); + } + } + } + } + + /** + * Initializes the file type analyzer. + * + * @throws Exception thrown if there is an exception during initialization + */ + @Override + protected void initializeFileTypeAnalyzer() throws Exception { + // No initialization needed. + } +} diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java index 996826ba5..e0863d7f3 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java 
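Review bot: `getAnalyzerEnabledSettingKey` in the reindented AutoconfAnalyzer still returns `Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED`, so this analyzer's on/off switch is bound to the Python distribution analyzer's property — disabling one silently disables the other — and the checkstyle commit carries that over unchanged; it should return an autoconf-specific key (`Settings.KEYS.<AUTOCONF_ENABLED_KEY placeholder>`, added to `Settings.KEYS` if none exists, to pair with the `DISABLE_AUTOCONF` CLI argument seen in CliParser). `getFileContents` calls `FileUtils.readFileToString(actualFile)` without a charset, so a configure script is decoded with the platform default and the extracted evidence can differ between machines; `FileUtils.readFileToString(actualFile, StandardCharsets.UTF_8)` makes it deterministic, and the message in that branch misspells "occurred". `getAnalysisPhase` is the only overriding method in the hunk without `@Override`.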
@@ -48,14 +48,6 @@ public class NexusSearch { * Whether to use the Proxy when making requests. */ private boolean useProxy; - /** - * The username to use if the Nexus requires authentication. - */ - private String userName = null; - /** - * The password to use if the Nexus requires authentication. - */ - private char[] password; /** * Used for logging. */ @@ -156,7 +148,7 @@ public class NexusSearch { throw new FileNotFoundException("Artifact not found in Nexus"); } else { LOGGER.debug("Could not connect to Nexus received response code: {} {}", - conn.getResponseCode(), conn.getResponseMessage()); + conn.getResponseCode(), conn.getResponseMessage()); throw new IOException("Could not connect to Nexus"); } } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java index cdb522378..6d4a34f25 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java @@ -73,7 +73,7 @@ public class CveDB { */ public CveDB() throws DatabaseException { super(); - statementBundle = java.util.ResourceBundle.getBundle("data/dbStatements"); + statementBundle = ResourceBundle.getBundle("data/dbStatements"); try { open(); databaseProperties = new DatabaseProperties(this); @@ -638,7 +638,7 @@ public class CveDB { + "If the problem persist try deleting the files in '{}' and running {} again. If the problem continues, please " + "create a log file (see documentation at http://jeremylong.github.io/DependencyCheck/) and open a ticket at " + "https://github.com/jeremylong/DependencyCheck/issues and include the log file.\n\n", - dd, dd, Settings.getString(Settings.KEYS.APPLICATION_VAME)); + dd, dd, Settings.getString(Settings.KEYS.APPLICATION_VAME)); LOGGER.debug("", ex); } finally { DBUtils.closeResultSet(rs); 
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java index dc5016c21..d5f1c2c22 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java @@ -189,9 +189,8 @@ public class StandardUpdate { } /** - * Determines if the index needs to be updated. This is done by fetching the NVD CVE meta data and checking the last - * update date. If the data needs to be refreshed this method will return the NvdCveUrl for the files that need to - * be updated. + * Determines if the index needs to be updated. This is done by fetching the NVD CVE meta data and checking the last update + * date. If the data needs to be refreshed this method will return the NvdCveUrl for the files that need to be updated. * * @return the collection of files that need to be updated * @throws MalformedURLException is thrown if the URL for the NVD CVE Meta data is incorrect @@ -239,7 +238,7 @@ public class StandardUpdate { currentTimestamp = Long.parseLong(properties.getProperty(DatabaseProperties.LAST_UPDATED_BASE + entry.getId(), "0")); } catch (NumberFormatException ex) { LOGGER.debug("Error parsing '{}' '{}' from nvdcve.lastupdated", - DatabaseProperties.LAST_UPDATED_BASE, entry.getId(), ex); + DatabaseProperties.LAST_UPDATED_BASE, entry.getId(), ex); } if (currentTimestamp == entry.getTimestamp()) { entry.setNeedsUpdate(false); @@ -249,7 +248,7 @@ public class StandardUpdate { } } catch (NumberFormatException ex) { LOGGER.warn("An invalid schema version or timestamp exists in the data.properties file."); - LOGGER.debug( "", ex); + LOGGER.debug("", ex); } } return updates; 
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java index df2942bf6..4b9ad3627 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java @@ -306,9 +306,9 @@ public class Dependency implements Serializable, Comparable { /** * Adds an entry to the list of detected Identifiers for the dependency file. * - * @param type the type of identifier (such as CPE) + * @param type the type of identifier (such as CPE) * @param value the value of the identifier - * @param url the URL of the identifier + * @param url the URL of the identifier */ public void addIdentifier(String type, String value, String url) { final Identifier i = new Identifier(type, value, url); @@ -318,9 +318,9 @@ public class Dependency implements Serializable, Comparable { /** * Adds an entry to the list of detected Identifiers for the dependency file. * - * @param type the type of identifier (such as CPE) - * @param value the value of the identifier - * @param url the URL of the identifier + * @param type the type of identifier (such as CPE) + * @param value the value of the identifier + * @param url the URL of the identifier * @param confidence the confidence in the Identifier being accurate */ public void addIdentifier(String type, String value, String url, Confidence confidence) { 
@@ -332,9 +332,9 @@ public class Dependency implements Serializable, Comparable { /** * Adds the maven artifact as evidence. * - * @param source The source of the evidence + * @param source The source of the evidence * @param mavenArtifact The maven artifact - * @param confidence The confidence level of this evidence + * @param confidence The confidence level of this evidence */ public void addAsEvidence(String source, MavenArtifact mavenArtifact, Confidence confidence) { if (mavenArtifact.getGroupId() != null && !mavenArtifact.getGroupId().isEmpty()) { @@ -599,8 +599,8 @@ public class Dependency implements Serializable, Comparable { private Set relatedDependencies = new TreeSet(); /** - * Get the value of {@link #relatedDependencies}. This field is used to collect other dependencies which really - * represent the same dependency, and may be presented as one item in reports. + * Get the value of {@link #relatedDependencies}. This field is used to collect other dependencies which really represent the + * same dependency, and may be presented as one item in reports. * * @return the value of relatedDependencies */ @@ -660,8 +660,8 @@ public class Dependency implements Serializable, Comparable { /** * Adds a related dependency. The internal collection is normally a {@link java.util.TreeSet}, which relies on - * {@link #compareTo(Dependency)}. A consequence of this is that if you attempt to add a dependency with the - * same file path (modulo character case) as one that is already in the collection, it won't get added. + * {@link #compareTo(Dependency)}. A consequence of this is that if you attempt to add a dependency with the same file path + * (modulo character case) as one that is already in the collection, it won't get added. * * @param dependency a reference to the related dependency */ 
@@ -735,22 +735,22 @@ public class Dependency implements Serializable, Comparable { return false; } final Dependency other = (Dependency) obj; - return ObjectUtils.equals(this.actualFilePath, other.actualFilePath) && - ObjectUtils.equals(this.filePath, other.filePath) && - ObjectUtils.equals(this.fileName, other.fileName) && - ObjectUtils.equals(this.fileExtension, other.fileExtension) && - ObjectUtils.equals(this.md5sum, other.md5sum) && - ObjectUtils.equals(this.sha1sum, other.sha1sum) && - ObjectUtils.equals(this.identifiers, other.identifiers) && - ObjectUtils.equals(this.vendorEvidence, other.vendorEvidence) && - ObjectUtils.equals(this.productEvidence, other.productEvidence) && - ObjectUtils.equals(this.versionEvidence, other.versionEvidence) && - ObjectUtils.equals(this.description, other.description) && - ObjectUtils.equals(this.license, other.license) && - ObjectUtils.equals(this.vulnerabilities, other.vulnerabilities) && - ObjectUtils.equals(this.relatedDependencies, other.relatedDependencies) && - ObjectUtils.equals(this.projectReferences, other.projectReferences) && - ObjectUtils.equals(this.availableVersions, other.availableVersions); + return ObjectUtils.equals(this.actualFilePath, other.actualFilePath) + && ObjectUtils.equals(this.filePath, other.filePath) + && ObjectUtils.equals(this.fileName, other.fileName) + && ObjectUtils.equals(this.fileExtension, other.fileExtension) + && ObjectUtils.equals(this.md5sum, other.md5sum) + && ObjectUtils.equals(this.sha1sum, other.sha1sum) + && ObjectUtils.equals(this.identifiers, other.identifiers) + && ObjectUtils.equals(this.vendorEvidence, other.vendorEvidence) + && ObjectUtils.equals(this.productEvidence, other.productEvidence) + && ObjectUtils.equals(this.versionEvidence, other.versionEvidence) + && ObjectUtils.equals(this.description, other.description) + && ObjectUtils.equals(this.license, other.license) + && ObjectUtils.equals(this.vulnerabilities, other.vulnerabilities) + && 
ObjectUtils.equals(this.relatedDependencies, other.relatedDependencies) + && ObjectUtils.equals(this.projectReferences, other.projectReferences) + && ObjectUtils.equals(this.availableVersions, other.availableVersions); } /** @@ -762,9 +762,9 @@ public class Dependency implements Serializable, Comparable { public int hashCode() { int hash = MAGIC_HASH_INIT_VALUE; for (Object field : new Object[]{this.actualFilePath, this.filePath, this.fileName, this.fileExtension, this.md5sum, - this.sha1sum, this.identifiers, this.vendorEvidence, this.productEvidence, this.versionEvidence, - this.description, this.license, this.vulnerabilities, this.relatedDependencies, this.projectReferences, - this.availableVersions}) { + this.sha1sum, this.identifiers, this.vendorEvidence, this.productEvidence, this.versionEvidence, + this.description, this.license, this.vulnerabilities, this.relatedDependencies, this.projectReferences, + this.availableVersions}) { hash = MAGIC_HASH_MULTIPLIER * hash + ObjectUtils.hashCode(field); } return hash; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DCResources.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DCResources.java index 10454861d..4eedc5f36 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DCResources.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DCResources.java @@ -32,13 +32,40 @@ import ch.qos.cal10n.LocaleData; ) public enum DCResources { + /** + * Not deployed. + */ NOTDEPLOYED, + /** + * grok error. + */ GROKERROR, + /** + * The dependency is not an assembly. + */ NOTASSEMBLY, + /** + * GROK Return Code. + */ GROKRC, + /** + * Grok assembly was extracted. + */ GROKDEPLOYED, + /** + * Grok assembly was not extracted. + */ GROKNOTDEPLOYED, + /** + * Grok failed to initialize. + */ GROKINITFAIL, + /** + * Grok initialized. + */ GROKINITMSG, + /** + * Grok assembly was not deleted. + */ GROKNOTDELETED } 
diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java index c33e4356a..38ecf9f81 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java @@ -149,7 +149,7 @@ public class AggregateMojo extends BaseDependencyCheckMojo { if (mpp.compareTo(mod.getBasedir()) == 0 && descendants.add(mod)) { if (getLog().isDebugEnabled()) { getLog().debug(String.format("Decendent module %s added", mod.getName())); - }; + } } } catch (IOException ex) { if (getLog().isDebugEnabled()) { diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java index 6d4bc935d..ef223cd92 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java @@ -67,10 +67,6 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma * The properties file location. */ private static final String PROPERTIES_FILE = "mojo.properties"; - /** - * Name of the logging properties file. - */ - private static final String LOG_PROPERTIES_FILE = "log.properties"; /** * System specific new line character. */ 
@@ -949,10 +945,11 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma } else { file = new File(writeTo, dataFileName); } - File parent = file.getParentFile(); + final File parent = file.getParentFile(); if (!parent.isDirectory()) { if (parent.mkdirs()) { - getLog().error(String.format("Directory '%s' does not exist and cannot be created; unable to write data file.", parent.getAbsolutePath())); + getLog().error(String.format("Directory '%s' does not exist and cannot be created; unable to write data file.", + parent.getAbsolutePath())); } } diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerAdapter.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerAdapter.java index ca132299f..d5aee3047 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerAdapter.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerAdapter.java @@ -18,22 +18,32 @@ package org.owasp.dependencycheck.maven.slf4j; import org.apache.maven.plugin.logging.Log; -import org.slf4j.helpers.FormattingTuple; import org.slf4j.helpers.MarkerIgnoringBase; import org.slf4j.helpers.MessageFormatter; /** - * Created by colezlaw on 6/14/15. + * Created on 6/14/15. + * + * @author colezlaw */ public class MavenLoggerAdapter extends MarkerIgnoringBase { private Log log; + /** + * Creates a new Maven Logger Adapter. + * + * @param log the maven log + */ public MavenLoggerAdapter(Log log) { super(); this.log = log; } + /** + * + * @return + */ @Override public boolean isTraceEnabled() { if (log != null) { diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerFactory.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerFactory.java index 091f16fa9..00bd98912 100644 
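Review bot: The directory-creation check kept as context in this hunk is inverted: `if (parent.mkdirs())` logs "Directory '%s' does not exist and cannot be created" precisely when `mkdirs()` succeeded, and stays silent when it fails, so the data-file write that presumably follows proceeds with no diagnostic. The condition should read `if (!parent.mkdirs()) {`; the existing-directory case is already excluded by the surrounding `!parent.isDirectory()` guard, so `false` here means the directory genuinely could not be created. The commit only marks `parent` final and re-wraps the message line, and the enclosing method starts and ends outside the hunk.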
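Review bot: The Javadoc added to `isTraceEnabled()` in MavenLoggerAdapter is an empty shell — `/** * * @return */` with no summary sentence and no `@return` text — which documents nothing while satisfying a Javadoc-presence check. Either drop it and let `@Override` inherit the SLF4J `Logger` documentation, or fill it in, e.g. `/** Delegates to the wrapped Maven log. @return {@code true} if trace output should be emitted; {@code false} when no log was supplied */`, adjusting the text to what the body actually returns, since the method continues outside the hunk. The constructor Javadoc added just above shows the intended style.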
--- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerFactory.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerFactory.java @@ -22,7 +22,9 @@ import org.slf4j.ILoggerFactory; import org.slf4j.Logger; /** - * Created by colezlaw on 6/14/15. + * Created on 6/14/15. + * + * @author colezlaw */ public class MavenLoggerFactory implements ILoggerFactory { diff --git a/dependency-check-maven/src/main/java/org/slf4j/impl/StaticLoggerBinder.java b/dependency-check-maven/src/main/java/org/slf4j/impl/StaticLoggerBinder.java index 5b61ea85c..41327792a 100644 --- a/dependency-check-maven/src/main/java/org/slf4j/impl/StaticLoggerBinder.java +++ b/dependency-check-maven/src/main/java/org/slf4j/impl/StaticLoggerBinder.java @@ -48,7 +48,7 @@ public class StaticLoggerBinder implements LoggerFactoryBinder { /** * Maven mojos have their own logger, so we'll use one of those */ - private Log log; + private Log log = null; /** * Set the Task which will this is to log through. @@ -70,7 +70,7 @@ public class StaticLoggerBinder implements LoggerFactoryBinder { private static final String loggerFactoryClassStr = MavenLoggerFactory.class.getName(); /** - * The ILoggerFactory instance returned by the {@link #getLoggerFactory} method should always be the smae object + * The ILoggerFactory instance returned by the {@link #getLoggerFactory} method should always be the same object */ private ILoggerFactory loggerFactory; @@ -83,6 +83,7 @@ public class StaticLoggerBinder implements LoggerFactoryBinder { * * @return the logger factory */ + @Override public ILoggerFactory getLoggerFactory() { return loggerFactory; } @@ -92,6 +93,7 @@ public class StaticLoggerBinder implements LoggerFactoryBinder { * * @return the logger factory class string */ + @Override public String getLoggerFactoryClassStr() { return loggerFactoryClassStr; } From 802e4fc238f829535061e19bbd2648386d882f59 Mon Sep 17 00:00:00 2001 
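Review bot: `private Log log = null;` in the first StaticLoggerBinder hunk adds a redundant explicit initializer — a reference-type instance field is already `null` before any constructor runs, and Checkstyle's ExplicitInitialization check flags exactly this. Reverting to `private Log log;` preserves behaviour; if the point was to signal that the field is populated later through the setter described in the following Javadoc, a comment such as `// null until the mojo's Log is injected via the setter below` expresses that more clearly than the initializer. The `@Override` additions in the later hunks are correct as they stand.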
From: Jeremy Long Date: Mon, 22 Jun 2015 05:53:51 -0400 Subject: [PATCH 07/20] changed default logging for tests to INFO Former-commit-id: 45b4dc2707e0a267d2ef41a84627c5fee5ba92f1 --- dependency-check-core/src/test/resources/logback-test.xml | 2 +- dependency-check-utils/src/test/resources/logback-test.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dependency-check-core/src/test/resources/logback-test.xml b/dependency-check-core/src/test/resources/logback-test.xml index 575a86bbc..a1c62eae5 100644 --- a/dependency-check-core/src/test/resources/logback-test.xml +++ b/dependency-check-core/src/test/resources/logback-test.xml @@ -7,7 +7,7 @@ [%level] %msg%n - + diff --git a/dependency-check-utils/src/test/resources/logback-test.xml b/dependency-check-utils/src/test/resources/logback-test.xml index b2d692e5c..2c55ad5ff 100644 --- a/dependency-check-utils/src/test/resources/logback-test.xml +++ b/dependency-check-utils/src/test/resources/logback-test.xml @@ -7,7 +7,7 @@ [%level] %msg%n - + \ No newline at end of file From aa66e5ab15d14e037c6346d1a59098b55f25ab08 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 22 Jun 2015 05:54:18 -0400 Subject: [PATCH 08/20] removed unused JUL properties file Former-commit-id: e02cb926d9c52fbd6f8e99dc612dea6707fac51a --- .../src/test/resources/log.properties | 21 ------------------- 1 file changed, 21 deletions(-) delete mode 100644 dependency-check-core/src/test/resources/log.properties diff --git a/dependency-check-core/src/test/resources/log.properties b/dependency-check-core/src/test/resources/log.properties deleted file mode 100644 index 158c15ef8..000000000 --- a/dependency-check-core/src/test/resources/log.properties +++ /dev/null 
@@ -1,21 +0,0 @@ -handlers=java.util.logging.ConsoleHandler, java.util.logging.FileHandler - -# logging levels -# FINEST, FINER, FINE, CONFIG, INFO, WARNING and SEVERE. - -# Configure the ConsoleHandler. -java.util.logging.ConsoleHandler.level=SEVERE - -# Configure the FileHandler. -java.util.logging.FileHandler.formatter=java.util.logging.SimpleFormatter -java.util.logging.FileHandler.level=FINEST - -# The following special tokens can be used in the pattern property -# which specifies the location and name of the log file. -# / - standard path separator -# %t - system temporary directory -# %h - value of the user.home system property -# %g - generation number for rotating logs -# %u - unique number to avoid conflicts -# FileHandler writes to %h/demo0.log by default. -java.util.logging.FileHandler.pattern=./logs/DependencyCheck%g.log \ No newline at end of file From fa16a960a55de6c770c9da235b27c11533363ae8 Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Tue, 23 Jun 2015 11:56:09 -0400 Subject: [PATCH 09/20] Added explanatory text to analyzeDependencies() javadoc. Fixed IDE warning about unnecessary ternary expression. Slight code reformat. Former-commit-id: 2b2887308c853cae85a4a6f9572e3fde20f0c990 --- .../org/owasp/dependencycheck/Engine.java | 30 +++++++++---------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java index 949c4ce47..69036b9a9 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java 
@@ -17,13 +17,6 @@ */ package org.owasp.dependencycheck; -import java.io.File; -import java.util.ArrayList; -import java.util.EnumMap; -import java.util.HashSet; -import java.util.Iterator; -import java.util.List; -import java.util.Set; import org.owasp.dependencycheck.analyzer.AnalysisPhase; import org.owasp.dependencycheck.analyzer.Analyzer; import org.owasp.dependencycheck.analyzer.AnalyzerService; @@ -43,6 +36,14 @@ import org.owasp.dependencycheck.utils.Settings; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import java.io.File; +import java.util.ArrayList; +import java.util.EnumMap; +import java.util.HashSet; +import java.util.Iterator; +import java.util.List; +import java.util.Set; + /** * Scans files, directories, etc. for Dependencies. Analyzers are loaded and used to process the files found by the scan, if a * file is encountered and an Analyzer is associated with the file type then the file is turned into a dependency. @@ -167,7 +168,6 @@ public class Engine { * * @param paths an array of paths to files or directories to be analyzed * @return the list of dependencies scanned - * * @since v0.3.2.5 */ public List scan(String[] paths) { @@ -200,7 +200,6 @@ public class Engine { * * @param files an array of paths to files or directories to be analyzed. * @return the list of dependencies - * * @since v0.3.2.5 */ public List scan(File[] files) { @@ -220,7 +219,6 @@ public class Engine { * * @param files a set of paths to files or directories to be analyzed * @return the list of dependencies scanned - * * @since v0.3.2.5 */ public List scan(Set files) { @@ -240,7 +238,6 @@ public class Engine { * * @param files a set of paths to files or directories to be analyzed * @return the list of dependencies scanned - * * @since v0.3.2.5 */ public List scan(List files) { 
@@ -260,9 +257,7 @@ public class Engine { * * @param file the path to a file or directory to be analyzed * @return the list of dependencies scanned - * * @since v0.3.2.4 - * */ public List scan(File file) { if (file.exists()) { @@ -324,7 +319,7 @@ public class Engine { Dependency dependency = null; if (supportsExtension(extension)) { dependency = new Dependency(file); - if (extension == null ? fileName == null : extension.equals(fileName)) { + if (extension.equals(fileName)) { dependency.setFileExtension(extension); } dependencies.add(dependency); @@ -333,7 +328,10 @@ public class Engine { } /** - * Runs the analyzers against all of the dependencies. + * Runs the analyzers against all of the dependencies. Since the mutable dependencies list is exposed via + * {@link #getDependencies()}, this method iterates over a copy of the dependencies list. Thus, the potential for + * {@link java.util.ConcurrentModificationException}s is avoided, and analyzers may safely add or remove entries + * from the dependencies list. */ public void analyzeDependencies() { boolean autoUpdate = true; @@ -512,7 +510,7 @@ public class Engine { /** * Checks the CPE Index to ensure documents exists. If none exist a NoDataException is thrown. * - * @throws NoDataException thrown if no data exists in the CPE Index + * @throws NoDataException thrown if no data exists in the CPE Index * @throws DatabaseException thrown if there is an exception opening the database */ private void ensureDataExists() throws NoDataException, DatabaseException { From d76799cfd0cae7349f1fe70cff07db1da93cad02 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Wed, 24 Jun 2015 06:16:12 -0400 Subject: [PATCH 10/20] changed a warning log message to debug Former-commit-id: dee9cc935de19052dc0d25b927b6dc4b5948504c --- .../org/owasp/dependencycheck/dependency/Dependency.java | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) 
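Review bot: The simplified condition `if (extension.equals(fileName))` in the `@@ -324` hunk dereferences `extension` unconditionally, whereas the removed ternary treated a null extension as a handled case. This is only safe if the enclosing `supportsExtension(extension)` guard returns `false` for a null argument, which is not visible in the hunk; if a file with no extension can reach this point, the former no-op becomes a `NullPointerException`. If the invariant holds, record it on the guard with `// supportsExtension() rejects null, so extension is non-null below`; otherwise keep a null-safe form such as `if (extension != null && extension.equals(fileName))`. The enclosing method starts and ends outside the hunk.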
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java index 4b9ad3627..0cbcef15e 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java @@ -666,16 +666,13 @@ public class Dependency implements Serializable, Comparable { * @param dependency a reference to the related dependency */ public void addRelatedDependency(Dependency dependency) { - boolean debug = false; if (this == dependency) { LOGGER.warn("Attempted to add a circular reference - please post the log file to issue #172 here " + "https://github.com/jeremylong/DependencyCheck/issues/172"); - debug = true; + LOGGER.debug("this: {}", this); + LOGGER.debug("dependency: {}", dependency); } else if (!relatedDependencies.add(dependency)) { - LOGGER.warn("Failed to add dependency, likely due to referencing the same file as another dependency in the set."); - debug = true; - } - if (debug) { + LOGGER.debug("Failed to add dependency, likely due to referencing the same file as another dependency in the set."); LOGGER.debug("this: {}", this); LOGGER.debug("dependency: {}", dependency); } From e8353089f31a6505d1be3f2933bfda9699318b89 Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Wed, 24 Jun 2015 14:41:20 -0400 Subject: [PATCH 11/20] Made hashCode() implement satisfy the Object.hashCode() contract, i.e., a.equals(b) implies a.hashCode() == b.hashCode() Former-commit-id: 9f347a57b740b572d2d6a9a9e523de44e384773e --- .gitignore | 2 ++ .../owasp/dependencycheck/dependency/Evidence.java | 13 ++++++++----- .../dependencycheck/dependency/EvidenceTest.java | 9 +++++++++ 3 files changed, 19 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index 1c55ffdfe..09bf20505 100644 --- a/.gitignore +++ b/.gitignore 
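Review bot: The pair `LOGGER.debug("this: {}", this); LOGGER.debug("dependency: {}", dependency);` now appears verbatim in both the circular-reference branch and the failed-add branch, which is the duplication the removed `debug` flag existed to avoid. A small private helper (`logRelatedDependencyDetails(dependency)`) keeps one copy without reintroducing the flag. Note also that the two branches are no longer symmetric — a circular reference still logs at WARN while a duplicate file path is demoted to DEBUG; if that is deliberate, a one-line comment such as `// same-file duplicates are expected and not user-actionable; circular references are` would stop the next reader from "re-aligning" them. The enclosing method continues outside the hunk.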
@@ -1,4 +1,6 @@ */target/** +# IntelliJ test run side-effects +dependency-check-core/data/ # Intellij project files *.iml *.ipr diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java index 1f3d8e40e..fd2c0ce20 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java @@ -26,6 +26,9 @@ import java.io.Serializable; */ public class Evidence implements Serializable, Comparable { + public static final int MAGIC_HASH_INIT_VALUE = 3; + public static final int MAGIC_HASH_MULTIPLIER = 67; + /** * Creates a new Evidence object. */ @@ -176,11 +179,11 @@ public class Evidence implements Serializable, Comparable { */ @Override public int hashCode() { - int hash = 3; - hash = 67 * hash + (this.name != null ? this.name.hashCode() : 0); - hash = 67 * hash + (this.source != null ? this.source.hashCode() : 0); - hash = 67 * hash + (this.value != null ? this.value.hashCode() : 0); - hash = 67 * hash + (this.confidence != null ? this.confidence.hashCode() : 0); + int hash = MAGIC_HASH_INIT_VALUE; + hash = MAGIC_HASH_MULTIPLIER * hash + (this.name != null ? this.name.toLowerCase().hashCode() : 0); + hash = MAGIC_HASH_MULTIPLIER * hash + (this.source != null ? this.source.toLowerCase().hashCode() : 0); + hash = MAGIC_HASH_MULTIPLIER * hash + (this.value != null ? this.value.toLowerCase().hashCode() : 0); + hash = MAGIC_HASH_MULTIPLIER * hash + (this.confidence != null ? this.confidence.hashCode() : 0); return hash; } diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/EvidenceTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/EvidenceTest.java index 42a506edd..56b7e6393 100644 
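Review bot: The new `hashCode()` folds case with `String.toLowerCase()`, which uses the JVM default locale, while the `equals()` this commit is aligning with (per the commit message and the later hunks in the series) uses `equalsIgnoreCase`, which is locale-independent. Under a Turkish default locale, for example, `"TITLE".toLowerCase()` produces a dotless ı, so two `Evidence` objects that are `equals()` can still hash differently — the very contract violation this commit sets out to fix — and the new `testHashcodeContract()` would only catch it when run under such a locale. Use `this.name.toLowerCase(Locale.ROOT)` (likewise for `source` and `value`, with `import java.util.Locale;`); this removes the locale dependence, though a few Unicode characters still fold differently between the two operations. Patch 12 later replaces these calls with `StringUtils.lowerCase(...)`, which in commons-lang delegates to the same default-locale `String.toLowerCase()`, so the same change applies there.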
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/EvidenceTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/EvidenceTest.java @@ -19,6 +19,7 @@ package org.owasp.dependencycheck.dependency; import org.junit.Test; import static org.junit.Assert.*; +import static org.hamcrest.CoreMatchers.*; /** * @@ -53,6 +54,14 @@ public class EvidenceTest { assertTrue(instance.equals(that8)); } + @Test + public void testHashcodeContract() throws Exception { + final Evidence titleCase = new Evidence("Manifest", "Implementation-Title", "Spring Framework", Confidence.HIGH); + final Evidence lowerCase = new Evidence("manifest", "implementation-title", "spring framework", Confidence.HIGH); + assertThat(titleCase, is(equalTo(lowerCase))); + assertThat(titleCase.hashCode(), is(equalTo(lowerCase.hashCode()))); + } + /** * Test of compareTo method, of class Evidence. */ From 42e77c77a9590acaaa343e287b50b589183a4ea9 Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Wed, 24 Jun 2015 14:48:48 -0400 Subject: [PATCH 12/20] More expressive/readable code using commons-lang. Former-commit-id: bf24d6d4672c57fdbe6c1f113ddb25628ec97db4 --- .../owasp/dependencycheck/dependency/Evidence.java | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java index fd2c0ce20..f69731401 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java @@ -17,6 +17,9 @@ */ package org.owasp.dependencycheck.dependency; +import org.apache.commons.lang.ObjectUtils; +import org.apache.commons.lang.StringUtils; + import java.io.Serializable; /** 
@@ -180,10 +183,10 @@ public class Evidence implements Serializable, Comparable { @Override public int hashCode() { int hash = MAGIC_HASH_INIT_VALUE; - hash = MAGIC_HASH_MULTIPLIER * hash + (this.name != null ? this.name.toLowerCase().hashCode() : 0); - hash = MAGIC_HASH_MULTIPLIER * hash + (this.source != null ? this.source.toLowerCase().hashCode() : 0); - hash = MAGIC_HASH_MULTIPLIER * hash + (this.value != null ? this.value.toLowerCase().hashCode() : 0); - hash = MAGIC_HASH_MULTIPLIER * hash + (this.confidence != null ? this.confidence.hashCode() : 0); + hash = MAGIC_HASH_MULTIPLIER * hash + ObjectUtils.hashCode(StringUtils.lowerCase(this.name)); + hash = MAGIC_HASH_MULTIPLIER * hash + ObjectUtils.hashCode(StringUtils.lowerCase(this.source)); + hash = MAGIC_HASH_MULTIPLIER * hash + ObjectUtils.hashCode(StringUtils.lowerCase(this.value)); + hash = MAGIC_HASH_MULTIPLIER * hash + ObjectUtils.hashCode(this.confidence); return hash; } From 39e587085f69a381906d0247a96bbc82e25b0b59 Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Wed, 24 Jun 2015 14:57:10 -0400 Subject: [PATCH 13/20] Replaced private method with equivalent ObjectUtils.equals() call. Former-commit-id: 9d460788899a3cb6e0891d63e39f50c3f96fc385 --- .../dependencycheck/dependency/Evidence.java | 18 +----------------- 1 file changed, 1 insertion(+), 17 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java index f69731401..241791dea 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java 
@@ -234,7 +234,7 @@ public class Evidence implements Serializable, Comparable { if (equalsWithNullCheck(source, o.source)) { if (equalsWithNullCheck(name, o.name)) { if (equalsWithNullCheck(value, o.value)) { - if (equalsWithNullCheck(confidence, o.confidence)) { + if (ObjectUtils.equals(confidence, o.confidence)) { return 0; //they are equal } else { return compareToWithNullCheck(confidence, o.confidence); @@ -266,22 +266,6 @@ public class Evidence implements Serializable, Comparable { return me.equalsIgnoreCase(other); } - /** - * Equality check with an exhaustive, possibly duplicative, check against nulls. - * - * @param me the value to be compared - * @param other the other value to be compared - * @return true if the values are equal; otherwise false - */ - private boolean equalsWithNullCheck(Confidence me, Confidence other) { - if (me == null && other == null) { - return true; - } else if (me == null || other == null) { - return false; - } - return me.equals(other); - } - /** * Wrapper around {@link java.lang.String#compareToIgnoreCase(java.lang.String) String.compareToIgnoreCase} with an * exhaustive, possibly duplicative, check against nulls. From e2389b49922b639b9d468c1d99c28e3a7c92dbbd Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Wed, 24 Jun 2015 15:01:32 -0400 Subject: [PATCH 14/20] Replaced private method with calls to StringUtils.equalsIgnoreCase() Former-commit-id: d4c92115e6f90109bfae9487ef3f4c829bf22232 --- .../dependencycheck/dependency/Evidence.java | 22 +++---------------- 1 file changed, 3 insertions(+), 19 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java index 241791dea..bddd69bc8 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java 
@@ -231,9 +231,9 @@ public class Evidence implements Serializable, Comparable { if (o == null) { return 1; } - if (equalsWithNullCheck(source, o.source)) { - if (equalsWithNullCheck(name, o.name)) { - if (equalsWithNullCheck(value, o.value)) { + if (StringUtils.equalsIgnoreCase(source, o.source)) { + if (StringUtils.equalsIgnoreCase(name, o.name)) { + if (StringUtils.equalsIgnoreCase(value, o.value)) { if (ObjectUtils.equals(confidence, o.confidence)) { return 0; //they are equal } else { @@ -250,22 +250,6 @@ public class Evidence implements Serializable, Comparable { } } - /** - * Equality check with an exhaustive, possibly duplicative, check against nulls. - * - * @param me the value to be compared - * @param other the other value to be compared - * @return true if the values are equal; otherwise false - */ - private boolean equalsWithNullCheck(String me, String other) { - if (me == null && other == null) { - return true; - } else if (me == null || other == null) { - return false; - } - return me.equalsIgnoreCase(other); - } - /** * Wrapper around {@link java.lang.String#compareToIgnoreCase(java.lang.String) String.compareToIgnoreCase} with an * exhaustive, possibly duplicative, check against nulls. From 723ba740e0a30e1092baf037b40ba69911ac5d34 Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Wed, 24 Jun 2015 15:12:15 -0400 Subject: [PATCH 15/20] Repleced testEquality() with StringUtils.equalsIgnoreCase(). Former-commit-id: 559413b9fef79fddbb85bcebda3ed0ca76c908dd --- .../owasp/dependencycheck/dependency/Evidence.java | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java index bddd69bc8..a9d6a6d3e 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java 
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java @@ -206,21 +206,10 @@ public class Evidence implements Serializable, Comparable { } final Evidence e = (Evidence) that; - return testEquality(name, e.name) && testEquality(source, e.source) && testEquality(value, e.value) + return StringUtils.equalsIgnoreCase(name, e.name) && StringUtils.equalsIgnoreCase(source, e.source) && StringUtils.equalsIgnoreCase(value, e.value) && (confidence == null ? e.confidence == null : confidence == e.confidence); } - /** - * Simple equality test for use within the equals method. This does a case insensitive compare. - * - * @param l a string to compare. - * @param r another string to compare. - * @return whether the two strings are the same. - */ - private boolean testEquality(String l, String r) { - return l == null ? r == null : l.equalsIgnoreCase(r); - } - /** * Implementation of the comparable interface. * From 414912de6702b77d19873030d59ddb0321cf50e7 Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Wed, 24 Jun 2015 15:19:24 -0400 Subject: [PATCH 16/20] Replaced private method with ObjectUtils.compare(). Former-commit-id: 16c4a5a7ed74819351bab55528442183a3244a0c --- .../dependencycheck/dependency/Evidence.java | 21 +------------------ 1 file changed, 1 insertion(+), 20 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java index a9d6a6d3e..d6c9654c8 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java 
@@ -226,7 +226,7 @@ public class Evidence implements Serializable, Comparable { if (ObjectUtils.equals(confidence, o.confidence)) { return 0; //they are equal } else { - return compareToWithNullCheck(confidence, o.confidence); + return ObjectUtils.compare(confidence, o.confidence); } } else { return compareToIgnoreCaseWithNullCheck(value, o.value); @@ -258,25 +258,6 @@ public class Evidence implements Serializable, Comparable { return me.compareToIgnoreCase(other); } - /** - * Wrapper around {@link java.lang.Enum#compareTo(java.lang.Enum) Enum.compareTo} with an exhaustive, possibly duplicative, - * check against nulls. - * - * @param me the value to be compared - * @param other the other value to be compared - * @return true if the values are equal; otherwise false - */ - private int compareToWithNullCheck(Confidence me, Confidence other) { - if (me == null && other == null) { - return 0; - } else if (me == null) { - return -1; //the other string is greater then me - } else if (other == null) { - return 1; //me is greater then the other string - } - return me.compareTo(other); - } - /** * Standard toString() implementation. * From e6707c65a57c200f3d97f6e9af7e83ac9b062471 Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Wed, 24 Jun 2015 15:25:03 -0400 Subject: [PATCH 17/20] Made magic number constants private. Former-commit-id: 12539d50efb17790b770934d10b953e0fd180c8a --- .../owasp/dependencycheck/dependency/Evidence.java | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java index d6c9654c8..c632b94f4 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java 
@@ -29,8 +29,15 @@ import java.io.Serializable; */ public class Evidence implements Serializable, Comparable { - public static final int MAGIC_HASH_INIT_VALUE = 3; - public static final int MAGIC_HASH_MULTIPLIER = 67; + /** + * Used as starting point for generating the value in {@link #hashCode()}. + */ + private static final int MAGIC_HASH_INIT_VALUE = 3; + + /** + * Used as a multiplier for generating the value in {@link #hashCode()}. + */ + private static final int MAGIC_HASH_MULTIPLIER = 67; /** * Creates a new Evidence object. From 888f2aed9701632676867d09f4c44a9b1d886dd6 Mon Sep 17 00:00:00 2001 From: Dale Visser Date: Wed, 24 Jun 2015 15:38:03 -0400 Subject: [PATCH 18/20] Replaced ternary expression with ObjectUtils.equals(), and reformatted using IDE. Former-commit-id: e72ba88f6e4d29cb00288c34a9d413e455f26b16 --- .../dependencycheck/dependency/Evidence.java | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java index c632b94f4..4fa29805b 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java @@ -48,9 +48,9 @@ public class Evidence implements Serializable, Comparable { /** * Creates a new Evidence objects. * - * @param source the source of the evidence. - * @param name the name of the evidence. - * @param value the value of the evidence. + * @param source the source of the evidence. + * @param name the name of the evidence. + * @param value the value of the evidence. * @param confidence the confidence of the evidence. */ public Evidence(String source, String name, String value, Confidence confidence) { 
@@ -59,6 +59,7 @@ public class Evidence implements Serializable, Comparable { this.value = value; this.confidence = confidence; } + /** * The name of the evidence. */ @@ -81,6 +82,7 @@ public class Evidence implements Serializable, Comparable { public void setName(String name) { this.name = name; } + /** * The source of the evidence. */ @@ -103,6 +105,7 @@ public class Evidence implements Serializable, Comparable { public void setSource(String source) { this.source = source; } + /** * The value of the evidence. */ @@ -137,6 +140,7 @@ public class Evidence implements Serializable, Comparable { public void setValue(String value) { this.value = value; } + /** * A value indicating if the Evidence has been "used" (aka read). */ @@ -159,6 +163,7 @@ public class Evidence implements Serializable, Comparable { public void setUsed(boolean used) { this.used = used; } + /** * The confidence level for the evidence. */ @@ -213,8 +218,10 @@ public class Evidence implements Serializable, Comparable { } final Evidence e = (Evidence) that; - return StringUtils.equalsIgnoreCase(name, e.name) && StringUtils.equalsIgnoreCase(source, e.source) && StringUtils.equalsIgnoreCase(value, e.value) - && (confidence == null ? e.confidence == null : confidence == e.confidence); + return StringUtils.equalsIgnoreCase(name, e.name) + && StringUtils.equalsIgnoreCase(source, e.source) + && StringUtils.equalsIgnoreCase(value, e.value) + && ObjectUtils.equals(confidence, e.confidence); } /** @@ -250,7 +257,7 @@ public class Evidence implements Serializable, Comparable { * Wrapper around {@link java.lang.String#compareToIgnoreCase(java.lang.String) String.compareToIgnoreCase} with an * exhaustive, possibly duplicative, check against nulls. * - * @param me the value to be compared + * @param me the value to be compared * @param other the other value to be compared * @return true if the values are equal; otherwise false */ From 890bb4a2c3d3827bf55b48930394a49b8785e405 Mon Sep 17 00:00:00 2001 
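Review bot: In the `@@ -250,7 +257,7 @@` hunk the reformatted Javadoc keeps `@return true if the values are equal; otherwise false`, which describes a boolean although `compareToIgnoreCaseWithNullCheck` returns an `int`; while the commit is already editing these tag lines it should become `@return a negative integer, zero or a positive integer as {@code me} sorts before, equal to or after {@code other}`. The same wrong `@return` wording appears on the helper removed in the earlier `@@ -258,25 +258,6 @@` hunk, so it is likely a copy-paste from there. In the `@@ -213,8 +218,10 @@` hunk, `ObjectUtils.equals(confidence, e.confidence)` is equivalent to the removed ternary because `Confidence` is an enum and enum equality is identity, so no behaviour change there. The signature of `compareToIgnoreCaseWithNullCheck` lies outside the hunk.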
From: Jeremy Long Date: Sun, 28 Jun 2015 07:08:36 -0400 Subject: [PATCH 19/20] changed how specification version is handled to resolve 262 Former-commit-id: c902d0683bec70a8254c7110e14b14bf0f3ad54a --- .../dependencycheck/analyzer/JarAnalyzer.java | 16 +++++++++++++--- .../analyzer/CPEAnalyzerIntegrationTest.java | 2 +- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java index a44b7f5f5..f9c180446 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java @@ -657,6 +657,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { final String source = "Manifest"; + String specificationVersion = null; + boolean hasImplementationVersion = false; + for (Entry entry : atts.entrySet()) { String key = entry.getKey().toString(); String value = atts.getValue(key); @@ -670,8 +673,11 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { productEvidence.addEvidence(source, key, value, Confidence.HIGH); addMatchingValues(classInformation, value, productEvidence); } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VERSION.toString())) { + hasImplementationVersion = true; foundSomething = true; versionEvidence.addEvidence(source, key, value, Confidence.HIGH); + } else if ("specification-version".equalsIgnoreCase(key)) { + specificationVersion = key; } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VENDOR.toString())) { foundSomething = true; vendorEvidence.addEvidence(source, key, value, Confidence.HIGH); 
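Review bot: In the `@@ -670,8 +673,11 @@` hunk, `specificationVersion = key;` stores the attribute name rather than its value, so the evidence later built from this variable would carry the literal key text (`specification-version` in some casing) instead of the version string; the line should read `specificationVersion = value;`. The only consumer visible on this page is the block added in the `@@ -778,6 +784,10 @@` hunk, where the value is recorded as HIGH-confidence version evidence, so the wrong assignment would directly feed a bogus version into CPE matching. The enclosing method starts and ends outside these hunks.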
@@ -724,9 +730,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { foundSomething = true; if (key.contains("version")) { - if (key.contains("specification")) { - versionEvidence.addEvidence(source, key, value, Confidence.LOW); - } else { + if (!key.contains("specification")) { + //versionEvidence.addEvidence(source, key, value, Confidence.LOW); + //} else { versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM); } } else if ("build-id".equals(key)) { @@ -778,6 +784,10 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer { } } } + if (specificationVersion != null && !hasImplementationVersion) { + foundSomething = true; + versionEvidence.addEvidence(source, "specificationn-version", specificationVersion, Confidence.HIGH); + } } finally { if (jar != null) { jar.close(); diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java index 2214c4d3b..3625537a3 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java 
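Review bot: The two commented-out lines `//versionEvidence.addEvidence(source, key, value, Confidence.LOW);` and `//} else {` left inside the negated `if (!key.contains("specification"))` are dead code and should be deleted rather than kept as comments. If the point is to record why the branch was removed, a single comment such as `// specification-version is handled separately; see the explicit check earlier in this method` conveys it without stale code. With the inverted condition, keys containing both "version" and "specification" now fall through this block silently, so the comment should make clear that this is deliberate. The enclosing method starts and ends outside the hunk.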
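Review bot: The evidence name in `versionEvidence.addEvidence(source, "specificationn-version", specificationVersion, Confidence.HIGH);` is misspelled with a double n, so the recorded name will not match the manifest attribute it came from and will look wrong in reports; change it to `"specification-version"`. The variable passed as the value is assigned in the `@@ -670,8 +673,11 @@` hunk, where it currently receives the key rather than the value, so this line yields a real version only once that assignment is fixed. Promoting a `Specification-Version` to HIGH confidence when no `Implementation-Version` exists is a deliberate weighting change; a short comment stating why it is treated as reliable in that case, e.g. `// no Implementation-Version present, so the specification version is the best signal we have`, would help the next reader. The enclosing method ends outside the hunk.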
@@ -96,7 +96,7 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase { callDetermineCPE_full("hazelcast-2.5.jar", null, instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp); callDetermineCPE_full("spring-context-support-2.5.5.jar", "cpe:/a:vmware:springsource_spring_framework:2.5.5", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp); callDetermineCPE_full("spring-core-3.0.0.RELEASE.jar", "cpe:/a:vmware:springsource_spring_framework:3.0.0", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp); - callDetermineCPE_full("org.mortbay.jetty.jar", "cpe:/a:mortbay_jetty:jetty:4.2", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp); + callDetermineCPE_full("org.mortbay.jetty.jar", "cpe:/a:mortbay_jetty:jetty:4.2.27", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp); callDetermineCPE_full("jaxb-xercesImpl-1.5.jar", null, instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp); callDetermineCPE_full("ehcache-core-2.2.0.jar", null, instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp); } finally { From 9fbf8b58a1cb3353056a2ffecf9d515dd459f051 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 29 Jun 2015 06:24:43 -0400 Subject: [PATCH 20/20] added archive.scan.depth Former-commit-id: 4582ae764582a0435b6f672ed86393d37f8e3d05 --- .../src/main/resources/dependencycheck.properties | 3 +++ 1 file changed, 3 insertions(+) diff --git a/dependency-check-core/src/main/resources/dependencycheck.properties b/dependency-check-core/src/main/resources/dependencycheck.properties index 6a737631c..6bbba2235 100644 --- a/dependency-check-core/src/main/resources/dependencycheck.properties +++ b/dependency-check-core/src/main/resources/dependencycheck.properties @@ -70,3 +70,6 @@ analyzer.nexus.proxy=true # the URL for searching search.maven.org for SHA-1 and whether it's enabled analyzer.central.enabled=true analyzer.central.url=http://search.maven.org/solrsearch/select + +# the number of nested archives that will be searched. +archive.scan.depth=3 \ No newline at end of file
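Review bot: The new `archive.scan.depth=3` entry is written without a trailing newline (the `\ No newline at end of file` marker), so every future append to this file will show up as a change to this line as well; end the file with a newline. The comment could also say what the limit is for so the value is not raised casually, e.g. `# maximum nesting level of archives-within-archives that will be extracted and scanned; bounds the work spent on deeply nested inputs`, assuming that is indeed how the depth is applied by the archive analyzer, which is not visible here.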