Fixed merge conflict in App.java

dependency-check-core/src/main/resources/data/dbStatements_h2.properties

@@ -0,0 +1,15 @@
+# Copyright 2015 OWASP.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+MERGE_PROPERTY=MERGE INTO properties (id, value) KEY(id) VALUES(?, ?)

dependency-check-core/src/main/resources/data/dbStatements_mysql.properties

@@ -0,0 +1,15 @@
+# Copyright 2015 OWASP.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+MERGE_PROPERTY=CALL save_property(?, ?)

dependency-check-core/src/main/resources/data/dbStatements_postgreSQL.properties

@@ -0,0 +1,16 @@
+# Copyright 2015 OWASP.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+MERGE_PROPERTY=CALL save_property(?, ?)
+CLEANUP_ORPHANS=DELETE FROM cpeEntry WHERE id IN (SELECT id FROM cpeEntry LEFT JOIN software ON cpeEntry.id = software.CPEEntryId WHERE software.CPEEntryId IS NULL);

dependency-check-core/src/main/resources/data/initialize_mysql.sql

@@ -37,4 +37,20 @@ CREATE INDEX idxSoftwareCpe ON software(cpeEntryId);
 INSERT INTO properties(id,value) VALUES ('version','2.9');
 
 CREATE USER 'dcuser' IDENTIFIED BY 'DC-Pass1337!';
-GRANT SELECT, INSERT, DELETE, UPDATE ON dependencycheck.* TO 'dcuser';
+GRANT SELECT, INSERT, DELETE, UPDATE ON dependencycheck.* TO 'dcuser';
+
+
+DROP PROCEDURE IF EXISTS save_property;
+
+DELIMITER //
+CREATE PROCEDURE save_property
+(IN prop varchar(50), IN val varchar(500))
+BEGIN
+INSERT INTO properties (`id`, `value`) VALUES (prop, val)
+	ON DUPLICATE KEY UPDATE `value`=val;
+END //
+DELIMITER ;
+
+GRANT EXECUTE ON PROCEDURE dependencycheck.save_property TO 'dcuser';
+
+UPDATE Properties SET value='3.0' WHERE ID='version';

dependency-check-core/src/main/resources/data/initialize_postgres.sql

@@ -0,0 +1,53 @@
+CREATE USER dcuser WITH PASSWORD 'DC-Pass1337!';
+
+DROP TABLE IF EXISTS software;
+DROP TABLE IF EXISTS cpeEntry;
+DROP TABLE IF EXISTS reference;
+DROP TABLE IF EXISTS vulnerability;
+DROP TABLE IF EXISTS properties;
+
+CREATE TABLE properties (id varchar(50) PRIMARY KEY, value varchar(500));
+
+CREATE TABLE vulnerability (id SERIAL PRIMARY KEY, cve VARCHAR(20) UNIQUE,
+	description VARCHAR(8000), cwe VARCHAR(10), cvssScore DECIMAL(3,1), cvssAccessVector VARCHAR(20),
+	cvssAccessComplexity VARCHAR(20), cvssAuthentication VARCHAR(20), cvssConfidentialityImpact VARCHAR(20),
+	cvssIntegrityImpact VARCHAR(20), cvssAvailabilityImpact VARCHAR(20));
+
+CREATE TABLE reference (cveid INT, name VARCHAR(1000), url VARCHAR(1000), source VARCHAR(255),
+	CONSTRAINT fkReference FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE);
+
+CREATE TABLE cpeEntry (id SERIAL PRIMARY KEY, cpe VARCHAR(250), vendor VARCHAR(255), product VARCHAR(255));
+
+CREATE TABLE software (cveid INT, cpeEntryId INT, previousVersion VARCHAR(50)
+    , CONSTRAINT fkSoftwareCve FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE
+    , CONSTRAINT fkSoftwareCpeProduct FOREIGN KEY (cpeEntryId) REFERENCES cpeEntry(id));
+
+CREATE INDEX idxVulnerability ON vulnerability(cve);
+CREATE INDEX idxReference ON reference(cveid);
+CREATE INDEX idxCpe ON cpeEntry(cpe);
+CREATE INDEX idxCpeEntry ON cpeEntry(vendor, product);
+CREATE INDEX idxSoftwareCve ON software(cveid);
+CREATE INDEX idxSoftwareCpe ON software(cpeEntryId);
+
+INSERT INTO properties(id,value) VALUES ('version','2.9');
+
+GRANT SELECT, INSERT, DELETE, UPDATE ON ALL TABLES IN SCHEMA public TO dcuser;
+GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public to dcuser;
+
+DROP FUNCTION IF EXISTS save_property(varchar(50),varchar(500));
+
+CREATE FUNCTION save_property (IN prop varchar(50), IN val varchar(500))
+RETURNS void
+AS
+$$
+UPDATE properties SET "value"=val WHERE id=prop;
+
+INSERT INTO properties (id, value)
+	SELECT prop, val
+	WHERE NOT EXISTS (SELECT 1 FROM properties WHERE id=prop);
+$$ LANGUAGE sql;
+
+
+GRANT EXECUTE ON FUNCTION public.save_property(varchar(50),varchar(500)) TO dcuser;
+
+UPDATE Properties SET value='3.0' WHERE ID='version';

dependency-check-core/src/main/resources/data/upgrade_2.9.sql

@@ -1,7 +1 @@
-
---the following is not currently used.
---ALTER TABLE cpeEntry ADD COLUMN IF NOT EXISTS dictionaryEntry BOOLEAN;
---ALTER TABLE cpeEntry ALTER COLUMN dictionaryEntry  SET DEFAULT FALSE;
---UPDATE cpeEntry SET dictionaryEntry=false;
-
---UPDATE Properties SET value='3.0' WHERE ID='version';
+UPDATE Properties SET value='3.0' WHERE ID='version';

dependency-check-core/src/main/resources/data/upgrade_3.0.sql

@@ -0,0 +1,7 @@
+
+--the following is not currently used.
+--ALTER TABLE cpeEntry ADD COLUMN IF NOT EXISTS dictionaryEntry BOOLEAN;
+--ALTER TABLE cpeEntry ALTER COLUMN dictionaryEntry  SET DEFAULT FALSE;
+--UPDATE cpeEntry SET dictionaryEntry=false;
+
+--UPDATE Properties SET value='3.1' WHERE ID='version';

dependency-check-core/src/main/resources/data/upgrade_mysql_2.9.sql

@@ -0,0 +1,15 @@
+
+DROP PROCEDURE IF EXISTS save_property;
+
+DELIMITER //
+CREATE PROCEDURE save_property
+(IN prop varchar(50), IN val varchar(500))
+BEGIN
+INSERT INTO properties (`id`, `value`) VALUES (prop, val)
+	ON DUPLICATE KEY UPDATE `value`=val;
+END //
+DELIMITER ;
+
+GRANT EXECUTE ON PROCEDURE dependencycheck.save_property TO 'dcuser';
+
+UPDATE Properties SET value='3.0' WHERE ID='version';

dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml

@@ -161,4 +161,32 @@
         <gav regex="true">.*\bhk2\b.*</gav>
         <cpe>cpe:/a:oracle:glassfish</cpe>
     </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        file name: petals-se-camel-1.0.0.jar - false positive for apache camel.
+        ]]></notes>
+        <gav regex="true">org.ow2.petals:petals-se-camel:.*</gav>
+        <cpe>cpe:/a:apache:camel</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        Mina gets flagged as apache-ssl
+        ]]></notes>
+        <gav regex="true">org.apache.mina:mina.*</gav>
+        <cpe>cpe:/a:apache-ssl:apache-ssl</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        Woden gets flagged as apache-ssl
+        ]]></notes>
+        <gav regex="true">org.apache.woden:woden.*</gav>
+        <cpe>cpe:/a:apache-ssl:apache-ssl</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        spec gets flagged as the implementation.
+        ]]></notes>
+        <gav regex="true">org.apache.geronimo.specs:.*</gav>
+        <cpe>cpe:/a:apache:geronimo</cpe>
+    </suppress>
 </suppressions>

dependency-check-core/src/main/resources/dependencycheck.properties

@@ -18,8 +18,8 @@ engine.version.url=http://jeremylong.github.io/DependencyCheck/current.txt
 data.directory=[JAR]/data
 #if the filename has a %s it will be replaced with the current expected version
 data.file_name=dc.h2.db
-data.version=2.9
-data.connection_string=jdbc:h2:file:%s;FILE_LOCK=SERIALIZED;AUTOCOMMIT=ON;
+data.version=3.0
+data.connection_string=jdbc:h2:file:%s;FILE_LOCK=FS;AUTOCOMMIT=ON;
 #data.connection_string=jdbc:mysql://localhost:3306/dependencycheck
 
 # user name and password for the database connection. The inherent case is to use H2.
@@ -41,13 +41,15 @@ data.driver_path=
 # to update the other files if we are within this timespan. Per NIST this file
 # holds 8 days of updates, we are using 7 just to be safe.
 cve.url.modified.validfordays=7
-
+# the number of hours to wait before checking if updates are available from the NVD.
+cve.check.validforhours=4
+#first year to pull data from the URLs below
+cve.startyear=2002
 # the path to the modified nvd cve xml file.
 cve.url-1.2.modified=https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
 #cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
 cve.url-2.0.modified=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
 #cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
-cve.startyear=2002
 cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz
 #cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
 cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
@@ -79,3 +81,22 @@ archive.scan.depth=3
 
 # use HEAD (default) or GET as HTTP request method for query timestamp
 downloader.quick.query.timestamp=true
+
+
+analyzer.jar.enabled=true
+analyzer.archive.enabled=true
+analyzer.node.package.enabled=true
+analyzer.composer.lock.enabled=true
+analyzer.python.distribution.enabled=true
+analyzer.python.package.enabled=true
+analyzer.ruby.gemspec.enabled=true
+analyzer.autoconf.enabled=true
+analyzer.cmake.enabled=true
+analyzer.assembly.enabled=true
+analyzer.nuspec.enabled=true
+analyzer.openssl.enabled=true
+analyzer.central.enabled=true
+analyzer.nexus.enabled=false
+#whether the nexus analyzer uses the proxy
+analyzer.nexus.proxy=true
+

dependency-check-core/src/main/resources/templates/HtmlReport.vsl

@@ -578,6 +578,7 @@ arising out of or in connection with the use of this tool, the analysis performe
                         <td data-sort-value="$sortValue">
                         #set($sortValue="")
                         #foreach($id in $dependency.getIdentifiers())
+                            #set($cpeSort=0)
                             #if ($id.type=="maven")
                                 #if ($mavenlink=="" || !$mavenlink.url)
                                     #set($mavenlink=$id)
@@ -591,7 +592,6 @@ arising out of or in connection with the use of this tool, the analysis performe
                                 #else
                                     $enc.html($id.value)
                                 #end
-                                #set($cpeSort=0)
                                 #if ($cpeIdConf == "")
                                     #set($cpeIdConf=$id.confidence)
                                     #set($cpeSort=$id.confidence.ordinal())