Prefer interfaces over concrete classes. I have updated internal usage and accepted parameters. I have not touched return values for public/protected methods since they may be called externally and I don't want to break assignments from these.

Former-commit-id: e534f9acf569a258dd72a568dfe69e70486eb697

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java

@@ -110,7 +110,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
     static {
         final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
         if (additionalZipExt != null) {
-            final HashSet<String> ext = new HashSet<String>(Arrays.asList(additionalZipExt));
+            final Set<String> ext = new HashSet<String>(Arrays.asList(additionalZipExt));
             ZIPPABLES.addAll(ext);
         }
         EXTENSIONS.addAll(ZIPPABLES);

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java

@@ -255,7 +255,7 @@ public class CPEAnalyzer implements Analyzer {
     protected List<IndexEntry> searchCPE(String vendor, String product,
             Set<String> vendorWeightings, Set<String> productWeightings) {
 
-        final ArrayList<IndexEntry> ret = new ArrayList<IndexEntry>(MAX_QUERY_RESULTS);
+        final List<IndexEntry> ret = new ArrayList<IndexEntry>(MAX_QUERY_RESULTS);
 
         final String searchString = buildSearch(vendor, product, vendorWeightings, productWeightings);
         if (searchString == null) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java

@@ -19,6 +19,7 @@ package org.owasp.dependencycheck.analyzer;
 
 import java.util.ArrayList;
 import java.util.Iterator;
+import java.util.List;
 import java.util.Set;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
@@ -101,7 +102,7 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
             dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
         }
         final Iterator<Evidence> itr = dependency.getVendorEvidence().iterator();
-        final ArrayList<Evidence> newEntries = new ArrayList<Evidence>();
+        final List<Evidence> newEntries = new ArrayList<Evidence>();
         while (itr.hasNext()) {
             final Evidence e = itr.next();
             if ("sun".equalsIgnoreCase(e.getValue(false))) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java

@@ -227,7 +227,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
     @Override
     public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
         try {
-            final ArrayList<ClassNameInformation> classNames = collectClassNames(dependency);
+            final List<ClassNameInformation> classNames = collectClassNames(dependency);
             final String fileName = dependency.getFileName().toLowerCase();
             if (classNames.isEmpty()
                     && (fileName.endsWith("-sources.jar")
@@ -255,7 +255,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * @throws AnalysisException is thrown if there is an exception parsing the pom
      * @return whether or not evidence was added to the dependency
      */
-    protected boolean analyzePOM(Dependency dependency, ArrayList<ClassNameInformation> classes, Engine engine) throws AnalysisException {
+    protected boolean analyzePOM(Dependency dependency, List<ClassNameInformation> classes, Engine engine) throws AnalysisException {
         boolean foundSomething = false;
         final JarFile jar;
         try {
@@ -531,7 +531,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * file being analyzed
      * @return true if there was evidence within the pom that we could use; otherwise false
      */
-    private boolean setPomEvidence(Dependency dependency, Model pom, Properties pomProperties, ArrayList<ClassNameInformation> classes) {
+    private boolean setPomEvidence(Dependency dependency, Model pom, Properties pomProperties, List<ClassNameInformation> classes) {
         boolean foundSomething = false;
         boolean addAsIdentifier = true;
         if (pom == null) {
@@ -659,10 +659,10 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * @param dependency a dependency to analyze
      * @param addPackagesAsEvidence a flag indicating whether or not package names should be added as evidence.
      */
-    protected void analyzePackageNames(ArrayList<ClassNameInformation> classNames,
+    protected void analyzePackageNames(List<ClassNameInformation> classNames,
             Dependency dependency, boolean addPackagesAsEvidence) {
-        final HashMap<String, Integer> vendorIdentifiers = new HashMap<String, Integer>();
+        final Map<String, Integer> vendorIdentifiers = new HashMap<String, Integer>();
-        final HashMap<String, Integer> productIdentifiers = new HashMap<String, Integer>();
+        final Map<String, Integer> productIdentifiers = new HashMap<String, Integer>();
         analyzeFullyQualifiedClassNames(classNames, vendorIdentifiers, productIdentifiers);
 
         final int classCount = classNames.size();
@@ -704,7 +704,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * @return whether evidence was identified parsing the manifest
      * @throws IOException if there is an issue reading the JAR file
      */
-    protected boolean parseManifest(Dependency dependency, ArrayList<ClassNameInformation> classInformation) throws IOException {
+    protected boolean parseManifest(Dependency dependency, List<ClassNameInformation> classInformation) throws IOException {
         boolean foundSomething = false;
         JarFile jar = null;
         try {
@@ -1050,8 +1050,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * @param dependency the dependency being analyzed
      * @return an list of fully qualified class names
      */
-    private ArrayList<ClassNameInformation> collectClassNames(Dependency dependency) {
+    private List<ClassNameInformation> collectClassNames(Dependency dependency) {
-        final ArrayList<ClassNameInformation> classNames = new ArrayList<ClassNameInformation>();
+        final List<ClassNameInformation> classNames = new ArrayList<ClassNameInformation>();
         JarFile jar = null;
         try {
             jar = new JarFile(dependency.getActualFilePath());
@@ -1089,10 +1089,10 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * @param vendor HashMap of possible vendor names from package names (e.g. owasp)
      * @param product HashMap of possible product names from package names (e.g. dependencycheck)
      */
-    private void analyzeFullyQualifiedClassNames(ArrayList<ClassNameInformation> classNames,
+    private void analyzeFullyQualifiedClassNames(List<ClassNameInformation> classNames,
-            HashMap<String, Integer> vendor, HashMap<String, Integer> product) {
+            Map<String, Integer> vendor, Map<String, Integer> product) {
         for (ClassNameInformation entry : classNames) {
-            final ArrayList<String> list = entry.getPackageStructure();
+            final List<String> list = entry.getPackageStructure();
             addEntry(vendor, list.get(0));
 
             if (list.size() == 2) {
@@ -1120,7 +1120,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * @param collection a collection of strings and their occurrence count
      * @param key the key to add to the collection
      */
-    private void addEntry(HashMap<String, Integer> collection, String key) {
+    private void addEntry(Map<String, Integer> collection, String key) {
         if (collection.containsKey(key)) {
             collection.put(key, collection.get(key) + 1);
         } else {
@@ -1137,7 +1137,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * @param value the value to check to see if it contains a package name
      * @param evidence the evidence collection to add new entries too
      */
-    private void addMatchingValues(ArrayList<ClassNameInformation> classes, String value, EvidenceCollection evidence) {
+    private void addMatchingValues(List<ClassNameInformation> classes, String value, EvidenceCollection evidence) {
         if (value == null || value.isEmpty() || classes == null || classes.isEmpty()) {
             return;
         }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java

@@ -28,6 +28,7 @@ import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Map;
 import java.util.Map.Entry;
 import java.util.Properties;
 import java.util.Set;
@@ -458,7 +459,8 @@ public class CveDB {
         final List<Vulnerability> vulnerabilities = new ArrayList<Vulnerability>();
 
         PreparedStatement ps;
-        final HashSet<String> cveEntries = new HashSet<String>();
+        //TODO(code review): Looks like things are only added to this map, but never retrieved or checked
+        final Set<String> cveEntries = new HashSet<String>();
         try {
             ps = getConnection().prepareStatement(SELECT_CVE_FROM_SOFTWARE);
             ps.setString(1, cpe.getVendor());
@@ -466,7 +468,7 @@ public class CveDB {
             rs = ps.executeQuery();
             String currentCVE = "";
 
-            final HashMap<String, Boolean> vulnSoftware = new HashMap<String, Boolean>();
+            final Map<String, Boolean> vulnSoftware = new HashMap<String, Boolean>();
             while (rs.next()) {
                 final String cveId = rs.getString(1);
                 if (!currentCVE.equals(cveId)) { //check for match and add
@@ -787,12 +789,12 @@ public class CveDB {
      * @param identifiedVersion the identified version of the dependency being analyzed
      * @return true if the identified version is affected, otherwise false
      */
-    protected Entry<String, Boolean> getMatchingSoftware(HashMap<String, Boolean> vulnerableSoftware, String vendor, String product,
+    protected Entry<String, Boolean> getMatchingSoftware(Map<String, Boolean> vulnerableSoftware, String vendor, String product,
             DependencyVersion identifiedVersion) {
 
         final boolean isVersionTwoADifferentProduct = "apache".equals(vendor) && "struts".equals(product);
 
-        final HashSet<String> majorVersionsAffectingAllPrevious = new HashSet<String>();
+        final Set<String> majorVersionsAffectingAllPrevious = new HashSet<String>();
         final boolean matchesAnyPrevious = identifiedVersion == null || "-".equals(identifiedVersion.toString());
         String majorVersionMatch = null;
         for (Entry<String, Boolean> entry : vulnerableSoftware.entrySet()) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java

@@ -154,7 +154,7 @@ public class DatabaseProperties {
      * @return a map of the database meta data
      */
     public Map<String, String> getMetaData() {
-        final TreeMap<String, String> map = new TreeMap<String, String>();
+        final Map<String, String> map = new TreeMap<String, String>();
         for (Entry<Object, Object> entry : properties.entrySet()) {
             final String key = (String) entry.getKey();
             if (!"version".equals(key)) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverLoader.java

@@ -27,6 +27,7 @@ import java.sql.Driver;
 import java.sql.DriverManager;
 import java.sql.SQLException;
 import java.util.ArrayList;
+import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
@@ -75,7 +76,7 @@ public final class DriverLoader {
      */
     public static Driver load(String className, String pathToDriver) throws DriverLoadException {
         final URLClassLoader parent = (URLClassLoader) ClassLoader.getSystemClassLoader();
-        final ArrayList<URL> urls = new ArrayList<URL>();
+        final List<URL> urls = new ArrayList<URL>();
         final String[] paths = pathToDriver.split(File.pathSeparator);
         for (String path : paths) {
             final File file = new File(path);

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersionUtil.java

@@ -18,6 +18,7 @@
 package org.owasp.dependencycheck.utils;
 
 import java.util.ArrayList;
+import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -62,7 +63,7 @@ public final class DependencyVersionUtil {
         //'-' is a special case used within the CVE entries, just include it as the version.
         if ("-".equals(text)) {
             final DependencyVersion dv = new DependencyVersion();
-            final ArrayList<String> list = new ArrayList<String>();
+            final List<String> list = new ArrayList<String>();
             list.add(text);
             dv.setVersionParts(list);
             return dv;

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/UrlStringUtils.java

@@ -23,6 +23,7 @@ import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 import java.util.regex.Pattern;
 
 /**
@@ -68,7 +69,7 @@ public final class UrlStringUtils {
     /**
      * A listing of domain parts that should not be used as evidence. Yes, this is an incomplete list.
      */
-    private static final HashSet<String> IGNORE_LIST = new HashSet<String>(
+    private static final Set<String> IGNORE_LIST = new HashSet<String>(
             Arrays.asList("www", "com", "org", "gov", "info", "name", "net", "pro", "tel", "mobi", "xxx"));
 
     /**
@@ -86,7 +87,7 @@ public final class UrlStringUtils {
      * @throws MalformedURLException thrown if the URL is malformed
      */
     public static List<String> extractImportantUrlData(String text) throws MalformedURLException {
-        final ArrayList<String> importantParts = new ArrayList<String>();
+        final List<String> importantParts = new ArrayList<String>();
         final URL url = new URL(text);
         final String[] domain = url.getHost().split("\\.");
         //add the domain except www and the tld.