From 2285d2ef4b9c4c46389432274f1b9c9b85e6fa31 Mon Sep 17 00:00:00 2001
From: pernst
Date: Thu, 6 Oct 2016 16:40:39 -0400
Subject: [PATCH] first commit
---
 .../owasp/dependencycheck/analyzer/AssemblyAnalyzer.java | 5 ++++-
 .../owasp/dependencycheck/data/central/CentralSearch.java | 5 +++--
 .../org/owasp/dependencycheck/data/nexus/NexusSearch.java | 5 +++--
 .../owasp/dependencycheck/data/nuget/XPathNuspecParser.java | 5 ++++-
 .../org/owasp/dependencycheck/data/update/CpeUpdater.java | 3 ++-
 .../owasp/dependencycheck/data/update/nvd/ProcessTask.java | 1 +
 .../org/owasp/dependencycheck/xml/hints/HintParser.java | 3 ++-
 .../java/org/owasp/dependencycheck/xml/pom/PomParser.java | 1 +
 .../dependencycheck/xml/suppression/SuppressionParser.java | 1 +
 .../src/main/resources/dependencycheck.properties | 6 +++---
 10 files changed, 24 insertions(+), 11 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
index 9501da8e6..780495890 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
@@ -255,7 +255,10 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
 // Try evacuating the error stream
 IOUtils.copy(p.getErrorStream(), NullOutputStream.NULL_OUTPUT_STREAM);
- final Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(p.getInputStream());
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ final DocumentBuilder builder = factory.newDocumentBuilder();
+ final Document doc = builder.parse(p.getInputStream());
 final XPath xpath = XPathFactory.newInstance().newXPath();
 final String error = xpath.evaluate("/assembly/error", doc);
 if (p.waitFor() != 1 || error == null || error.isEmpty()) {
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
index 5a9641dd4..ca207bcdc 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
@@ -110,8 +110,9 @@ public class CentralSearch {
 if (conn.getResponseCode() == 200) {
 boolean missing = false;
 try {
- final DocumentBuilder builder = DocumentBuilderFactory
- .newInstance().newDocumentBuilder();
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ final DocumentBuilder builder = factory.newDocumentBuilder();
 final Document doc = builder.parse(conn.getInputStream());
 final XPath xpath = XPathFactory.newInstance().newXPath();
 final String numFound = xpath.evaluate("/response/result/@numFound", doc);
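Review bot: The hardening rests on a single implementation-specific feature URI; `http://apache.org/xml/features/disallow-doctype-decl` is understood by the JDK's bundled Xerces-derived parser, but if another JAXP implementation is picked up through the service loader, `setFeature` throws `ParserConfigurationException` and the assembly output is never parsed. I would add the portable settings next to it as defence in depth, `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` and `factory.setXIncludeAware(false);`, so a parser that does not know the Xerces URI still gets entity-expansion limits (and, on JDK 8's JAXP, external DTD access disabled — confirm for the JDK range the project supports). A style nit: `factory` is the only non-final local in this block while `builder`, `doc` and `xpath` are all declared `final`, so `final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();` matches the file. The enclosing method begins and ends outside the hunk.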
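Review bot: The same three lines — factory creation, the Xerces feature URI, `newDocumentBuilder()` — are repeated verbatim in this hunk and in every other DOM parser touched by this patch, so the next parser added to the project must remember the magic string or it ships unhardened. A single shared helper, e.g. `static DocumentBuilder secureDocumentBuilder() throws ParserConfigurationException`, that applies the feature (and any future ones) would keep the policy in one place and reduce each call site to `final DocumentBuilder builder = secureDocumentBuilder();`. If it stays inline, the URI at least deserves a named constant and a why-comment such as `// reject any DOCTYPE: blocks XXE and entity-expansion (billion laughs) payloads in the response`. The surrounding try/catch lies outside the hunk; `setFeature` throws the same `ParserConfigurationException` that `newDocumentBuilder()` already did, so the existing handling presumably covers it.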
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java
index e43912491..dcb5b3c90 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java
@@ -108,8 +108,9 @@ public class NexusSearch {
 if (conn.getResponseCode() == 200) {
 try {
- final DocumentBuilder builder = DocumentBuilderFactory
- .newInstance().newDocumentBuilder();
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ final DocumentBuilder builder = factory.newDocumentBuilder();
 final Document doc = builder.parse(conn.getInputStream());
 final XPath xpath = XPathFactory.newInstance().newXPath();
 final String groupId = xpath
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNuspecParser.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNuspecParser.java
index 615944ad5..a49311e79 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNuspecParser.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNuspecParser.java
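Review bot: If the JAXP implementation in use does not recognise the feature, `factory.setFeature(...)` throws `ParserConfigurationException` before any response bytes are read, and because `newDocumentBuilder()` throws the same type, the catch clause outside this hunk cannot distinguish "secure parser unavailable" from an ordinary parser problem — the Nexus lookup would presumably be logged as a routine failure and the scan would continue with fewer identifications. Failing closed is the right direction, but it hides a deployment defect that disables this analyzer on every run; consider logging a dedicated warning that names the unsupported feature where the exception is handled, or probing the feature once at startup so the operator sees it. No `close()` of `conn.getInputStream()` is visible in the hunk; that predates the patch, but confirm the enclosing `finally` (outside the hunk) releases it. The enclosing method begins and ends outside the hunk.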
@@ -56,7 +56,10 @@ public class XPathNuspecParser implements NuspecParser {
 @Override
 public NugetPackage parse(InputStream stream) throws NuspecParseException {
 try {
- final Document d = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(stream);
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ final Document d = factory.newDocumentBuilder().parse(stream);
+
 final XPath xpath = XPathFactory.newInstance().newXPath();
 final NugetPackage nuspec = new NugetPackage();
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java
index 778ae124a..3f1b9b3be 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java
@@ -117,7 +117,8 @@ public class CpeUpdater extends BaseUpdater implements CachedWebDataSource {
 private List processXML(final File xml) throws UpdateException {
 try {
 final SAXParserFactory factory = SAXParserFactory.newInstance();
- final SAXParser saxParser = factory.newSAXParser();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ final SAXParser saxParser = factory.newSAXParser();
 final CPEHandler handler = new CPEHandler();
 saxParser.parse(xml, handler);
 return handler.getData();
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/ProcessTask.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/ProcessTask.java
index ff25eb0c3..81ebb4c8c 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/ProcessTask.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/ProcessTask.java
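Review bot: The `.nuspec` stream parsed here comes out of a package under scan, i.e. attacker-controlled input, which makes this the hunk where the DOCTYPE ban matters most — yet nothing in the code says why the unusual URI is there, so a one-line why-comment above the `setFeature` call, `// the .nuspec comes from the scanned package: forbid DOCTYPE to block XXE and entity expansion`, would stop a later cleanup from dropping it. Two style nits: `factory` is the only non-final local in a block whose other locals (`d`, `xpath`, `nuspec`) are final, so `final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();`; and the patch adds a stray empty `+` line between the parse and the XPath setup that none of the sibling hunks have. A nuspec that does carry a DOCTYPE now fails with `SAXParseException`; the catch that presumably maps it to the declared `NuspecParseException` is outside the hunk, so confirm the message tells the user the file was rejected for containing a DOCTYPE rather than reporting it as malformed. `parse` continues past the end of the hunk.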
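Review bot: The `- final SAXParser saxParser = factory.newSAXParser();` / `+ final SAXParser saxParser = factory.newSAXParser();` pair is textually identical, so this looks like an indentation-only change; restoring the original whitespace would keep the hunk to the one line that matters and leave `git blame` on that line pointing at the real change. For `SAXParserFactory`, `setFeature` is declared to throw `SAXNotRecognizedException` and `SAXNotSupportedException` as well as `ParserConfigurationException`; the catch clauses of `processXML` are outside the hunk, and whichever of them absorbs `SAXException` and converts to `UpdateException` will now also absorb a "feature unsupported" failure, which deserves its own log message because it means the CPE dictionary is never updated on that JVM. As with the DOM parsers, `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` alongside the Xerces URI would give a portable fallback.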
@@ -138,6 +138,7 @@ public class ProcessTask implements Callable {
 SAXException, IOException, SQLException, DatabaseException, ClassNotFoundException {
 final SAXParserFactory factory = SAXParserFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 final SAXParser saxParser = factory.newSAXParser();
 final NvdCve12Handler cve12Handler = new NvdCve12Handler();
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java
index 96a35bdc9..e6fa4142c 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java
@@ -109,7 +109,8 @@ public class HintParser {
 schemaStream = this.getClass().getClassLoader().getResourceAsStream(HINT_SCHEMA);
 final HintHandler handler = new HintHandler();
 final SAXParserFactory factory = SAXParserFactory.newInstance();
- factory.setNamespaceAware(true);
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ factory.setNamespaceAware(true);
 factory.setValidating(true);
 final SAXParser saxParser = factory.newSAXParser();
 saxParser.setProperty(HintParser.JAXP_SCHEMA_LANGUAGE, HintParser.W3C_XML_SCHEMA);
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomParser.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomParser.java
index d17ff6b6c..2ff59b665 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomParser.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomParser.java
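Review bot: The added line is a bare magic URI with no explanation in a method that processes feeds downloaded from the network, so the intent should be recorded where the next reader will see it: `// feeds are parsed without a DTD; reject any DOCTYPE outright to block XXE and entity-expansion payloads in a tampered download`. The visible part of the throws clause (`SAXException, IOException, SQLException, DatabaseException, ClassNotFoundException`) already propagates the `SAXNotRecognizedException`/`SAXNotSupportedException` that `SAXParserFactory.setFeature` can raise, since both extend `SAXException`; `ParserConfigurationException` is presumably in the portion of the clause above the hunk because `newSAXParser()` already required it. The enclosing method's signature starts before the hunk and its body continues after it.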
@@ -85,6 +85,7 @@ public class PomParser {
 final SAXParserFactory factory = SAXParserFactory.newInstance();
 // factory.setNamespaceAware(true);
 // factory.setValidating(true);
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 final SAXParser saxParser = factory.newSAXParser();
 final XMLReader xmlReader = saxParser.getXMLReader();
 xmlReader.setContentHandler(handler);
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionParser.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionParser.java
index d6e863f55..ffe61c4a5 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionParser.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionParser.java
@@ -128,6 +128,7 @@ public class SuppressionParser {
 final SAXParserFactory factory = SAXParserFactory.newInstance();
 factory.setNamespaceAware(true);
 factory.setValidating(true);
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 final SAXParser saxParser = factory.newSAXParser();
 saxParser.setProperty(SuppressionParser.JAXP_SCHEMA_LANGUAGE, SuppressionParser.W3C_XML_SCHEMA);
 saxParser.setProperty(SuppressionParser.JAXP_SCHEMA_SOURCE, new InputSource(schemaStream));
diff --git a/dependency-check-core/src/main/resources/dependencycheck.properties b/dependency-check-core/src/main/resources/dependencycheck.properties
index fe567580e..b07cf3d6b 100644
--- a/dependency-check-core/src/main/resources/dependencycheck.properties
+++ b/dependency-check-core/src/main/resources/dependencycheck.properties
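Review bot: With DOCTYPE declarations forbidden, any pom.xml that carries one will now raise `SAXParseException` at the parse call (outside this hunk) instead of being read; a DOCTYPE in a POM is unusual but not invalid, so confirm the caller treats this as a per-artifact warning and keeps scanning rather than aborting the run, and state the restriction in the enclosing method's Javadoc so users hitting it know why. The two commented-out lines `// factory.setNamespaceAware(true);` / `// factory.setValidating(true);` sitting directly above the new call are disabled code rather than documentation; if they are off for a reason, a short why-comment stating that reason is more useful than the dead statements, and if not, they should go. The enclosing method begins before the hunk and continues after it.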
@@ -4,7 +4,7 @@ autoupdate=true
 max.download.threads=3
 # the url to obtain the current engine version from
-engine.version.url=http://jeremylong.github.io/DependencyCheck/current.txt
+engine.version.url=https://jeremylong.github.io/DependencyCheck/current.txt
 #temp.directory defaults to System.getProperty("java.io.tmpdir")
 #temp.directory=[path to temp directory]
@@ -62,7 +62,7 @@ cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
 cve.cpe.startswith.filter=cpe:/a:
 cpe.validfordays=30
-cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz
+cpe.url=https://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz
 # the URL for searching Nexus for SHA-1 hashes and whether it's enabled
 analyzer.nexus.enabled=true
@@ -73,7 +73,7 @@ analyzer.nexus.proxy=true
 # the URL for searching search.maven.org for SHA-1 and whether it's enabled
 analyzer.central.enabled=true
-analyzer.central.url=http://search.maven.org/solrsearch/select
+analyzer.central.url=https://search.maven.org/solrsearch/select
 # the number of nested archives that will be searched.
 archive.scan.depth=3