Merge branch 'upmaster' into ruby-bundler

Conflicts:
	dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java

dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java

@@ -145,13 +145,15 @@ public class DependencyCheckTask extends Task {
     /**
      * The application name for the report.
      */
-    private String applicationName = "Dependency-Check";
+    @Deprecated
+    private String applicationName = null;
 
     /**
      * Get the value of applicationName.
      *
      * @return the value of applicationName
      */
+    @Deprecated
     public String getApplicationName() {
         return applicationName;
     }
@@ -161,9 +163,37 @@ public class DependencyCheckTask extends Task {
      *
      * @param applicationName new value of applicationName
      */
+    @Deprecated
     public void setApplicationName(String applicationName) {
         this.applicationName = applicationName;
     }
+
+    private String projectName = "Dependency-Check";
+
+    /**
+     * Get the value of projectName.
+     *
+     * @return the value of projectName
+     */
+    public String getProjectName() {
+        if (applicationName != null) {
+            log("Configuration 'applicationName' has been deprecated, please use 'projectName' instead", Project.MSG_WARN);
+            if ("Dependency-Check".equals(projectName)) {
+                projectName = applicationName;
+            }
+        }
+        return projectName;
+    }
+
+    /**
+     * Set the value of projectName.
+     *
+     * @param projectName new value of projectName
+     */
+    public void setProjectName(String projectName) {
+        this.projectName = projectName;
+    }
+
     /**
      * The location of the data directory that contains
      */
@@ -279,8 +309,7 @@ public class DependencyCheckTask extends Task {
     }
 
     /**
-     * The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the
+     * The report format to be generated (HTML, XML, VULN, ALL). Default is HTML.
-     * Site plugin unless the externalReport is set to true. Default is HTML.
      */
     private String reportFormat = "HTML";
 
@@ -576,6 +605,29 @@ public class DependencyCheckTask extends Task {
         this.centralAnalyzerEnabled = centralAnalyzerEnabled;
     }
 
+    /**
+     * Whether or not the local copy of the NVD should be purged.
+     */
+    private boolean purge = false;
+
+    /**
+     * Used to determine if the local copy of the NVD should be purged.
+     *
+     * @return true if the local copy of the NVD should be purged
+     */
+    public boolean isPurge() {
+        return purge;
+    }
+
+    /**
+     * Set whether or not the local copy of the NVD should be purged.
+     *
+     * @param purge setting to true will cause the local copy of the NVD to be deleted.
+     */
+    public void setPurge(boolean purge) {
+        this.purge = purge;
+    }
+
     /**
      * Whether or not the nexus analyzer is enabled.
      */
@@ -900,7 +952,23 @@ public class DependencyCheckTask extends Task {
         dealWithReferences();
         validateConfiguration();
         populateSettings();
-
+        if (purge) {
+            File db;
+            try {
+                db = new File(Settings.getDataDirectory(), "dc.h2.db");
+                if (db.exists()) {
+                    if (db.delete()) {
+                        log("Database file purged; local copy of the NVD has been removed", Project.MSG_INFO);
+                    } else {
+                        log(String.format("Unable to delete '%s'; please delete the file manually", db.getAbsolutePath()), Project.MSG_ERR);
+                    }
+                } else {
+                    log(String.format("Unable to purge database; the database file does not exists: %s", db.getAbsolutePath()), Project.MSG_ERR);
+                }
+            } catch (IOException ex) {
+                log("Unable to delete the database", Project.MSG_ERR);
+            }
+        }
         Engine engine = null;
         try {
             engine = new Engine(DependencyCheckTask.class.getClassLoader());
@@ -933,7 +1001,7 @@ public class DependencyCheckTask extends Task {
                             cve.close();
                         }
                     }
-                    final ReportGenerator reporter = new ReportGenerator(applicationName, engine.getDependencies(), engine.getAnalyzers(), prop);
+                    final ReportGenerator reporter = new ReportGenerator(getProjectName(), engine.getDependencies(), engine.getAnalyzers(), prop);
                     reporter.generateReports(reportOutputDirectory, reportFormat);
 
                     if (this.failBuildOnCVSS <= 10) {

dependency-check-ant/src/site/markdown/configuration.md

@@ -8,7 +8,7 @@ the project's dependencies.
 
 ```xml
 <target name="dependency-check" description="Dependency-Check Analysis">
-    <dependency-check applicationname="Hello World"
+    <dependency-check projectname="Hello World"
                       reportoutputdirectory="${basedir}"
                       reportformat="ALL">
 
@@ -27,7 +27,7 @@ Property              | Description                        | Default Value
 ----------------------|------------------------------------|------------------
 autoUpdate            | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true
 updateOnly            | If set to true only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated. | false
-externalReport        | When using as a Site plugin this parameter sets whether or not the external report format should be used. | false
+projectName           | The name of the project being scanned. | Dependency-Check
 reportOutputDirectory | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build | 'target'
 failBuildOnCVSS       | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail.         | 11
 reportFormat          | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
@@ -76,3 +76,4 @@ databaseDriverPath   | The path to the database driver JAR file; only used if th
 connectionString     | The connection string used to connect to the database.                                      | &nbsp;
 databaseUser         | The username used when connecting to the database.                                          | &nbsp;
 databasePassword     | The password used when connecting to the database.                                          | &nbsp;
+purge                | Delete the local copy of the NVD. This is used to force a refresh of the data.              | &nbsp;

dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java

@@ -38,6 +38,7 @@ import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import ch.qos.logback.core.FileAppender;
+import java.util.logging.Level;
 import org.slf4j.impl.StaticLoggerBinder;
 
 /**
@@ -91,7 +92,28 @@ public class App {
             prepareLogger(cli.getVerboseLog());
         }
 
-        if (cli.isGetVersion()) {
+        if (cli.isPurge()) {
+            if (cli.getConnectionString() != null) {
+                LOGGER.error("Unable to purge the database when using a non-default connection string");
+            } else {
+                populateSettings(cli);
+                File db;
+                try {
+                    db = new File(Settings.getDataDirectory(), "dc.h2.db");
+                    if (db.exists()) {
+                        if (db.delete()) {
+                            LOGGER.info("Database file purged; local copy of the NVD has been removed");
+                        } else {
+                            LOGGER.error("Unable to delete '{}'; please delete the file manually", db.getAbsolutePath());
+                        }
+                    } else {
+                        LOGGER.error("Unable to purge database; the database file does not exists: {}", db.getAbsolutePath());
+                    }
+                } catch (IOException ex) {
+                    LOGGER.error("Unable to delete the database");
+                }
+            }
+        } else if (cli.isGetVersion()) {
             cli.printVersionInfo();
         } else if (cli.isUpdateOnly()) {
             populateSettings(cli);
@@ -99,7 +121,7 @@ public class App {
         } else if (cli.isRunScan()) {
             populateSettings(cli);
             try {
-                runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles(),
+                runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getProjectName(), cli.getScanFiles(),
                         cli.getExcludeList(), cli.getSymLinkDepth());
             } catch (InvalidScanPathException ex) {
                 LOGGER.error("An invalid scan path was detected; unable to scan '//*' paths");

dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java

@@ -19,6 +19,7 @@ package org.owasp.dependencycheck;
 
 import java.io.File;
 import java.io.FileNotFoundException;
+import java.util.logging.Level;
 
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.CommandLineParser;
@@ -97,8 +98,8 @@ public final class CliParser {
             if (getPathToMono() != null) {
                 validatePathExists(getPathToMono(), ARGUMENT.PATH_TO_MONO);
             }
-            if (!line.hasOption(ARGUMENT.APP_NAME)) {
+            if (!line.hasOption(ARGUMENT.APP_NAME) && !line.hasOption(ARGUMENT.PROJECT)) {
-                throw new ParseException("Missing 'app' argument; the scan cannot be run without the an application name.");
+                throw new ParseException("Missing '" + ARGUMENT.PROJECT + "' argument; the scan cannot be run without the an project name.");
             }
             if (line.hasOption(ARGUMENT.OUTPUT_FORMAT)) {
                 final String format = line.getOptionValue(ARGUMENT.OUTPUT_FORMAT);
@@ -217,9 +218,9 @@ public final class CliParser {
         final Option noUpdate = new Option(ARGUMENT.DISABLE_AUTO_UPDATE_SHORT, ARGUMENT.DISABLE_AUTO_UPDATE,
                 false, "Disables the automatic updating of the CPE data.");
 
-        final Option appName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ARGUMENT.APP_NAME)
+        final Option projectName = OptionBuilder.hasArg().withArgName("name").withLongOpt(ARGUMENT.PROJECT)
-                .withDescription("The name of the application being scanned. This is a required argument.")
+                .withDescription("The name of the project being scanned. This is a required argument.")
-                .create(ARGUMENT.APP_NAME_SHORT);
+                .create();
 
         final Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.SCAN)
                 .withDescription("The path to scan - this option can be specified multiple times. Ant style"
@@ -229,7 +230,7 @@ public final class CliParser {
         final Option excludes = OptionBuilder.withArgName("pattern").hasArg().withLongOpt(ARGUMENT.EXCLUDE)
                 .withDescription("Specify and exclusion pattern. This option can be specified multiple times"
                         + " and it accepts Ant style excludsions.")
-                .create();
+                .create("p");
 
         final Option props = OptionBuilder.withArgName("file").hasArg().withLongOpt(ARGUMENT.PROP)
                 .withDescription("A property file to load.")
@@ -265,9 +266,9 @@ public final class CliParser {
 
         options.addOptionGroup(og)
                 .addOptionGroup(exog)
+                .addOption(projectName)
                 .addOption(out)
                 .addOption(outputFormat)
-                .addOption(appName)
                 .addOption(version)
                 .addOption(help)
                 .addOption(advancedHelp)
@@ -398,6 +399,10 @@ public final class CliParser {
         final Option disableNexusAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_NEXUS)
                 .withDescription("Disable the Nexus Analyzer.").create();
 
+        final Option purge = OptionBuilder.withLongOpt(ARGUMENT.PURGE_NVD)
+                .withDescription("Purges the local NVD data cache")
+                .create();
+
         options.addOption(updateOnly)
                 .addOption(cve12Base)
                 .addOption(cve20Base)
@@ -435,7 +440,8 @@ public final class CliParser {
                 .addOption(nexusUsesProxy)
                 .addOption(additionalZipExtensions)
                 .addOption(pathToMono)
-                .addOption(pathToBundleAudit);
+                .addOption(pathToBundleAudit)
+                .addOption(purge);
     }
 
     /**
@@ -451,8 +457,12 @@ public final class CliParser {
         final Option proxyServer = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.PROXY_URL)
                 .withDescription("The proxy url argument is deprecated, use proxyserver instead.")
                 .create();
+        final Option appName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ARGUMENT.APP_NAME)
+                .withDescription("The name of the project being scanned.")
+                .create(ARGUMENT.APP_NAME_SHORT);
 
         options.addOption(proxyServer);
+        options.addOption(appName);
     }
 
     /**
@@ -741,8 +751,14 @@ public final class CliParser {
      *
      * @return the application name.
      */
-    public String getApplicationName() {
+    public String getProjectName() {
-        return line.getOptionValue(ARGUMENT.APP_NAME);
+        String appName = line.getOptionValue(ARGUMENT.APP_NAME);
+        String name = line.getOptionValue(ARGUMENT.PROJECT);
+        if (name == null && appName != null) {
+            name = appName;
+            LOGGER.warn("The '" + ARGUMENT.APP_NAME + "' argument should no longer be used; use '" + ARGUMENT.PROJECT + "' instead.");
+        }
+        return name;
     }
 
     /**
@@ -894,7 +910,7 @@ public final class CliParser {
      * @return <code>true</code> if auto-update is allowed; otherwise <code>false</code>
      */
     public boolean isAutoUpdate() {
-        return (line == null) || !line.hasOption(ARGUMENT.DISABLE_AUTO_UPDATE);
+        return line != null && !line.hasOption(ARGUMENT.DISABLE_AUTO_UPDATE);
     }
 
     /**
@@ -903,7 +919,16 @@ public final class CliParser {
      * @return <code>true</code> if the update only flag has been set; otherwise <code>false</code>.
      */
     public boolean isUpdateOnly() {
-        return (line == null) || line.hasOption(ARGUMENT.UPDATE_ONLY);
+        return line != null && line.hasOption(ARGUMENT.UPDATE_ONLY);
+    }
+
+    /**
+     * Checks if the purge NVD flag has been set.
+     *
+     * @return <code>true</code> if the purge nvd flag has been set; otherwise <code>false</code>.
+     */
+    public boolean isPurge() {
+        return line != null && line.hasOption(ARGUMENT.PURGE_NVD);
     }
 
     /**
@@ -985,6 +1010,10 @@ public final class CliParser {
          * The long CLI argument name specifying that only the update phase should be executed; no scan should be run.
          */
         public static final String UPDATE_ONLY = "updateonly";
+        /**
+         * The long CLI argument name specifying that only the update phase should be executed; no scan should be run.
+         */
+        public static final String PURGE_NVD = "purge";
         /**
          * The long CLI argument name specifying the directory to write the reports to.
          */
@@ -1001,13 +1030,19 @@ public final class CliParser {
          * The short CLI argument name specifying the output format to write the reports to.
          */
         public static final String OUTPUT_FORMAT_SHORT = "f";
+        /**
+         * The long CLI argument name specifying the name of the project to be scanned.
+         */
+        public static final String PROJECT = "project";
         /**
          * The long CLI argument name specifying the name of the application to be scanned.
          */
+        @Deprecated
         public static final String APP_NAME = "app";
         /**
          * The short CLI argument name specifying the name of the application to be scanned.
          */
+        @Deprecated
         public static final String APP_NAME_SHORT = "a";
         /**
          * The long CLI argument name asking for help.

dependency-check-cli/src/site/markdown/arguments.md

@@ -5,7 +5,7 @@ The following table lists the command line arguments:
 
 Short  | Argument Name   | Parameter       | Description | Requirement
 -------|-----------------------|-----------------|-------------|------------
- \-a   | \-\-app               | \<name\>        | The name of the application being scanned. This is a required argument. | Required
+       | \-\-project           | \<name\>        | The name of the project being scanned. | Required
  \-s   | \-\-scan              | \<path\>        | The path to scan \- this option can be specified multiple times. It is also possible to specify Ant style paths (e.g. directory/**/*.jar). | Required
        | \-\-exclude           | \<pattern\>     | The path patterns to exclude from the scan \- this option can be specified multiple times. This accepts Ant style path patterns (e.g. **/exclude/**). | Optional
        | \-\-symLink           | \<depth\>       | The depth that symbolic links will be followed; the default is 0 meaning symbolic links will not be followed. | Optional
@@ -58,3 +58,4 @@ Short  | Argument&nbsp;Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Paramete
        | \-\-dbPassword        | \<password\>    | The password for connecting to the database.                                     | &nbsp;
        | \-\-dbUser            | \<user\>        | The username used to connect to the database.                                    | &nbsp;
  \-d   | \-\-data              | \<path\>        | The location of the data directory used to store persistent data. This option should generally not be set. | &nbsp;
+       | \-\-purge             |                 | Delete the local copy of the NVD. This is used to force a refresh of the data.   | &nbsp;

dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/EscapeTool.java

@@ -24,8 +24,8 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
- * An extremely simple wrapper around various escape utils to perform URL and HTML encoding within the reports. This
+ * An extremely simple wrapper around various escape utils to perform URL and HTML encoding within the reports. This class was
- * class was created to simplify the velocity configuration and avoid using the "built-in" escape tool.
+ * created to simplify the velocity configuration and avoid using the "built-in" escape tool.
  *
  * @author Jeremy Long
  */
@@ -43,6 +43,9 @@ public class EscapeTool {
      * @return the URL encoded text
      */
     public String url(String text) {
+        if (text == null || text.isEmpty()) {
+            return text;
+        }
         try {
             return URLEncoder.encode(text, "UTF-8");
         } catch (UnsupportedEncodingException ex) {
@@ -59,6 +62,9 @@ public class EscapeTool {
      * @return the HTML encoded text
      */
     public String html(String text) {
+        if (text == null || text.isEmpty()) {
+            return text;
+        }
         return StringEscapeUtils.escapeHtml(text);
     }
 
@@ -69,6 +75,9 @@ public class EscapeTool {
      * @return the XML encoded text
      */
     public String xml(String text) {
+        if (text == null || text.isEmpty()) {
+            return text;
+        }
         return StringEscapeUtils.escapeXml(text);
     }
 }

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java

@@ -119,6 +119,8 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
                     //we shouldn't write this because nothing is configured to generate this report.
                     outputDir = new File(current.getBuild().getDirectory());
                 }
+                getLog().warn("\n\n\nwritting: " + outputDir);
+                getLog().warn("for: " + current.getName());
                 writeReports(engine, current, outputDir);
             }
         }

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java

@@ -233,6 +233,15 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
      */
     @Parameter(property = "connectionString", defaultValue = "", required = false)
     private String connectionString;
+
+    /**
+     * Returns the connection string.
+     *
+     * @return the connection string
+     */
+    protected String getConnectionString() {
+        return connectionString;
+    }
     /**
      * The database driver name. An example would be org.h2.Driver.
      */
@@ -594,7 +603,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
      * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties
      * required to change the proxy url, port, and connection timeout.
      */
-    private void populateSettings() {
+    protected void populateSettings() {
         Settings.initialize();
         InputStream mojoProperties = null;
         try {

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/PurgeMojo.java

@@ -0,0 +1,107 @@
+/*
+ * This file is part of dependency-check-maven.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.maven;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.Locale;
+import org.apache.maven.plugin.MojoExecutionException;
+import org.apache.maven.plugin.MojoFailureException;
+import org.apache.maven.plugins.annotations.LifecyclePhase;
+import org.apache.maven.plugins.annotations.Mojo;
+import org.apache.maven.plugins.annotations.ResolutionScope;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * Maven Plugin that purges the local copy of the NVD data.
+ *
+ * @author Jeremy Long
+ */
+@Mojo(
+        name = "purge",
+        defaultPhase = LifecyclePhase.GENERATE_RESOURCES,
+        threadSafe = true,
+        requiresDependencyResolution = ResolutionScope.NONE,
+        requiresOnline = true
+)
+public class PurgeMojo extends BaseDependencyCheckMojo {
+
+    /**
+     * Returns false; this mojo cannot generate a report.
+     *
+     * @return <code>false</code>
+     */
+    @Override
+    public boolean canGenerateReport() {
+        return false;
+    }
+
+    /**
+     * Purges the local copy of the NVD.
+     *
+     * @throws MojoExecutionException thrown if there is an exception executing the goal
+     * @throws MojoFailureException thrown if dependency-check is configured to fail the build
+     */
+    @Override
+    public void runCheck() throws MojoExecutionException, MojoFailureException {
+
+        if (getConnectionString() != null && !getConnectionString().isEmpty()) {
+            getLog().error("Unable to purge the local NVD when using a non-default connection string");
+        } else {
+            populateSettings();
+            File db;
+            try {
+                db = new File(Settings.getDataDirectory(), "dc.h2.db");
+                if (db.exists()) {
+                    if (db.delete()) {
+                        getLog().info("Database file purged; local copy of the NVD has been removed");
+                    } else {
+                        getLog().error(String.format("Unable to delete '%s'; please delete the file manually", db.getAbsolutePath()));
+                    }
+                } else {
+                    getLog().error(String.format("Unable to purge database; the database file does not exists: %s", db.getAbsolutePath()));
+                }
+            } catch (IOException ex) {
+                getLog().error("Unable to delete the database");
+            }
+            Settings.cleanup();
+        }
+    }
+
+    /**
+     * Returns the report name.
+     *
+     * @param locale the location
+     * @return the report name
+     */
+    public String getName(Locale locale) {
+        return "dependency-check-purge";
+    }
+
+    /**
+     * Gets the description of the Dependency-Check report to be displayed in the Maven Generated Reports page.
+     *
+     * @param locale The Locale to get the description for
+     * @return the description
+     */
+    public String getDescription(Locale locale) {
+        return "Purges the local cache of the NVD dataT.";
+    }
+
+}

dependency-check-maven/src/site/markdown/configuration.md

@@ -6,6 +6,7 @@ Goal        | Description
 aggregate   | Runs dependency-check against the child projects and aggregates the results into a single report.
 check       | Runs dependency-check against the project and generates a report.
 update-only | Updates the local cache of the NVD data from NIST.
+purge       | Deletes the local copy of the NVD. This is used to force a refresh of the data.
 
 Configuration
 ====================
@@ -49,13 +50,13 @@ Advanced Configuration
 The following properties can be configured in the plugin. However, they are less frequently changed. One exception
 may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment.
 
-Property             | Description                                                              | Default Value
+Property             | Description                                                                                 | Default Value
----------------------|--------------------------------------------------------------------------|------------------
+---------------------|---------------------------------------------------------------------------------------------|------------------
-cveUrl12Modified     | URL for the modified CVE 1.2.                                            | http://nvd.nist.gov/download/nvdcve-modified.xml
+cveUrl12Modified     | URL for the modified CVE 1.2.                                                               | http://nvd.nist.gov/download/nvdcve-modified.xml
-cveUrl20Modified     | URL for the modified CVE 2.0.                                            | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
+cveUrl20Modified     | URL for the modified CVE 2.0.                                                               | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
-cveUrl12Base         | Base URL for each year's CVE 1.2, the %d will be replaced with the year. | http://nvd.nist.gov/download/nvdcve-%d.xml
+cveUrl12Base         | Base URL for each year's CVE 1.2, the %d will be replaced with the year.                    | http://nvd.nist.gov/download/nvdcve-%d.xml
-cveUrl20Base         | Base URL for each year's CVE 2.0, the %d will be replaced with the year. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
+cveUrl20Base         | Base URL for each year's CVE 2.0, the %d will be replaced with the year.                    | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
-connectionTimeout    | Sets the URL Connection Timeout used when downloading external data.     |  
+connectionTimeout    | Sets the URL Connection Timeout used when downloading external data.                        |  
 dataDirectory        | Sets the data directory to hold SQL CVEs contents. This should generally not be changed.    |  
 databaseDriverName   | The name of the database driver. Example: org.h2.Driver.                                    |  
 databaseDriverPath   | The path to the database driver JAR file; only used if the driver is not in the class path. |  

src/site/markdown/analyzers/cmake.md

@@ -0,0 +1,11 @@
+CMake Analyzer
+==============
+
+OWASP dependency-check includes an analyzer that will scan CMake project
+configuration files. The analyzer will collect as much information it can
+about the project. The information collected is internally referred to as
+evidence and is grouped into vendor, product, and version buckets. Other
+analyzers later use this evidence to identify any Common Platform Enumeration
+(CPE) identifiers that apply.
+
+File names scanned: CMakeLists.txt, \*.cmake

src/site/markdown/analyzers/index.md

@@ -5,12 +5,15 @@ to extract identification information from the files analyzed.
 
 | Analyzer | File Types Scanned | Analysis Method |
 | -------- | ------------------ | --------------- |
-| [Archive Analyzer](./archive-analyzer.html) | Zip archive format (\*.zip, \*.ear, \*.war, \*.jar, \*.sar, \*.apk, \*.nupkg); Tape Archive Format (\*.tar); Gzip format (\*.gz, \*.tgz); Bzip2 format (\*.bz2, \*.tbz2) | Extracts archive contents, then scans contents with all available analyzers. |
+| [Archive](./archive-analyzer.html) | Zip archive format (\*.zip, \*.ear, \*.war, \*.jar, \*.sar, \*.apk, \*.nupkg); Tape Archive Format (\*.tar); Gzip format (\*.gz, \*.tgz); Bzip2 format (\*.bz2, \*.tbz2) | Extracts archive contents, then scans contents with all available analyzers. |
-| [Assembly Analyzer](./assembly-analyzer.html) | .NET Assemblies (\*.exe, \*.dll) | Uses [GrokAssembly.exe](https://github.com/colezlaw/GrokAssembly), which requires .NET Framework or Mono runtime to be installed. |
+| [Assembly](./assembly-analyzer.html) | .NET Assemblies (\*.exe, \*.dll) | Uses [GrokAssembly.exe](https://github.com/colezlaw/GrokAssembly), which requires .NET Framework or Mono runtime to be installed. |
-| [Autoconf Analyzer](./autoconf-analyzer.html) | Autoconf project configuration files (configure, configure.in, configure.ac) | Regex scan for AC_INIT metadata, including in generated configuration script. |
+| [Autoconf](./autoconf.html) | Autoconf project configuration files (configure, configure.in, configure.ac) | [Regex](https://en.wikipedia.org/wiki/Regular_expression) scan for AC_INIT metadata, including in generated configuration script. |
-| [Central Analyzer](./central-analyzer.html) | Java archive files (\*.jar) | Searches Maven Central or a configured Nexus repository for the file's SHA1 hash. |
+| [Central](./central-analyzer.html) | Java archive files (\*.jar) | Searches Maven Central or a configured Nexus repository for the file's SHA1 hash. |
-| [Jar Analyzer](./jar-analyzer.html) | Java archive files (\*.jar); Web application archive (\*.war) | Examines archive manifest metadata, and Maven Project Object Model files (pom.xml). |
+| [CMake](./cmake.html) | CMake project files (CMakeLists.txt) and scripts (\*.cmake) | Regex scan for project initialization and version setting commands. |
-| [Nexus Analyzer](./nexus-analyzer.html) | Java archive files (\*.jar) | Searches Sonatype or a configured Nexus repository for the file's SHA1 hash. In most cases, superceded by Central Analyzer. |
+| [Jar](./jar-analyzer.html) | Java archive files (\*.jar); Web application archive (\*.war) | Examines archive manifest metadata, and Maven Project Object Model files (pom.xml). |
-| [Nuspec Analyzer](./nuspec-analyzer.html) | Nuget package specification file (\*.nuspec) | Uses XPath to parse specification XML. |
+| [Nexus](./nexus-analyzer.html) | Java archive files (\*.jar) | Searches Sonatype or a configured Nexus repository for the file's SHA1 hash. In most cases, superceded by Central . |
-| [OpenSSL Analyzer](./openssl-analyzer.html) | OpenSSL Version Source Header File (opensslv.h) | Regex parse of the OPENSSL_VERSION_NUMBER macro definition. |
+| [Node.js](./nodejs.html) | NPM package specification files (package.json) | Parse JSON format for metadata. |
-| [Python Analyzer](./python-analyzer.html) | Python source files (\*.py); Package metadata files (PKG-INFO, METADATA); Package Distribution Files (\*.whl, \*.egg, \*.zip) | Regex scan of Python source files for setuptools metadata; Parse RFC822 header format for metadata in all other artifacts. |
+| [Nuspec](./nuspec-analyzer.html) | Nuget package specification file (\*.nuspec) | Uses XPath to parse specification XML. |
+| [OpenSSL](./openssl.html) | OpenSSL Version Source Header File (opensslv.h) | Regex parse of the OPENSSL_VERSION_NUMBER macro definition. |
+| [Python](./python.html) | Python source files (\*.py); Package metadata files (PKG-INFO, METADATA); Package Distribution Files (\*.whl, \*.egg, \*.zip) | Regex scan of Python source files for setuptools metadata; Parse RFC822 header format for metadata in all other artifacts. |
+| [Ruby Gemspec](./ruby-gemspec.html) | Ruby makefiles (Rakefile); Ruby Gemspec files (\*.gemspec) | Regex scan Gemspec initialization blocks for metadata. |

src/site/markdown/analyzers/nodejs.md

@@ -0,0 +1,14 @@
+Node.js Analyzer
+================
+
+OWASP dependency-check includes an analyzer that will scan [Node Package Manager](https://www.npmjs.com/)
+package specification files. The analyzer will collect as much information as
+it can about the package. The information collected is internally referred to
+as evidence and is grouped into vendor, product, and version buckets. Other
+analyzers later use this evidence to identify any Common Platform Enumeration
+(CPE) identifiers that apply.
+
+__Note:__ Also consider using the Node Security Project auditing tool,
+[nsp](https://nodesecurity.io/tools).
+
+Files Types Scanned: [package.json](https://docs.npmjs.com/files/package.json)

src/site/markdown/analyzers/python-analyzer.md

@@ -1,10 +0,0 @@
-Python Analyzer
-==============
-
-OWASP dependency-check includes an analyzer that will scan Python artifacts. The
-analyzer(s) will collect as much information it can about the python artifacts.
-The information collected is internally referred to as evidence and is grouped into
-vendor, product, and version buckets. Other analyzers later use this evidence to
-identify any Common Platform Enumeration (CPE) identifiers that apply.
-
-Files Types Scanned: py, whl, egg, zip, PKG-INFO, and METADATA

src/site/markdown/analyzers/python.md

@@ -0,0 +1,11 @@
+Python Analyzer
+==============
+
+OWASP dependency-check includes an analyzer that will scan Python artifacts.
+The analyzer(s) will collect as much information it can about the Python
+artifacts. The information collected is internally referred to as evidence and
+is grouped into vendor, product, and version buckets. Other analyzers later
+use this evidence to identify any Common Platform Enumeration (CPE)
+identifiers that apply.
+
+Files Types Scanned: py, whl, egg, zip, PKG-INFO, and METADATA

src/site/markdown/analyzers/ruby-gemspec.md

@@ -0,0 +1,15 @@
+Ruby Gemspec Analyzer
+=====================
+
+OWASP dependency-check includes an analyzer that will scan [Ruby Gem](https://rubygems.org/)
+[specifications](http://guides.rubygems.org/specification-reference/). The
+analyzer will collect as much information as it can about the Gem. The
+information collected is internally referred to as evidence and is grouped
+into vendor, product, and version buckets. Other analyzers later use this
+evidence to identify any Common Platform Enumeration (CPE) identifiers that
+apply.
+
+__Note:__ Also consider using the Ruby 
+[bundler-audit](https://github.com/rubysec/bundler-audit#readme) tool.
+
+Files Types Scanned: Rakefile, \*.gemspec

src/site/markdown/index.md

@@ -2,11 +2,12 @@ About
 ====================
 OWASP dependency-check is an open source solution the OWASP Top 10 2013 entry:
 [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities).
-Dependency-check can currently be used to scan Java, .NET, and Python
+Dependency-check can currently be used to scan Java, .NET, Python, Ruby and
-applications (and their dependent libraries) to identify known vulnerable
+Node.js applications (and their dependent libraries) to identify known
-components. In addition, Dependency-check can be used to scan some source
+vulnerable components. In addition, Dependency-check can be used to scan some
-code, including OpenSSL source code and source code for projects that use
+source code, including OpenSSL source code and source code for projects that
-Autoconf.
+use [Autoconf](https://www.gnu.org/software/autoconf/) or
+[CMake](http://www.cmake.org/overview/).
 
 The problem with using known vulnerable components was covered in a paper by
 Jeff Williams and Arshan Dabirsiaghi titled, "[The Unfortunate Reality of

src/site/site.xml

@@ -113,26 +113,35 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
                 <item name="Assembly Analyzer" href="./analyzers/assembly-analyzer.html">
                     <description>Assembly Analyzer</description>
                 </item>
-                <item name="Autoconf Analyzer" href="./analyzers/autoconf-analyzer.html">
+                <item name="Autoconf Analyzer" href="./analyzers/autoconf.html">
                     <description>Autoconf Analyzer</description>
                 </item>
                 <item name="Central Analyzer" href="./analyzers/central-analyzer.html">
                     <description>Central Analyzer</description>
                 </item>
+                <item name="CMake Analyzer" href="./analyzers/cmake.html">
+                    <description>CMake Analyzer</description>
+                </item>
                 <item name="Jar Analyzer" href="./analyzers/jar-analyzer.html">
                     <description>Jar Analyzer</description>
                 </item>
                 <item name="Nexus Analyzer" href="./analyzers/nexus-analyzer.html">
                     <description>Nexus Analyzer</description>
                 </item>
+                <item name="Node.js Analyzer" href="./analyzers/nodejs.html">
+                    <description>Node.js Analyzer</description>
+                </item>
                 <item name="Nuspec Analyzer" href="./analyzers/nuspec-analyzer.html">
                     <description>Nuspec Analyzer</description>
                 </item>
-                <item name="Python Analyzer" href="./analyzers/python-analyzer.html">
+                <item name="OpenSSL Analyzer" href="./analyzers/openssl.html">
+                    <description>OpenSSL Analyzer</description>
+                </item>
+                <item name="Python Analyzer" href="./analyzers/python.html">
                     <description>Python Analyzer</description>
                 </item>
-                <item name="OpenSSL Analyzer" href="./analyzers/openssl-analyzer.html">
+                <item name="Ruby Gemspec Analyzer" href="./analyzers/ruby-gemspec.html">
-                    <description>OpenSSL Analyzer</description>
+                    <description>Ruby Gemspec Analyzer</description>
                 </item>
             </item>
             <item collapse="true" name="Modules" href="./modules.html">