Lots of updates, incorporated nvd cve data.

Former-commit-id: d54b2964cf11776521ee7114f536c8c3d9e14028

src/main/java/org/codesecure/dependencycheck/analyzer/AbstractAnalyzer.java

@@ -2,18 +2,18 @@ package org.codesecure.dependencycheck.analyzer;
 /*
  * This file is part of DependencyCheck.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
+ * DependencyCheck is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
+ * DependencyCheck is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
  *
- * You should have received a copy of the GNU General Public License
- * along with DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * You should have received a copy of the GNU General Public License along with
+ * DependencyCheck. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */

src/main/java/org/codesecure/dependencycheck/analyzer/AnalysisException.java

@@ -2,18 +2,18 @@ package org.codesecure.dependencycheck.analyzer;
 /*
  * This file is part of DependencyCheck.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
+ * DependencyCheck is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
+ * DependencyCheck is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
  *
- * You should have received a copy of the GNU General Public License
- * along with DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * You should have received a copy of the GNU General Public License along with
+ * DependencyCheck. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -36,6 +36,7 @@ public class AnalysisException extends Exception {
 
     /**
      * Creates a new AnalysisException.
+     *
      * @param msg a message for the exception.
      */
     public AnalysisException(String msg) {
@@ -44,6 +45,7 @@ public class AnalysisException extends Exception {
 
     /**
      * Creates a new AnalysisException.
+     *
      * @param ex the cause of the failure.
      */
     public AnalysisException(Throwable ex) {
@@ -52,6 +54,7 @@ public class AnalysisException extends Exception {
 
     /**
      * Creates a new DownloadFailedException.
+     *
      * @param msg a message for the exception.
      * @param ex the cause of the failure.
      */

src/main/java/org/codesecure/dependencycheck/analyzer/AnalysisPhase.java

@@ -2,18 +2,18 @@ package org.codesecure.dependencycheck.analyzer;
 /*
  * This file is part of DependencyCheck.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
+ * DependencyCheck is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
+ * DependencyCheck is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
  *
- * You should have received a copy of the GNU General Public License
- * along with DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * You should have received a copy of the GNU General Public License along with
+ * DependencyCheck. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */

src/main/java/org/codesecure/dependencycheck/analyzer/Analyzer.java

@@ -2,18 +2,18 @@ package org.codesecure.dependencycheck.analyzer;
 /*
  * This file is part of DependencyCheck.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
+ * DependencyCheck is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
+ * DependencyCheck is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
  *
- * You should have received a copy of the GNU General Public License
- * along with DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * You should have received a copy of the GNU General Public License along with
+ * DependencyCheck. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -31,58 +31,67 @@ import org.codesecure.dependencycheck.dependency.Dependency;
 public interface Analyzer {
 
     /**
-     * Analyzes the given dependency. The analysis could be anything from identifying
-     * an Idenifier for the dependency, to finding vulnerabilities, etc. Additionally,
-     * if the analyzer collects enough information to add a description or license
-     * information for the dependency it should be added.
+     * Analyzes the given dependency. The analysis could be anything from
+     * identifying an Idenifier for the dependency, to finding vulnerabilities,
+     * etc. Additionally, if the analyzer collects enough information to add a
+     * description or license information for the dependency it should be added.
      *
      * @param dependency a dependency to analyze.
-     * @throws AnalysisException is thrown if there is an error analyzing the dependency file
+     * @throws AnalysisException is thrown if there is an error analyzing the
+     * dependency file
      */
     void analyze(Dependency dependency) throws AnalysisException;
 
     /**
-     * <p>Returns a list of supported file extensions. An example would be an analyzer
-     * that inspected java jar files. The getSupportedExtensions function would return
-     * a set with a single element "jar".</p>
+     * <p>Returns a list of supported file extensions. An example would be an
+     * analyzer that inspected java jar files. The getSupportedExtensions
+     * function would return a set with a single element "jar".</p>
+     *
+     * <p><b>Note:</b> when implementing this the extensions returned MUST be
+     * lowercase.</p>
      *
-     * <p><b>Note:</b> when implementing this the extensions returned MUST be lowercase.</p>
      * @return The file extensions supported by this analyzer.
      *
-     * <p>If the analyzer returns null it will not cause additional files to be analyzed
-     * but will be executed against every file loaded</p>
+     * <p>If the analyzer returns null it will not cause additional files to be
+     * analyzed but will be executed against every file loaded</p>
      */
     Set<String> getSupportedExtensions();
 
     /**
      * Returns the name of the analyzer.
+     *
      * @return the name of the analyzer.
      */
     String getName();
 
     /**
      * Returns whether or not this analyzer can process the given extension.
+     *
      * @param extension the file extension to test for support.
-     * @return whether or not the specified file extension is supported by tihs analyzer.
+     * @return whether or not the specified file extension is supported by tihs
+     * analyzer.
      */
     boolean supportsExtension(String extension);
 
     /**
      * Returns the phase that the analyzer is intended to run in.
+     *
      * @return the phase that the analyzer is intended to run in.
      */
     AnalysisPhase getAnalysisPhase();
 
     /**
-     * The initialize method is called (once) prior to the analyze method being called on
-     * all of the dependencies.
+     * The initialize method is called (once) prior to the analyze method being
+     * called on all of the dependencies.
      *
-     * @throws Exception is thrown if an exception occurs initializing the analyzer.
+     * @throws Exception is thrown if an exception occurs initializing the
+     * analyzer.
      */
     void initialize() throws Exception;
 
     /**
-     * The close method is called after all of the dependencies have been analyzed.
+     * The close method is called after all of the dependencies have been
+     * analyzed.
      *
      * @throws Exception is thrown if an exception occurs closing the analyzer.
      */

src/main/java/org/codesecure/dependencycheck/analyzer/AnalyzerService.java

@@ -2,18 +2,18 @@ package org.codesecure.dependencycheck.analyzer;
 /*
  * This file is part of DependencyCheck.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
+ * DependencyCheck is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
+ * DependencyCheck is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
  *
- * You should have received a copy of the GNU General Public License
- * along with DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * You should have received a copy of the GNU General Public License along with
+ * DependencyCheck. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -39,6 +39,7 @@ public class AnalyzerService {
 
     /**
      * Retrieve the singleton instance of AnalyzerService.
+     *
      * @return a singleton AnalyzerService.
      */
     public static synchronized AnalyzerService getInstance() {
@@ -50,6 +51,7 @@ public class AnalyzerService {
 
     /**
      * Returns an Iterator for all instances of the Analyzer interface.
+     *
      * @return an iterator of Analyzers.
      */
     public Iterator<Analyzer> getAnalyzers() {

src/main/java/org/codesecure/dependencycheck/analyzer/ArchiveAnalyzer.java

@@ -2,18 +2,18 @@ package org.codesecure.dependencycheck.analyzer;
 /*
  * This file is part of DependencyCheck.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
+ * DependencyCheck is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
+ * DependencyCheck is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
  *
- * You should have received a copy of the GNU General Public License
- * along with DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * You should have received a copy of the GNU General Public License along with
+ * DependencyCheck. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -31,14 +31,16 @@ import org.codesecure.dependencycheck.Engine;
 public interface ArchiveAnalyzer {
 
     /**
-     * An ArchiveAnalyzer expands an archive and calls the scan method of the engine on
-     * the exploded contents.
+     * An ArchiveAnalyzer expands an archive and calls the scan method of the
+     * engine on the exploded contents.
      *
      * @param dependency a dependency to analyze.
      * @param engine the engine that is scanning the dependencies.
-     * @throws IOException is thrown if there is an error reading the dependency file
+     * @throws IOException is thrown if there is an error reading the dependency
+     * file
      */
     void analyze(Dependency dependency, Engine engine) throws IOException;
+
     /**
      * Cleans any temporary files generated when analyzing the archive.
      */

src/main/java/org/codesecure/dependencycheck/analyzer/FileNameAnalyzer.java

@@ -2,18 +2,18 @@ package org.codesecure.dependencycheck.analyzer;
 /*
  * This file is part of DependencyCheck.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
+ * DependencyCheck is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
+ * DependencyCheck is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
  *
- * You should have received a copy of the GNU General Public License
- * along with DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * You should have received a copy of the GNU General Public License along with
+ * DependencyCheck. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -46,6 +46,7 @@ public class FileNameAnalyzer implements Analyzer {
 
     /**
      * Returns a list of file EXTENSIONS supported by this analyzer.
+     *
      * @return a list of file EXTENSIONS supported by this analyzer.
      */
     public Set<String> getSupportedExtensions() {
@@ -54,6 +55,7 @@ public class FileNameAnalyzer implements Analyzer {
 
     /**
      * Returns the name of the analyzer.
+     *
      * @return the name of the analyzer.
      */
     public String getName() {
@@ -62,8 +64,10 @@ public class FileNameAnalyzer implements Analyzer {
 
     /**
      * Returns whether or not this analyzer can process the given extension.
+     *
      * @param extension the file extension to test for support.
-     * @return whether or not the specified file extension is supported by tihs analyzer.
+     * @return whether or not the specified file extension is supported by tihs
+     * analyzer.
      */
     public boolean supportsExtension(String extension) {
         return true;
@@ -71,6 +75,7 @@ public class FileNameAnalyzer implements Analyzer {
 
     /**
      * Returns the phase that the analyzer is intended to run in.
+     *
      * @return the phase that the analyzer is intended to run in.
      */
     public AnalysisPhase getAnalysisPhase() {
@@ -91,8 +96,10 @@ public class FileNameAnalyzer implements Analyzer {
 
     /**
      * Determines type of the character passed in.
+     *
      * @param c a character
-     * @return a STRING_STATE representing whether the character is number, alpha, or other.
+     * @return a STRING_STATE representing whether the character is number,
+     * alpha, or other.
      */
     private STRING_STATE determineState(char c) {
         if (c >= '0' && c <= '9') {
@@ -110,7 +117,8 @@ public class FileNameAnalyzer implements Analyzer {
      * Collects information about the file such as hashsums.
      *
      * @param dependency the dependency to analyze.
-     * @throws AnalysisException is thrown if there is an error reading the JAR file.
+     * @throws AnalysisException is thrown if there is an error reading the JAR
+     * file.
      */
     public void analyze(Dependency dependency) throws AnalysisException {
 
@@ -119,7 +127,9 @@ public class FileNameAnalyzer implements Analyzer {
     }
 
     /**
-     * Analyzes the filename of the dependency and adds it to the evidence collections.
+     * Analyzes the filename of the dependency and adds it to the evidence
+     * collections.
+     *
      * @param dependency the dependency to analyze.
      */
     private void analyzeFileName(Dependency dependency) {
@@ -157,7 +167,6 @@ public class FileNameAnalyzer implements Analyzer {
         }
     }
 
-
     /**
      * The initialize method does nothing for this Analyzer
      */

src/main/java/org/codesecure/dependencycheck/analyzer/JarAnalyzer.java

@@ -2,18 +2,18 @@ package org.codesecure.dependencycheck.analyzer;
 /*
  * This file is part of DependencyCheck.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
+ * DependencyCheck is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
+ * DependencyCheck is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
  *
- * You should have received a copy of the GNU General Public License
- * along with DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * You should have received a copy of the GNU General Public License along with
+ * DependencyCheck. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -57,17 +57,26 @@ public class JarAnalyzer extends AbstractAnalyzer {
     private static final Set<String> IGNORE_LIST = newHashSet(
             "built-by",
             "created-by",
-            //"license",
+            "builtby",
+            "createdby",
             "build-jdk",
+            "buildjdk",
             "ant-version",
+            "antversion",
             "import-package",
             "export-package",
+            "importpackage",
+            "exportpackage",
             "sealed",
             "manifest-version",
             "archiver-version",
+            "manifestversion",
+            "archiverversion",
             "classpath",
+            "class-path",
             "tool",
-            "bundle-manifestversion");
+            "bundle-manifestversion",
+            "bundlemanifestversion");
     /**
      * The set of file extensions supported by this analyzer.
      */