diff --git a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
index fc4fc9d3b..78f6e823a 100644
--- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
+++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
@@ -86,8 +86,8 @@ public class Check extends Update {
}
/**
- * Returns the path. If the path has not been initialized yet, this class is synchronized, and will instantiate the path
- * object.
+ * Returns the path. If the path has not been initialized yet, this class is
+ * synchronized, and will instantiate the path object.
*
* @return the path
*/
@@ -109,7 +109,8 @@ public class Check extends Update {
}
/**
- * Add a reference to a Path, FileSet, DirSet, or FileList defined elsewhere.
+ * Add a reference to a Path, FileSet, DirSet, or FileList defined
+ * elsewhere.
*
* @param r the reference to a path, fileset, dirset or filelist.
*/
@@ -121,7 +122,8 @@ public class Check extends Update {
}
/**
- * If this is a reference, this method will add the referenced resource collection to the collection of paths.
+ * If this is a reference, this method will add the referenced resource
+ * collection to the collection of paths.
*
* @throws BuildException if the reference is not to a resource collection
*/
@@ -196,7 +198,8 @@ public class Check extends Update {
}
/**
- * Specifies the destination directory for the generated Dependency-Check report.
+ * Specifies the destination directory for the generated Dependency-Check
+ * report.
*/
private String reportOutputDirectory = ".";
@@ -218,9 +221,11 @@ public class Check extends Update {
this.reportOutputDirectory = reportOutputDirectory;
}
/**
- * Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which
- * means since the CVSS scores are 0-10, by default the build will never fail and the CVSS score is set to 11. The valid range
- * for the fail build on CVSS is 0 to 11, where anything above 10 will not cause the build to fail.
+ * Specifies if the build should be failed if a CVSS score above a specified
+ * level is identified. The default is 11 which means since the CVSS scores
+ * are 0-10, by default the build will never fail and the CVSS score is set
+ * to 11. The valid range for the fail build on CVSS is 0 to 11, where
+ * anything above 10 will not cause the build to fail.
*/
private float failBuildOnCVSS = 11;
@@ -242,8 +247,8 @@ public class Check extends Update {
this.failBuildOnCVSS = failBuildOnCVSS;
}
/**
- * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. Default
- * is true.
+ * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not
+ * recommended that this be turned to false. Default is true.
*/
private Boolean autoUpdate;
@@ -295,7 +300,8 @@ public class Check extends Update {
}
/**
- * The report format to be generated (HTML, XML, VULN, ALL). Default is HTML.
+ * The report format to be generated (HTML, XML, VULN, ALL). Default is
+ * HTML.
*/
private String reportFormat = "HTML";
@@ -383,7 +389,7 @@ public class Check extends Update {
public void setEnableExperimental(Boolean enableExperimental) {
this.enableExperimental = enableExperimental;
}
-
+
/**
* Whether or not the Jar Analyzer is enabled.
*/
@@ -644,7 +650,8 @@ public class Check extends Update {
/**
* Set the value of pyDistributionAnalyzerEnabled.
*
- * @param pyDistributionAnalyzerEnabled new value of pyDistributionAnalyzerEnabled
+ * @param pyDistributionAnalyzerEnabled new value of
+ * pyDistributionAnalyzerEnabled
*/
public void setPyDistributionAnalyzerEnabled(Boolean pyDistributionAnalyzerEnabled) {
this.pyDistributionAnalyzerEnabled = pyDistributionAnalyzerEnabled;
@@ -697,7 +704,8 @@ public class Check extends Update {
}
/**
- * The URL of a Nexus server's REST API end point (http://domain/nexus/service/local).
+ * The URL of a Nexus server's REST API end point
+ * (http://domain/nexus/service/local).
*/
private String nexusUrl;
@@ -742,8 +750,8 @@ public class Check extends Update {
}
/**
- * Additional ZIP File extensions to add analyze. This should be a comma-separated list of file extensions to treat like ZIP
- * files.
+ * Additional ZIP File extensions to add analyze. This should be a
+ * comma-separated list of file extensions to treat like ZIP files.
*/
private String zipExtensions;
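Review bot: The rewrapped Javadoc on `zipExtensions` keeps the garbled phrase `Additional ZIP File extensions to add analyze`; since the commit already rewrites these lines it is the moment to fix the wording, e.g. `* Additional ZIP file extensions to analyze. This should be a` with the second line unchanged. The same applies to the checkForFailure Javadoc later in this file, where the new `@throws` text reads `higher` / `then the threshold set` and should be `higher than the threshold set`.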
@@ -853,7 +861,8 @@ public class Check extends Update {
}
/**
- * Validate the configuration to ensure the parameters have been properly configured/initialized.
+ * Validate the configuration to ensure the parameters have been properly
+ * configured/initialized.
*
* @throws BuildException if the task was not configured correctly.
*/
@@ -867,8 +876,9 @@ public class Check extends Update {
}
/**
- * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties
- * required to change the proxy server, port, and connection timeout.
+ * Takes the properties supplied and updates the dependency-check settings.
+ * Additionally, this sets the system properties required to change the
+ * proxy server, port, and connection timeout.
*
* @throws BuildException thrown when an invalid setting is configured.
*/
@@ -899,11 +909,12 @@ public class Check extends Update {
}
/**
- * Checks to see if a vulnerability has been identified with a CVSS score that is above the threshold set in the
- * configuration.
+ * Checks to see if a vulnerability has been identified with a CVSS score
+ * that is above the threshold set in the configuration.
*
* @param dependencies the list of dependency objects
- * @throws BuildException thrown if a CVSS score is found that is higher then the threshold set
+ * @throws BuildException thrown if a CVSS score is found that is higher
+ * then the threshold set
*/
private void checkForFailure(List dependencies) throws BuildException {
final StringBuilder ids = new StringBuilder();
@@ -927,7 +938,8 @@ public class Check extends Update {
}
/**
- * Generates a warning message listing a summary of dependencies and their associated CPE and CVE entries.
+ * Generates a warning message listing a summary of dependencies and their
+ * associated CPE and CVE entries.
*
* @param dependencies a list of dependency objects
*/
@@ -967,7 +979,8 @@ public class Check extends Update {
}
/**
- * An enumeration of supported report formats: "ALL", "HTML", "XML", "VULN", etc..
+ * An enumeration of supported report formats: "ALL", "HTML", "XML", "VULN",
+ * etc..
*/
public static class ReportFormats extends EnumeratedAttribute {
diff --git a/dependency-check-ant/src/main/java/org/slf4j/impl/StaticLoggerBinder.java b/dependency-check-ant/src/main/java/org/slf4j/impl/StaticLoggerBinder.java
index c7d3bd93b..92c87d3e1 100644
--- a/dependency-check-ant/src/main/java/org/slf4j/impl/StaticLoggerBinder.java
+++ b/dependency-check-ant/src/main/java/org/slf4j/impl/StaticLoggerBinder.java
@@ -23,16 +23,18 @@ import org.slf4j.ILoggerFactory;
import org.slf4j.spi.LoggerFactoryBinder;
/**
- * The binding of org.slf4j.LoggerFactory class with an actual instance of org.slf4j.ILoggerFactory is performed using information
- * returned by this class.
+ * The binding of org.slf4j.LoggerFactory class with an actual instance of
+ * org.slf4j.ILoggerFactory is performed using information returned by this
+ * class.
*
* @author colezlaw
*/
+//CSOFF: FinalClass
public class StaticLoggerBinder implements LoggerFactoryBinder {
+//CSON: FinalClass
/**
* The unique instance of this class
- *
*/
private static final StaticLoggerBinder SINGLETON = new StaticLoggerBinder();
@@ -46,7 +48,8 @@ public class StaticLoggerBinder implements LoggerFactoryBinder {
}
/**
- * Ant tasks have the log method we actually want to call. So we hang onto the task as a delegate
+ * Ant tasks have the log method we actually want to call. So we hang onto
+ * the task as a delegate
*/
private Task task = null;
@@ -61,16 +64,24 @@ public class StaticLoggerBinder implements LoggerFactoryBinder {
}
/**
- * Declare the version of the SLF4J API this implementation is compiled against. The value of this filed is usually modified
- * with each release.
+ * Declare the version of the SLF4J API this implementation is compiled
+ * against. The value of this filed is usually modified with each release.
*/
// to avoid constant folding by the compiler, this field must *not* be final
+ //CSOFF: StaticVariableName
+ //CSOFF: VisibilityModifier
public static String REQUESTED_API_VERSION = "1.7.12"; // final
-
+ //CSON: VisibilityModifier
+ //CSON: StaticVariableName
+
+ /**
+ * The logger factory class string.
+ */
private static final String LOGGER_FACTORY_CLASS = AntLoggerFactory.class.getName();
/**
- * The ILoggerFactory instance returned by the {@link #getLoggerFactory} method should always be the smae object
+ * The ILoggerFactory instance returned by the {@link #getLoggerFactory}
+ * method should always be the smae object
*/
private ILoggerFactory loggerFactory;
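Review bot: The rewrapped comment on `loggerFactory` carries over the typo `smae` — the second line should read `* method should always be the same object`; likewise `The value of this filed` in the REQUESTED_API_VERSION Javadoc should be `field`. The CSOFF/CSON suppressions around that non-final public static are justified by the existing `must *not* be final` comment, so it would help to keep that explanation on the line directly above the suppressions rather than above them and separated, so a reader sees why the checks are disabled.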
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
index 97c0719d5..812f70394 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
@@ -24,7 +24,6 @@ import java.net.MalformedURLException;
import java.net.URL;
import java.util.List;
import java.util.Set;
-import java.util.logging.Level;
import java.util.regex.Pattern;
import org.owasp.dependencycheck.suppression.SuppressionParseException;
import org.owasp.dependencycheck.suppression.SuppressionParser;
@@ -38,7 +37,8 @@ import org.slf4j.LoggerFactory;
import org.xml.sax.SAXException;
/**
- * Abstract base suppression analyzer that contains methods for parsing the suppression xml file.
+ * Abstract base suppression analyzer that contains methods for parsing the
+ * suppression xml file.
*
* @author Jeremy Long
*/
@@ -173,7 +173,8 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
*
* @param message the exception message
* @param exception the cause of the exception
- * @throws SuppressionParseException throws the generated SuppressionParseException
+ * @throws SuppressionParseException throws the generated
+ * SuppressionParseException
*/
private void throwSuppressionParseException(String message, Exception exception) throws SuppressionParseException {
LOGGER.warn(message);
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java
index 41a243021..e27f95649 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java
@@ -57,7 +57,7 @@ public class AnalyzerService {
* @return a list of Analyzers.
*/
public List getAnalyzers() {
- List analyzers = new ArrayList();
+ final List analyzers = new ArrayList();
final Iterator iterator = service.iterator();
boolean experimentalEnabled = false;
try {
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java
index b7d23a3e3..0775e8a88 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java
@@ -67,11 +67,13 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
}
//
- // Python init files
+ /**
+ * Python init files
+ */
private static final NameFileFilter IGNORED_FILES = new NameFileFilter(new String[] {
"__init__.py",
"__init__.pyc",
- "__init__.pyo"
+ "__init__.pyo",
});
/**
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
index c76e8199b..18218d583 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
@@ -60,7 +60,8 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
- * Used to load a JAR file and collect information that can be used to determine the associated CPE.
+ * Used to load a JAR file and collect information that can be used to determine
+ * the associated CPE.
*
* @author Jeremy Long
*/
@@ -72,7 +73,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
*/
private static final Logger LOGGER = LoggerFactory.getLogger(JarAnalyzer.class);
/**
- * The count of directories created during analysis. This is used for creating temporary directories.
+ * The count of directories created during analysis. This is used for
+ * creating temporary directories.
*/
private static int dirCount = 0;
/**
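Review bot: `private static int dirCount = 0;` is a plain static counter that, per the reflowed comment, is used to name temporary directories; if analyzers ever run concurrently, increments on it are not atomic and two runs could obtain the same directory name. Where it is incremented is outside this hunk, so this may already be guarded; if not, `private static final AtomicInteger DIR_COUNT = new AtomicInteger();` with `DIR_COUNT.incrementAndGet()` removes the race. The explicit `= 0` initializer on a static int is also redundant.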
@@ -80,7 +82,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
*/
private static final String NEWLINE = System.getProperty("line.separator");
/**
- * A list of values in the manifest to ignore as they only result in false positives.
+ * A list of values in the manifest to ignore as they only result in false
+ * positives.
*/
private static final Set IGNORE_VALUES = newHashSet(
"Sun Java System Application Server");
@@ -123,7 +126,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
"ipojo-extension",
"eclipse-sourcereferences");
/**
- * Deprecated Jar manifest attribute, that is, nonetheless, useful for analysis.
+ * Deprecated Jar manifest attribute, that is, nonetheless, useful for
+ * analysis.
*/
@SuppressWarnings("deprecation")
private static final String IMPLEMENTATION_VENDOR_ID = Attributes.Name.IMPLEMENTATION_VENDOR_ID
@@ -203,7 +207,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
//
/**
- * Returns the key used in the properties file to reference the analyzer's enabled property.
+ * Returns the key used in the properties file to reference the analyzer's
+ * enabled property.
*
* @return the analyzer's enabled property setting key
*/
@@ -213,12 +218,13 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
- * Loads a specified JAR file and collects information from the manifest and checksums to identify the correct CPE
- * information.
+ * Loads a specified JAR file and collects information from the manifest and
+ * checksums to identify the correct CPE information.
*
* @param dependency the dependency to analyze.
* @param engine the engine that is scanning the dependencies
- * @throws AnalysisException is thrown if there is an error reading the JAR file.
+ * @throws AnalysisException is thrown if there is an error reading the JAR
+ * file.
*/
@Override
public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
@@ -242,13 +248,15 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
- * Attempts to find a pom.xml within the JAR file. If found it extracts information and adds it to the evidence. This will
- * attempt to interpolate the strings contained within the pom.properties if one exists.
+ * Attempts to find a pom.xml within the JAR file. If found it extracts
+ * information and adds it to the evidence. This will attempt to interpolate
+ * the strings contained within the pom.properties if one exists.
*
* @param dependency the dependency being analyzed
* @param classes a collection of class name information
* @param engine the analysis engine, used to add additional dependencies
- * @throws AnalysisException is thrown if there is an exception parsing the pom
+ * @throws AnalysisException is thrown if there is an exception parsing the
+ * pom
* @return whether or not evidence was added to the dependency
*/
protected boolean analyzePOM(Dependency dependency, List classes, Engine engine) throws AnalysisException {
@@ -329,12 +337,14 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
- * Given a path to a pom.xml within a JarFile, this method attempts to load a sibling pom.properties if one exists.
+ * Given a path to a pom.xml within a JarFile, this method attempts to load
+ * a sibling pom.properties if one exists.
*
* @param path the path to the pom.xml within the JarFile
* @param jar the JarFile to load the pom.properties from
* @return a Properties object or null if no pom.properties was found
- * @throws IOException thrown if there is an exception reading the pom.properties
+ * @throws IOException thrown if there is an exception reading the
+ * pom.properties
*/
private Properties retrievePomProperties(String path, final JarFile jar) throws IOException {
Properties pomProperties = null;
@@ -361,7 +371,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
- * Searches a JarFile for pom.xml entries and returns a listing of these entries.
+ * Searches a JarFile for pom.xml entries and returns a listing of these
+ * entries.
*
* @param jar the JarFile to search
* @return a list of pom.xml entries
@@ -388,8 +399,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
* @param jar the jar file to extract the pom from
* @param dependency the dependency being analyzed
* @return returns the POM object
- * @throws AnalysisException is thrown if there is an exception extracting or parsing the POM
- * {@link org.owasp.dependencycheck.xml.pom.Model} object
+ * @throws AnalysisException is thrown if there is an exception extracting
+ * or parsing the POM {@link org.owasp.dependencycheck.xml.pom.Model} object
*/
private Model extractPom(String path, JarFile jar, Dependency dependency) throws AnalysisException {
InputStream input = null;
@@ -447,9 +458,10 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
*
* @param dependency the dependency to set data on
* @param pom the information from the pom
- * @param classes a collection of ClassNameInformation - containing data about the fully qualified class names within the JAR
- * file being analyzed
- * @return true if there was evidence within the pom that we could use; otherwise false
+ * @param classes a collection of ClassNameInformation - containing data
+ * about the fully qualified class names within the JAR file being analyzed
+ * @return true if there was evidence within the pom that we could use;
+ * otherwise false
*/
public static boolean setPomEvidence(Dependency dependency, Model pom, List classes) {
boolean foundSomething = false;
@@ -571,12 +583,15 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
- * Analyzes the path information of the classes contained within the JarAnalyzer to try and determine possible vendor or
- * product names. If any are found they are stored in the packageVendor and packageProduct hashSets.
+ * Analyzes the path information of the classes contained within the
+ * JarAnalyzer to try and determine possible vendor or product names. If any
+ * are found they are stored in the packageVendor and packageProduct
+ * hashSets.
*
* @param classNames a list of class names
* @param dependency a dependency to analyze
- * @param addPackagesAsEvidence a flag indicating whether or not package names should be added as evidence.
+ * @param addPackagesAsEvidence a flag indicating whether or not package
+ * names should be added as evidence.
*/
protected void analyzePackageNames(List classNames,
Dependency dependency, boolean addPackagesAsEvidence) {
@@ -611,11 +626,13 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
/**
*
- * Reads the manifest from the JAR file and collects the entries. Some vendorKey entries are:
+ * Reads the manifest from the JAR file and collects the entries. Some
+ * vendorKey entries are:
* - Implementation Title
* - Implementation Version
- Implementation Vendor
- * - Implementation VendorId
- Bundle Name
- Bundle Version
- Bundle Vendor
- Bundle
- * Description
- Main Class
+ * Implementation VendorId Bundle Name Bundle
+ * Version Bundle Vendor Bundle Description Main
+ * Class
* However, all but a handful of specific entries are read in.
*
* @param dependency A reference to the dependency
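Review bot: The rewrap of the parseManifest Javadoc flattened the bulleted list of vendorKey entries: the new `Implementation VendorId Bundle Name Bundle` / `Version Bundle Vendor Bundle Description Main` / `Class` lines are one run-on sentence where the removed text had a `- ` item per entry. Restore one `* - ` line per entry (Implementation VendorId, Bundle Name, Bundle Version, Bundle Vendor, Bundle Description, Main Class). The addDescription Javadoc further down in this file has the same problem: the item `- "* uses "` was split across two lines as `- "* uses` / `"`, and should stay on one line as `* - "* uses "`. Wrapping such lists in `<ul>`/`<li>` or a `<pre>` block would also keep them intact through future reformatting.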
@@ -623,7 +640,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
* @return whether evidence was identified parsing the manifest
* @throws IOException if there is an issue reading the JAR file
*/
- protected boolean parseManifest(Dependency dependency, List classInformation) throws IOException {
+ protected boolean parseManifest(Dependency dependency, List classInformation)
+ throws IOException {
boolean foundSomething = false;
JarFile jar = null;
try {
@@ -748,21 +766,19 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
addMatchingValues(classInformation, value, productEvidence);
} else if (key.contains("license")) {
addLicense(dependency, value);
+ } else if (key.contains("description")) {
+ addDescription(dependency, value, "manifest", key);
} else {
- if (key.contains("description")) {
- addDescription(dependency, value, "manifest", key);
- } else {
- productEvidence.addEvidence(source, key, value, Confidence.LOW);
- vendorEvidence.addEvidence(source, key, value, Confidence.LOW);
- addMatchingValues(classInformation, value, vendorEvidence);
- addMatchingValues(classInformation, value, productEvidence);
- if (value.matches(".*\\d.*")) {
- final StringTokenizer tokenizer = new StringTokenizer(value, " ");
- while (tokenizer.hasMoreElements()) {
- final String s = tokenizer.nextToken();
- if (s.matches("^[0-9.]+$")) {
- versionEvidence.addEvidence(source, key, s, Confidence.LOW);
- }
+ productEvidence.addEvidence(source, key, value, Confidence.LOW);
+ vendorEvidence.addEvidence(source, key, value, Confidence.LOW);
+ addMatchingValues(classInformation, value, vendorEvidence);
+ addMatchingValues(classInformation, value, productEvidence);
+ if (value.matches(".*\\d.*")) {
+ final StringTokenizer tokenizer = new StringTokenizer(value, " ");
+ while (tokenizer.hasMoreElements()) {
+ final String s = tokenizer.nextToken();
+ if (s.matches("^[0-9.]+$")) {
+ versionEvidence.addEvidence(source, key, s, Confidence.LOW);
}
}
}
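Review bot: Flattening the nested `else { if (...) }` into `else if (key.contains("description"))` is a clear improvement, but the fallback branch still calls `value.matches(".*\\d.*")` and `s.matches("^[0-9.]+$")`, which recompile both regexes for every manifest attribute and every token. Hoisting them to `private static final Pattern HAS_DIGIT = Pattern.compile(".*\\d.*");` and `private static final Pattern VERSION_TOKEN = Pattern.compile("^[0-9.]+$");` and using `HAS_DIGIT.matcher(value).matches()` / `VERSION_TOKEN.matcher(s).matches()` preserves behaviour while avoiding the per-call compile; `Pattern` is already in scope in this file, as the isImportPackage hunk shows. The same applies to isImportPackage itself, whose first body line compiles `packageRx` on every call and could use a static final field. parseManifest's body starts and ends outside this hunk.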
@@ -810,15 +826,18 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
- * Adds a description to the given dependency. If the description contains one of the following strings beyond 100 characters,
- * then the description used will be trimmed to that position:
- * - "such as"
- "like "
- "will use "
- "* uses "
+ * Adds a description to the given dependency. If the description contains
+ * one of the following strings beyond 100 characters, then the description
+ * used will be trimmed to that position:
+ * - "such as"
- "like "
- "will use "
- "* uses
+ * "
*
* @param dependency a dependency
* @param description the description
* @param source the source of the evidence
* @param key the "name" of the evidence
- * @return if the description is trimmed, the trimmed version is returned; otherwise the original description is returned
+ * @return if the description is trimmed, the trimmed version is returned;
+ * otherwise the original description is returned
*/
public static String addDescription(Dependency dependency, String description, String source, String key) {
if (dependency.getDescription() == null) {
@@ -889,7 +908,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
/**
* Initializes the JarAnalyzer.
*
- * @throws Exception is thrown if there is an exception creating a temporary directory
+ * @throws Exception is thrown if there is an exception creating a temporary
+ * directory
*/
@Override
public void initializeFileTypeAnalyzer() throws Exception {
@@ -920,11 +940,13 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
- * Determines if the key value pair from the manifest is for an "import" type entry for package names.
+ * Determines if the key value pair from the manifest is for an "import"
+ * type entry for package names.
*
* @param key the key from the manifest
* @param value the value from the manifest
- * @return true or false depending on if it is believed the entry is an "import" entry
+ * @return true or false depending on if it is believed the entry is an
+ * "import" entry
*/
private boolean isImportPackage(String key, String value) {
final Pattern packageRx = Pattern.compile("^([a-zA-Z0-9_#\\$\\*\\.]+\\s*[,;]\\s*)+([a-zA-Z0-9_#\\$\\*\\.]+\\s*)?$");
@@ -933,8 +955,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
- * Cycles through an enumeration of JarEntries, contained within the dependency, and returns a list of the class names. This
- * does not include core Java package names (i.e. java.* or javax.*).
+ * Cycles through an enumeration of JarEntries, contained within the
+ * dependency, and returns a list of the class names. This does not include
+ * core Java package names (i.e. java.* or javax.*).
*
* @param dependency the dependency being analyzed
* @return an list of fully qualified class names
@@ -970,12 +993,16 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
- * Cycles through the list of class names and places the package levels 0-3 into the provided maps for vendor and product.
- * This is helpful when analyzing vendor/product as many times this is included in the package name.
+ * Cycles through the list of class names and places the package levels 0-3
+ * into the provided maps for vendor and product. This is helpful when
+ * analyzing vendor/product as many times this is included in the package
+ * name.
*
* @param classNames a list of class names
- * @param vendor HashMap of possible vendor names from package names (e.g. owasp)
- * @param product HashMap of possible product names from package names (e.g. dependencycheck)
+ * @param vendor HashMap of possible vendor names from package names (e.g.
+ * owasp)
+ * @param product HashMap of possible product names from package names (e.g.
+ * dependencycheck)
*/
private void analyzeFullyQualifiedClassNames(List classNames,
Map vendor, Map product) {
@@ -1002,8 +1029,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
- * Adds an entry to the specified collection and sets the Integer (e.g. the count) to 1. If the entry already exists in the
- * collection then the Integer is incremented by 1.
+ * Adds an entry to the specified collection and sets the Integer (e.g. the
+ * count) to 1. If the entry already exists in the collection then the
+ * Integer is incremented by 1.
*
* @param collection a collection of strings and their occurrence count
* @param key the key to add to the collection
@@ -1017,9 +1045,10 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
- * Cycles through the collection of class name information to see if parts of the package names are contained in the provided
- * value. If found, it will be added as the HIGHEST confidence evidence because we have more then one source corroborating the
- * value.
+ * Cycles through the collection of class name information to see if parts
+ * of the package names are contained in the provided value. If found, it
+ * will be added as the HIGHEST confidence evidence because we have more
+ * then one source corroborating the value.
*
* @param classes a collection of class name information
* @param value the value to check to see if it contains a package name
@@ -1042,7 +1071,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
- * Simple check to see if the attribute from a manifest is just a package name.
+ * Simple check to see if the attribute from a manifest is just a package
+ * name.
*
* @param key the key of the value to check
* @param value the value to check
@@ -1056,7 +1086,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
- * Extracts the license information from the pom and adds it to the dependency.
+ * Extracts the license information from the pom and adds it to the
+ * dependency.
*
* @param pom the pom object
* @param dependency the dependency to add license information too
@@ -1103,9 +1134,11 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
/**
*
- * Stores information about a given class name. This class will keep the fully qualified class name and a list of the
- * important parts of the package structure. Up to the first four levels of the package structure are stored, excluding a
- * leading "org" or "com". Example:
+ * Stores information about a given class name. This class will keep the
+ * fully qualified class name and a list of the important parts of the
+ * package structure. Up to the first four levels of the package
+ * structure are stored, excluding a leading "org" or "com".
+ * Example:
* ClassNameInformation obj = new ClassNameInformation("org.owasp.dependencycheck.analyzer.JarAnalyzer");
* System.out.println(obj.getName());
* for (String p : obj.getPackageStructure())
@@ -1164,7 +1197,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
this.name = name;
}
/**
- * Up to the first four levels of the package structure, excluding a leading "org" or "com".
+ * Up to the first four levels of the package structure, excluding a
+ * leading "org" or "com".
*/
private final ArrayList packageStructure = new ArrayList();
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
index 5e4f90afa..940d50cbf 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
@@ -17,6 +17,15 @@
*/
package org.owasp.dependencycheck.analyzer;
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileFilter;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
import org.apache.commons.io.FileUtils;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
@@ -30,9 +39,6 @@ import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import java.io.*;
-import java.util.*;
-import java.util.logging.Level;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
/**
@@ -62,10 +68,8 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
public static final String ADVISORY = "Advisory: ";
public static final String CRITICALITY = "Criticality: ";
- public CveDB cvedb;
- //instance.open();
- //Vulnerability result = instance.getVulnerability("CVE-2015-3225");
-
+ private CveDB cvedb;
+
/**
* @return a filter that accepts files named Gemfile.lock
*/
@@ -237,7 +241,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
} catch (IOException ioe) {
LOGGER.warn("bundle-audit failure", ioe);
} finally {
- if (errReader!= null) {
+ if (errReader != null) {
try {
errReader.close();
} catch (IOException ioe) {
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java
index 1ec66a517..020c2263c 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java
@@ -261,6 +261,7 @@ public class DownloadTask implements Callable> {
try {
is.close();
} catch (IOException ex) {
+ LOGGER.debug("Error closing stream", ex);
}
}
}
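Review bot: The hand-written `is.close()` with its nested try/catch at the top of the hunk could go away entirely if `is` were opened in a try-with-resources (Java 7+; whether this module targets that level is not visible here), and a close failure would then surface as a suppressed exception instead of a debug line. If the manual form stays, the new message is fine but generic; naming the resource, e.g. `LOGGER.debug("Error closing download input stream", ex);`, makes the log line searchable — I am guessing at what `is` reads since its declaration is outside the hunk. The enclosing method starts and ends outside the hunk.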
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionParser.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionParser.java
index e4956ed1b..4d368fb3c 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionParser.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionParser.java
@@ -25,7 +25,6 @@ import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.Reader;
import java.util.List;
-import java.util.logging.Level;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
@@ -110,7 +109,8 @@ public class SuppressionParser {
*
* @param inputStream an InputStream containing suppression rues
* @return a list of suppression rules
- * @throws SuppressionParseException if the xml cannot be parsed
+ * @throws SuppressionParseException thrown if the xml cannot be parsed
+ * @throws SAXException thrown if the xml cannot be parsed
*/
public List parseSuppressionRules(InputStream inputStream) throws SuppressionParseException, SAXException {
try {
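Review bot: The two `@throws` lines now carry identical text, so a caller cannot tell when a raw `SAXException` escapes `parseSuppressionRules` instead of being wrapped in `SuppressionParseException`; state the distinction, e.g. `@throws SAXException thrown if the SAX parser itself cannot be created or configured — confirm against the method body`. The context line above still reads `suppression rues` and could be corrected to `suppression rules` in the same pass. Since the class builds its parser from `SAXParserFactory` (see the import hunk above) and this method parses an arbitrary `InputStream`, it is worth confirming the factory disables DTD and external-entity resolution; that configuration is outside this hunk. The method body continues outside the hunk.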
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java
index 68436e92e..4eabdcab9 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java
@@ -59,7 +59,7 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
*/
@Before
public void setUp() throws Exception {
- Settings.initialize();
+ Settings.initialize();
analyzer = new RubyBundleAuditAnalyzer();
analyzer.setFilesMatched(true);
}
@@ -71,7 +71,7 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
*/
@After
public void tearDown() throws Exception {
- Settings.cleanup();
+ Settings.cleanup();
analyzer.close();
analyzer = null;
}
@@ -99,7 +99,7 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
*/
@Test
public void testAnalysis() throws AnalysisException, DatabaseException {
- try {
+ try {
analyzer.initialize();
final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
@@ -113,7 +113,6 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
assertTrue(dependency.getProductEvidence().toString().toLowerCase().contains("redcarpet"));
assertTrue(dependency.getVersionEvidence().toString().toLowerCase().contains("2.2.2"));
-
} catch (Exception e) {
LOGGER.warn("Exception setting up RubyBundleAuditAnalyzer. Make sure Ruby gem bundle-audit is installed. You may also need to set property \"analyzer.bundle.audit.path\".", e);
Assume.assumeNoException("Exception setting up RubyBundleAuditAnalyzer; bundle audit may not be installed, or property \"analyzer.bundle.audit.path\" may not be set.", e);
@@ -133,7 +132,6 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
final Engine engine = new Engine();
analyzer.analyze(result, engine);
-
Dependency dependency = engine.getDependencies().get(0);
Vulnerability vulnerability = dependency.getVulnerabilities().first();
assertEquals(vulnerability.getCvssScore(), 5.0f, 0.0);
@@ -144,7 +142,6 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
}
}
-
/**
* Test when Ruby bundle-audit is not available on the system.
*
@@ -152,19 +149,17 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
*/
@Test
public void testMissingBundleAudit() throws AnalysisException, DatabaseException {
- //set a non-exist bundle-audit
+ //set a non-exist bundle-audit
Settings.setString(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, "phantom-bundle-audit");
try {
//initialize should fail.
- analyzer.initialize();
- } catch (Exception e) {
- //expected, so ignore.
- }
- finally {
- assertThat(analyzer.isEnabled(), is(false));
- LOGGER.info("phantom-bundle-audit is not available. Ruby Bundle Audit Analyzer is disabled as expected.");
+ analyzer.initialize();
+ } catch (Exception e) {
+ //expected, so ignore.
+ } finally {
+ assertThat(analyzer.isEnabled(), is(false));
+ LOGGER.info("phantom-bundle-audit is not available. Ruby Bundle Audit Analyzer is disabled as expected.");
}
}
-
}
diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index 1fd81babe..070c6e693 100644
--- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -688,7 +688,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
}
}
Settings.setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate);
-
+
Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, enableExperimental);
if (externalReport != null) {
diff --git a/dependency-check-maven/src/main/java/org/slf4j/impl/StaticLoggerBinder.java b/dependency-check-maven/src/main/java/org/slf4j/impl/StaticLoggerBinder.java
index bb9c6f538..af66c7ee3 100644
--- a/dependency-check-maven/src/main/java/org/slf4j/impl/StaticLoggerBinder.java
+++ b/dependency-check-maven/src/main/java/org/slf4j/impl/StaticLoggerBinder.java
@@ -23,8 +23,9 @@ import org.slf4j.ILoggerFactory;
import org.slf4j.spi.LoggerFactoryBinder;
/**
- * The binding of org.slf4j.LoggerFactory class with an actual instance of org.slf4j.ILoggerFactory is performed using information
- * returned by this class.
+ * The binding of org.slf4j.LoggerFactory class with an actual instance of
+ * org.slf4j.ILoggerFactory is performed using information returned by this
+ * class.
*
* @author colezlaw
*/
@@ -47,7 +48,7 @@ public class StaticLoggerBinder implements LoggerFactoryBinder {
}
/**
- * Maven mojos have their own logger, so we'll use one of those
+ * Maven mojos have their own logger, so we'll use one of those.
*/
private Log log = null;
@@ -62,8 +63,8 @@ public class StaticLoggerBinder implements LoggerFactoryBinder {
}
/**
- * Declare the version of the SLF4J API this implementation is compiled against. The value of this filed is usually modified
- * with each release.
+ * Declare the version of the SLF4J API this implementation is compiled
+ * against. The value of this filed is usually modified with each release.
*/
// to avoid constant folding by the compiler, this field must *not* be final
//CSOFF: StaticVariableName
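Review bot: The reflowed Javadoc preserves the typo `filed` on the new side; the second line should read `against. The value of this field is usually modified with each release.`. The reflowed sentence in the next hunk (`method should always be the same object`) likewise still lacks a terminating period.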
@@ -78,7 +79,8 @@ public class StaticLoggerBinder implements LoggerFactoryBinder {
private static final String LOGGER_FACTORY_CLASS = MavenLoggerFactory.class.getName();
/**
- * The ILoggerFactory instance returned by the {@link #getLoggerFactory} method should always be the same object
+ * The ILoggerFactory instance returned by the {@link #getLoggerFactory}
+ * method should always be the same object
*/
private ILoggerFactory loggerFactory;